Skip to content

ci: update workflow to build and push to GHCR instead of AWS ECR#1

Merged
TeeHit101 merged 1 commit into
mainfrom
feature/push-to-ghcr
Jun 29, 2026
Merged

ci: update workflow to build and push to GHCR instead of AWS ECR#1
TeeHit101 merged 1 commit into
mainfrom
feature/push-to-ghcr

Conversation

@TeeHit101

@TeeHit101 TeeHit101 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores
    • Updated the container publishing workflow to use GitHub Container Registry.
    • The build now tags images with both the commit version and latest.
    • Deployment config updates now point to the new registry location for smoother releases.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The CI workflow is migrated from AWS ECR to GitHub Container Registry (GHCR). The workflow name is updated, job-level permissions for contents: read and packages: write are added, and the build/push steps now authenticate to ghcr.io and tag images with both the commit SHA and latest. The config repo update step is adjusted to write a GHCR image URL.

Changes

ECR to GHCR Migration

Layer / File(s) Summary
GHCR auth, build, push, and config update
.github/workflows/bygg_push.yml
Workflow name changed to GHCR-focused title; job permissions set to contents: read and packages: write; steps replaced to login to ghcr.io with GITHUB_TOKEN, build and push image with SHA and latest tags, and patch apps/inventory-app/deployment.yaml in the config repo to reference the GHCR image URL.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 Hop hop, no more ECR in sight,
The registry switched to GitHub tonight!
With SHA and latest both pushed with care,
The container now lives in GHCR's lair.
A token, a login, a lowercased name—
The bunny's CI will never be the same! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: switching the workflow from AWS ECR to GHCR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/push-to-ghcr

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@TeeHit101 TeeHit101 merged commit a24ef63 into main Jun 29, 2026
1 check was pending

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/bygg_push.yml:
- Line 1: The workflow file is committed with CRLF line endings, which is
causing yamllint to fail. Normalize the GitHub Actions workflow content to
LF-only line endings in the workflow file itself so it matches the repository’s
expected Unix newline format.
- Around line 15-16: The checkout step is persisting the repo token into the
workspace, which can leak into the Docker build context because the build uses a
broad copy of the repo. Update the actions/checkout step in the workflow to
disable credential persistence, and keep using the explicit push token later for
the config repo push. Reference the checkout step near the actions/checkout
usage so it’s easy to locate.
- Around line 15-23: The workflow step definitions for actions/checkout and
docker/login-action are pinned to outdated major versions. Update the uses
entries in the GitHub Actions job to the latest major releases for Checkout and
Docker Login so the workflow runs on supported runtimes and avoids Node 16
deprecation issues.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e350547f-d364-4790-9137-51c5bac87961

📥 Commits

Reviewing files that changed from the base of the PR and between bf19150 and 443b93c.

📒 Files selected for processing (1)
  • .github/workflows/bygg_push.yml

@@ -1,4 +1,4 @@
name: Build and Push to AWS ECR
name: Build and Push to GitHub Container Registry

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Normalize this workflow file to LF line endings.

Yamllint is already failing on this file because it is committed with CRLF instead of \n.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 1-1: wrong new line character: expected \n

(new-lines)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bygg_push.yml at line 1, The workflow file is committed
with CRLF line endings, which is causing yamllint to fail. Normalize the GitHub
Actions workflow content to LF-only line endings in the workflow file itself so
it matches the repository’s expected Unix newline format.

Source: Linters/SAST tools

Comment on lines 15 to 16
- name: Checkout code
uses: actions/checkout@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable checkout credential persistence before the Docker build.

actions/checkout persists the repo token by default, and this repo’s Dockerfile:1-25 does COPY . .. That creates a real path for the checkout token to end up in the Docker build context/image whenever .git is not excluded. This workflow does not need the checkout token after clone anyway because the later config-repo push uses secrets.GITOPSTOKEN.

🔒 Suggested change
       - name: Checkout code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout code
uses: actions/checkout@v3
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false
🧰 Tools
🪛 actionlint (1.7.12)

[error] 16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.26.1)

[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bygg_push.yml around lines 15 - 16, The checkout step is
persisting the repo token into the workspace, which can leak into the Docker
build context because the build uses a broad copy of the repo. Update the
actions/checkout step in the workflow to disable credential persistence, and
keep using the explicit push token later for the config repo push. Reference the
checkout step near the actions/checkout usage so it’s easy to locate.

Source: Linters/SAST tools

Comment on lines 15 to +23
- name: Checkout code
uses: actions/checkout@v3

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
- name: Log in to GitHub Container Registry
uses: docker/login-action@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-north-1 # Din region
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file and surrounding context
git ls-files .github/workflows
wc -l .github/workflows/bygg_push.yml
cat -n .github/workflows/bygg_push.yml | sed -n '1,120p'

# Look for any version pins or related workflow usage elsewhere
rg -n "actions/checkout@v3|docker/login-action@v2|actions/checkout@v4|docker/login-action@v3" .github/workflows . || true

Repository: TeeHit101/inventory-tracker-app

Length of output: 2970


🌐 Web query:

GitHub Actions actions/checkout v3 support deprecation runner current GitHub-hosted runner docker/login-action v2 deprecation

💡 Result:

As of June 29, 2026, both actions/checkout@v3 and docker/login-action@v2 are outdated and should be upgraded to their latest versions to ensure compatibility with modern GitHub Actions runners, which have transitioned to newer Node.js runtimes [1][2][3][4][5]. actions/checkout: You should upgrade from v3 to the latest version (v7 as of June 2026) [6][7]. Older versions like v3 relied on Node.js 16, which is no longer supported by GitHub-hosted runners [1][2]. Using an outdated version may lead to runtime failures as GitHub-hosted runner images continue to remove legacy support for older Node.js versions [1]. docker/login-action: You should upgrade from v2 to the latest version (v4.2.0 as of May 2026) [3][8]. Version v2 is deprecated; GitHub community and maintainers advise updating to at least v3 or the current v4 series [4], which supports modern runtimes including Node.js 24 [3][5]. Current GitHub-hosted Runners: As of June 2026, GitHub-hosted runners have evolved to support newer operating systems and runtimes [9][10]. Notable current runner images include: - Linux: ubuntu-24.04 (current default) and ubuntu-26.04 (in public preview) [9][10][11]. Note that Ubuntu 22.04 images have entered a deprecation phase [10]. - Windows: Windows Server 2025 with Visual Studio 2026 [12][10][11]. - macOS: macOS 15 (latest) and preview versions of macOS 26 [12][11]. It is recommended to always use the most recent stable release of any GitHub Action to ensure security, compatibility with the latest runner environments, and access to new features [6][3].

Citations:


🌐 Web query:

site:github.com/actions/checkout v3 Node 16 deprecation GitHub Actions

💡 Result:

Node.js 16 reached its end-of-life on September 11, 2023 [1][2], and GitHub Actions has subsequently transitioned to using Node.js 20 as the default runtime [2]. Because actions/checkout@v3 was built specifically to run on Node.js 16 [3], it is now considered deprecated and will trigger warning annotations in your GitHub Actions workflows [4][5]. To resolve these warnings and ensure compatibility with current infrastructure, you should update your workflows to use actions/checkout@v4 (or the latest major version) [4][5]. While some users may have experienced workarounds or inconsistencies where v3 might appear to run on Node.js 20 due to runner-level changes [6], relying on older action versions is not recommended. Updating to v4 is the standard and supported path to ensure your workflows remain secure and fully functional [5].

Citations:


Upgrade the pinned action majors. actions/checkout@v3 and docker/login-action@v2 are outdated; actions/checkout@v3 still targets Node 16, which GitHub Actions has deprecated. Move both to the latest major versions to avoid runner/runtime compatibility issues.

🧰 Tools
🪛 actionlint (1.7.12)

[error] 16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


[error] 19-19: the runner of "docker/login-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.26.1)

[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bygg_push.yml around lines 15 - 23, The workflow step
definitions for actions/checkout and docker/login-action are pinned to outdated
major versions. Update the uses entries in the GitHub Actions job to the latest
major releases for Checkout and Docker Login so the workflow runs on supported
runtimes and avoids Node 16 deprecation issues.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant