@parasmehta
Contributor

@parasmehta parasmehta commented Sep 15, 2025

Add GitHub workflow that builds the Docker container for the app and hosts it on the GitHub package registry. This would save participants' time during workshops and avoid build issues.

Summary by CodeRabbit

  • New Features

    • Prebuilt multi-arch Docker image (amd64, arm64) now available on GitHub Container Registry for easier deployment.
    • docker-compose now pulls the published image by default for quicker startup.
  • Chores

    • Added CI workflow to build, test, tag, and publish Docker images on pushes, PRs, and manual runs.
    • Images include standardized metadata (source, description, license, documentation) for improved registry visibility.
    • Automated tagging supports latest, branch/PR refs, and optional manual tags; publishes a summary of image details.

@coderabbitai

coderabbitai bot commented Sep 15, 2025

Walkthrough

Adds a new GitHub Actions workflow to build/test and publish Docker images to GHCR, augments the Dockerfile with OCI labels, and updates docker-compose to pull the pre-built image from GHCR instead of building locally.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI: Docker publish workflow (.github/workflows/docker-publish.yml) | New workflow to build/test on push/PR, and publish multi-arch images to GHCR on main or manual dispatch. Uses Buildx/QEMU, metadata-action for tags/labels, caching, and emits a summary. |
| Image metadata (Dockerfile) | Adds OCI labels: source, description, licenses, documentation. No other build/run logic changed. |
| Compose uses prebuilt image (docker-compose.yml) | Switches service to ghcr.io/aihpi/ragsst:latest; removes local build block; adds comments explaining how to build locally if needed. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant BT as Job: build-and-test
  participant PB as Job: publish
  participant BX as Docker Buildx/QEMU
  participant MDA as metadata-action
  participant REG as GHCR (ghcr.io)

  Dev->>GH: push to main / PR to main / workflow_dispatch(tag?)
  GH->>BT: start
  BT->>BX: setup Buildx
  BT->>BX: docker build (no push) tag: ghcr.io/aihpi/ragsst:test
  BT-->>GH: status

  alt main branch or workflow_dispatch
    GH->>PB: start (needs BT)
    PB->>BX: setup QEMU + Buildx
    PB->>REG: login to ghcr.io
    PB->>MDA: extract tags/labels (branch/PR/semver/default/tag input)
    PB->>BX: build and push multi-arch (amd64, arm64)<br/>with tags/labels and build-args (BUILD_DATE, VCS_REF, VERSION)
    BX->>REG: push image manifests
    PB-->>GH: summary (registry, image, tags, platforms)
  else PRs/non-main pushes
    GH-->>Dev: publish job skipped
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I thump my paws—our ship now sails,
To GHCR on tidy trails.
Labels neat, a compose tweak,
Multi-arch builds each busy week.
Carrot-shaped tags? Not quite—yet sweet! 🥕
Hop, push, release—another feat.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "add workflow for docker on github registry" concisely and accurately summarizes the primary change — adding a GitHub Actions workflow to build and publish the Docker image to GitHub's registry — and is directly related to the changeset, making it clear for reviewers scanning history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (9)
Dockerfile (2)

23-27: Wire labels to build args and add standard OCI fields.

Enables provenance and avoids manual edits; also adds title/version/revision/created.

Apply:

+# Build-time metadata from workflow
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
 # Add metadata labels for GitHub Container Registry
 LABEL org.opencontainers.image.source="https://github.com/aihpi/ragsst"
 LABEL org.opencontainers.image.description="RAGSST - Retrieval Augmented Generation and Semantic-Search Tool"
 LABEL org.opencontainers.image.licenses="GPL-3.0"
 LABEL org.opencontainers.image.documentation="https://github.com/aihpi/ragsst/blob/main/README.md"
+LABEL org.opencontainers.image.title="RAGSST"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.revision="${VCS_REF}"
+LABEL org.opencontainers.image.created="${BUILD_DATE}"
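Review bot: the three ARG lines at the top of this hunk have no default values, so any build that does not pass BUILD_DATE, VCS_REF and VERSION (a local docker build, for instance) ships empty version, revision and created labels. Give them visible fallbacks such as ARG VERSION=dev, or fail the build when they are empty, so an image built outside the workflow is distinguishable from a published one.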

26-26: Confirm license label is correct.

Ensure the repo is actually GPL-3.0; mismatch here can mislead downstream users.

docker-compose.yml (1)

13-18: Avoid floating latest; make tag configurable.

Improves reproducibility for workshops while keeping defaults.

Apply:

-      image: ghcr.io/aihpi/ragsst:latest
+      image: ghcr.io/aihpi/ragsst:${RAGSST_TAG:-latest}
+# .env example:
+# RAGSST_TAG=2025-09-15
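Review bot: the :-latest fallback on the image line means a checkout without a .env file still pulls the floating tag, and a dated tag like the 2025-09-15 in the example is still a mutable reference that can be re-pushed. Where the workshop needs exactly the image that was tested, reference it by digest (ghcr.io/aihpi/ragsst@sha256:<digest>, placeholder value), or use ${RAGSST_TAG:?set RAGSST_TAG} so an unset variable is an error rather than a silent fall back to latest.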
.github/workflows/docker-publish.yml (6)

21-42: Job name says “build-and-test” but no tests run.

Either add tests or rename to “build”.

-  build-and-test:
+  build:
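Review bot: renaming the job on the + line also renames the status check reported on pull requests (this review lists it as GitHub Check: build-and-test). If a branch protection rule requires the old check name, update it in the same change, otherwise the required check never reports and merges block.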

Note: Also update needs: build-and-test below accordingly.


47-47: Don’t hardcode default branch name.

Make it resilient if the default branch changes.

-    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    if: github.ref_name == github.event.repository.default_branch || github.event_name == 'workflow_dispatch'
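Review bot: the + line compares github.ref_name, which drops the refs/heads/ prefix that the original condition checked, so a tag named the same as the default branch would also satisfy it. Comparing github.ref against format('refs/heads/{0}', github.event.repository.default_branch) keeps the branch-only check. The workflow_dispatch arm is unchanged and still lets a manual run publish from whichever ref it is dispatched on; if only reviewed code should reach the registry, require the default-branch test for manual runs as well.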

70-83: Tag generation: remove duplicate latest and fix sha prefix.

Current raw tag line can duplicate “latest”; prefix={{branch}}- is not supported for type=sha.

           tags: |
             type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=raw,value=latest,enable={{is_default_branch}}
-            type=raw,value=${{ github.event.inputs.tag || 'latest' }}
-            type=sha,prefix={{branch}}-
+            # Only add manual tag on workflow_dispatch
+            type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event_name == 'workflow_dispatch' }}
+            type=sha,prefix=sha-
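Review bot: the manual tag on the type=raw + line is interpolated from github.event.inputs.tag without validation. A dispatch run with the optional input left empty produces an empty value with enable set to true, and a run that passes latest or an existing version string overwrites a published tag. Extend the enable expression with && github.event.inputs.tag != '' and add a step before the metadata step that rejects reserved or malformed tag names.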

94-97: Build args passed but unused in Dockerfile.

You send BUILD_DATE/VCS_REF/VERSION; wire them to labels (see Dockerfile suggestion) or drop these args.


1-1: Fix line endings.

Yamllint flags CRLF; convert file to LF.


109-109: Add trailing newline.

Satisfy yamllint new-line-at-end-of-file rule.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 22aba76 and 10672be.

📒 Files selected for processing (3)
  • .github/workflows/docker-publish.yml (1 hunks)
  • Dockerfile (1 hunks)
  • docker-compose.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/docker-publish.yml

[error] 1-1: wrong new line character: expected \n

(new-lines)


[error] 109-109: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-and-test
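The "Build args passed but unused in Dockerfile" nitpick above can be checked mechanically. The following is an added example, not code from the PR or from CodeRabbit: it classifies each build arg the workflow passes against the final build stage of a Dockerfile. The two sample Dockerfiles, the base image and the function name audit_build_args are assumptions; it handles single-line instructions only.

```python
import re

# Constructed samples: the page shows only the LABEL lines of the Dockerfile,
# so the FROM lines and base image here are assumptions for illustration.
DOCKERFILE_BEFORE = """\
ARG VERSION
FROM python:3.12-slim
LABEL org.opencontainers.image.source="https://github.com/aihpi/ragsst"
"""
DOCKERFILE_AFTER = """\
FROM python:3.12-slim
ARG BUILD_DATE
ARG VCS_REF
ARG VERSION
LABEL org.opencontainers.image.version="${VERSION}"
LABEL org.opencontainers.image.revision="${VCS_REF}"
LABEL org.opencontainers.image.created="${BUILD_DATE}"
"""
# Build args the workflow passes, as named in the review comment.
WORKFLOW_BUILD_ARGS = ["BUILD_DATE", "VCS_REF", "VERSION"]

VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)")


def audit_build_args(dockerfile, passed):
    """Map each passed build arg to 'used', 'declared-unused' or 'undeclared',
    judged against the final build stage (the one whose labels ship)."""
    declared, referenced, in_stage = set(), set(), False
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            # A new stage starts with no ARGs in scope; an ARG placed before
            # the first FROM is visible to FROM lines only.
            declared, referenced, in_stage = set(), set(), True
        elif instr == "ARG":
            if in_stage:
                declared.add(rest.split("=", 1)[0].strip())
        else:
            referenced |= {n for n in VAR_REF.findall(rest) if n in declared}
    return {
        name: "used" if name in referenced
        else "declared-unused" if name in declared
        else "undeclared"
        for name in passed
    }


if __name__ == "__main__":
    for label, text in (("before", DOCKERFILE_BEFORE), ("after", DOCKERFILE_AFTER)):
        print(label, audit_build_args(text, WORKFLOW_BUILD_ARGS))
```

Run in CI against the real Dockerfile, any result other than "used" means the provenance labels (version, revision, created) will not carry the values the workflow sends.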

@parasmehta
Contributor Author

Merging this pull request so as to build and push the Docker image to GitHub registry.

@parasmehta parasmehta merged commit f87edec into main Sep 16, 2025
6 checks passed