66 changes: 66 additions & 0 deletions .github/workflows/docker_release.yml
@@ -0,0 +1,66 @@
name: Push Docker Image

on:
push:
tags:
- v*
workflow_dispatch:
inputs:
tag:
description: 'Tag name to build (e.g. v0.5.0)'
required: true

permissions:
contents: read
packages: write

env:
IMAGE_NAME: ghcr.io/morph-l2/node

jobs:
push:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag || github.ref }}
Comment on lines +25 to +27
Contributor

⚠️ Potential issue | 🟠 Major

Constrain checkout to tag refs for manual releases.

Line 27 checks out whatever inputs.tag resolves to. A non-tag ref (e.g., similarly named branch) can be built and published if it matches the regex string format. Force checkout to refs/tags/... so manual releases only build real tags.

Suggested hardening
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.tag || github.ref }}
+          ref: refs/tags/${{ inputs.tag || github.ref_name }}
+          fetch-depth: 0
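Review bot: `fetch-depth: 0` in this suggestion is not needed for the workflow; `git rev-parse HEAD` in the later "Extract version and commit" step resolves fine on the default shallow clone, and the full-history fetch only slows the job. Keep the `refs/tags/` prefix on the `ref:` line and drop the `fetch-depth` line. One side effect worth noting: once the ref is forced to `refs/tags/...`, a malformed `workflow_dispatch` input fails inside `actions/checkout` with a generic fetch error instead of the workflow's own `Invalid release tag` message, so the regex check is better placed in a step that runs before the checkout (it does not need the repository contents).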
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker_release.yml around lines 25 - 27, The checkout step
currently uses ref: ${{ inputs.tag || github.ref }} which can resolve to non-tag
refs; update the actions/checkout@v4 ref to force tag refs when a manual tag is
supplied by changing it to use the refs/tags/ prefix (e.g. ref: ${{ inputs.tag
&& 'refs/tags/' + inputs.tag || github.ref }}), so the checkout in the
actions/checkout step always uses refs/tags/<tag> for manual releases while
falling back to github.ref otherwise.


- name: Set up QEMU
uses: docker/setup-qemu-action@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log into registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract version and commit
id: meta
run: |
TAG="${{ inputs.tag || github.ref_name }}"
if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
echo "Invalid release tag: $TAG (expected e.g. v0.5.0)"
exit 1
fi
VERSION="${TAG#v}"
COMMIT=$(git rev-parse HEAD)
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "commit=${COMMIT}" >> "$GITHUB_OUTPUT"

- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile.l2-node
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
${{ env.IMAGE_NAME }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
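Review bot: the "Extract version and commit" step interpolates `${{ inputs.tag || github.ref_name }}` directly into the shell script (`TAG="${{ inputs.tag || github.ref_name }}"`), which is the GitHub Actions script-injection pattern: a dispatch input or a pushed tag name containing `"`, `;` or `$(...)` is executed as shell before the regex check ever runs, and git permits those characters in ref names. Pass the value through `env:` instead (for example `env: RELEASE_TAG: ${{ inputs.tag || github.ref_name }}` on the step, then `TAG="$RELEASE_TAG"` in the script) so it is only ever a string. Two smaller points in the same hunk: the regex accepts pre-release suffixes such as `v0.5.0-rc1`, yet the build step unconditionally pushes `${{ env.IMAGE_NAME }}:latest`, so a release candidate would overwrite `latest`; gate the `latest` tag on a plain `vX.Y.Z` match. And the `commit` output is computed but never consumed; wire it into the image, e.g. `labels: org.opencontainers.image.revision=${{ steps.meta.outputs.commit }}` on `docker/build-push-action`. Finally, all four actions are referenced by mutable major tags (`@v4`, `@v3`, `@v6`); pinning them to full commit SHAs (with the tag in a trailing comment) is the usual supply-chain hardening for a release workflow that holds `packages: write`.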