ci: skip image publishing for dependabot pushes #66
Walkthrough: The GitHub Actions workflow now limits Docker registry login and Jib container build/publish execution to push events from actors other than
Changes: CI Workflow Condition Update
Estimated code review effort: 1 (Trivial), ~3 minutes. Pre-merge checks: 5 passed.
Actionable comments posted: 1
Inline comments:
In .github/workflows/build.yml:
- Around line 39-41: The Build container image step is interpolating BRANCH_NAME directly into the run script, which can allow shell injection. Update the workflow step that runs ./gradlew jib so it reads the branch value from the shell environment at execution time instead of using the `${{ env.BRANCH_NAME }}` template expression, and keep the tagging logic in the same step while referencing the variable safely through the shell.
📒 Files selected for processing (1)
.github/workflows/build.yml
Actionable comments posted: 1
Inline comments:
In .github/workflows/build.yml:
- Around line 36-38: The build step still uses $BRANCH_NAME in the Build container image job, but the branch-name export was removed so the tag will be empty on push runs. Restore the branch resolution before this step (using a safe shell/job env export into GITHUB_ENV, or an equivalent env setup) and keep the Jib invocation in Build container image reading that exported variable so jib.to.tags receives a real branch tag.
📒 Files selected for processing (1)
.github/workflows/build.yml
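Taking the two review comments together, the following is an added example (not the PR's actual build.yml) of a workflow where the branch-name export is restored through GITHUB_ENV and the Jib step reads it as a shell variable instead of interpolating `${{ env.BRANCH_NAME }}` into the script. Assumptions not in the PR: the branch comes from `github.ref_name`, GHCR login uses `docker/login-action`, and the Dependabot guard sits on the job rather than on each step.

```yaml
# Added example, not the project's own workflow file.
name: build
on:
  push:
jobs:
  publish:
    runs-on: ubuntu-latest
    # Guard from the PR: only real pushes, never Dependabot's own pushes.
    if: github.event_name == 'push' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      # Branch-name export. The ref is handed over through `env:`, so the runner
      # sets a process variable and the value never becomes shell source text.
      # (Assumption: the branch name comes from github.ref_name.)
      - name: Export branch name
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Restrict to the Docker tag character set and length so an odd ref
          # can neither break the tag nor smuggle a newline into GITHUB_ENV.
          tag=$(printf '%s' "$REF_NAME" | tr -c 'A-Za-z0-9_.-' '-' | cut -c1-128)
          echo "BRANCH_NAME=$tag" >> "$GITHUB_ENV"

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Pattern flagged in review (do not use):
      #   run: ./gradlew jib -Djib.to.tags=${{ env.BRANCH_NAME }}
      # The expression is expanded into the script before bash parses it, so
      # shell metacharacters in a branch name would be interpreted as commands.
      # Quoting the process variable keeps the value as data only.
      - name: Build container image
        run: ./gradlew jib -Djib.to.tags="$BRANCH_NAME"
```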
Motivation
Description
.github/workflows/build.yml: add `&& github.actor != 'dependabot[bot]'` to the GHCR login, branch-name export, and Jib image build steps so Dependabot pushes skip image publishing.
Testing
- `JAVA_HOME=$HOME/.local/share/mise/installs/java/25.0.2 ./gradlew compileJava --info`, which succeeded
- attempted `./gradlew build --info`, but it was blocked in this environment by HTTP 403 responses from Maven Central
- ran `git diff --check` before committing the workflow change
Summary by CodeRabbit
BRANCH_NAME shell variable.