
ci: skip image publishing for dependabot pushes #66

Merged
raeperd merged 3 commits into main from codex/fix-dependabot-ci-build-failures
Jul 2, 2026

Conversation

@raeperd raeperd commented Jul 2, 2026

Owner

Motivation

  • Prevent Dependabot branch pushes from attempting GHCR login and Jib image publishing, which can fail and break CI, while still running the Gradle build validation for PRs and other pushes.

Description

  • Update .github/workflows/build.yml to add && github.actor != 'dependabot[bot]' to the GHCR login, branch-name export, and Jib image build steps so Dependabot pushes skip image publishing.

Testing

  • Ran JAVA_HOME=$HOME/.local/share/mise/installs/java/25.0.2 ./gradlew compileJava --info which succeeded, attempted ./gradlew build --info but it was blocked in this environment by HTTP 403 responses from Maven Central, and ran git diff --check before committing the workflow change.

Codex Task

Summary by CodeRabbit

  • Chores
    • Updated the release workflow so container image build and publish steps run only on standard push events, not automated bot pushes.
    • Removed the prior branch-name retrieval step and adjusted tagging to use the generated BRANCH_NAME shell variable.

coderabbitai Bot commented Jul 2, 2026

Contributor

Walkthrough

The GitHub Actions workflow now limits Docker registry login and Jib container build/publish execution to push events from actors other than dependabot[bot], and the branch-name environment setup step was removed.

Changes

CI Workflow Condition Update

Layer / File(s): Restrict publish steps to non-dependabot pushes (.github/workflows/build.yml)
Summary: Registry login and "Build container image" steps now require a push event from a non-dependabot[bot] actor, and the separate branch-name setup step was removed in favor of using BRANCH_NAME directly.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main workflow change: skipping image publishing for Dependabot push events.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@raeperd raeperd self-assigned this Jul 2, 2026
@raeperd raeperd removed the codex label Jul 2, 2026
@raeperd raeperd changed the title from "Skip image publishing for Dependabot pushes" to "ci Skip image publishing for Dependabot pushes" Jul 2, 2026
@raeperd raeperd changed the title from "ci Skip image publishing for Dependabot pushes" to "ci: skip image publishing for dependabot pushes" Jul 2, 2026
@raeperd raeperd marked this pull request as ready for review July 2, 2026 15:39

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 39-41: The Build container image step is interpolating BRANCH_NAME
directly into the run script, which can allow shell injection. Update the
workflow step that runs ./gradlew jib so it reads the branch value from the
shell environment at execution time instead of using the ${{ env.BRANCH_NAME }}
template expression, and keep the tagging logic in the same step while
referencing the variable safely through the shell.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b746bbf7-30f5-4f18-9d47-b7ce3b445e4d

📥 Commits

Reviewing files that changed from the base of the PR and between a69b13f and b62e743.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Comment thread .github/workflows/build.yml Outdated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 36-38: The build step still uses $BRANCH_NAME in the Build
container image job, but the branch-name export was removed so the tag will be
empty on push runs. Restore the branch resolution before this step (using a safe
shell/job env export into GITHUB_ENV, or an equivalent env setup) and keep the
Jib invocation in Build container image reading that exported variable so
jib.to.tags receives a real branch tag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 940f93a2-49c9-431a-ab9b-d9291ece42f8

📥 Commits

Reviewing files that changed from the base of the PR and between b62e743 and 05c6429.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Comment thread .github/workflows/build.yml
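The two review comments above turn on the same mechanism: GitHub Actions expands `${{ ... }}` expressions textually into a `run:` script before any shell runs it, so a value pasted in that way is parsed as shell syntax, whereas a value exported into the environment and expanded as a quoted variable is only ever data. The POSIX shell script below is an added example, not code from this PR or the project. `render_template` is a hypothetical stand-in for the Actions expression expander (a plain one-occurrence text substitution), the hostile branch name and the refs are constructed inputs, and reducing the branch name to a valid image tag in `branch_tag_from_ref` is an addition here that the PR's workflow does not do.

```shell
#!/bin/sh
# Added example; not code from the PR or the project. It imitates the two
# findings in the review comments: (1) GitHub Actions expands ${{ ... }}
# expressions textually into a `run:` script before the shell sees it, so a
# hostile branch name becomes shell syntax; (2) a value handed over through
# the environment and expanded as a quoted variable stays data. It also shows
# a safe replacement for the removed branch-name export step.
set -u

TEMPLATE_TOKEN='${{ env.BRANCH_NAME }}'

# Hypothetical stand-in for the Actions expression expander (assumption: a
# plain textual substitution, one occurrence of the token per template).
render_template() {            # $1 = step script template, $2 = branch value
  render_tpl=$1
  printf '%s%s%s' "${render_tpl%%"$TEMPLATE_TOKEN"*}" "$2" "${render_tpl#*"$TEMPLATE_TOKEN"}"
}

# Vulnerable shape flagged by the first review comment: the branch value is
# pasted into the script text, then the whole thing is executed.
run_vulnerable_step() {        # $1 = branch value
  run_vuln_script=$(render_template 'echo "tags=${{ env.BRANCH_NAME }}"' "$1")
  sh -c "$run_vuln_script"
}

# Hardened shape: the script is fixed text; the value reaches it through the
# process environment (an `env:` mapping on the step, or an earlier
# `>> "$GITHUB_ENV"`) and is referenced as a quoted shell variable.
run_hardened_step() {          # $1 = branch value
  BRANCH_NAME=$1 sh -c 'echo "tags=$BRANCH_NAME"'
}

# Replacement for the export step the PR removed (second review comment):
# derive the branch from a refs/heads/... ref and reduce it to a valid image
# tag (letters, digits, '_', '.', '-'; no leading '.' or '-'; at most 128
# chars). Reducing it to a valid tag is an addition here, not something the
# PR's workflow does.
branch_tag_from_ref() {        # $1 = refs/heads/<branch>
  case $1 in
    refs/heads/*) tag_name=${1#refs/heads/} ;;
    *) echo "not a branch ref: $1" >&2; return 1 ;;
  esac
  tag_name=$(printf '%s' "$tag_name" | sed 's/[^A-Za-z0-9_.-]/-/g' | cut -c1-128)
  tag_name=${tag_name#"${tag_name%%[!.-]*}"}   # strip a leading run of '.' / '-'
  printf '%s' "${tag_name:-unknown}"
}

# In a workflow step the export would be (GITHUB_REF and GITHUB_ENV are set
# by the runner):
#   echo "BRANCH_NAME=$(branch_tag_from_ref "$GITHUB_REF")" >> "$GITHUB_ENV"

# Demonstration with a constructed hostile branch name.
EVIL_BRANCH='main"; echo INJECTED; echo "'
echo '--- vulnerable step (payload runs) ---'
run_vulnerable_step "$EVIL_BRANCH"
echo '--- hardened step (payload is printed, not run) ---'
run_hardened_step "$EVIL_BRANCH"
echo '--- tag derived from refs/heads/feature/Fix#66 ---'
branch_tag_from_ref 'refs/heads/feature/Fix#66'; echo
```

The vulnerable step prints `INJECTED` on its own line because the rendered script became `echo "tags=main"; echo INJECTED; echo ""`; the hardened step prints the whole hostile string as the tag value and nothing else. In the real workflow the same separation is achieved by putting the value in an `env:` block on the step and writing `"$BRANCH_NAME"` in `run:`, never `${{ env.BRANCH_NAME }}`.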
sonarqubecloud Bot commented Jul 2, 2026


@raeperd raeperd merged commit 3a0d56b into main Jul 2, 2026
4 checks passed