Update Docker workflow for permissions and manifests

[sbryngelson]

User description

User description

Add github container deployment

---

PR Type

Enhancement

---

Description

• Add GitHub Container Registry (GHCR) deployment alongside Docker Hub

• Implement proper workflow permissions for container operations

• Enhance manifest creation with multi-registry support

• Add OCI image labels for source repository tracking

---

Diagram Walkthrough

flowchart LR
  A["Docker Workflow"] -->|Add Permissions| B["GHCR + Docker Hub"]
  B -->|Login Steps| C["Dual Registry Auth"]
  C -->|Build & Push| D["Multi-arch Images"]
  D -->|Create Manifests| E["CPU & GPU Manifests"]
  E -->|Push to Both| F["GHCR + Docker Hub"]

Loading

File Walkthrough

Relevant files

Enhancement

docker.yml Add GHCR support and enhance multi-registry deployment      .github/workflows/docker.yml Added permissions block with contents: read and packages: write for secure GitHub Actions execution Added GHCR login step using github.actor and GITHUB_TOKEN credentials Enhanced build steps to push images to both Docker Hub and GHCR with OCI labels Expanded manifest creation job to build and push manifests for both registries with CPU and GPU variants Updated docker/build-push-action from v5 to v6 for GPU builds Added detailed comments for manifest creation logic +64/-12

---

---

CodeAnt-AI Description

Publish multi-arch CPU/GPU images and manifests to Docker Hub and GHCR

What Changed

• Build steps now push each built image to both Docker Hub and GitHub Container Registry so the same tags are published to both registries
• The manifest job creates and pushes CPU and GPU multi-architecture manifests (including per-version and "latest" GPU/CPU tags) to both Docker Hub and GHCR
• Images include an OCI label linking to the GitHub repository and the workflow now grants permissions and performs authenticated GHCR login so pushes succeed

Impact

✅ Dual registry image publishing (Docker Hub + GHCR)
✅ Multi-arch CPU and GPU images available in both registries
✅ Images traceable to source repository via OCI label

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Summary by CodeRabbit

• Chores
  • Container images are now published to GitHub Container Registry (GHCR) in addition to Docker Hub, providing an alternative distribution channel for pulling images.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[qodo-code-review]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Possible Issue GPU matrix duplicates 'gpu' target across runners but both use the same base image; ensure images are built for correct arch and that tags used in manifests (ubuntu-22.04 vs ubuntu-22.04-arm) actually exist and correspond to distinct architectures. - { name: 'cpu', runner: 'ubuntu-22.04', base_image: 'ubuntu:22.04' } - { name: 'gpu', runner: 'ubuntu-22.04', base_image: 'nvcr.io/nvidia/nvhpc:23.11-devel-cuda_multi-ubuntu22.04' } - { name: 'gpu', runner: 'ubuntu-22.04-arm', base_image: 'nvcr.io/nvidia/nvhpc:23.11-devel-cuda_multi-ubuntu22.04' } runs-on: ${{ matrix.config.runner }} outputs: tag: ${{ steps.clone.outputs.tag }} steps: - name: Free Disk Space Tag Consistency Manifest creation references tags with runner suffixes while CPU uses plain '-cpu' without arch suffix; verify naming scheme is consistent across build and manifest steps for both Docker Hub and GHCR to avoid missing tag errors. ${{ secrets.DOCKERHUB_USERNAME }}/mfc:${{ env.TAG }}-${{ matrix.config.name }}-${{ matrix.config.runner}} ghcr.io/${{ github.repository_owner }}/mfc:${{ env.TAG }}-${{ matrix.config.name }}-${{ matrix.config.runner}} push: true manifests: runs-on: ubuntu-latest needs: Container steps: - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Login to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Create and Push Manifest Lists (Docker Hub + GHCR) env: TAG: ${{ needs.Container.outputs.tag }} DH_REGISTRY: ${{ secrets.DOCKERHUB_USERNAME }}/mfc GH_REGISTRY: ghcr.io/${{ github.repository_owner }}/mfc run: | # ---- CPU multi-arch "latest-cpu" from the already pushed $TAG-cpu ---- docker buildx imagetools create -t $DH_REGISTRY:latest-cpu $DH_REGISTRY:$TAG-cpu docker buildx imagetools create -t $GH_REGISTRY:latest-cpu $GH_REGISTRY:$TAG-cpu # ---- GPU manifests across the two runners ---- # Tag these for versioned + latest GPU docker manifest create $DH_REGISTRY:$TAG-gpu \ $DH_REGISTRY:$TAG-gpu-ubuntu-22.04 \ $DH_REGISTRY:$TAG-gpu-ubuntu-22.04-arm docker manifest create $DH_REGISTRY:latest-gpu \ $DH_REGISTRY:$TAG-gpu-ubuntu-22.04 \ $DH_REGISTRY:$TAG-gpu-ubuntu-22.04-arm docker manifest push $DH_REGISTRY:$TAG-gpu docker manifest push $DH_REGISTRY:latest-gpu # GHCR equivalent docker manifest create $GH_REGISTRY:$TAG-gpu \ $GH_REGISTRY:$TAG-gpu-ubuntu-22.04 \ $GH_REGISTRY:$TAG-gpu-ubuntu-22.04-arm docker manifest create $GH_REGISTRY:latest-gpu \ $GH_REGISTRY:$TAG-gpu-ubuntu-22.04 \ $GH_REGISTRY:$TAG-gpu-ubuntu-22.04-arm docker manifest push $GH_REGISTRY:$TAG-gpu docker manifest push $GH_REGISTRY:latest-gpu Permissions Scope Using GITHUB_TOKEN for GHCR push requires sufficient 'packages: write' with correct repo visibility; confirm org/repo settings allow pushing to ghcr.io/${{ github.repository_owner }} and that token permissions are not restricted in environments. permissions: contents: read packages: write

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The GitHub Actions Docker workflow is enhanced to support multi-registry publishing, adding authentication and build logic for both Docker Hub and GHCR. The workflow upgrades build-push-action to v6, extends image tagging strategy, and implements separate manifest creation and push operations across both registries.

Changes

Cohort / File(s)	Summary
Multi-registry Docker workflow \.github/workflows/docker\.yml	Adds GitHub Actions permissions and authentication for Docker Hub and GHCR; upgrades build-push-action from v5 to v6; introduces separate registry variables and multi-arch manifest logic for both Docker Hub and GHCR; extends image tagging to include ghcr.io-prefixed tags alongside Docker Hub tags.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Manifest logic duplication: Review separate manifest creation and push sequences for each registry to ensure consistency and correctness
• Registry configuration: Verify authentication steps, environment variable handling (DH_REGISTRY, GH_REGISTRY), and tag construction for both registries
• Build-push-action upgrade: Confirm v6 compatibility and that labels/metadata are correctly applied to both CPU and GPU builds
• Tag strategy consistency: Ensure image tags are properly scoped per registry and that versioning logic remains sound across both Docker Hub and GHCR

Poem

🐰 Two registries, one workflow, oh what a sight,
Docker Hub and GHCR, burning oh so bright,
Manifests multiplied, tags synchronized with care,
Multi-arch images floating everywhere! 📦✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description includes key information about changes, enhancements, and a diagram, but lacks required template sections like testing details, checklist items, and proper Type of change selection.	Complete the PR description using the template: add testing methodology, verify checklist items, and clearly specify the Type of change (this appears to be a workflow enhancement).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update Docker workflow for permissions and manifests' accurately summarizes the main changes: adding permissions and multi-registry manifest support to the Docker workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

High-level Suggestion

The manifest creation script in the manifests job contains duplicated logic for Docker Hub and GHCR. This should be refactored into a loop over the registries to improve readability and maintainability. [High-level, importance: 7]

Solution Walkthrough:

Before:

# Create and push for Docker Hub
docker buildx imagetools create -t $DH_REGISTRY:latest-cpu ...
docker manifest create $DH_REGISTRY:$TAG-gpu ...
docker manifest create $DH_REGISTRY:latest-gpu ...
docker manifest push $DH_REGISTRY:$TAG-gpu
docker manifest push $DH_REGISTRY:latest-gpu

# Create and push for GHCR (duplication)
docker buildx imagetools create -t $GH_REGISTRY:latest-cpu ...
docker manifest create $GH_REGISTRY:$TAG-gpu ...
docker manifest create $GH_REGISTRY:latest-gpu ...
docker manifest push $GH_REGISTRY:$TAG-gpu
docker manifest push $GH_REGISTRY:latest-gpu

After:

for REGISTRY in $DH_REGISTRY $GH_REGISTRY; do
  docker buildx imagetools create -t $REGISTRY:latest-cpu $REGISTRY:$TAG-cpu

  docker manifest create $REGISTRY:$TAG-gpu \
    $REGISTRY:$TAG-gpu-ubuntu-22.04 \
    $REGISTRY:$TAG-gpu-ubuntu-22.04-arm

  docker manifest create $REGISTRY:latest-gpu \
    $REGISTRY:$TAG-gpu-ubuntu-22.04 \
    $REGISTRY:$TAG-gpu-ubuntu-22.04-arm

  docker manifest push $REGISTRY:$TAG-gpu
  docker manifest push $REGISTRY:latest-gpu
done

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[Copilot]

Pull request overview

This PR adds GitHub Container Registry (GHCR) as a secondary container registry alongside the existing Docker Hub deployment. The changes enable the workflow to push container images to both registries simultaneously while maintaining proper permissions for GitHub Packages.

Key changes:

• Added workflow-level permissions for contents: read and packages: write to enable GHCR publishing
• Introduced dual registry authentication (Docker Hub + GHCR) in both Container and manifests jobs
• Updated image build steps to tag and push to both Docker Hub and GHCR with OCI labels

[cubic-dev-ai]

No issues found across 1 file

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Normalize GHCR image names to lowercase

The GHCR tags are built from ${{ github.repository_owner }} as-is (e.g., ghcr.io/${{ github.repository_owner }}/mfc:${{ env.TAG }}-${{ matrix.config.name }}), but the owner here is MFlowCode with capital letters. Docker/OCI image references must be lowercase, so this produces an invalid reference and the GHCR pushes/manifests will fail with “repository name must be lowercase” whenever the workflow runs.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/docker.yml (2)

12-14: Consider removing unnecessary contents: read permission.

The workflow clones the repository via URL and doesn't read repository content via Git operations, so this permission may be unnecessary. However, it's harmless and could be kept defensively if future changes might require it.

---

151-184: Manifest creation approach works but has consistency gaps.

The workflow uses two different manifest creation methods:

• CPU: docker buildx imagetools create (modern, buildx-native)
• GPU: docker manifest create + docker manifest push (lower-level API)

Both approaches work because CPU builds are multi-arch via buildx, while GPU builds are single-arch per runner. However, this inconsistency could be confusing for maintenance.

Consider:

1. Adding explicit image availability checks before manifest operations to catch missing images early:

docker pull $DH_REGISTRY:$TAG-gpu-ubuntu-22.04

2. Documenting why two different methods are used in the workflow, especially since the GPU multi-runner manifest relies on the images being simultaneously available in the registry.

3. Optionally unifying the approach by using docker buildx imagetools create for GPU images as well (once images are pushed), which would be more consistent.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d9a83b and b639628.

📒 Files selected for processing (1)

• .github/workflows/docker.yml (5 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Detect File Changes
• GitHub Check: Build & Publish

🔇 Additional comments (2)

.github/workflows/docker.yml (2)

51-56: GHCR login configuration is correct.

The GHCR login properly uses github.actor and GITHUB_TOKEN, which is the standard approach for GitHub Container Registry authentication.

---

105-109: Multi-registry tag strategy is well-structured.

Publishing to both Docker Hub and GHCR in a single build step via extended tags is efficient. The OCI image source label is a good addition for discoverability.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Reconsider GPU image tag naming strategy.

Using the full runner name (ubuntu-22.04-arm) as part of the image tag creates implementation-specific, verbose identifiers. Image tags should reflect semantic versioning or architecture, not the CI runner environment.

Current tags like mfc:v1.0-gpu-ubuntu-22.04-arm are opaque to end users.

Consider one of these alternatives:

• Use architecture-neutral semantic tags (e.g., mfc:v1.0-gpu) and rely on manifest multi-arch resolution
• Use explicit architecture suffixes if per-architecture access is needed (e.g., mfc:v1.0-gpu-amd64, mfc:v1.0-gpu-arm64)
• Include only the Ubuntu version, not the runner architecture (e.g., mfc:v1.0-gpu-ubuntu22.04)

If you want to maintain per-runner image artifacts for debugging or pinning specific builds, consider using a different approach such as:

• Storing runner-specific metadata in image labels instead of tags
• Using separate tag namespaces (e.g., mfc:debug-ubuntu-22.04-arm-v1.0)
• Documenting the expected tag format for users

🤖 Prompt for AI Agents

.github/workflows/docker.yml around lines 129-131: the current tag uses the full
runner name (e.g., ubuntu-22.04-arm) which is verbose and CI-implementation
specific; change the tagging strategy to emit semantic/architecture-friendly
tags instead (recommended: ${env.TAG}-gpu for multi-arch manifests or
${env.TAG}-gpu-amd64 / ${env.TAG}-gpu-arm64 when per-arch images are required),
derive architecture from a matrix variable like matrix.config.arch or map the
runner to amd64/arm64, and keep runner-specific info out of the tag by adding it
to image labels or a separate debug tag/namespace (e.g., debug-ubuntu-22.04-arm)
if needed; update the workflow tag lines to use the new tag variable and add
labels/metadata steps to record runner details.

[Malmahrouqi3]

@sbryngelson Why, not needed at all? MFC containers are just massive to be hosted by GitHub Registry.

[Malmahrouqi3]

It would be better honestly to re-orient and push MFC (OpenMP) Images, as they should have existed since ~v5.0.6. They can go as a separate image with its own manifest. The only was to use OMP containers is by grabbing existing ACC ones for any release and re-building with OpenMP config which is not the best way for the long run. Will manually push OMP Images next week as I need them anyways.

[sbryngelson]

thank you for your suggestions