feat: Refactor GitHub Actions workflows to use a reusable Docker build/push workflow

[rapoler]

Summary by CodeRabbit

• Chores
  • Refactored CI/CD workflows to use reusable workflow configurations for improved maintainability and consistency.
  • Updated build pipeline permissions to support token-based authentication.

[claude]

Claude finished @rapoler's task —— View job

---

PR Review: GitHub Actions Workflow Refactor

Review Tasks:

• Analyze server-prod.yaml workflow changes
• Analyze web-app.yaml workflow changes
• Check for code quality and best practices
• Identify potential bugs or issues
• Evaluate performance considerations
• Review security concerns
• Assess test coverage impact

---

✅ Overall Assessment

This refactoring successfully consolidates Docker build/push logic into a reusable workflow, significantly reducing duplication and improving maintainability. The changes are well-structured and follow GitHub Actions best practices.

🔍 Detailed Analysis

Positive Changes:

1. DRY Principle: Eliminated ~44 lines of duplicated Docker build/push logic by leveraging a reusable workflow
2. Centralized Configuration: Docker registry migration from Docker Hub to Google Artifact Registry (asia-south1-docker.pkg.dev) is now centralized
3. Improved Security:
   • Switched from contents: write to contents: read in server-prod.yaml:14
   • Added id-token: write for OIDC authentication (more secure than long-lived secrets)
4. Simplified Tag Management: Using ${{ github.ref_name }} instead of custom environment variable logic
5. Better Job Separation: Split server workflow into separate build-server and build-migrate jobs

Potential Issues & Recommendations:

1. ⚠️ External Dependency Risk (.github/workflows/server-prod.yaml:8, .github/workflows/web-app.yaml:9)

   • Both workflows depend on factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
   • Risk: Using @develop branch could introduce breaking changes unexpectedly
   • Recommendation: Pin to a specific tag/commit hash for stability:

     uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@v1.2.3

2. 🔍 Missing Error Handling

   • No validation that the reusable workflow exists or is accessible
   • Recommendation: Add a fallback or validation step

3. 📝 Registry Migration Impact

   • Complete migration from Docker Hub (factly/gopie-*) to Google Artifact Registry
   • Verify: Ensure downstream systems (deployment scripts, helm charts, etc.) are updated to use new registry URLs

Security Analysis:

✅ Improvements:

• OIDC authentication with id-token: write is more secure than secret-based auth
• Minimal permissions with contents: read

⚠️ Considerations:

• Ensure the factly/gopie-ee repository has proper access controls
• The reusable workflow will have access to secrets in the calling repository's context

Performance Considerations:

✅ Better Performance:

• Reduced workflow complexity should improve execution time
• Centralized caching logic in reusable workflow (if implemented)

Test Coverage:

⚠️ Missing Context:

• Cannot assess if the reusable workflow includes proper testing
• Original workflows didn't include tests either, so this is not a regression

🎯 Action Items:

1. High Priority: Pin the reusable workflow to a stable version instead of @develop
2. Medium Priority: Verify all deployment configs use the new Artifact Registry URLs
3. Low Priority: Consider adding workflow validation or fallback mechanisms

🏆 Conclusion:

This is a solid refactoring that follows infrastructure-as-code best practices. The main concern is the dependency on an unstable branch reference. Once that's addressed, this change will significantly improve workflow maintainability.

Recommendation: ✅ Approve with minor changes - address the version pinning concern before merging.

---

[coderabbitai]

📝 Walkthrough

Walkthrough

Refactors two GitHub Actions workflows to use a centralized reusable docker-build-push workflow. Replaces embedded build-and-push steps with workflow invocations, consolidating Docker image building logic. Updates authentication to token-based approach and introduces a separate build-migrate job for the server workflow.

Changes

Cohort / File(s)	Summary
Workflow Refactoring .github/workflows/server-prod.yaml, .github/workflows/web-app.yaml	Replaces inline Docker build/push steps with reusable workflow invocations. Removes embedded checkout, environment setup, Docker login, and build steps. Updates permissions to include id-token: write for token-based authentication. Server workflow adds separate build-migrate job alongside build-server.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• add chat-server, server-prod, web-prod git actions #14: Directly modifies the same workflows (server-prod.yaml and web-app.yaml) with opposite intent—adds standalone jobs versus refactoring to reusable workflow invocations.

Poem

🐰 Workflows now dance with reusable grace,
No more steps scattered all over the place,
A Docker poem told once, used everywhere,
Tokens replace secrets with careful care,
Build, migrate, push—orchestrated with flair! 🐇

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: refactoring GitHub Actions workflows to use a reusable Docker build/push workflow, which is the primary focus across both modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/server-prod.yaml:
- Line 8: The reusable workflow reference "uses:
factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop" should be
pinned to an immutable commit SHA instead of the branch name; update both
occurrences (the one shown and the other at line 18) to use the exact commit SHA
for factly/gopie-ee so the release jobs always run the same workflow version.

In @.github/workflows/web-app.yaml:
- Line 9: Replace the mutable branch reference in the reusable workflow call
(the string "factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop"
used in .github/workflows/web-app.yaml) with a fixed commit SHA; update the
workflow invocation to reference the repository path plus the specific commit
SHA instead of "@develop" so builds are deterministic, and make the same change
for the other occurrences noted in .github/workflows/server-prod.yaml (the two
references currently using "@develop").

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dadd3611-f8a2-44e3-954b-4e76390d3529

📥 Commits

Reviewing files that changed from the base of the PR and between 2442ea7 and c21b264.

📒 Files selected for processing (2)

• .github/workflows/server-prod.yaml
• .github/workflows/web-app.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the file exists and examine its content
if [ -f ".github/workflows/server-prod.yaml" ]; then
  cat -n ".github/workflows/server-prod.yaml"
else
  echo "File not found"
fi

Repository: factly/gopie

Length of output: 917

---

🏁 Script executed:

#!/bin/bash
# Let's verify the context - confirm this is a production workflow and check the severity
# Check if there are other workflow files to understand the pattern
git ls-files ".github/workflows/" | head -20

Repository: factly/gopie

Length of output: 262

---

Pin the reusable workflow to an immutable ref before using it in release jobs.

GitHub lets reusable workflows be referenced by branch, tag, or SHA, but explicitly calls the commit SHA the safest option for stability and security. Keeping both release jobs on @develop means a future change in factly/gopie-ee can silently change or break tagged production builds, and full workflow reruns may resolve that branch again instead of preserving the original workflow version. (docs.github.com)

Suggested change

-    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
+    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@<pinned-commit-sha>

Also applies to line 18.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/server-prod.yaml at line 8, The reusable workflow
reference "uses:
factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop" should be
pinned to an immutable commit SHA instead of the branch name; update both
occurrences (the one shown and the other at line 18) to use the exact commit SHA
for factly/gopie-ee so the release jobs always run the same workflow version.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check if the file exists and examine its content
if [ -f ".github/workflows/web-app.yaml" ]; then
    echo "=== File: .github/workflows/web-app.yaml ==="
    cat -n ".github/workflows/web-app.yaml"
else
    echo "File not found, searching for it..."
    find . -name "web-app.yaml" -o -name "*web-app*" 2>/dev/null | head -20
fi

Repository: factly/gopie

Length of output: 597

---

🏁 Script executed:

# Also check for other workflow files to understand the pattern
ls -la .github/workflows/ 2>/dev/null || echo "Directory not found"

Repository: factly/gopie

Length of output: 560

---

🏁 Script executed:

# Let's also check if there's a server-prod workflow mentioned in the scratchpad
if [ -f ".github/workflows/server-prod.yaml" ]; then
    echo "=== File: .github/workflows/server-prod.yaml (for context) ==="
    cat -n ".github/workflows/server-prod.yaml"
fi

Repository: factly/gopie

Length of output: 980

---

Pin the reusable workflow reference to a commit SHA instead of @develop.

This workflow is triggered on tag pushes and uses @develop to reference the shared build workflow in the external factly/gopie-ee repository. Since develop is mutable, the same tag could produce different Docker images if the upstream branch changes, breaking reproducibility. GitHub's best practice for reusable workflows is to pin to a specific commit SHA for security and deterministic builds. Note that this same issue exists in .github/workflows/server-prod.yaml (lines 8 and 18).

Suggested change

-    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
+    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@<pinned-commit-sha>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/web-app.yaml at line 9, Replace the mutable branch
reference in the reusable workflow call (the string
"factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop" used in
.github/workflows/web-app.yaml) with a fixed commit SHA; update the workflow
invocation to reference the repository path plus the specific commit SHA instead
of "@develop" so builds are deterministic, and make the same change for the
other occurrences noted in .github/workflows/server-prod.yaml (the two
references currently using "@develop").