feature: docker build and release workflow

[dougyster]

Created build.py based on justfile to get the correct tags and build args for each build type and added a dry-run flag to preview args before building.

Added dockerfile path into the workflow to specify which dockerfile to build.

[gemini-code-assist]

Summary of Changes

Hello @dougyster, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the Docker image building and pushing process for the 'Miles' project. By introducing a new Python script, build.py, it centralizes the logic for various build configurations, replacing a less flexible justfile. This change aims to improve the maintainability and extensibility of the build system, providing clear variant definitions, robust caching, and a dry-run capability for command verification, ultimately streamlining the release workflow.

Highlights

• New Docker Build Script: Introduced a new build.py Python script to centralize and manage Docker image builds and pushes, replacing the previous justfile approach.
• Multiple Build Variants: The script supports various build variants including primary, cu129-arm64, cu13-arm64, and debug, each with specific configurations for image names, tags, and build arguments.
• Dry-Run Capability: Added a --dry-run flag, allowing users to preview the exact docker buildx commands that would be executed without actually performing the build or push.
• Buildx Integration and Caching: Utilizes docker buildx for efficient image building, incorporating local caching (/tmp/miles-docker-cache) and direct pushing of images to the registry.
• Proxy Support: The script automatically passes http_proxy and https_proxy environment variables as build arguments to Docker, ensuring builds can operate correctly in proxied environments.

Changelog

• docker/build.py
  • New script added to manage Docker image builds and pushes.
  • Defines a VARIANTS dictionary to configure different build types (primary, cu129-arm64, cu13-arm64, debug) with specific image names, tag postfixes, and build arguments.
  • Includes a get_version function to dynamically retrieve the image version from version.txt.
  • Implements build_and_push function to construct and execute docker buildx build commands, incorporating local caching and --push functionality.
  • Adds logic to automatically pass http_proxy and https_proxy environment variables as Docker build arguments.
  • Introduces a --dry-run command-line argument to print build commands without execution, aiding in verification.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/docker-build.yml
  • .github/workflows/release-docker.yaml

Activity

• The pull request was opened by dougyster with a detailed description, including examples of the new build.py script's dry-run output. No further human activity (comments, reviews) has been recorded yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request replaces the justfile with a new Python script, docker/build.py, for building and pushing Docker images, improving structure and maintainability. However, it introduces an insecure temporary directory for the build cache and logs sensitive proxy credentials. Recommendations include moving the cache directory to a user-specific location, masking sensitive build arguments in logs, and improving command-line argument display, proxy environment variable handling, and path management for overall robustness and code quality.

[gemini-code-assist]

The script prints the full Docker command, including sensitive proxy credentials (HTTP_PROXY, HTTPS_PROXY), which are exposed in logs. This is a security vulnerability. Additionally, using ' '.join(cmd) can misrepresent the command for logging if arguments contain spaces. It's more robust to use shlex.join() for correct quoting and improved debuggability. Consider masking sensitive values before printing and ensure shlex is imported.

Suggested change

	print(f"+ {' '.join(cmd)}", flush=True)
	print(f"+ {shlex.join(cmd)}", flush=True)

[gemini-code-assist]

The use of a hardcoded, predictable directory in /tmp for the Docker build cache is insecure. Since /tmp is world-writable, a local attacker could pre-create this directory or use symlinks to trick the script (especially if run with elevated privileges, which is common for Docker builds) into writing data to arbitrary locations on the filesystem. Consider using a user-specific cache directory.

Suggested change

	CACHE_DIR = "/tmp/miles-docker-cache"
	CACHE_DIR = os.path.expanduser("~/.cache/miles-docker-cache")

[gemini-code-assist]

For better code structure and to make functions more self-contained, consider defining repo_root as a module-level constant.

1. Add this after your imports:

   REPO_ROOT = Path(__file__).resolve().parent.parent

2. Update get_version to use this constant and remove its repo_root parameter:

   def get_version() -> str:
       version_file = REPO_ROOT / "docker" / "version.txt"
       return version_file.read_text().strip()

3. Finally, you can remove this line (repo_root = ...) and call get_version() without arguments on line 72.

[gemini-code-assist]

The current proxy handling only checks for lowercase environment variables (http_proxy, https_proxy). It is a common convention to also support uppercase versions (HTTP_PROXY, HTTPS_PROXY). To make the script more robust, you should check for both.

Suggested change

	for env_var, arg_name in [
	("http_proxy", "HTTP_PROXY"),
	("https_proxy", "HTTPS_PROXY"),
	]:
	value = os.environ.get(env_var, "")
	if value:
	cmd += ["--build-arg", f"{arg_name}={value}"]
	for arg_name in ["HTTP_PROXY", "HTTPS_PROXY"]:
	value = os.environ.get(arg_name.lower()) or os.environ.get(arg_name)
	if value:
	cmd += ["--build-arg", f"{arg_name}={value}"]