EAGLE-649: Prototype dockerhub upload workflow

[myxie]

https://icrar.atlassian.net/browse/EAGLE-649

Summary by Sourcery

Build:

• Introduce a Docker upload GitHub Actions workflow that logs into Docker Hub, builds images via docker compose, and pushes a slimmed-down eagle image tagged with the current Git ref.

[sourcery-ai]

Reviewer's Guide

Adds a new GitHub Actions workflow that builds a Docker image using docker compose, slims it with SlimToolkit, and pushes tagged images to Docker Hub on every push.

Flow diagram for build-and-push Docker image job in GitHub Actions

graph TD
  A[Push event to repository] --> B[Trigger workflow Build and Push Docker Images]
  B --> C[Start job build-eagle-slim on ubuntu-latest]
  C --> D[Checkout repository using actions/checkout@v4]
  D --> E[Extract Git tag from GITHUB_REF_NAME into VCS_TAG]
  E --> F[Log in to Docker Hub using secrets DOCKERHUB_USERNAME and DOCKERHUB_TOKEN]
  F --> G[Run docker compose -f docker/docker-compose.dep.yml build]
  G --> H[Install SlimToolkit via install-slim.sh]
  H --> I[Run slim build to create icrar/eagle.slim:VCS_TAG from icrar/eagle:VCS_TAG]
  I --> J[docker push --all-tags icrar/eagle.slim to Docker Hub]

Loading

File-Level Changes

Change	Details	Files
Add CI workflow to build, slim, and push Docker images to Docker Hub on push events.	Create a GitHub Actions workflow triggered on push that runs on ubuntu-latest Check out the repository and derive a VCS_TAG from GITHUB_REF_NAME for image tagging Authenticate to Docker Hub using repository secrets for username and token Build the eagle image using docker compose with the dependency compose file Install SlimToolkit via remote install script and generate a slimmed eagle image tagged with the VCS_TAG Push all tags of the slimmed eagle image repository to Docker Hub	.github/workflows/docker-upload.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[james-strauss-uwa]

Hi @myxie, we were having test failure issues across all our branches. Once I fixed that in master, I merged the changes into this branch. Sure enough, it fixed the tests.

Was the failing tests the reason this PR is a draft, or is there something else still in-progress?

[myxie]

@james-strauss-uwa I was hoping to get some feedback from the team and @awicenec on how you wanted this to work moving forward, but Andreas was away and then I have been focused on AusSRC.

If you're happy with this as a preliminary implementation, I can update the scripts so it only generates on release and then open this for review, probably from @awicenec given they're the most familiar with the existing containerisation?

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The workflow currently runs on every push; consider scoping the trigger to tag pushes or specific branches so Docker Hub uploads only happen for intended releases.
• The slim build command assumes an icrar/eagle:${VCS_TAG} image already exists, but the workflow only runs docker compose ... build without an explicit tag or push; confirm the compose config tags that image as expected or add an explicit docker build/docker tag step.
• Instead of installing Slim on every run via curl | bash, consider pinning to a specific version or using a maintained GitHub Action/container image to improve reproducibility and reduce supply-chain risk.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The workflow currently runs on every push; consider scoping the trigger to tag pushes or specific branches so Docker Hub uploads only happen for intended releases.
- The `slim build` command assumes an `icrar/eagle:${VCS_TAG}` image already exists, but the workflow only runs `docker compose ... build` without an explicit tag or push; confirm the compose config tags that image as expected or add an explicit `docker build`/`docker tag` step.
- Instead of installing Slim on every run via `curl | bash`, consider pinning to a specific version or using a maintained GitHub Action/container image to improve reproducibility and reduce supply-chain risk.

## Individual Comments

### Comment 1
<location path=".github/workflows/docker-upload.yml" line_range="14-15" />
<code_context>
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Extract Git Tag
+        run: |
+          echo "VCS_TAG=${GITHUB_REF_NAME}" >> $GITHUB_ENV
+
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Using `GITHUB_REF_NAME` directly may produce unexpected tags for non-tag pushes.

On branch pushes, this will set `VCS_TAG` to the branch name (e.g., `main`), so images get tagged with branch names and `icrar/eagle:${VCS_TAG}` may not exist if base images are only built from tags.

If you only want to build/push on tag pushes, you could either restrict the workflow trigger to tag refs and keep `GITHUB_REF_NAME`, or compute `VCS_TAG` differently for branches (e.g., append the commit SHA) so base image/tag assumptions remain valid.

Suggested implementation:

```
on:
  push:
    tags:
      - '*'
  # release:
  #   types: [published]

```

1. Keep the existing `Extract Git Tag` step that sets `VCS_TAG=${GITHUB_REF_NAME}`; with this change the workflow will only run for tag pushes, so `GITHUB_REF_NAME` will always be a tag and the value of `VCS_TAG` will match your base image tags.
2. If you want to narrow which tags trigger the workflow (e.g., only semantic versions), replace `- '*'` with a more specific pattern such as `- 'v*'`.
</issue_to_address>

### Comment 2
<location path=".github/workflows/docker-upload.yml" line_range="27" />
<code_context>
+      - name: Build and Push eagle-slim
+        run: |
+          docker compose -f ./docker/docker-compose.dep.yml build
+          curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -
+          slim build --include-shell --include-path /usr/local/lib --include-path /usr/local/bin --tag icrar/eagle.slim:${VCS_TAG} icrar/eagle:${VCS_TAG}  
+          # docker push --all-tags icrar/eagle
</code_context>
<issue_to_address>
**🚨 issue (security):** Piping `curl` directly to `sudo bash` is a security risk and makes debugging harder.

Fetching and executing a remote script with `sudo` in a single step prevents inspection/validation and couples the build to whatever is at that URL at run time. Prefer downloading the script first, verifying it (e.g., checksum or pinned ref), then executing it, and pin slimtoolkit to a specific version/commit for reproducible builds.
</issue_to_address>

### Comment 3
<location path=".github/workflows/docker-upload.yml" line_range="26" />
<code_context>
+
+      - name: Build and Push eagle-slim
+        run: |
+          docker compose -f ./docker/docker-compose.dep.yml build
+          curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -
+          slim build --include-shell --include-path /usr/local/lib --include-path /usr/local/bin --tag icrar/eagle.slim:${VCS_TAG} icrar/eagle:${VCS_TAG}  
</code_context>
<issue_to_address>
**suggestion (performance):** Building all services via `docker compose ... build` may be more work than necessary for this job.

If only the slim-related images are needed, consider building just those services, e.g. `docker compose -f ./docker/docker-compose.dep.yml build <service-name>`. This can cut CI build time and resource usage and make the slim step’s dependencies explicit.

Suggested implementation:

```
      - name: Build and Push eagle-slim
        run: |
          # Build only the service that produces the icrar/eagle:${VCS_TAG} image,
          # to avoid building unrelated services and keep this job lean.
          docker compose -f ./docker/docker-compose.dep.yml build eagle
          curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -
          slim build --include-shell --include-path /usr/local/lib --include-path /usr/local/bin --tag icrar/eagle.slim:${VCS_TAG} icrar/eagle:${VCS_TAG}
          # docker push --all-tags icrar/eagle
          docker push --all-tags icrar/eagle.slim

```

1. Replace `eagle` in the `docker compose ... build eagle` command with the actual service name from `docker/docker-compose.dep.yml` that builds the `icrar/eagle:${VCS_TAG}` image (e.g. `eagle`, `eagle-app`, etc.).
2. If multiple services are required for the slim build (e.g. a base image and an app image), list them all: `docker compose -f ./docker/docker-compose.dep.yml build service1 service2`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Using GITHUB_REF_NAME directly may produce unexpected tags for non-tag pushes.

On branch pushes, this will set VCS_TAG to the branch name (e.g., main), so images get tagged with branch names and icrar/eagle:${VCS_TAG} may not exist if base images are only built from tags.

If you only want to build/push on tag pushes, you could either restrict the workflow trigger to tag refs and keep GITHUB_REF_NAME, or compute VCS_TAG differently for branches (e.g., append the commit SHA) so base image/tag assumptions remain valid.

Suggested implementation:

on:
  push:
    tags:
      - '*'
  # release:
  #   types: [published]

1. Keep the existing Extract Git Tag step that sets VCS_TAG=${GITHUB_REF_NAME}; with this change the workflow will only run for tag pushes, so GITHUB_REF_NAME will always be a tag and the value of VCS_TAG will match your base image tags.
2. If you want to narrow which tags trigger the workflow (e.g., only semantic versions), replace - '*' with a more specific pattern such as - 'v*'.

[sourcery-ai]

🚨 issue (security): Piping curl directly to sudo bash is a security risk and makes debugging harder.

Fetching and executing a remote script with sudo in a single step prevents inspection/validation and couples the build to whatever is at that URL at run time. Prefer downloading the script first, verifying it (e.g., checksum or pinned ref), then executing it, and pin slimtoolkit to a specific version/commit for reproducible builds.

[sourcery-ai]

suggestion (performance): Building all services via docker compose ... build may be more work than necessary for this job.

If only the slim-related images are needed, consider building just those services, e.g. docker compose -f ./docker/docker-compose.dep.yml build <service-name>. This can cut CI build time and resource usage and make the slim step’s dependencies explicit.

Suggested implementation:

      - name: Build and Push eagle-slim
        run: |
          # Build only the service that produces the icrar/eagle:${VCS_TAG} image,
          # to avoid building unrelated services and keep this job lean.
          docker compose -f ./docker/docker-compose.dep.yml build eagle
          curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -
          slim build --include-shell --include-path /usr/local/lib --include-path /usr/local/bin --tag icrar/eagle.slim:${VCS_TAG} icrar/eagle:${VCS_TAG}
          # docker push --all-tags icrar/eagle
          docker push --all-tags icrar/eagle.slim

1. Replace eagle in the docker compose ... build eagle command with the actual service name from docker/docker-compose.dep.yml that builds the icrar/eagle:${VCS_TAG} image (e.g. eagle, eagle-app, etc.).
2. If multiple services are required for the slim build (e.g. a base image and an app image), list them all: docker compose -f ./docker/docker-compose.dep.yml build service1 service2.

[james-strauss-uwa]

@myxie Sounds good