Reworked CI Build

[overheadhunter]

• Refactored workflow into separate jobs
• Use external Dockerfile instead of Quarkus magic to build images
• Use a build matrix to build native images (avoid slow emulation when using Quarkus native image)
• Publish multi-arch container images, so we no longer need -amd64 suffix when deploying native images.
• Added provenance attestation

See Build

See Resulting Image for commit 625d3cd

See Attestation for this build.

Verify as per this instruction:

regctl manifest get --format raw-body ghcr.io/cryptomator/hub:625d3cd > manifest.json
regctl artifact get ghcr.io/cryptomator/hub:sha256-491a192667a38c8c8fefa2f4bba5270f7afc4c74b607cad740dd677f25358f22 > bundle.json
cosign verify-blob-attestation --bundle bundle.json --new-bundle-format --certificate-oidc-issuer="https://token.actions.githubusercontent.com" --certificate-identity-regexp="^https://github.com/cryptomator/hub/.github/workflows/build.yml.*" manifest.json

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

The changes modify the build and deployment configurations across multiple areas. The GitHub Actions workflow in .github/workflows/build.yml has been updated to remove the manual trigger input and rename a test job, while switching from the standard Maven command to use the Maven Wrapper with additional options. Two new workflow jobs, build-native-image and multi-arch-image, have been added to build and push Docker images for multiple architectures using the commit SHA for tagging and to generate multi-architecture manifests. In the backend, the Maven Wrapper is now integrated with the addition of new wrapper scripts, a properties file, and an updated .gitignore entry for the Maven Wrapper jar. The README.md has been revised to replace Maven-based build commands with Docker commands, and changes in pom.xml adjust the Quarkus container image configurations. New Dockerfiles for both JVM and native images have been introduced.

Possibly related PRs

• Reworked CI Build #322: The changes in the main PR are directly related to those in the retrieved PR, as both involve significant modifications to the GitHub Actions workflow in .github/workflows/build.yml, including the introduction of the build-native-image job and the use of the Maven Wrapper.

Suggested reviewers

• SailReal

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d53abc6 and 635f43b.

📒 Files selected for processing (2)

• .github/workflows/keycloak.yml (1 hunks)
• CHANGELOG.md (1 hunks)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

backend/src/main/docker/Dockerfile.jvm (2)

2-2: Consider pinning specific base image versions.

The base images use major version tags which could lead to unexpected changes. Consider using more specific version tags for better reproducibility.

-FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21 AS builder
+FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21.0.2 AS builder
-FROM eclipse-temurin:21-jre-alpine
+FROM eclipse-temurin:21.0.2_13-jre-alpine

Also applies to: 13-13

---

8-10: Consider caching Maven dependencies more effectively.

The current setup downloads dependencies twice. Consider copying the source files before running go-offline to cache all dependencies.

+COPY src /code/src
 RUN ./mvnw -B quarkus:go-offline --no-transfer-progress
-COPY src /code/src
 RUN ./mvnw -B package -DskipTests --no-transfer-progress --strict-checksums

backend/src/main/docker/Dockerfile.native (2)

2-2: Consider pinning specific base image versions.

The base images use major version tags which could lead to unexpected changes. Consider using more specific version tags for better reproducibility.

-FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21 AS builder
+FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21.0.2 AS builder
-FROM quay.io/quarkus/quarkus-micro-image:2.0
+FROM quay.io/quarkus/quarkus-micro-image:2.0.3

Also applies to: 13-13

---

8-10: Consider caching Maven dependencies more effectively.

The current setup downloads dependencies twice. Consider copying the source files before running go-offline to cache all dependencies.

+COPY src /code/src
 RUN ./mvnw -B quarkus:go-offline --no-transfer-progress
-COPY src /code/src
 RUN ./mvnw -B package -Dnative -DskipTests --no-transfer-progress --strict-checksums

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76e7431 and d53abc6.

📒 Files selected for processing (9)

• .github/workflows/build.yml (2 hunks)
• backend/.mvn/wrapper/.gitignore (1 hunks)
• backend/.mvn/wrapper/maven-wrapper.properties (1 hunks)
• backend/README.md (2 hunks)
• backend/mvnw (1 hunks)
• backend/mvnw.cmd (1 hunks)
• backend/pom.xml (1 hunks)
• backend/src/main/docker/Dockerfile.jvm (1 hunks)
• backend/src/main/docker/Dockerfile.native (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• backend/.mvn/wrapper/maven-wrapper.properties
• backend/.mvn/wrapper/.gitignore

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/build.yml

87-87: label "ubuntu-24.04-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🔇 Additional comments (11)

backend/mvnw.cmd (1)

1-150: LGTM! Well-structured Maven wrapper script for Windows.

The script follows best practices with proper error handling, secure credential management, and checksum validation.

backend/mvnw (1)

1-260: LGTM! Well-structured Maven wrapper script for Unix-like systems.

The script implements robust security practices with proper error handling, secure credential management, and platform-specific adaptations.

backend/src/main/docker/Dockerfile.native (1)

17-21: LGTM! Proper permission setup for non-root user.

The permission setup follows security best practices by:

• Setting appropriate directory permissions
• Running as non-root user
• Maintaining group access for container orchestration

backend/README.md (3)

11-11: Use of Maven Wrapper for Dev Mode
The command now uses ./mvnw clean quarkus:dev to start dev mode. This ensures that the build environment is consistent across systems.

---

51-52: JVM Docker Image Build Command Update
The Docker build command now references Dockerfile.jvm with the correct image tag. This change aligns with the Docker-centric approach. Confirm that the image metadata and context are correct.

---

58-59: Native Docker Image Build Command Update
The command to build native images now correctly points to Dockerfile.native. The accompanying note on build-time and memory requirements is informative.

.github/workflows/build.yml (4)

18-21: Renaming of Test Job to "Run Tests"
Renaming the job to "Run Tests" improves clarity. The updated steps (checkout, Node setup, frontend build/test, and backend Maven build) appear correctly sequenced.

---

66-71: Backend Maven Build Command Update
The backend build command now uses the Maven Wrapper (./mvnw -B clean verify ... --no-transfer-progress). This should provide more stable builds and cleaner logs.

---

76-147: New Job: Build and Push Native Images
The newly added build-native-image job is well structured with a matrix strategy for multi-architecture builds. Each step—from setting up Node and installing dependencies to configuring Docker metadata and pushing the container—seems properly orchestrated.

🧰 Tools

🪛 actionlint (1.7.4)

87-87: label "ubuntu-24.04-arm" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

148-187: New Job: Multi-Arch Image Manifest and Provenance
The multi-arch-image job correctly depends on the native image build, creates a multi-architecture manifest, and generates an artifact attestation. The step to extract a short commit SHA and use it for tagging is a neat touch.

backend/pom.xml (1)

271-274: Update to Uber-Jar Packaging Property
The change from <quarkus.package.type> to <quarkus.package.jar.type>uber-jar</quarkus.package.jar.type> in the "uber-jar" profile aligns with updated Quarkus conventions for packaging. Verify that downstream processes and documentation are updated to reflect this change.