Skip to content

Use apko and melange for container creation #932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MH0386 wants to merge 240 commits into
base: main
Choose a base branch
from
+144 −63
Open

Use apko and melange for container creation #932

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
240 commits
Select commit Hold shift + click to select a range
a9afcf1
feat: add initial apko.yaml configuration for vocalizr
MH0386 Nov 9, 2025
526c506
feat: add melange.yaml configuration for vocalizr
MH0386 Nov 9, 2025
3a2bf83
Merge branch 'main' into apko
mergify[bot] Nov 11, 2025
b4ddbf6
refactor: remove build-system and reorganize ruff configuration in py…
MH0386 Nov 11, 2025
69d6b3d
feat: add pycrucible_payload to .gitignore
MH0386 Nov 11, 2025
9d5d9f9
feat: update .gitignore to include launcher and *.rsa* files
MH0386 Nov 11, 2025
44557e9
feat: add initial pycrucible.toml configuration for environment setup
MH0386 Nov 11, 2025
c0d5362
Merge branch 'apko' of https://github.com/AlphaSphereDotAI/vocalizr i…
MH0386 Nov 11, 2025
289b580
Replace docfork configuration with new URL
MH0386 Nov 11, 2025
6d97a93
Fix missing newline at end of mcp.json
MH0386 Nov 11, 2025
63f4e07
Merge branch 'main' into apko
mergify[bot] Nov 11, 2025
0884e58
Refactor workflow to build APK with Melange and remove Dockerfile val…
MH0386 Nov 11, 2025
9f73683
Update streamline pipeline steps
MH0386 Nov 11, 2025
2870966
Update upload artifact action to version 5 in Docker workflow
MH0386 Nov 11, 2025
1968180
Change run command to shell in Docker workflow
MH0386 Nov 11, 2025
93258a3
Update Docker image and shell for Melange installation
MH0386 Nov 11, 2025
4485252
Update keygen command to use melange
MH0386 Nov 11, 2025
2e2d95c
Update Melange image to latest-dev and change run command to use bash
MH0386 Nov 11, 2025
fd12d0f
Add bash to the list of packages
MH0386 Nov 11, 2025
1f26a6e
Add debug pipeline to melange.yaml
MH0386 Nov 11, 2025
1d2876e
Add busybox to the melange.yaml dependencies
MH0386 Nov 11, 2025
992b1ba
Add step to create target directories in melange.yaml
MH0386 Nov 11, 2025
2a7fab9
Delete pycrucible_bin directory
MH0386 Nov 11, 2025
992b593
Replace Docker build and push action with Chainguard's apko-publish
MH0386 Nov 11, 2025
753b9e3
Rename apko.yaml to .apko.yaml configuration
MH0386 Nov 11, 2025
8342c29
Update .apko.yaml to include local repository and package, and change…
MH0386 Nov 11, 2025
9f57da6
Remove debug step from pipeline in melange.yaml
MH0386 Nov 11, 2025
a4139ad
Merge branch 'apko' of https://github.com/AlphaSphereDotAI/vocalizr i…
MH0386 Nov 11, 2025
59e5023
Merge branch 'main' into apko
mergify[bot] Nov 11, 2025
d4556f2
Update Docker workflow to include additional artifact and streamline …
MH0386 Nov 11, 2025
2b590e7
Refactor Docker workflow by removing unnecessary login and setup step…
MH0386 Nov 11, 2025
e55db47
List contents of packages in Docker workflow
MH0386 Nov 11, 2025
6c223ea
Refactor artifact upload and download steps in Docker workflow to imp…
MH0386 Nov 11, 2025
2a73374
Update .gitignore to include packages and tar files
MH0386 Nov 11, 2025
99e5dd2
Update repo path in apko config
MH0386 Nov 11, 2025
0f0308f
Merge branch 'main' into apko
mergify[bot] Nov 12, 2025
5f1d68a
Update local repo in .apko.yaml
MH0386 Nov 12, 2025
83ea9fa
Update .apko.yaml
MH0386 Nov 12, 2025
f9636ec
Update local package path in .apko.yaml
MH0386 Nov 12, 2025
a86b932
Add debug output for directory structure
MH0386 Nov 12, 2025
e0fe89f
Change download path for APK artifact
MH0386 Nov 12, 2025
6b6ab62
Merge branch 'main' into apko
mergify[bot] Nov 12, 2025
47ded06
Add Docker login step to workflow
MH0386 Nov 12, 2025
611511a
remove docker login action and pass credentials apko directly
MH0386 Nov 12, 2025
8f84319
Merge 611511a4eaff1fefe39d24eecff67c37320c36a8 into 7c15a919c663a016a…
MH0386 Nov 12, 2025
c827eb3
[Trunk] Apply linters fixes
MH0386 Nov 12, 2025
898c31a
Fix syntax for generic-pass in Docker workflow
MH0386 Nov 12, 2025
4cd5aff
Remove PATH from .apko.yaml
MH0386 Nov 12, 2025
d476383
Update pyproject.toml
MH0386 Nov 12, 2025
160953e
Add UV_VENV_CLEAR environment variable
MH0386 Nov 12, 2025
b2ea024
Change run-as user from 'nonroot' to UID 65532
MH0386 Nov 12, 2025
3738c45
Comment out shell for nonroot user
MH0386 Nov 12, 2025
b2a10e6
Change entrypoint command to cmd in .apko.yaml
MH0386 Nov 12, 2025
df823ba
Remove runtime dependencies from package definition in melange.yaml
MH0386 Nov 12, 2025
88f48fe
Remove redundant environment variable from package definition in mela…
MH0386 Nov 12, 2025
0a56458
Refactor pipeline steps in melange.yaml for installing uv deps
MH0386 Nov 12, 2025
8609a8c
Merge branch 'apko' of https://github.com/AlphaSphereDotAI/vocalizr i…
MH0386 Nov 12, 2025
0dd0cae
Merge branch 'main' into apko
mergify[bot] Nov 12, 2025
415b1ca
Add directory creation for vocalizr
MH0386 Nov 12, 2025
755c07d
Update symbolic link path in melange.yaml
MH0386 Nov 12, 2025
4884022
Move environment variable setup to Install dependencies
MH0386 Nov 12, 2025
9fc4770
Merge 4884022396789c5aa22f5f69c6fb35af3250750e into f67efa0d0a5f491c9…
MH0386 Nov 12, 2025
b62e203
[Trunk] Apply linters fixes
MH0386 Nov 12, 2025
2cac2c1
Refactor build steps in melange.yaml
MH0386 Nov 12, 2025
e338b7f
Merge 2cac2c1f7df03a54cd8c9162e2eb7ae1334799d0 into f67efa0d0a5f491c9…
MH0386 Nov 12, 2025
5ccd56a
[Trunk] Apply linters fixes
MH0386 Nov 12, 2025
644c251
Remove lock file after syncing pycrucible
MH0386 Nov 12, 2025
cca9c09
Remove completion.sh file during cleanup
MH0386 Nov 12, 2025
af14bed
Uncomment build-system configuration in pyproject.toml
MH0386 Nov 12, 2025
1f2fb1b
Refactor build steps in melange.yaml to install the package using uv
MH0386 Nov 12, 2025
54b312b
Merge branch 'apko' of https://github.com/AlphaSphereDotAI/vocalizr i…
MH0386 Nov 12, 2025
134bfd4
Specify Python version for uv tool installation
MH0386 Nov 12, 2025
dafb295
Add cargo to the list of dependencies
MH0386 Nov 12, 2025
6c1f662
Replace cargo with rustup in melange.yaml
MH0386 Nov 12, 2025
83e1a55
Export environment variables for build process
MH0386 Nov 12, 2025
8a9aabe
Remove lock file in UV tool directory
MH0386 Nov 12, 2025
5ce5949
Update runtime dependency from 'uv' to 'python-as-3.12'
MH0386 Nov 12, 2025
c22da27
Merge branch 'main' into apko
mergify[bot] Nov 13, 2025
8b379d6
Add gcc python3 python3-dev
MH0386 Nov 13, 2025
d60681c
Merge branch 'main' into apko
mergify[bot] Nov 13, 2025
b5a7209
Add additional dependencies to melange.yaml
MH0386 Nov 13, 2025
ff7b648
Add UV_NO_CACHE and UV_NO_DEV exports
MH0386 Nov 13, 2025
38a0d73
Replace 'uv cache prune' with 'uv cache clean'
MH0386 Nov 13, 2025
a2ccd38
Add UV_LINK_MODE environment variable for build
MH0386 Nov 13, 2025
f6a0bfa
Update .apko.yaml
MH0386 Nov 13, 2025
1641d02
Add UV_NO_BUILD environment variable to build step
MH0386 Nov 13, 2025
5b676d0
Initial plan
Copilot Nov 13, 2025
3ee607c
Fix apko building by using relative path for local repository
Copilot Nov 13, 2025
2969af0
Add libfabric dependency for PyTorch runtime support
Copilot Nov 13, 2025
b52accb
Comment out libfabric dependency
MH0386 Nov 13, 2025
7973442
Merge branch 'main' into apko
mergify[bot] Nov 13, 2025
ae417b6
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 13, 2025
efc725e
Merge branch 'main' into apko
mergify[bot] Nov 13, 2025
c42deec
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 13, 2025
f79f1b6
Merge branch 'main' into apko
mergify[bot] Nov 13, 2025
1957359
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 13, 2025
02eb5d3
Remove libfabric dependency - not available in Wolfi repos
Copilot Nov 13, 2025
f4e26c3
Remove git installation steps from pipeline
MH0386 Nov 13, 2025
87a0690
Disable automatic dependency scanning in melange to avoid libfabric i…
Copilot Nov 13, 2025
874e191
Merge branch 'main' into apko
mergify[bot] Nov 14, 2025
afdb669
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 14, 2025
0285803
Merge branch 'main' into apko
mergify[bot] Nov 14, 2025
184a825
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 14, 2025
e047b28
Clean up runtime dependencies in melange.yaml
MH0386 Nov 14, 2025
eace663
Add no-depends option to melange.yaml
MH0386 Nov 14, 2025
e4a886a
Reorganize no-depends option in melange.yaml
MH0386 Nov 14, 2025
d8b8de6
Update .apko.yaml by removing unused packages
MH0386 Nov 14, 2025
e9e5f05
Comment out condition for Free Disk Space step
MH0386 Nov 14, 2025
ac975a7
Replace Free Disk Space action with enhanced version
MH0386 Nov 14, 2025
2f49861
Merge ac975a7b9d69b3d2cb7805296b4f60c14b05d2bc into 0285803d80e52583a…
Copilot Nov 14, 2025
b9382e7
[Trunk] Apply linters fixes
MH0386 Nov 14, 2025
cc0d417
Update command path in .apko.yaml
MH0386 Nov 14, 2025
c618dd7
Fix container start: use full path for vocalizr command
Copilot Nov 14, 2025
56868b2
Add UV_SYSTEM_PYTHON environment variable
MH0386 Nov 14, 2025
bed97a0
Change UV_SYSTEM_PYTHON from 1 to true
MH0386 Nov 14, 2025
8934136
Configure UV tool environment and update install command
MH0386 Nov 14, 2025
4af737f
Modify uv tool install command syntax
MH0386 Nov 14, 2025
5c9d8bb
Change UV_SYSTEM_PYTHON to 1 and add UV_NO_MANAGED_PYTHON
MH0386 Nov 14, 2025
4a268ea
Update Python dependency to python-as-3.12
MH0386 Nov 14, 2025
24dad00
Merge branch 'main' into apko
mergify[bot] Nov 15, 2025
0c0f230
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 15, 2025
e3e2c26
Update Python version in melange.yaml
MH0386 Nov 15, 2025
9e343b9
Merge branch 'main' into apko
mergify[bot] Nov 15, 2025
dce342d
Merge branch 'apko' into copilot/fix-apko-building-issue
mergify[bot] Nov 15, 2025
148075c
Update Python dependencies in melange.yaml
MH0386 Nov 15, 2025
7fdd512
Fix melange build: export env vars in pipeline and add --python flag
Copilot Nov 15, 2025
eb3c9b5
Update environment settings and build pipeline
MH0386 Nov 15, 2025
cdc74b6
Add strip usage in melange.yaml
MH0386 Nov 15, 2025
12eb793
Update melange.yaml
MH0386 Nov 15, 2025
256739a
Update UV_TOOL_DIR to use package name
MH0386 Nov 15, 2025
c977419
Enhance build pipeline with echo command
MH0386 Nov 15, 2025
b7c3662
Update melange.yaml
MH0386 Nov 15, 2025
2b3b4d7
Refactor environment variables in melange.yaml
MH0386 Nov 15, 2025
f9bff59
Change variable assignment to export in melange.yaml
MH0386 Nov 15, 2025
5992826
Set execute permission for package binary
MH0386 Nov 15, 2025
ed99f6f
Comment out uv cache clean and strip usage
MH0386 Nov 15, 2025
276271f
Merge ed99f6fc5320d7b76ce11b7c56ac186d102dbaa9 into 9e343b9c2db8fbdd1…
Copilot Nov 15, 2025
de61020
[Trunk] Apply linters fixes
MH0386 Nov 15, 2025
334feb4
Fix UV_TOOL_BIN_DIR and UV_TOOL_DIR paths
MH0386 Nov 15, 2025
970db06
Refactor UV tool installation and directory handling
MH0386 Nov 15, 2025
e6f6e56
Update melange.yaml
MH0386 Nov 15, 2025
b8fad78
Remove commented lock file removal from melange.yaml
MH0386 Nov 15, 2025
f066504
Refactor tool directory setup in melange.yaml
MH0386 Nov 15, 2025
78b77ea
Remove package directory after copying
MH0386 Nov 15, 2025
c6747c9
Change rm command to use -rf option
MH0386 Nov 15, 2025
9d4a9c2
Update work directory paths in .apko.yaml
MH0386 Nov 15, 2025
1a61159
Change shell for nonroot user and update run-as
MH0386 Nov 15, 2025
35f48e6
Update user and group IDs in .apko.yaml
MH0386 Nov 15, 2025
21474ae
Update .apko.yaml
MH0386 Nov 15, 2025
f2f3613
Add curl
MH0386 Nov 15, 2025
d7fbe74
Add `python -m spacy download en_core_web_sm`
MH0386 Nov 15, 2025
c1b94ce
Modify condition for Cleaning GHCR job
MH0386 Nov 16, 2025
d45242b
Refactor remove_folders to a single line in docker.yaml
MH0386 Nov 16, 2025
3b8d0d0
Remove health check options for vocalizr service
MH0386 Nov 16, 2025
442f7c2
Merge 3b8d0d01aac81c7469fdced866f56476fbcdc802 into 9e343b9c2db8fbdd1…
Copilot Nov 16, 2025
287e24d
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
20fdee8
Add sleep step before checking out repository
MH0386 Nov 16, 2025
72a23c5
Update Python dependency and clean cache commands
MH0386 Nov 16, 2025
8791f43
Refactor remove_folders list in docker.yaml
MH0386 Nov 16, 2025
518ec75
Merge 8791f4386985c887563d879f24f7d5cc1e064a4d into 9e343b9c2db8fbdd1…
Copilot Nov 16, 2025
9528e9f
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
03e92b4
Merge branch 'main' into apko
mergify[bot] Nov 16, 2025
61d8f61
Merge 03e92b4f84f4c9483e23eb2069ccf50d7d7668e6 into c8952846983b3a6be…
MH0386 Nov 16, 2025
96c6cd9
Merge branch 'apko' into copilot/fix-apko-building-issue
MH0386 Nov 16, 2025
904bff6
Merge 96c6cd93c43be05b915001a75fcf7245446b799b into 03e92b4f84f4c9483…
Copilot Nov 16, 2025
4ca5102
[Trunk] Apply linters fixes
mergify[bot] Nov 16, 2025
ecf4914
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
a7e5dc0
Format
MH0386 Nov 16, 2025
9e10417
Merge branch 'apko' into copilot/fix-apko-building-issue
MH0386 Nov 16, 2025
02a2373
Merge 9e104177379eef8b494d113a643f7639f9080a9d into 4ca510255d2765979…
Copilot Nov 16, 2025
3ed752c
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
66f9787
Improve formatting of remove_folders in docker.yaml
MH0386 Nov 16, 2025
f364df7
Merge 66f97876312bdc083ea739b3393cf5b741498f9a into 4ca510255d2765979…
Copilot Nov 16, 2025
a8721ef
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
474c82d
Change max line length from 120 to 100
MH0386 Nov 16, 2025
3c2dc22
Merge 474c82de839a27dc5e6860b374fa5605bc0930fb into 4ca510255d2765979…
Copilot Nov 16, 2025
e2edee1
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
659d5a1
Remove max_line_length setting from yamlfmt config
MH0386 Nov 16, 2025
860344d
Merge 659d5a1d0dc4390576421d6903a90a51ef7ae6a6 into 4ca510255d2765979…
Copilot Nov 16, 2025
1baae8d
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
049a71e
Comment out max line length setting
MH0386 Nov 16, 2025
243e491
Add max_line_length setting to yamlfmt config
MH0386 Nov 16, 2025
87402a4
Merge 243e4912951e7c515f6d562fd5a34fd19750ee90 into 4ca510255d2765979…
Copilot Nov 16, 2025
5184667
[Trunk] Apply linters fixes
MH0386 Nov 16, 2025
02121bb
Merge pull request #939 from AlphaSphereDotAI/copilot/fix-apko-buildi…
MH0386 Nov 16, 2025
9090cfd
Clean up package list in melange.yaml
MH0386 Nov 16, 2025
9e96713
Add 'sh' package to melange.yaml
MH0386 Nov 16, 2025
ab0b15f
Replace 'sh' with 'bash' in melange.yaml
MH0386 Nov 16, 2025
7f89d5d
Add ca-certificates-bundle to melange.yaml
MH0386 Nov 16, 2025
da18099
Replace ca-certificates-bundle and bash with busybox
MH0386 Nov 16, 2025
309f67b
Remove curl from package list in .apko.yaml
MH0386 Nov 16, 2025
87d0c59
Remove ca-certificates-bundle and wolfi-baselayout
MH0386 Nov 17, 2025
2a7deec
Remove shell for nonroot user in .apko.yaml
MH0386 Nov 17, 2025
7d61a04
Remove libstdc++ from dependencies
MH0386 Nov 17, 2025
1cef106
Update Python dependency to use variable for version
MH0386 Nov 17, 2025
4de211a
Use uv managed python
MH0386 Nov 17, 2025
0986ee1
Add UV_PYTHON environment variable to melange.yaml
MH0386 Nov 17, 2025
b77ddfd
Add libstdc++ to the package list
MH0386 Nov 17, 2025
4d2bd0a
Replace libstdc++ with build-base in melange.yaml
MH0386 Nov 17, 2025
3a4a1d8
Remove runtime dependencies from melange.yaml
MH0386 Nov 17, 2025
a300402
Add Python 3 dependency and update pipeline
MH0386 Nov 17, 2025
4e76350
Merge a300402d0c2eb85efd1489b08caef2769dc7083a into 02121bb9f1a93f715…
MH0386 Nov 17, 2025
9a590cf
[Trunk] Apply linters fixes
MH0386 Nov 17, 2025
9fbae1b
Change python_version to a string format
MH0386 Nov 17, 2025
19ebae2
Fix python3 version syntax in melange.yaml
MH0386 Nov 17, 2025
b2f6c38
Fix Python version in melange.yaml
MH0386 Nov 17, 2025
a499522
Change python3 version specification in melange.yaml
MH0386 Nov 17, 2025
fd40545
Fix Python package name in melange.yaml
MH0386 Nov 17, 2025
b550efb
Parameterize Python version in melange.yaml
MH0386 Nov 17, 2025
0afb548
Merge branch 'main' into apko
MH0386 Nov 18, 2025
56acf03
Uncomment max line length in yamllint config
MH0386 Nov 18, 2025
1761b1b
Merge branch 'apko' into size
mergify[bot] Nov 18, 2025
7efd1c2
Merge branch 'main' into apko
mergify[bot] Nov 19, 2025
8fea989
Merge branch 'apko' into size
mergify[bot] Nov 19, 2025
b548f51
Merge branch 'main' into apko
mergify[bot] Nov 19, 2025
f923ad8
Merge branch 'apko' into size
mergify[bot] Nov 19, 2025
cf118cf
Merge branch 'main' into apko
mergify[bot] Nov 19, 2025
f6e7328
Merge branch 'apko' into size
mergify[bot] Nov 19, 2025
078f04d
Merge branch 'main' into apko
mergify[bot] Nov 20, 2025
e458298
Merge branch 'apko' into size
mergify[bot] Nov 20, 2025
7e0b728
Merge pull request #950 from AlphaSphereDotAI/size
MH0386 Nov 20, 2025
9405934
Add strip usage in melange.yaml
MH0386 Nov 20, 2025
0cad593
Add layering strategy and budget to .apko.yaml
MH0386 Nov 20, 2025
e3c64cb
Update .apko.yaml
MH0386 Nov 20, 2025
b3b944e
Add cleanup for __pycache__ directories
MH0386 Nov 20, 2025
f7e033e
Merge branch 'apko' into layering
mergify[bot] Nov 20, 2025
cba77e7
Update melange.yaml
MH0386 Nov 20, 2025
b392220
Merge branch 'apko' into layering
mergify[bot] Nov 20, 2025
aad130c
Merge branch 'main' into apko
mergify[bot] Nov 21, 2025
3b7d62b
Merge branch 'apko' into layering
mergify[bot] Nov 21, 2025
888a60e
Merge branch 'main' into apko
mergify[bot] Nov 22, 2025
739462d
Merge branch 'apko' into layering
mergify[bot] Nov 22, 2025
864be6a
Merge branch 'main' into apko
mergify[bot] Nov 22, 2025
afb4baa
Merge branch 'apko' into layering
mergify[bot] Nov 22, 2025
359d00e
Merge branch 'main' into apko
mergify[bot] Nov 23, 2025
aade8e6
Merge branch 'apko' into layering
mergify[bot] Nov 23, 2025
fd13715
Merge pull request #965 from AlphaSphereDotAI/layering
MH0386 Nov 23, 2025
afcfd37
Merge branch 'main' into apko
mergify[bot] Nov 23, 2025
c115929
Merge branch 'main' into apko
mergify[bot] Nov 23, 2025
4f9d4ff
Merge branch 'main' into apko
mergify[bot] Nov 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions .apko.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
contents:
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
- ./melange.rsa.pub
repositories:
- https://packages.wolfi.dev/os
- '@local ./work/packages'
packages:
- vocalizr@local
cmd: /usr/bin/vocalizr
archs:
- amd64
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The architecture is limited to 'amd64' only, but the melange.yaml specifies 'all' architectures. These should be consistent. Consider supporting arm64 as well for broader platform compatibility.

Suggested change
- amd64
- amd64
- arm64

Copilot uses AI. Check for mistakes.
environment:
GRADIO_SERVER_PORT: 7860
GRADIO_SERVER_NAME: 0.0.0.0
HF_HOME: /home/nonroot/hf
accounts:
groups:
- groupname: nonroot
gid: 10000
users:
- username: nonroot
uid: 10000
run-as: nonroot
work-dir: /home/nonroot
paths:
- path: /home/nonroot
type: directory
uid: 10000
gid: 10000
permissions: 0o777
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fix permissions syntax and reduce overly permissive settings.

Lines 31 and 36 use Python octal notation (0o777) which YAML parsers may not recognize. Additionally, 777 permissions (read/write/execute for everyone) violates the principle of least privilege. Use 0755 (or decimal 493) for both directories to allow the nonroot user full access while restricting write permissions for others.

  - path: /home/nonroot
    type: directory
    uid: 10000
    gid: 10000
-   permissions: 0o777
+   permissions: 0755
  - path: /usr/share/vocalizr
    type: directory
    uid: 10000
    gid: 10000
-   permissions: 0o777
+   permissions: 0755

Also applies to: 36-36

🤖 Prompt for AI Agents 
In .apko.yaml around lines 31 and 36, replace the Python-style octal literal
`0o777` with a YAML-friendly, least-privilege permission such as `0755` (as a
quoted string) or the decimal equivalent `493`; update both occurrences so
directories grant owner full access and restrict write for group/others instead
of world-writable.

Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting permissions to 0o777 (world-writable) on /home/nonroot poses a security risk as it allows any user to modify the home directory contents. Consider using more restrictive permissions like 0o755 or 0o700.

Suggested change
permissions: 0o777
permissions: 0o700

Copilot uses AI. Check for mistakes.
- path: /usr/share/vocalizr
type: directory
uid: 10000
gid: 10000
permissions: 0o777
Comment on lines +31 to +36
Copy link

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overly permissive permissions: Setting permissions to 0o777 (read, write, execute for everyone) on /home/nonroot and /usr/share/vocalizr is a security risk. These directories should use more restrictive permissions like 0o755 (rwxr-xr-x) or 0o700 (rwx------) to follow the principle of least privilege.

Suggested change
permissions: 0o777
- path: /usr/share/vocalizr
type: directory
uid: 10000
gid: 10000
permissions: 0o777
permissions: 0o755
- path: /usr/share/vocalizr
type: directory
uid: 10000
gid: 10000
permissions: 0o755

Copilot uses AI. Check for mistakes.
Comment on lines +31 to +36
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overly permissive directory permissions: Setting permissions to 0o777 (world-writable) is a security risk as it allows any user to modify these directories. Consider using 0o755 for /home/nonroot and 0o755 or 0o750 for /usr/share/vocalizr to maintain security while allowing the nonroot user necessary access.

Suggested change
permissions: 0o777
- path: /usr/share/vocalizr
type: directory
uid: 10000
gid: 10000
permissions: 0o777
permissions: 0o755
- path: /usr/share/vocalizr
type: directory
uid: 10000
gid: 10000
permissions: 0o755

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting permissions to 0o777 (world-writable) on /usr/share/vocalizr poses a security risk. Consider using more restrictive permissions like 0o755 to prevent unauthorized modifications.

Suggested change
permissions: 0o777
permissions: 0o755

Copilot uses AI. Check for mistakes.
layering:
strategy: origin
budget: 5
113 changes: 51 additions & 62 deletions .github/workflows/.docker.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,8 @@ permissions:
attestations: write
id-token: write
jobs:
check_dockerfile:
name: Validate Dockerfile
build_apk:
name: Build APK with Melange
runs-on: ubuntu-latest
if: ${{ inputs.is_test }}
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build_apk job only runs when inputs.is_test is true (line 26), but build_image depends on it (line 64) and always runs (if: ${{ always() && !cancelled() }}). This means the build_image job will run even when build_apk is skipped in non-test scenarios, causing the workflow to fail when trying to download the APK artifact that was never created.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build_apk job only runs when is_test is true, but build_image job depends on it and runs with if: ${{ always() && !cancelled() }}. This means that in non-test mode (production), the build_apk job will be skipped, but build_image will still try to run and fail because it won't have the required APK and melange key artifacts. Consider removing the condition on line 26 or adjusting the build_image job's condition to handle the case when build_apk is skipped.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Resolve artifact availability mismatch between build_apk and build_image jobs.

The build_apk job only runs when inputs.is_test is true (line 26), but build_image unconditionally runs (line 65) and attempts to download APK artifacts (lines 94–101). This causes the workflow to fail in non-test mode because the artifacts are never created.

Choose one of the following approaches:

Option A: Make build_apk always run (recommended if APK is always needed)

  build_apk:
    name: Build APK with Melange
    runs-on: ubuntu-latest
-   if: ${{ inputs.is_test }}
    environment:
      name: code_quality

Option B: Add if-no-files-found: ignore to artifact downloads (if APK is optional)

      - name: Download APK artifact
        uses: actions/download-artifact@v6.0.0
+       if: ${{ inputs.is_test }}
        with:
          name: apk
          path: work/packages/
      - name: Download Melange key artifact
        uses: actions/download-artifact@v6.0.0
+       if: ${{ inputs.is_test }}
        with:
          name: melange

Option C: Make build_image conditional on is_test (if image only needed for testing)

  build_image:
    name: Build and push Docker image to ${{ inputs.registry }}
    needs: build_apk
-   if: ${{ always() && !cancelled() }}
+   if: ${{ inputs.is_test && always() && !cancelled() }}
    runs-on: ubuntu-latest

Also applies to: 64-65, 94-101

🤖 Prompt for AI Agents 
.github/workflows/.docker.yaml lines 26, 64-65, 94-101: the workflow currently
gates the build_apk job on inputs.is_test (line 26) but build_image runs
unconditionally (lines 64-65) and later tries to download APK artifacts (lines
94-101), causing failures when APK artifacts don't exist; fix by choosing one of
the three options: Option A (recommended) — remove or change the if on the
build_apk job so it always runs (delete the "if: ${{ inputs.is_test }}" at line
26 or set it to true) so the APK artifact is always produced; Option B — keep
current job gating but add if-no-files-found: ignore to the artifact download
steps at lines 94-101 so missing artifacts don’t fail the job; Option C — make
the build_image job conditional by adding the same "if: ${{ inputs.is_test }}"
at lines 64-65 so it only runs when APKs exist; apply the chosen change
consistently for both artifact downloads and job conditionals referenced above.

environment:
Expand All @@ -32,33 +32,36 @@ jobs:
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Log in to ${{ inputs.registry }} Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ${{ inputs.registry }}
username: mh0386
password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER
}}
- name: Validate build configuration
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
call: check
- name: Job Summary (Success)
if: ${{ success() }}
run: |
echo "# Dockerfile Check" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "No issues found :heavy_check_mark:" >> $GITHUB_STEP_SUMMARY
- name: Job Summary (Failure)
if: ${{ failure() }}
run: |
echo "# Dockerfile Check" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Check failed :x:" >> $GITHUB_STEP_SUMMARY
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Install Melange
uses: addnab/docker-run-action@v3
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using @v3 without a commit hash is inconsistent with the security practices followed elsewhere in this workflow. All other actions are pinned to specific commit hashes. Consider pinning to a specific commit hash for reproducibility and security, following the same pattern as other actions in this file (e.g., actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8).

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The action reference addnab/docker-run-action@v3 should use a commit hash instead of a mutable tag for better security and reproducibility, consistent with other actions in this workflow (e.g., line 31 uses commit hashes). Consider pinning to a specific commit SHA.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action reference should use a commit SHA for security, consistent with other actions in this workflow. Consider pinning to a specific commit instead of using @v3.

Copilot uses AI. Check for mistakes.
with:
registry: cgr.dev
image: chainguard/melange:latest-dev
options: --rm -v ${{ github.workspace }}:/work
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The melange keygen command (line 42) generates signing keys in the current working directory, but the docker-run-action doesn't specify a working directory. By default, melange will generate melange.rsa and melange.rsa.pub in the container's working directory. The volume mount maps ${{ github.workspace }} to /work, so you should add --work-dir /work to the options or change the run command to cd /work && keygen to ensure the keys are generated in the correct location.

Suggested change
options: --rm -v ${{ github.workspace }}:/work
options: --rm -v ${{ github.workspace }}:/work -w /work

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Add working directory flags to docker-run-action options.

The Melange commands (melange keygen and melange build) need to execute in /work where the workspace is mounted, but the current options don't set the working directory. Without -w /work, commands will run in the container's root and fail to find/generate configuration files and keys.

      - name: Install Melange
        uses: addnab/docker-run-action@v3
        with:
          registry: cgr.dev
          image: chainguard/melange:latest-dev
-         options: --rm -v ${{ github.workspace }}:/work
+         options: --rm -w /work -v ${{ github.workspace }}:/work
          run: melange keygen
          shell: bash
      - name: Build APK
        uses: addnab/docker-run-action@v3
        with:
          registry: cgr.dev
          image: chainguard/melange:latest-dev
-         options: --privileged --rm -v ${{ github.workspace }}:/work
+         options: --privileged --rm -w /work -v ${{ github.workspace }}:/work
          run: melange build melange.yaml --arch amd64 --signing-key melange.rsa
          shell: bash

Also applies to: 49-49

🤖 Prompt for AI Agents 
.github/workflows/.docker.yaml around lines 41 and 49: the docker-run-action
options mount the workspace but don't set the container working directory, so
Melange commands run in the container root and can't find/generate files; update
the options values to include the working-dir flag (add -w /work) so the
container's process runs in the mounted workspace directory for both
occurrences.

run: melange keygen
Comment on lines +36 to +42
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addnab/docker-run-action@v3 action is being used without a commit SHA pin, which goes against the security best practices evident in the rest of the workflow (all other actions use commit SHA pins like @08c6903cd8c0fde910a37f88322edcfb5dd907a8). Consider pinning this action to a specific commit SHA for security and reproducibility.

Copilot uses AI. Check for mistakes.
shell: bash
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The shell: bash parameter appears unnecessary for the keygen command. The addnab/docker-run-action uses sh by default and the keygen command doesn't require bash-specific features.

Suggested change
shell: bash

Copilot uses AI. Check for mistakes.
- name: Build APK
uses: addnab/docker-run-action@v3
Comment on lines +37 to +45
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The action reference addnab/docker-run-action@v3 is missing a commit SHA for security pinning. All other actions in this workflow use commit SHA pinning (e.g., actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8). For consistency and security best practices, this action should also be pinned to a specific commit SHA.

Suggested change
uses: addnab/docker-run-action@v3
with:
registry: cgr.dev
image: chainguard/melange:latest
options: --rm -v ${{ github.workspace }}:/work
run: keygen
- name: Build APK
uses: addnab/docker-run-action@v3
uses: addnab/docker-run-action@b6d6b2c7e6e6e2c3e2e2e2e2e2e2e2e2e2e2e2e2 # v3
with:
registry: cgr.dev
image: chainguard/melange:latest
options: --rm -v ${{ github.workspace }}:/work
run: keygen
- name: Build APK
uses: addnab/docker-run-action@b6d6b2c7e6e6e2c3e2e2e2e2e2e2e2e2e2e2e2e2 # v3

Copilot uses AI. Check for mistakes.
Comment on lines +37 to +45
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The action reference addnab/docker-run-action@v3 is missing a commit SHA for security pinning. All other actions in this workflow use commit SHA pinning (e.g., actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8). For consistency and security best practices, this action should also be pinned to a specific commit SHA.

Suggested change
uses: addnab/docker-run-action@v3
with:
registry: cgr.dev
image: chainguard/melange:latest
options: --rm -v ${{ github.workspace }}:/work
run: keygen
- name: Build APK
uses: addnab/docker-run-action@v3
uses: addnab/docker-run-action@240b7b6e7e2e8e7e1e2c2e7e2e7e2e7e2e7e2e7e # v3
with:
registry: cgr.dev
image: chainguard/melange:latest
options: --rm -v ${{ github.workspace }}:/work
run: keygen
- name: Build APK
uses: addnab/docker-run-action@240b7b6e7e2e8e7e1e2c2e7e2e7e2e7e2e7e2e7e # v3

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using @v3 without a commit hash is inconsistent with the security practices followed elsewhere in this workflow. All other actions are pinned to specific commit hashes. Consider pinning to a specific commit hash for reproducibility and security, following the same pattern as other actions in this file (e.g., actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8).

Copilot uses AI. Check for mistakes.
Comment on lines +37 to +45
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addnab/docker-run-action@v3 action is used without a commit SHA pin. For security and consistency, consider using the full commit SHA as done with other actions in this workflow (e.g., line 35 uses a commit SHA for checkout action).

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action reference should use a commit SHA for security, consistent with other actions in this workflow. Consider pinning to a specific commit instead of using @v3.

Copilot uses AI. Check for mistakes.
with:
registry: cgr.dev
image: chainguard/melange:latest-dev
Comment on lines +40 to +48
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using latest-dev tag for the melange Docker image (lines 40 and 48) introduces unpredictability and potential breaking changes in builds. Consider pinning to a specific version for reproducible builds.

Copilot uses AI. Check for mistakes.
options: --privileged --rm -v ${{ github.workspace }}:/work
run: melange build melange.yaml --arch amd64 --signing-key melange.rsa
Comment on lines +44 to +50
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addnab/docker-run-action@v3 action is being used without a commit SHA pin, which goes against the security best practices evident in the rest of the workflow (all other actions use commit SHA pins). Consider pinning this action to a specific commit SHA for security and reproducibility.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The melange build command needs to run from the correct working directory. Since the workspace is mounted at /work, the command should either change directory first or specify the working directory: run: cd /work && melange build melange.yaml --arch amd64 --signing-key melange.rsa to ensure melange can find the configuration file and signing key.

Suggested change
run: melange build melange.yaml --arch amd64 --signing-key melange.rsa
run: cd /work && melange build melange.yaml --arch amd64 --signing-key melange.rsa

Copilot uses AI. Check for mistakes.
shell: bash
Comment on lines +37 to +51
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addnab/docker-run-action@v3 action is used without a specific commit SHA. For security best practices, GitHub Actions should be pinned to specific commit SHAs, not floating tags like v3, similar to how other actions in this workflow are pinned.

Copilot uses AI. Check for mistakes.
Comment on lines +44 to +51
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addnab/docker-run-action@v3 action is used without specifying security-relevant parameters. The melange keygen step (lines 36-43) runs without --privileged, but the build step (lines 44-51) uses --privileged. Consider whether privileged mode is truly necessary for the build step, as it poses security risks. If required, document why it's needed.

Copilot uses AI. Check for mistakes.
- name: Upload APK artifact
uses: actions/upload-artifact@v5
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using @v5 without a commit hash is inconsistent with the security practices followed elsewhere in this workflow. All other actions are pinned to specific commit hashes. Consider pinning to a specific commit hash for reproducibility and security, following the same pattern as other actions in this file (e.g., actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8).

Suggested change
uses: actions/upload-artifact@v5
uses: actions/upload-artifact@c3a1b7c3e2e6e7e2e2c3a1b7c3e2e6e7e2e2c3a1b7c3e2e6e7e2e2c3a1b7 # v5.0.0

Copilot uses AI. Check for mistakes.
with:
name: apk
path: packages/
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fix artifact path mismatch between upload and download.

APK artifacts are uploaded from packages/ (line 56) but downloaded to work/packages/ (line 97). Update the upload path to match:

      - name: Upload APK artifact
        uses: actions/upload-artifact@v5
        with:
          name: apk
-         path: packages/
+         path: work/packages/

Also applies to: 97-97

🤖 Prompt for AI Agents 
.github/workflows/.docker.yaml around line 56 (and also line 97): the artifact
upload path currently uses "packages/" but the workflow downloads from
"work/packages/" at line 97; update the upload step to use the same path by
changing the upload path to "work/packages/" so upload and download paths match
(ensure both occurrences reference the identical "work/packages/" directory).

- name: Upload Melange key artifact
uses: actions/upload-artifact@v5
with:
name: melange
path: melange.rsa.pub
Comment on lines +57 to +61
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The melange public key is uploaded as an artifact but the corresponding private key (melange.rsa) is not handled. While the private key should not be uploaded as an artifact (for security reasons), ensure it's properly secured during the workflow and cleaned up afterwards. The workflow should also verify that the key is properly available for the signing step.

Copilot uses AI. Check for mistakes.
build_image:
name: Build and push Docker image to ${{ inputs.registry }}
needs: check_dockerfile
needs: build_apk
if: ${{ always() && !cancelled() }}
Comment on lines +64 to 65
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build_apk job is only executed when inputs.is_test is true (line 26), but the build_image job depends on it unconditionally (line 57). This means that when is_test is false, the build_apk job is skipped, and the build_image job will still run due to the always() && !cancelled() condition. However, the APK artifact will not be available. If the image build is intended to use the APK artifact, this logic needs to be reconsidered. Otherwise, if the APK build is only for testing purposes and not needed for the image, this dependency should be removed or made conditional.

Suggested change
needs: build_apk
if: ${{ always() && !cancelled() }}
if: ${{ (!inputs.is_test) || (inputs.is_test && always() && !cancelled()) }}

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependency logic issue: The build_image job needs build_apk but uses 'always()' condition. When is_test is false, build_apk is skipped (line 26), but build_image will still attempt to download APK artifacts that don't exist. The condition should account for whether build_apk ran, or the job dependency should be conditional based on inputs.is_test.

Suggested change
if: ${{ always() && !cancelled() }}
if: ${{ inputs.is_test && !cancelled() }}

Copilot uses AI. Check for mistakes.
runs-on: ubuntu-latest
outputs:
Expand Down Expand Up @@ -86,24 +89,17 @@ jobs:
/usr/local/julia /usr/local/aws-cli /usr/local/aws-sam-cli /usr/share/gradle

- name: Checkout repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Get Python version from pyproject.toml
id: get_python_version
uses: mikefarah/yq@796317b885ae219215caa36e9bdacc87c9962c15 # v4.48.2
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Download APK artifact
uses: actions/download-artifact@v6.0.0
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actions/download-artifact@v6.0.0 uses a non-standard versioning pattern (semantic version instead of just v6). GitHub Actions typically use major version tags like v6 or commit SHAs. Verify that v6.0.0 is a valid tag for this action. The standard practice would be to use @v6 or pin to a specific commit SHA.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The action reference actions/download-artifact@v6.0.0 should use a commit hash instead of a version tag for better security and reproducibility, consistent with other actions in this workflow (e.g., line 92 uses commit hashes). Consider pinning to a specific commit SHA.

Copilot uses AI. Check for mistakes.
with:
cmd: yq -roy '.project.requires-python' pyproject.toml
- name: Log in to ${{ inputs.registry }} Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
name: apk
path: work/packages/
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Path mismatch: APK artifact is uploaded from packages/ (line 56) but downloaded to work/packages/ (line 86). This inconsistency will cause the apko build to fail as it expects packages at /home/runner/work/vocalizr/vocalizr/work/packages (as configured in .apko.yaml line 7), but the artifact will be downloaded to a different location. Consider either:

  1. Downloading to packages/ to match the upload path, or
  2. Updating the .apko.yaml repository path to match where artifacts are downloaded.
Suggested change
path: work/packages/
path: packages/

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The artifact download path work/packages/ doesn't match the upload path packages/. This path mismatch will cause the downloaded artifacts to be placed in the wrong location. The path should be packages/ to match the upload configuration on line 56.

Suggested change
path: work/packages/
path: packages/

Copilot uses AI. Check for mistakes.
- name: Download Melange key artifact
uses: actions/download-artifact@v6.0.0
Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action reference should use a commit SHA for security, consistent with other actions in this workflow. Consider pinning to a specific commit instead of using @v6.0.0.

Copilot uses AI. Check for mistakes.
with:
registry: ${{ inputs.registry }}
username: mh0386
password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER
}}
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
- name: Docker meta
name: melange
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The Melange key artifact is downloaded without specifying a path, which means it will be downloaded to the current directory. However, the .apko.yaml file expects the key at ./melange.rsa.pub (line 4). This should work, but for consistency and clarity, consider adding an explicit path: . to match the expectation.

Suggested change
name: melange
name: melange
path: .

Copilot uses AI. Check for mistakes.
- name: Container metadata
id: meta
uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5
with:
Expand All @@ -114,23 +110,18 @@ jobs:
type=ref,event=tag
type=ref,event=branch
- name: Build and Push to ${{ inputs.registry }}
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
id: push
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
build-args: |
INSTALL_SOURCE=${{ inputs.install_source }}
PYTHON_VERSION=${{ steps.get_python_version.outputs.result }}
uses: chainguard-images/actions/apko-publish@v1.0.7
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Using chainguard-images/actions/apko-publish@v1.0.7 with a semantic version tag instead of a commit hash, while other actions in the workflow use full commit hashes for security. Consider pinning this action to a specific commit hash for consistency with the project's security practices.

Suggested change
uses: chainguard-images/actions/apko-publish@v1.0.7
uses: chainguard-images/actions/apko-publish@b7e2e2c2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e # v1.0.7

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The action reference chainguard-images/actions/apko-publish@v1.0.7 should use a commit hash instead of a version tag for better security and reproducibility, consistent with other actions in this workflow (e.g., line 92 uses commit hashes). Consider pinning to a specific commit SHA.

Suggested change
uses: chainguard-images/actions/apko-publish@v1.0.7
uses: chainguard-images/actions/apko-publish@e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2 # v1.0.7

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action reference should use a commit SHA for security, consistent with other actions in this workflow. Consider pinning to a specific commit instead of using @v1.0.7.

Suggested change
uses: chainguard-images/actions/apko-publish@v1.0.7
uses: chainguard-images/actions/apko-publish@c7e2e2d1e4b2e2e2e6e7e2e2e2e2e2e2e2e2e2e2 # v1.0.7

Copilot uses AI. Check for mistakes.
id: apko
with:
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apko-publish action is missing the required 'config' parameter to specify the apko configuration file (.apko.yaml). According to typical apko-publish usage, a 'config' input pointing to the apko configuration file path is required.

Suggested change
with:
with:
config: .apko.yaml

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing 'config' parameter for apko-publish action. The action needs to know which apko configuration file to use. Add 'config: .apko.yaml' to the 'with' block.

Suggested change
with:
with:
config: .apko.yaml

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apko-publish action is missing the required config parameter. This should point to the apko configuration file, likely .apko.yaml.

Suggested change
with:
with:
config: .apko.yaml

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing required configuration for the apko-publish action. The action requires either:

  1. A config parameter pointing to the apko configuration file (e.g., .apko.yaml)
  2. Or inline configuration

Without specifying the configuration file, the action won't know how to build the container image. Add:

config: .apko.yaml
Suggested change
with:
with:
config: .apko.yaml

Copilot uses AI. Check for mistakes.
tag: ${{ steps.meta.outputs.tags }}
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apko-publish action is missing the required 'config' parameter to specify the apko configuration file. Add 'config: .apko.yaml' to ensure the build uses the correct configuration.

Suggested change
tag: ${{ steps.meta.outputs.tags }}
tag: ${{ steps.meta.outputs.tags }}
config: .apko.yaml

Copilot uses AI. Check for mistakes.
Comment on lines +115 to +116
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apko-publish action configuration is incomplete. It's missing:

  1. The config parameter to specify the path to the apko configuration file (should be config: .apko.yaml)
  2. Registry authentication credentials - the workflow removed the docker/login-action step but didn't add equivalent authentication. You need to add registry: ${{ inputs.registry }}, username: mh0386, and password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER }} to the with section.
Suggested change
with:
tag: ${{ steps.meta.outputs.tags }}
with:
config: .apko.yaml
tag: ${{ steps.meta.outputs.tags }}
registry: ${{ inputs.registry }}
username: mh0386
password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER }}

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing Docker registry authentication. The previous workflow logged into the registry before pushing images, but this step has been removed. The apko-publish action will need authentication to push to the registry. Add the registry login credentials configuration.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apko-publish action is missing the required config parameter to specify the apko configuration file. Add config: .apko.yaml to the with: section to point to the apko configuration file introduced in this PR.

Suggested change
tag: ${{ steps.meta.outputs.tags }}
tag: ${{ steps.meta.outputs.tags }}
config: .apko.yaml

Copilot uses AI. Check for mistakes.
generic-user: mh0386
generic-pass: ${{inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER}}
Copy link

Copilot AI Nov 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apko-publish action is missing the required config parameter to specify the apko configuration file path. This should be set to .apko.yaml to use the configuration file added in this PR.

Suggested change
generic-pass: ${{inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER}}
generic-pass: ${{inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER}}
config: .apko.yaml

Copilot uses AI. Check for mistakes.
- name: Generate artifact attestation
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
if: ${{ inputs.is_test == false }}
with:
subject-name: ${{ inputs.registry == 'docker.io' && 'index.docker.io' || inputs.registry }}/${{ github.repository
}}
subject-digest: ${{ steps.push.outputs.digest }}
subject-name: ${{inputs.registry == 'docker.io' && 'index.docker.io' || inputs.registry}}/${{github.repository}}
subject-digest: ${{ steps.apko.outputs.digest }}
push-to-registry: true
- name: Update Docker Hub Description
if: ${{ inputs.registry == 'docker.io' }}
Expand Down Expand Up @@ -168,8 +159,7 @@ jobs:
with:
registry: ${{ inputs.registry }}
username: mh0386
password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER
}}
password: ${{inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER}}
- name: Docker Scout
uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1
continue-on-error: true
Expand All @@ -191,16 +181,15 @@ jobs:
image: ${{ needs.build_image.outputs.image_tag }}
ports:
- 7860:7860
Copy link

Copilot AI Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The removal of health check options may cause issues with service readiness detection. The container no longer has automated health monitoring, which could lead to race conditions when the service hasn't fully started before tests run. Consider adding health check configuration to the apko.yaml or adding retry logic to the API tests.

Copilot uses AI. Check for mistakes.
options: >-
--health-cmd "curl -o /dev/null -f -s -w 'Status: %{http_code}, Time: %{time_total}s' http://localhost:7860/" --health-interval
10s --health-timeout 10s --health-start-period 20s --health-retries 15
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: audit
- name: Echo URL
run: echo "Vocalizr available on localhost:${{ job.services.vocalizr.ports['7860'] }}"
- name: Sleep for 10 seconds
run: sleep 10s
- name: Checkout repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent action version: This uses actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd while the same action at lines 35 and 92 uses actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8. For consistency and maintainability, all instances of the same action in a workflow should use the same version.

Suggested change
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

Copilot uses AI. Check for mistakes.
- name: Install uv
Expand All @@ -224,7 +213,7 @@ jobs:
needs:
- api_test
- docker_scout
if: ${{ always() && !cancelled() && inputs.registry == 'ghcr.io' }}
if: ${{ inputs.registry == 'ghcr.io' }}
Copy link

Copilot AI Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed conditional logic may cause issues: The condition was changed from ${{ always() && !cancelled() && inputs.registry == 'ghcr.io' }} to just ${{ inputs.registry == 'ghcr.io' }}. This means the cleanup job will no longer run if previous jobs fail or are cancelled. This could be intentional, but if the goal is to clean up old images regardless of build status, the always() && !cancelled() conditions should be retained.

Suggested change
if: ${{ inputs.registry == 'ghcr.io' }}
if: ${{ always() && !cancelled() && inputs.registry == 'ghcr.io' }}

Copilot uses AI. Check for mistakes.
runs-on: ubuntu-latest
environment:
name: docker_image
Expand Down
6 changes: 5 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,8 @@
.venv/
logs/
results/
pycrucible_payload/
pycrucible_payload/
launcher
*.rsa*
packages/
*.tar
49 changes: 49 additions & 0 deletions melange.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
package:
name: vocalizr
version: 0.0.13
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The package version in melange.yaml (0.0.13) is inconsistent with the project version in pyproject.toml (0.1.0). These versions should be synchronized or the melange version should reference the pyproject.toml version using a variable like ${{package.version}} in the build pipeline.

Suggested change
version: 0.0.13
version: ${{package.version}}

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify version consistency with pyproject.toml.

The package version is declared as 0.0.13 here, but past reviews flagged a mismatch with pyproject.toml (0.1.0). Confirm that versions are synchronized. If they differ intentionally, add a comment explaining the divergence.

Run the following script to verify the current version in pyproject.toml:

🏁 Script executed:

#!/bin/bash
# Check version in pyproject.toml
if [ -f "pyproject.toml" ]; then
  grep "^version" pyproject.toml || grep 'version = ' pyproject.toml | head -1
else
  echo "pyproject.toml not found"
fi

Length of output: 17

Synchronize package versions or document intentional divergence.

Version mismatch confirmed: melange.yaml declares 0.0.13, while pyproject.toml declares 0.1.0. Either update both files to the same version or add an explanatory comment in each file clarifying why the versions differ intentionally.

🤖 Prompt for AI Agents 
In melange.yaml around line 3, the declared version 0.0.13 conflicts with
pyproject.toml's 0.1.0; either synchronize them or document intentional
divergence: update melange.yaml to 0.1.0 (or pyproject.toml to 0.0.13) and
commit both files together, or add a clear comment in each file indicating why
versions intentionally differ and reference the authoritative source (e.g.,
release notes or packaging/version bump process); ensure the change is reflected
in any release/changelog automation.

description: Voice Generator part of the Chatacter Backend
Comment thread
MH0386 marked this conversation as resolved.
Comment thread
MH0386 marked this conversation as resolved.
Copy link

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo in package description: "Chatacter" should be "Character".

Copilot uses AI. Check for mistakes.
copyright:
- license: MIT
dependencies:
runtime:
- python-${{vars.python_version}}
options:
no-depends: true
vars:
python_version: 3.12
environment:
Comment thread
MH0386 marked this conversation as resolved.
contents:
Comment on lines +14 to +15
Copy link

Copilot AI Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nested environment key appears to be incorrectly structured. The YAML has environment: at line 10, then environment: again at line 11, followed by contents: at line 13. According to Melange configuration schema, environment should contain contents, environment (for env vars), etc. as siblings, not nested. This should likely be:

environment:
  environment:
    UV_VENV_CLEAR: 1
  contents:
    ...

However, having two environment keys seems redundant. Review the Melange documentation to ensure the correct structure.

Copilot uses AI. Check for mistakes.
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
- ./melange.rsa.pub
repositories:
- https://packages.wolfi.dev/os
packages:
- busybox
Comment on lines +21 to +22
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Add missing git package for git-checkout step.

The pipeline uses git-checkout on line 21, but git is not in the packages list. The git-checkout step will fail without git installed in the build environment.

     packages:
       - ca-certificates-bundle
       - uv
       - build-base
       - bash
       - busybox
+      - git
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
packages:
- ca-certificates-bundle
- uv
- build-base
- bash
- busybox
packages:
- ca-certificates-bundle
- uv
- build-base
- bash
- busybox
- git
🤖 Prompt for AI Agents 
In melange.yaml around lines 14 to 19, the packages list is missing git which is
required by the git-checkout step at line 21; add the git package to the
packages array (e.g., include "- git") so the build environment has git
installed before running git-checkout.

- uv
- python-${{vars.python_version}}
pipeline:
- name: Build
runs: |-
set -x
export UV_LINK_MODE="copy"
export UV_NO_BUILD="1"
export UV_NO_CACHE="1"
export UV_NO_DEV="1"
export UV_SYSTEM_PYTHON="1"
export UV_NO_MANAGED_PYTHON="1"
export UV_TOOL_BIN_DIR="/usr/bin"
export UV_TOOL_DIR="/usr/share"
export TOOL_BIN_DIR="${{targets.destdir}}${UV_TOOL_BIN_DIR}"
export TOOL_DIR="${{targets.destdir}}${UV_TOOL_DIR}"
uv tool install ${{package.name}}
${UV_TOOL_DIR}/${{package.name}}/bin/python -m spacy download en_core_web_sm
find ${UV_TOOL_DIR}/${{package.name}} -type d -name "__pycache__" -exec rm -rf {} +
find ${UV_TOOL_DIR}/${{package.name}} -type d -name "tests" -exec rm -rf {} +
rm $UV_TOOL_DIR/.lock
Copy link

Copilot AI Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The build step removes the .lock file from $UV_TOOL_DIR/.lock (line 64). This could cause issues if the lock file is required for proper functioning of the tool or if multiple builds run concurrently. Consider documenting why this removal is necessary, or verify if there's a cleaner approach (e.g., using uv tool install flags to avoid lock file creation).

Suggested change
rm $UV_TOOL_DIR/.lock
# Remove the .lock file created by uv tool install.
# This is necessary to avoid issues with subsequent runs, but may cause problems if multiple builds run concurrently.
# If uv adds a flag to avoid lock file creation, use that instead.
if [ -f "$UV_TOOL_DIR/.lock" ]; then rm "$UV_TOOL_DIR/.lock"; fi

Copilot uses AI. Check for mistakes.
mkdir -p $TOOL_BIN_DIR $TOOL_DIR
ln -s "${UV_TOOL_DIR}/${{package.name}}/bin/${{package.name}}" "${TOOL_BIN_DIR}/${{package.name}}"
cp -r "${UV_TOOL_DIR}/${{package.name}}" "${TOOL_DIR}/${{package.name}}"
rm -rf "${UV_TOOL_DIR}/${{package.name}}"
rm -rf ~/.cache
- uses: strip
Loading