chore(ci): Add Docker image publishing for fern-cli

[pgragg]

Description

Adds Docker image publishing to the CLI release workflow so that fernapi/fern and fernapi/fern-dev images are available on Docker Hub. This enables customer GitHub Actions workflows to use container: image: fernapi/fern:latest instead of running npm install -g fern-api on every run, saving ~10s per workflow execution.

Companion PR: fern-api/fern-platform#9604 (updates customer workflow templates to use the container-based approach).

Changes Made

• packages/cli/cli/Dockerfile: New Dockerfile based on node:22-slim with git and the Fern CLI pre-installed. Uses build args (FERN_CLI_PACKAGE, FERN_CLI_VERSION) to support both prod and dev CLI variants. FERN_CLI_VERSION is a required build arg with no default — the build fails explicitly if not supplied, ensuring hermetic builds. ENTRYPOINT [] allows GitHub Actions to run arbitrary commands in the container. Placed adjacent to versions.yml for consistency with the SDK generator setup.

• .github/workflows/publish-cli-docker.yml: New reusable workflow_call workflow that builds and pushes Docker images to Docker Hub. Accepts version (string) and is_dev (boolean) inputs. Tags images with both the specific version and latest. Uses Docker Buildx with GHA cache.

• .github/workflows/publish-cli.yml: Hooks the new Docker publish workflow into every CLI release path:

  • dev → publishes fernapi/fern-dev at the git version
  • prod → publishes both fernapi/fern and fernapi/fern-dev at the release version
  • manual → publishes both images at the input version
  • Adds job outputs to dev and prod jobs to pass the resolved version to downstream Docker jobs
  • prod job's get_cli_version step uses yq '.[0].version' for robust version extraction from versions.yml

Updates Since Last Revision

Addressed review feedback:

• Removed latest default from FERN_CLI_VERSION Dockerfile ARG. The build now fails explicitly if the version is not supplied, ensuring the installed CLI version is always in lock-step with the Docker image tag.
• Replaced fragile head | grep | awk version extraction in the prod job's get_cli_version step with yq '.[0].version'. The old grep "version:" pattern could match irVersion: lines.

Human Review Checklist

• dev job refactor: The version computation was split from the publish step into a separate get_git_version step so it can be exposed as a job output. Verify the publish step still correctly consumes the version via ${{ steps.get_git_version.outputs.git_version }}.
• secrets: inherit: All Docker jobs use secrets: inherit to pass FERN_API_DOCKERHUB_PASSWORD to the reusable workflow. Confirm this secret is available in the repo (it's already used by seed-dockers.yml).
• Dockerfile ENTRYPOINT []: Required for GitHub Actions container: directive to work—without it, Actions can't run arbitrary shell commands.
• yq usage: The prod job now uses yq '.[0].version' to extract the CLI version. yq is pre-installed on ubuntu-latest runners. Note: the bulk-update-cli job still uses the old grep/awk pattern (tracked in chore(ci): replace fragile grep/awk version extraction with yq #14860).

Testing

• Manual testing not possible for workflow changes, but pushed up an image from local https://hub.docker.com/repository/docker/fernapi/fern-cli-dev/tags
• Docker Hub credentials (fernapi / FERN_API_DOCKERHUB_PASSWORD) are consistent with existing usage in seed-dockers.yml

Link to Devin session: https://app.devin.ai/sessions/9750ac886908477394299692162b2aa8
Requested by: @pgragg

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[devin-ai-integration]

Re: Issue #2 — prod-docker-dev and the dev CLI publish

No changes needed for this. The prod job already publishes @fern-api/fern-api-dev at the prod version before the Docker jobs run:

# Line 164 in publish-cli.yml (prod job)
pnpm seed publish cli --changelog ... --dev

The publishDev config in seed/fern-cli/seed.yml builds and publishes the dev npm package, and the prod job calls it with the --dev flag before publishing the prod package. Since prod-docker-dev has needs: [prod], it only runs after both npm publishes (dev + prod) have completed — so the dev package is already available on npm when the Docker build installs it.

---

Separate fix: fragile grep/awk version extraction

The new get_cli_version step in the prod job (added by this PR) uses the same fragile pattern:

version=$(head -n 20 packages/cli/cli/versions.yml | grep -m 1 "version:" | awk '{print $3}')

This should be replaced with yq (pre-installed on ubuntu-latest):

version=$(yq '.[0].version' packages/cli/cli/versions.yml)

The grep "version:" pattern also matches irVersion: lines. See #14860 which fixes the same pattern in the bulk-update-cli job — the same fix should be applied here.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.