add a container building step to the /autopilot-e2e command #6233
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c175d0e232
| trigger-autopilot-e2e: | ||
| needs: | ||
| [check-containers, build-gateway-e2e, build-provider-proxy, build-ui-dev] | ||
| if: always() && !failure() && !cancelled() |
Reapply repository guard to the dispatch job
This job no longer checks `github.repository == 'tensorzero/tensorzero'`, so on non-canonical repos (for example, a fork running `workflow_dispatch`) `check-containers` is skipped but this `if` still evaluates true and the job proceeds to `create-github-app-token` with missing `AUTOPILOT_DISPATCH_*` secrets. That is a regression from the previous single-job guard and causes avoidable hard failures outside the main repo.
| TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${image}:pull" | jq -r '.token') | ||
| local STATUS | ||
| STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ | ||
| -H "Authorization: Bearer $TOKEN" \ | ||
| -H "Accept: application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \ | ||
| "https://registry-1.docker.io/v2/${image}/manifests/${tag}") |
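Review bot: the token capture `TOKEN=$(curl -s ... | jq -r '.token')` has no failure handling: `curl -s` without `--fail` hands an error body to `jq`, and `jq -r '.token'` then prints the literal string `null`, so the manifest request goes out with `Authorization: Bearer null`. The same applies to `STATUS=$(curl -s -o /dev/null -w "%{http_code}" ...)`, where a timeout or DNS failure yields `000`. Suggest adding `--fail --max-time <n> --retry <n>` to both calls, checking that `TOKEN` is non-empty and not `null` before it is used, and distinguishing a `404` from every other non-200 status so a transient registry error is reported rather than silently read as a missing image.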
Authenticate Docker Hub manifest checks for private images
The container-existence probe uses anonymous registry requests, but this workflow checks `tensorzero/ui-dev`, and the new build workflow documents `-dev` images as private; private manifests return unauthorized without login and will be treated as missing. In that case `/autopilot-e2e` rebuilds and pushes `ui-dev` every time even when the `sha-*` tag already exists, defeating the skip logic and adding unnecessary runtime.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| ref: ${{ inputs.ref || github.sha }} | ||
|
|
||
| # We use 'DOCKERHUB_LIMITED_TOKEN' to ensure that we can only push to our private '-dev' repos, | ||
| # not to any of the public production repos. |
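Review bot: `ref: ${{ inputs.ref || github.sha }}` accepts any ref string (a branch or tag name as well as a commit SHA), while the PR description says images are tagged `sha-${ref}`; for a branch name that tag is neither a SHA nor immutable, and a later `sha-*` existence check would match a stale image built from an older commit of that branch. Suggest resolving the checked-out commit with `git rev-parse HEAD` after the checkout step and tagging with that value, or validating that `inputs.ref` is a full 40-hex SHA and failing the job otherwise. On the `DOCKERHUB_LIMITED_TOKEN` comment: the claim that the token "can only push to our private '-dev' repos" depends on how the access token was scoped on Docker Hub, which the workflow cannot enforce; state where that scope is configured so reviewers can verify it.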
Single quotes wrap technical terms instead of backticks
Low Severity
The new comment in build-ui-dev-container.yml wraps DOCKERHUB_LIMITED_TOKEN and -dev in single quotes instead of backticks. This violates the team rule preferring backticks (`) over ticks (') for technical terms in comments.
Triggered by team rule: Prefer backticks (`) instead of ticks (') to wrap technical terms
| else | ||
| echo "missing" | ||
| fi | ||
| } |
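Review bot: the `else echo "missing"` branch collapses every non-200 status into "missing", so a 401/403 (anonymous token against a private repo), a 429 rate limit, a 5xx, or a curl `000` all trigger a rebuild and push instead of surfacing the error. Suggest `case "$STATUS" in 200) echo exists;; 404) echo missing;; *) echo "error $STATUS" >&2; return 1;; esac` so that only a genuine 404 is treated as missing and the job fails on anything else.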
Anonymous auth may fail for private DockerHub repos
Medium Severity
The check_image function uses anonymous Docker Hub auth to check for existing container images. However, the build workflow comments describe these as "private" repos. If Docker Hub repo visibility is private, anonymous token requests won't grant pull access, causing the manifest check to always return non-200 — making check_image always report "missing" and every invocation rebuild all containers, defeating the optimization.


Note
Medium Risk
CI workflow behavior and permissions change (adds `id-token: write`, cross-workflow `ref` handling, and DockerHub API checks), which could impact build reliability or unintentionally push/tag the wrong images if misconfigured.

Overview
The `/autopilot-e2e` slash-command workflow now pre-checks DockerHub for commit-tagged images and conditionally builds/pushes missing containers (`gateway-e2e`, `provider-proxy`, and new `ui-dev`) before dispatching the Autopilot E2E run.

Container build workflows (`build-gateway-e2e-container.yml`, `build-provider-proxy-container.yml`, and new `build-ui-dev-container.yml`) were updated to accept an optional `ref` input, check out that ref, and tag/push images using `sha-${ref}` (falling back to `github.sha`).

Written by Cursor Bugbot for commit c175d0e. This will update automatically on new commits.
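Both the Codex comment ("Authenticate Docker Hub manifest checks for private images") and the Bugbot comment ("Anonymous auth may fail for private DockerHub repos") describe the same failure mode: an anonymous token plus a "non-200 means missing" rule makes the probe rebuild on every run. The script below is an added example, not the PR's `check_image` or any TensorZero code. It keeps the decision logic in two pure helpers that run offline (`token_is_usable`, `classify_manifest_status`) and wires them to `curl`/`jq` in `check_image`. The environment variables `DOCKERHUB_USERNAME` and `DOCKERHUB_LIMITED_TOKEN` are assumptions for a read-scoped credential (the PR only names the latter in a comment); the image and tag arguments are whatever the caller passes.

```shell
# Added example, not the PR's code: a hardened Docker Hub image probe.
# Decision logic lives in pure helpers so it can be exercised without network;
# check_image wires them to curl/jq. DOCKERHUB_USERNAME / DOCKERHUB_LIMITED_TOKEN
# are assumed read-scoped credentials (hypothetical names, not defined by the PR).

# Return 0 if a token string from `jq -r '.token'` is usable. jq prints the
# literal word "null" when the key is absent, e.g. on an error response body.
token_is_usable() {
  case "$1" in
    ""|null) return 1 ;;
    *)       return 0 ;;
  esac
}

# Map an HTTP status from the manifest endpoint to a decision. Only 404 means
# "missing"; 401/403/429/5xx and curl's 000 (no response) are errors, so a
# permissions problem or a transient failure never silently triggers a rebuild.
classify_manifest_status() {
  case "$1" in
    200)     echo "exists" ;;
    404)     echo "missing" ;;
    401|403) echo "error:unauthorized" ;;
    429)     echo "error:rate_limited" ;;
    000)     echo "error:no_response" ;;
    *)       echo "error:http_$1" ;;
  esac
}

# Fetch a pull-scoped registry token for image $1. Uses HTTP basic auth when
# read credentials are present so private repositories resolve; anonymous otherwise.
# --fail makes an error response exit non-zero instead of feeding a body to jq.
fetch_registry_token() {
  local image="$1" auth=""
  if [ -n "${DOCKERHUB_USERNAME:-}" ] && [ -n "${DOCKERHUB_LIMITED_TOKEN:-}" ]; then
    auth="${DOCKERHUB_USERNAME}:${DOCKERHUB_LIMITED_TOKEN}"
  fi
  curl -sS --fail --max-time 20 --retry 3 ${auth:+-u "$auth"} \
    "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${image}:pull" \
    | jq -r '.token'
}

# check_image IMAGE TAG: prints "exists" or "missing" and returns 0, or prints
# an "error:*" reason and returns 1 so the caller can fail the job rather than
# treating the unknown state as "missing" and rebuilding.
check_image() {
  local image="$1" tag="$2" token status result
  token=$(fetch_registry_token "$image") || token=""
  if ! token_is_usable "$token"; then
    echo "error:no_token"
    return 1
  fi
  status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 20 \
    -H "Authorization: Bearer $token" \
    -H "Accept: application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json" \
    "https://registry-1.docker.io/v2/${image}/manifests/${tag}")
  result=$(classify_manifest_status "$status")
  echo "$result"
  case "$result" in
    error:*) return 1 ;;
    *)       return 0 ;;
  esac
}
```

A workflow step would call `check_image tensorzero/ui-dev "sha-${REF}"` and branch on the printed word, letting a non-zero exit fail the step; the two helpers can be unit-tested in CI with no registry access.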