feat :Testing workflow to push images#405
Conversation
Signed-off-by: Rashid Kaleem <230885705+arekay-nv@users.noreply.github.com>
|
MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅ |
There was a problem hiding this comment.
Code Review
This pull request introduces a new bash script, scripts/push_docker_image.sh, designed to build and push the endpoints client Docker image to a registry with support for multi-platform builds, custom git refs, and registry authentication. The review feedback highlights two important shell scripting improvements: using printf instead of echo to safely pipe the registry login token, and properly quoting the BUILD_ARGS array expansion to prevent word splitting.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| LOGIN_TOKEN="${GHCR_TOKEN:-${GITHUB_TOKEN:-}}" | ||
| if [[ "$PUSH" == "1" && -n "$LOGIN_TOKEN" ]]; then | ||
| echo ">> Logging in to ${REGISTRY_HOST} as ${LOGIN_USER:-<token>}" | ||
| echo "$LOGIN_TOKEN" | docker login "$REGISTRY_HOST" -u "${LOGIN_USER:-x-access-token}" --password-stdin |
There was a problem hiding this comment.
Using echo to pipe sensitive tokens or arbitrary strings can lead to unexpected behavior if the token starts with a hyphen (e.g., -n or -e), as echo may interpret it as an option. It is safer and more robust to use printf '%s\n' instead.
| echo "$LOGIN_TOKEN" | docker login "$REGISTRY_HOST" -u "${LOGIN_USER:-x-access-token}" --password-stdin | |
| printf '%s\n' "$LOGIN_TOKEN" | docker login "$REGISTRY_HOST" -u "${LOGIN_USER:-x-access-token}" --password-stdin |
| -f "$DOCKERFILE" \ | ||
| -t "${IMAGE}:${SHORT_SHA}" \ | ||
| -t "${IMAGE}:${REF_TAG}" \ | ||
| ${BUILD_ARGS[@]+"${BUILD_ARGS[@]}"} \ |
There was a problem hiding this comment.
The array expansion ${BUILD_ARGS[@]+"${BUILD_ARGS[@]}"} is missing outer double quotes. Without outer double quotes, any array elements containing spaces or glob characters will undergo word splitting and pathname expansion when expanded. To safely preserve spaces within array elements while maintaining compatibility with set -u in older Bash versions, wrap the entire expansion in double quotes.
| ${BUILD_ARGS[@]+"${BUILD_ARGS[@]}"} \ | |
| "${BUILD_ARGS[@]+"${BUILD_ARGS[@]}"}" \ |
What does this PR do?
Adds a reproducible way to build and publish the endpoints client image to
ghcr.io/mlcommons/endpoints:scripts/push_docker_image.sh— buildsscripts/Dockerfile.devat a chosengit ref via
docker buildxand pushes it, tagged with both the short commit SHAand the ref name so consumers can pin either.
.github/workflows/publish-image.yml— a manually-triggered(
workflow_dispatch) workflow that runs the script, so a publish can be kickedoff from the Actions tab against any selected branch/tag/SHA without a local
Docker setup.
The workflow reuses the script (single source of truth for the tag scheme) rather
than duplicating build logic.
Behavior & design
linux/amd64(what benchmark clients run on); multi-arch is one flag/input away--multi-arch/linux/amd64,linux/arm64publishes a manifest list usable on x86 and arm:<short-sha>+:<sanitized-ref>docker-containerbuildx builder (the defaultdockerdriver can neither--pushnor build multi-platform)GHCR_USER/GHCR_TOKENif set, else assumesdocker login; workflow usesgithub.actor+ the automaticGITHUB_TOKEN:$SHAtag from a dirty tree (--allow-dirtyto override); optional ref checkout is restored on exitPROVISION_DSR11); set0for a lean client-only imageCI prerequisites (one-time, outside this PR)
permissions: packages: writeis set in the workflow; the org must allow theGITHUB_TOKENto write packages, and theendpointspackage must grant this repoWrite access (Package → Manage Actions access). Usually automatic since the
package lives under this repo's org.
Validation
--multi-arch --no-push): bothlinux/amd64(emulated)and
linux/arm64(native) compiled all stages, exit0.bash -n; the empty-arrayexpansion and tag sanitizer were unit-checked; the dirty-tree guard was exercised
across push/dry/allow-dirty/clean/checked-out cases.
ref resolution, Docker-tag sanitization beyond
/, bash-3.2 empty-array crash, andthe dirty-tree publish guard. Workflow security posture confirmed (inputs passed via
env:not inline${{ }}, actions pinned to SHAs, minimalcontents:read+packages:write).Type of change
Related issues
Testing
Checklist