feat: add workflow to promote docker image to stable#31

Merged
ngovinh2k2 merged 1 commit into dev from feat/add-workflow-to-promote-docker-image-to-stable
Feb 11, 2026

Conversation

@ngovinh2k2
Member

What?

Add workflow to promote docker image to stable

Why?

From the request

How?

Testing?

  • Functional Testing
  • Security
  • Performance
  • Error Handling
  • Code Quality
  • Documentation
  • Database
  • Deployment
  • Final Review

Anything Else?

@claude

claude bot commented Feb 11, 2026

Claude finished @ngovinh2k2's task


PR Review Analysis

I've completed my review of the new Docker image promotion workflow. Here's my comprehensive feedback:

Todo List:

  • Read and analyze the new workflow file
  • Check existing workflows for context and consistency
  • Review against GitHub Actions best practices
  • Identify security concerns
  • Check for potential bugs or issues
  • Provide comprehensive feedback

Review Feedback

What Works Well

  1. Clear Purpose: The workflow serves a specific need to promote tested versions to stable
  2. Consistent Authentication: Uses the same GHCR login pattern as existing workflows
  3. Appropriate Permissions: Correctly sets packages: write permission
  4. Manual Trigger: workflow_dispatch is appropriate for promotion workflows

⚠️ Issues & Recommendations

Critical Issues
  1. Missing Input Validation (.github/workflows/cd-promote-stable.yml:6-8)

    # Current - no validation
    version:
      description: "Docker image version (ex: 0.0.1)"
      required: true

    Problem: Users can input any string, potentially causing failures or security issues.

    Fix: Add input validation pattern:

    version:
      description: "Docker image version (ex: 0.0.1)"
      required: true
      type: string
      pattern: '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-]+)?$'
  2. No Source Image Verification (.github/workflows/cd-promote-stable.yml:30-32)

    docker buildx imagetools create \
      -t $IMAGE:stable \
      $IMAGE:$VERSION

    Problem: The workflow doesn't verify the source image exists before promotion.

    Fix: Add image existence check:

    # Verify source image exists
    if ! docker manifest inspect $IMAGE:$VERSION >/dev/null 2>&1; then
      echo "Error: Source image $IMAGE:$VERSION does not exist"
      exit 1
    fi
    
    docker buildx imagetools create \
      -t $IMAGE:stable \
      $IMAGE:$VERSION

Security Concerns
  1. Overprivileged Token Usage

    • Uses GITHUB_TOKEN which has broad repository access
    • Recommendation: Consider using a dedicated token with minimal permissions for package operations only
  2. No Audit Trail

    • Missing step to log what version was promoted and when
    • Fix: Add logging step:

    - name: Log promotion
      run: |
        echo "Promoted $IMAGE:${{ inputs.version }} to stable at $(date)"
        echo "Actor: ${{ github.actor }}"

Best Practice Improvements
  1. Missing Error Handling

    • No cleanup if promotion fails partially
    • Fix: Add error handling and potentially rollback logic
  2. Inconsistent with Build Workflow

    • Build workflow uses semantic versioning patterns, but promotion doesn't validate semantic versions
    • Consider aligning validation with the patterns used in cd-build-image.yml:46-48
  3. Missing Workflow Dependencies

    • No check to ensure the source version was actually built by the official build workflow
    • Could promote manually pushed images

🚀 Suggested Enhancements

  1. Add dry-run option:

    dry_run:
      description: "Dry run mode (just validate, don't promote)"
      required: false
      default: 'false'
      type: boolean
  2. Add notification on completion (optional)

  3. Consider adding latest tag promotion alongside stable

Overall Assessment

The workflow is functional but needs security and validation improvements before production use. The core logic is sound, but the lack of input validation and source verification could lead to runtime failures or security issues.

Recommendation: Address the critical issues (input validation and source verification) before merging. The security concerns are lower priority but should be considered for production environments.
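
The checks discussed in the review (version validation, source-image verification, dry-run, audit line) collected into one promotion script, as an added example that is not the PR's workflow or the bot's suggestion. GitHub Actions `workflow_dispatch` inputs are not regex-constrained, so the version check runs in the shell step instead; the script assumes it is called with `IMAGE VERSION [DRY_RUN]`, uses the semver pattern quoted in the review, and lets `DOCKER` be overridden (a hypothetical hook) so the flow can be exercised offline with a stub:

```shell
#!/bin/sh
# Promotion step for a GitHub Actions "run" block (added example, not the PR's own workflow).
# Arguments (hypothetical interface): IMAGE VERSION [DRY_RUN]
# DOCKER may be overridden with a stub function for offline testing.
set -eu

DOCKER="${DOCKER:-docker}"

# Semver-style check using the pattern proposed in the review. Anything else,
# including "stable", "latest" or strings carrying shell metacharacters, is
# rejected before it can be spliced into a docker command line.
validate_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-]+)?$'
}

# Returns 0 only if the registry already holds a manifest for the given reference.
image_exists() {
    "$DOCKER" manifest inspect "$1" >/dev/null 2>&1
}

# promote_image IMAGE VERSION [DRY_RUN]
# Exit codes: 0 promoted (or dry-run ok), 2 invalid version, 3 source image missing.
promote_image() {
    image="$1"
    version="$2"
    dry_run="${3:-false}"
    src="$image:$version"

    if ! validate_version "$version"; then
        echo "error: refusing to promote '$version': not a semantic version" >&2
        return 2
    fi
    if ! image_exists "$src"; then
        echo "error: source image $src does not exist" >&2
        return 3
    fi
    if [ "$dry_run" = "true" ]; then
        echo "dry-run: would tag $src as $image:stable"
        return 0
    fi

    # Re-tag in the registry without pulling: the new tag points at the same digest.
    "$DOCKER" buildx imagetools create -t "$image:stable" "$src"

    # Audit line: who promoted which digest-bearing tag, and when (GITHUB_ACTOR is set by Actions).
    echo "Promoted $src to stable by ${GITHUB_ACTOR:-unknown} at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Intended invocation from a workflow step, with the inputs passed through env:
#   env:
#     VERSION: ${{ inputs.version }}
#     DRY_RUN: ${{ inputs.dry_run }}
#   run: sh promote.sh "$IMAGE" "$VERSION" "$DRY_RUN"
if [ "$#" -ge 2 ]; then
    promote_image "$@"
fi
```

Passing the inputs through `env:` rather than expanding `${{ inputs.version }}` inline in the `run:` script matters: inline expansion happens before the shell sees the text, so the regex check above would run too late to stop a crafted input; with `env:` the value arrives as a plain variable and is validated as data.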

@ngovinh2k2 ngovinh2k2 merged commit 3b0af57 into dev Feb 11, 2026
3 checks passed
@ngovinh2k2 ngovinh2k2 deleted the feat/add-workflow-to-promote-docker-image-to-stable branch February 13, 2026 06:51