build(docker): unify per-platform deploys behind single GHCR image #378
eleboucher wants to merge 1 commit into
Conversation

@eleboucher is attempting to deploy a commit to the rohitg00's projects Team on Vercel. A member of the Team first needs to authorize it.

Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
📝 Walkthrough
Consolidates per-platform Docker builds into a single published multi-arch container built by a new GitHub Actions workflow; deployment templates now pull
Changes: Centralized Container Image and Deployment
sequenceDiagram
participant Dev as Developer
participant GH as GitHub
participant CI as GitHub Actions
participant Registry as GHCR
participant Platform as Deployment
participant Container as Container
Dev->>GH: push to main / tag / workflow_dispatch
GH->>CI: trigger Docker workflow
CI->>CI: checkout, setup QEMU & Buildx
CI->>CI: generate metadata tags and labels
CI->>CI: build multi-arch image (linux/amd64, linux/arm64)
CI->>Registry: push image (non-PR events)
Platform->>Registry: pull ghcr.io/rohitg00/agentmemory:latest
Platform->>Container: start container
Container->>Container: ensure /data is writable
Container->>Container: create or load HMAC if needed
Container->>Container: exec agentmemory
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🧹 Nitpick comments (1)
Dockerfile (1)
38-40: ⚡ Quick win: Consider extracting the package.json rewriting to a separate script.
The inline Node.js one-liner that rewrites `package.json` is functional but hard to read and maintain. For better clarity and testability, consider extracting this to a separate script file (e.g., `docker/set-overrides.js`).
♻️ Alternative approach
Create `docker/set-overrides.js`:
```js
const fs = require('fs');
const p = require('./package.json');
p.overrides = Object.assign({}, p.overrides, { 'iii-sdk': process.env.III_VERSION });
fs.writeFileSync('package.json', JSON.stringify(p, null, 2));
```
Then in Dockerfile:
```diff
-RUN node -e "const p=require('./package.json'); p.overrides=Object.assign({},p.overrides,{'iii-sdk':process.env.III_VERSION}); require('fs').writeFileSync('package.json',JSON.stringify(p,null,2));" \
-  && III_VERSION="${III_VERSION}" npm install --omit=dev --legacy-peer-deps --no-audit --no-fund \
+COPY docker/set-overrides.js ./
+RUN node set-overrides.js \
+  && npm install --omit=dev --legacy-peer-deps --no-audit --no-fund \
   && ln -s /opt/agentmemory/dist/cli.mjs /usr/local/bin/agentmemory
```
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Dockerfile`:
- Around line 17-20: Replace the fragile post-build sed in the Dockerfile by
adding a configurable bind address in the viewer server: in src/viewer/server.ts
change the hardcoded listen call to use an environment variable (e.g.,
process.env.VIEWER_HOST with default "127.0.0.1") when calling
server.listen(port, host) or app.listen(port, host), and remove the RUN find ...
sed ... step from the Dockerfile; ensure the Dockerfile documents/exports
VIEWER_HOST so containers can set it to "0.0.0.0" at runtime to expose :3113.
---
Nitpick comments:
In `@Dockerfile`:
- Around line 38-40: The Dockerfile contains an inline Node one-liner that
rewrites package.json (the RUN line invoking node -e and using
process.env.III_VERSION) which is hard to maintain; extract that logic into a
standalone script named set-overrides.js that reads package.json, merges/sets
the overrides['iii-sdk'] value from process.env.III_VERSION, and writes
package.json back, then update the Dockerfile RUN to call node
docker/set-overrides.js before running npm install and creating the symlink to
agentmemory.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 28296fa2-9dc1-45fd-aa4e-70fe0b58a87b
📒 Files selected for processing (15)
.github/workflows/docker.yml, Dockerfile, deploy/README.md, deploy/coolify/Dockerfile, deploy/coolify/docker-compose.yml, deploy/coolify/entrypoint.sh, deploy/fly/Dockerfile, deploy/fly/entrypoint.sh, deploy/fly/fly.toml, deploy/railway/Dockerfile, deploy/railway/railway.json, deploy/render/Dockerfile, deploy/render/entrypoint.sh, deploy/render/render.yaml, docker/entrypoint.sh
💤 Files with no reviewable changes (7)
- deploy/fly/Dockerfile
- deploy/render/Dockerfile
- deploy/coolify/Dockerfile
- deploy/coolify/entrypoint.sh
- deploy/render/entrypoint.sh
- deploy/railway/Dockerfile
- deploy/fly/entrypoint.sh
| # Viewer binds 127.0.0.1 (hardcoded in src/viewer/server.ts). | ||
| # Rewrite the compiled literal so :3113 is reachable from outside the container. | ||
| RUN find dist -type f \( -name '*.mjs' -o -name '*.js' -o -name '*.cjs' \) \ | ||
| -exec sed -i 's/\.listen(port, *"127\.0\.0\.1"/.listen(port, "0.0.0.0"/g' {} + |
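Review bot: the sed rewrite at the end of this hunk is never checked for success, so if the compiled literal ever differs from `.listen(port, "127.0.0.1"` (bundler whitespace, a renamed variable, a later refactor of src/viewer/server.ts) the build still passes and the viewer silently keeps binding loopback, leaving :3113 unreachable from outside the container while the image looks healthy at build time. At minimum, fail the build when the rewrite did not apply, e.g. `RUN grep -rq '\.listen(port, "0\.0\.0\.0"' dist || { echo 'viewer bind rewrite did not apply' >&2; exit 1; }`; better, read the bind address from an environment variable in the source so no post-build patching of dist is needed and the loopback default stays in place for local runs.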
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check for hardcoded 127.0.0.1 bind addresses in source
echo "=== Searching for hardcoded 127.0.0.1 listen calls in TypeScript source ==="
rg -n --type=ts '\.listen\([^)]*["\x27]127\.0\.0\.1["\x27]' src/
echo -e "\n=== Check if there are configurable alternatives ==="
rg -n --type=ts 'host.*=|bind.*=' src/viewer/
Repository: rohitg00/agentmemory
Length of output: 262
🏁 Script executed:
# Look at the context around line 123 in src/viewer/server.ts
head -n 130 src/viewer/server.ts | tail -n 20
Repository: rohitg00/agentmemory
Length of output: 574
🏁 Script executed:
# Check if there are other hardcoded 127.0.0.1 references
rg -n '127\.0\.0\.1' src/
Repository: rohitg00/agentmemory
Length of output: 704
🏁 Script executed:
# Understand the port variable - where does it come from?
rg -n -B 5 -A 5 'server\.listen\(port' src/viewer/server.ts
Repository: rohitg00/agentmemory
Length of output: 335
🏁 Script executed:
# Get the full function context
rg -n -B 20 'server.listen\(port, "127.0.0.1"' src/viewer/server.ts | head -n 50
Repository: rohitg00/agentmemory
Length of output: 781
🏁 Script executed:
# Check if there's any config or environment variable handling for the bind address
rg -n 'process\.env|CONFIG|config' src/viewer/server.ts
Repository: rohitg00/agentmemory
Length of output: 107
🏁 Script executed:
# Get the function definition
rg -n -B 5 'async function.*port|function.*port' src/viewer/server.ts | head -n 30
Repository: rohitg00/agentmemory
Length of output: 46
🏁 Script executed:
# Check the Dockerfile to see how the port is passed
cat Dockerfile | grep -A 5 -B 5 "viewer\|3113\|listen"
Repository: rohitg00/agentmemory
Length of output: 826
Make the bind address configurable via environment variable instead of patching compiled output.
The Dockerfile's sed rewrite of compiled JavaScript is fragile and couples the build process to specific compiler output patterns. If the TypeScript compilation output format changes, this workaround will break.
While the hardcoded 127.0.0.1 in src/viewer/server.ts:123 appears intentional (secure-by-default for local development), a better approach is to add an environment variable for the bind address (e.g., VIEWER_HOST) that defaults to "127.0.0.1" but can be overridden at container runtime. This preserves the security-by-default in source code while eliminating the fragile sed post-processing step.
Actionable comments posted: 1
🧹 Nitpick comments (1)
Dockerfile (1)
20-23: ⚡ Quick win: Consider removing `gosu` if privilege dropping is not implemented.
The package `gosu` is typically used to drop privileges in entrypoint scripts, but this Dockerfile does not include a `USER` directive or use `gosu` in the entrypoint. If privilege dropping is not part of the deployment strategy, consider removing `gosu` to reduce the image size and attack surface.
🤖 Prompt for all review comments with AI agents
Inline comments:
In `@Dockerfile`:
- Around line 17-52: The image runs as root; add a non-root system user/group
(e.g., agentmemory) and chown runtime dirs then switch to that user: create
group/user with useradd/groupadd, ensure /data and /opt/agentmemory exist and
are owned by that user (chown -R agentmemory:agentmemory /data
/opt/agentmemory), and add a USER agentmemory directive before the
HEALTHCHECK/ENTRYPOINT so the container runs unprivileged; keep gosu installed
if you still need runtime privilege escalation in entrypoint.
---
Nitpick comments:
In `@Dockerfile`:
- Around line 20-23: The Dockerfile installs the gosu package but never uses it
to drop privileges; either remove gosu from the apt-get install list in the RUN
layer (delete "gosu" from the package list) to reduce image size/attack surface,
or implement privilege dropping by adding a USER directive and invoking gosu in
the entrypoint/startup script (ensure the entrypoint script calls gosu to switch
to the non-root user); update the RUN line and corresponding entrypoint/USER
usage to keep them consistent.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: a255b819-0699-4cc5-ab0b-aca7b94c2b26
📒 Files selected for processing (15)
.github/workflows/docker.yml, Dockerfile, deploy/README.md, deploy/coolify/Dockerfile, deploy/coolify/docker-compose.yml, deploy/coolify/entrypoint.sh, deploy/fly/Dockerfile, deploy/fly/entrypoint.sh, deploy/fly/fly.toml, deploy/railway/Dockerfile, deploy/railway/railway.json, deploy/render/Dockerfile, deploy/render/entrypoint.sh, deploy/render/render.yaml, docker/entrypoint.sh
💤 Files with no reviewable changes (7)
- deploy/railway/Dockerfile
- deploy/fly/Dockerfile
- deploy/fly/entrypoint.sh
- deploy/coolify/entrypoint.sh
- deploy/render/Dockerfile
- deploy/render/entrypoint.sh
- deploy/coolify/Dockerfile
✅ Files skipped from review due to trivial changes (1)
- deploy/README.md
🚧 Files skipped from review as they are similar to previous changes (6)
- deploy/fly/fly.toml
- deploy/coolify/docker-compose.yml
- deploy/render/render.yaml
- .github/workflows/docker.yml
- docker/entrypoint.sh
- deploy/railway/railway.json
Actionable comments posted: 3
🧹 Nitpick comments (1)
deploy/coolify/docker-compose.yml (1)
13-13: ⚡ Quick win: Avoid `:latest` for the deployed image; pin to an immutable tag or digest.
Pulling `ghcr.io/rohitg00/agentmemory:latest` makes deploys non-reproducible and complicates rollback — two stacks brought up minutes apart can end up on different image contents, and `docker compose pull` will silently shift the running version. Prefer a version tag (e.g., `:v1.2.3`) or, ideally, an immutable digest (`@sha256:...`) so each deploy is deterministic. Note the `init` service correctly pins `busybox:1.36`.
♻️ Example pinning
```diff
-    image: ghcr.io/rohitg00/agentmemory:latest
+    image: ghcr.io/rohitg00/agentmemory:v1.0.0   # or pin by digest: @sha256:<digest>
```
🤖 Prompt for all review comments with AI agents
Inline comments:
In `@docker/entrypoint.sh`:
- Around line 13-18: The generated III config (referenced by III_CONFIG in
entrypoint.sh) currently hardcodes /data paths while the script validates and
uses $DATA_DIR/AGENTMEMORY_DATA_DIR; update the config-generation logic to
substitute the actual $DATA_DIR (or AGENTMEMORY_DATA_DIR env) into the generated
iii-config.yaml so all paths (e.g., where secrets and state are stored) use the
runtime $DATA_DIR value; locate the config write/templating code in
entrypoint.sh around the checks that reference DATA_DIR and change the
hard-coded "/data/..." strings to use the variable (ensure you handle both
AGENTMEMORY_DATA_DIR and fallback DATA_DIR) so the worker config, volumes, and
any other writes remain consistent with the validated directory.
- Around line 15-20: The writability check runs before the directory exists so
custom AGENTMEMORY_DATA_DIR can fail; change the script logic in entrypoint.sh
to create the directory first (use mkdir -p on DATA_DIR/AGENTMEMORY_DATA_DIR) or
ensure existence before running [ -w "$DATA_DIR" ], then perform the writability
check and only exit if still not writable; update references to DATA_DIR and the
mkdir -p invocation accordingly so the check validates an existing directory.
- Around line 80-83: The script currently echoes the generated HMAC secret
("AGENTMEMORY_SECRET=$SECRET") which leaks it to logs; remove that echo and stop
printing $SECRET in docker/entrypoint.sh, instead ensure the secret is written
to the HMAC_FILE with strict permissions (chmod 600) and only log that the
secret was stored (e.g., reference HMAC_FILE) without revealing
AGENTMEMORY_SECRET; also keep exporting or sourcing the secret into the
environment if other processes need it but do so without printing the value.
---
Nitpick comments:
In `@deploy/coolify/docker-compose.yml`:
- Line 13: The docker-compose image reference uses an unstable tag "image:
ghcr.io/rohitg00/agentmemory:latest"; replace this with a fixed version tag or
immutable digest (for example change the image value used by the service that
currently declares "image: ghcr.io/rohitg00/agentmemory:latest") so deployments
are reproducible and rollbackable—prefer a semver tag like ":v1.2.3" or an
"@sha256:..." digest similar to how the "init" service pins "busybox:1.36".
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 60cd8b27-024d-41da-9105-cadaf14cbed9
📒 Files selected for processing (15)
.github/workflows/docker.yml, Dockerfile, deploy/README.md, deploy/coolify/Dockerfile, deploy/coolify/docker-compose.yml, deploy/coolify/entrypoint.sh, deploy/fly/Dockerfile, deploy/fly/entrypoint.sh, deploy/fly/fly.toml, deploy/railway/Dockerfile, deploy/railway/railway.json, deploy/render/Dockerfile, deploy/render/entrypoint.sh, deploy/render/render.yaml, docker/entrypoint.sh
💤 Files with no reviewable changes (7)
- deploy/coolify/entrypoint.sh
- deploy/railway/Dockerfile
- deploy/render/entrypoint.sh
- deploy/fly/entrypoint.sh
- deploy/fly/Dockerfile
- deploy/coolify/Dockerfile
- deploy/render/Dockerfile
✅ Files skipped from review due to trivial changes (3)
- deploy/README.md
- deploy/render/render.yaml
- deploy/fly/fly.toml
🚧 Files skipped from review as they are similar to previous changes (3)
- .github/workflows/docker.yml
- Dockerfile
- deploy/railway/railway.json
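An added example of the three entrypoint fixes requested in the review above (create the data directory before the writability check, substitute the runtime data directory into the generated config, and never print the HMAC secret), written as a stand-alone POSIX shell fragment rather than taken from the project's docker/entrypoint.sh. The names DATA_DIR, AGENTMEMORY_DATA_DIR, HMAC_FILE, III_CONFIG and AGENTMEMORY_SECRET come from the review comments; the config keys it writes are placeholders, since the real iii-config.yaml schema is not on this page.

```shell
#!/bin/sh
# Data-dir, config and secret handling for a container entrypoint (added
# example, not the project's docker/entrypoint.sh). Variable names follow the
# review comments; the config keys written below are placeholders.
set -eu

log() { printf 'entrypoint: %s\n' "$*" >&2; }

# AGENTMEMORY_DATA_DIR wins, then DATA_DIR, then the image default /data.
resolve_data_dir() {
    printf '%s\n' "${AGENTMEMORY_DATA_DIR:-${DATA_DIR:-/data}}"
}

# Create the directory *before* testing writability, so a custom data dir that
# does not exist yet is not rejected; fail only if it still is not writable.
ensure_data_dir() {
    dir=$1
    if ! mkdir -p "$dir" 2>/dev/null; then
        log "cannot create data dir $dir"
        return 1
    fi
    if [ ! -w "$dir" ]; then
        log "data dir $dir is not writable"
        return 1
    fi
}

# Generate the config with the runtime data dir substituted in, instead of
# hard-coding /data while a different directory was validated above.
render_config() {
    config=$1
    dir=$2
    cat > "$config" <<EOF
# generated by entrypoint; placeholder keys, not the real iii-config.yaml schema
state_dir: ${dir}/state
secrets_file: ${dir}/.hmac
EOF
}

# Load the HMAC secret from HMAC_FILE, creating it (mode 0600) when missing.
# The value is exported for the child process; only the *path* is logged.
load_or_create_secret() {
    file=$1
    if [ ! -s "$file" ]; then
        old_umask=$(umask)
        umask 077            # new file is 0600 from the moment it exists
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$file"
        umask "$old_umask"
        log "generated new HMAC secret at $file"
    else
        # tighten an operator-mounted file if we own it; never a hard failure
        chmod 600 "$file" 2>/dev/null || log "could not chmod $file"
        log "loaded HMAC secret from $file"
    fi
    AGENTMEMORY_SECRET=$(cat "$file")
    export AGENTMEMORY_SECRET
}

main() {
    DATA_DIR=$(resolve_data_dir)
    ensure_data_dir "$DATA_DIR" || exit 1
    render_config "${III_CONFIG:-/opt/agentmemory/dist/iii-config.yaml}" "$DATA_DIR"
    load_or_create_secret "${HMAC_FILE:-$DATA_DIR/.hmac}"
    exec agentmemory "$@"
}

# Act as an entrypoint only when given a command; with no arguments the file
# just defines the functions above.
[ $# -eq 0 ] || main "$@"
```

The secret is written under `umask 077` so there is no window in which the file exists with default permissions, and the log line names the file rather than echoing `AGENTMEMORY_SECRET`, which keeps the value out of `docker logs` and any log shipper attached to the container.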
Actionable comments posted: 2
🧹 Nitpick comments (1)
docker/entrypoint.sh (1)
21-72: 💤 Low value: Config is regenerated unconditionally on every container start.
`cat > "$III_CONFIG"` (line 21) overwrites `/opt/agentmemory/dist/iii-config.yaml` on every boot without checking if it already exists. The Dockerfile does make `/opt/agentmemory` writable by the `node` user (via `chown -R node:node /opt/agentmemory` on line 37), so write failures are not a concern; however, any runtime modifications to the config would be lost on restart. Consider:
- Write the file only when absent (`[ -f "$III_CONFIG" ] || cat > "$III_CONFIG" <<EOF ... EOF`) if operators need to mount and persist config edits.
- Or template-substitute only dynamic values (e.g., `${DATA_DIR}` paths) and treat the rest as a baked image asset.
🤖 Prompt for all review comments with AI agents
Inline comments:
In `@deploy/fly/fly.toml`:
- Line 15: Replace the floating image tag in the image field
("ghcr.io/rohitg00/agentmemory:latest") with a fixed, immutable reference—either
a specific version tag (e.g., match the sibling compose tag
"ghcr.io/rohitg00/agentmemory:0.9.12") or, preferably, a digest form
("ghcr.io/rohitg00/agentmemory@sha256:...") so deployments are reproducible and
deterministic.
In `@docker/entrypoint.sh`:
- Around line 5-9: Update the shell case in docker/entrypoint.sh so commands
that require AGENTMEMORY_SECRET are not bypassed: remove "mcp" and
"import-jsonl" from the exec agentmemory "$@" bypass branch. The issue is that
MCP endpoints (registered by registerMcpEndpoints and authenticated via
checkAuth) and the import-jsonl CLI (which reads AGENTMEMORY_SECRET and sets
Authorization headers) require secrets to be loaded; keep only status, doctor,
demo, help/--help/-h and version/--version/-V in the bypass list so
AGENTMEMORY_SECRET and config are loaded before running those commands.
---
Nitpick comments:
In `@docker/entrypoint.sh`:
- Around line 21-72: The entrypoint currently unconditionally overwrites the
config via the cat > "$III_CONFIG" block; change it to only create/write
III_CONFIG when the file is missing so runtime edits aren't clobbered: guard the
cat > "$III_CONFIG" heredoc with a check like testing -f "$III_CONFIG" and skip
the heredoc if the file exists, or alternatively split dynamic values (e.g.,
DATA_DIR substitution) into a small templating step that only writes missing
placeholders while leaving an existing /opt/agentmemory/dist/iii-config.yaml
untouched; update the entrypoint.sh logic around the cat > "$III_CONFIG" section
to implement this conditional write.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3a593824-8eb9-43db-a0dd-d26d7583920d
📒 Files selected for processing (16)
.github/workflows/docker.yml, Dockerfile, deploy/README.md, deploy/coolify/Dockerfile, deploy/coolify/docker-compose.yml, deploy/coolify/entrypoint.sh, deploy/fly/Dockerfile, deploy/fly/entrypoint.sh, deploy/fly/fly.toml, deploy/railway/Dockerfile, deploy/railway/entrypoint.sh, deploy/railway/railway.json, deploy/render/Dockerfile, deploy/render/entrypoint.sh, deploy/render/render.yaml, docker/entrypoint.sh
💤 Files with no reviewable changes (8)
- deploy/render/Dockerfile
- deploy/fly/entrypoint.sh
- deploy/coolify/entrypoint.sh
- deploy/coolify/Dockerfile
- deploy/railway/entrypoint.sh
- deploy/fly/Dockerfile
- deploy/railway/Dockerfile
- deploy/render/entrypoint.sh
✅ Files skipped from review due to trivial changes (2)
- deploy/README.md
- deploy/railway/railway.json
🚧 Files skipped from review as they are similar to previous changes (3)
- deploy/render/render.yaml
- .github/workflows/docker.yml
- Dockerfile
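An added example covering the two entrypoint points raised in the review above: keep `mcp` and `import-jsonl` out of the no-secret bypass list, and write the config only when it is absent, substituting just the dynamic data-dir value into a baked template. It is not the project's entrypoint; the subcommand names and the III_CONFIG / AGENTMEMORY_SECRET / AGENTMEMORY_DATA_DIR names come from the review comments, while the template path, the `@DATA_DIR@` placeholder and the YAML keys are assumptions made for the example.

```shell
#!/bin/sh
# Entrypoint command dispatch plus write-once config rendering (added example;
# names from the review comments, template path/placeholder/keys are assumed).
set -eu

# Return 0 when the subcommand needs AGENTMEMORY_SECRET (and the config) loaded
# before it runs. Only commands that never touch the authenticated API are
# exempt; "mcp" and "import-jsonl" both use the secret, so they are NOT listed.
needs_secret() {
    case ${1:-} in
        status|doctor|demo|help|--help|-h|version|--version|-V) return 1 ;;
        *) return 0 ;;
    esac
}

# Baked config template as it would ship in the image (constructed inline here;
# a real image would COPY it). @DATA_DIR@ is the only runtime-substituted value;
# the keys are placeholders, not the real iii-config.yaml schema.
write_template() {
    cat > "$1" <<'EOF'
# rendered from template by entrypoint
state_dir: @DATA_DIR@/state
secrets_file: @DATA_DIR@/.hmac
EOF
}

# Render template -> config only if the config does not exist yet, so edits an
# operator made on a mounted file survive restarts. Prints "written" or "kept".
render_config_if_missing() {
    template=$1
    config=$2
    dir=$3
    if [ -f "$config" ]; then
        echo kept
        return 0
    fi
    # '|' is used as the sed delimiter because paths contain '/'; a data dir
    # that itself contains '|' is not supported by this example.
    sed "s|@DATA_DIR@|$dir|g" "$template" > "$config"
    echo written
}

main() {
    cmd=$1
    if needs_secret "$cmd"; then
        dir=${AGENTMEMORY_DATA_DIR:-/data}
        render_config_if_missing "${III_TEMPLATE:-/opt/agentmemory/iii-config.tmpl.yaml}" \
            "${III_CONFIG:-/opt/agentmemory/dist/iii-config.yaml}" "$dir" >/dev/null
        # Refuse to start an authenticated command without its secret, rather
        # than running "$cmd" unauthenticated or printing the value anywhere.
        : "${AGENTMEMORY_SECRET:?must be set before running $cmd}"
    fi
    exec agentmemory "$@"
}

# Run as an entrypoint only when given a command; with no arguments the file
# just defines the functions above.
[ $# -eq 0 ] || main "$@"
```

Keeping the exempt list as an explicit allow-list (rather than a deny-list of commands that need the secret) means a newly added subcommand defaults to the authenticated path, so a future CLI addition cannot silently bypass secret loading.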
🧹 Nitpick comments (1)
deploy/render/render.yaml (1)
6-7: ⚡ Quick win: Pin the container image to an immutable digest instead of `:latest`.
Using `ghcr.io/rohitg00/agentmemory:latest` makes deployments non-deterministic (same config can pull different bytes over time), which hurts rollback safety and incident debugging. Prefer a version tag plus digest (or digest-only).
Suggested change
```diff
 image:
-  url: ghcr.io/rohitg00/agentmemory:latest
+  url: ghcr.io/rohitg00/agentmemory@sha256:<published-image-digest>
```
🤖 Prompt for all review comments with AI agents
Nitpick comments:
In `@deploy/render/render.yaml`:
- Around line 6-7: The image URL is using a floating tag ("image.url" with
ghcr.io/rohitg00/agentmemory:latest), make it immutable by pinning to a digest
or a specific version tag with digest (e.g., replace ":latest" with a semver tag
and sha256 digest or use the digest-only form
"ghcr.io/rohitg00/agentmemory@sha256:..."); update the "image.url" value
accordingly and ensure any CI/release process that builds/pushes the image
records and injects the resolved digest into this field.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c5c669d7-05e5-4b09-8af0-b0bc1511c5f2
📒 Files selected for processing (16)
.github/workflows/docker.yml, Dockerfile, deploy/README.md, deploy/coolify/Dockerfile, deploy/coolify/docker-compose.yml, deploy/coolify/entrypoint.sh, deploy/fly/Dockerfile, deploy/fly/entrypoint.sh, deploy/fly/fly.toml, deploy/railway/Dockerfile, deploy/railway/entrypoint.sh, deploy/railway/railway.json, deploy/render/Dockerfile, deploy/render/entrypoint.sh, deploy/render/render.yaml, docker/entrypoint.sh
💤 Files with no reviewable changes (8)
- deploy/render/Dockerfile
- deploy/fly/entrypoint.sh
- deploy/coolify/entrypoint.sh
- deploy/render/entrypoint.sh
- deploy/railway/Dockerfile
- deploy/railway/entrypoint.sh
- deploy/coolify/Dockerfile
- deploy/fly/Dockerfile
✅ Files skipped from review due to trivial changes (2)
- deploy/README.md
- deploy/railway/railway.json
🚧 Files skipped from review as they are similar to previous changes (4)
- .github/workflows/docker.yml
- deploy/coolify/docker-compose.yml
- Dockerfile
- docker/entrypoint.sh