Create Docker.yml#210

Merged
Dargon789 merged 1 commit into master from Dargon789-patch-1
Jan 18, 2026

@Dargon789 Dargon789 commented Jan 18, 2026

Summary by Sourcery

CI:

  • Introduce a Docker GitHub Actions workflow that authenticates to Docker Hub, builds images with Buildx, tags them using metadata, and pushes or locally loads them depending on the event type.

Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
@gemini-code-assist
Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

vercel bot commented Jan 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| sequence-js-docs | Ready | Preview, Comment | Jan 18, 2026 10:14am |
| sequence-js-web | Ready | Preview, Comment | Jan 18, 2026 10:14am |

sourcery-ai bot commented Jan 18, 2026

Reviewer's Guide

Adds a new GitHub Actions workflow to build and publish Docker images to Docker Hub on pushes (tags and main) and build-only on pull requests, including metadata tagging, SBOM/provenance control, and registry authentication.

Flow diagram for Docker.yml GitHub Actions job execution

flowchart TD
  Start["Workflow trigger"]
  Triggers{"Event type"}
  PushMain["push to main"]
  PushTag["push tag *"]
  PullRequest["pull_request to any branch"]

  JobStart["Start job build\n(runs-on ubuntu-latest)"]
  Auth["Authenticate to registry\n docker/login-action@v3\n uses REGISTRY, REGISTRY_USER, REGISTRY_TOKEN"]
  SetupBuildx["Setup Docker buildx\n docker/setup-buildx-action@v3"]
  Meta["Extract Docker metadata\n docker/metadata-action@v5\n images: REGISTRY/IMAGE_NAME\n labels: image.revision=SHA\n tags: edge, semver, sha"]
  BuildPush["Build Docker image\n docker/build-push-action@v6"]
  PushDecision{"Event is pull_request?"}
  SBOMProvenance["Set sbom/provenance flags"]
  End["Job finished"]

  Start --> Triggers
  Triggers -->|push main| PushMain
  Triggers -->|push tag| PushTag
  Triggers -->|pull_request| PullRequest

  PushMain --> JobStart
  PushTag --> JobStart
  PullRequest --> JobStart

  JobStart --> Auth --> SetupBuildx --> Meta --> SBOMProvenance
  SBOMProvenance --> PushDecision

  PushDecision -->|Yes, pull_request| BuildPush
  PushDecision -->|No, push main/tag| BuildPush

  BuildPush --> End

  %% Internal logic of BuildPush
  subgraph BuildPushConfig["docker/build-push-action@v6 configuration"]
    PRCheck{"github.event_name == pull_request"}
    SBOMFlag["sbom = (not PR)"]
    ProvFlag["provenance = (not PR)"]
    PushFlag["push = (not PR)"]
    LoadFlag["load = PR"]
    TagsLabels["tags, labels from meta.outputs"]
    CacheFrom["cache-from: type=gha"]
    CacheTo["cache-to: type=gha, mode=max"]
  end

  PushDecision --> PRCheck
  PRCheck --> SBOMFlag
  PRCheck --> ProvFlag
  PRCheck --> PushFlag
  PRCheck --> LoadFlag
  SBOMFlag --> TagsLabels
  ProvFlag --> TagsLabels
  PushFlag --> TagsLabels
  LoadFlag --> TagsLabels
  TagsLabels --> CacheFrom
  CacheFrom --> CacheTo

File-Level Changes

Change: Introduce a Docker build-and-publish GitHub Actions workflow triggered on pushes and pull requests.
Details:
  • Add Docker workflow triggered on tag and main branch pushes plus all pull requests
  • Define shared environment variables for registry hostname, image name based on repository, and commit SHA resolution for pushes and PRs
  • Configure a single build job running on ubuntu-latest with pull-request write permissions
Files: .github/workflows/Docker.yml

Change: Configure authentication and buildx for Docker builds in CI.
Details:
  • Authenticate to Docker registry using docker/login-action with registry URL and credentials from secrets
  • Set up Docker Buildx via docker/setup-buildx-action to enable advanced build features
Files: .github/workflows/Docker.yml

Change: Add metadata extraction and conditional Docker image build/push behavior.
Details:
  • Use docker/metadata-action to compute image tags and labels, including OCI revision label from SHA and tags for default branch, semantic versions, and short SHA
  • Use docker/build-push-action to build images with registry cache, enabling SBOM/provenance and push only for non-PR events, and load images instead of pushing on pull requests
Files: .github/workflows/Docker.yml

snyk-io bot commented Jan 18, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 3 issues, and left some high level feedback:

  • The workflow never checks out the repository, so docker/build-push-action will have nothing to build; add an actions/checkout step before the build.
  • In the Docker metadata step, branch=$repo.default_branch uses an undefined repo variable; replace this with an appropriate GitHub context value (for example from github or github.event.repository).
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The workflow never checks out the repository, so `docker/build-push-action` will have nothing to build; add an `actions/checkout` step before the build.
- In the Docker metadata step, `branch=$repo.default_branch` uses an undefined `repo` variable; replace this with an appropriate GitHub context value (for example from `github` or `github.event.repository`).

## Individual Comments

### Comment 1
<location> `.github/workflows/Docker.yml:33-34` </location>
<code_context>
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+      
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Extract metadata (tags, labels) for Docker
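Review bot: `uses: docker/setup-buildx-action@v3` references the action by a mutable major-version tag, so what runs in this job can change without any change to this file; pin it to a full commit SHA and keep the version in a trailing comment. The whitespace-only line `+      ` above the step should also be emptied.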
</code_context>

<issue_to_address>
**issue (bug_risk):** Repository is never checked out, so the Docker build context will be empty

Because this workflow never runs `actions/checkout`, `docker/build-push-action` will see an empty build context (its default `context: .` will only include the empty workspace). This can cause the build to fail or produce an empty image. Add a `- uses: actions/checkout@v4` step before setting up buildx.
</issue_to_address>

### Comment 2
<location> `.github/workflows/Docker.yml:26-31` </location>
<code_context>
+
+    steps:
+      # Authenticate to the container registry
+      - name: Authenticate to registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+      
+      - name: Setup Docker buildx
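Review bot: The `Authenticate to registry` step has no `if:` condition, so `secrets.REGISTRY_TOKEN` is passed to `docker/login-action@v3` on every event that starts this job, not only on the ones that publish an image. Restrict the step to publishing events (for example `if: github.event_name != 'pull_request'`) so the registry credential is only present when it is used, and scope the token to push access for this one repository.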
</code_context>

<issue_to_address>
**issue:** Logging into Docker Hub on pull_request runs will fail for forks due to unavailable secrets

Because this job runs on `pull_request` events, secrets like `REGISTRY_USER` and `REGISTRY_TOKEN` won’t be available for PRs from forks, so the login step will always fail there. If you only need to push on non-PR runs, consider adding a condition (e.g. `if: github.event_name != 'pull_request'`) or splitting the workflow so forked PRs build without attempting a registry login.
</issue_to_address>

### Comment 3
<location> `.github/workflows/Docker.yml:44-45` </location>
<code_context>
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ env.SHA }}
+          tags: |
+            type=edge,branch=$repo.default_branch
+            type=semver,pattern=v{{version}}
+            type=sha,prefix=,suffix=,format=short
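Review bot: On `type=sha,prefix=,suffix=,format=short`, the empty `prefix=` overrides the action's default `sha-` prefix and publishes a bare abbreviated commit hash as the image tag, which is hard to tell apart from other tag kinds and is less unique than the full hash. Keep the default prefix or use `format=long`, since the exact commit is already recorded in the `org.opencontainers.image.revision` label above.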
</code_context>

<issue_to_address>
**question (bug_risk):** The edge tag configuration references `$repo.default_branch`, which may not be a valid placeholder

`docker/metadata-action` examples use explicit branch names like `type=edge,branch=main`. It’s unclear whether `branch=$repo.default_branch` is a supported placeholder, so this may fail to resolve and break edge tagging. Please switch to the actual default branch name (e.g. `main`) or a documented expression that resolves the repo’s default branch.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
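
The first two findings in the review above (a build step with no checkout before it, and a registry login that also runs on pull requests) can be checked mechanically before merge. The following is an added example, not part of the pull request or of Sourcery's review: a line-based lint in Python run over a constructed workflow. The function names, finding labels and sample YAML are assumptions for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([\w./-]+)@")
IF_KEY = re.compile(r"^\s*(?:-\s+)?if:")

def split_steps(text):
    """Group the lines after 'steps:' into one list per step (line heuristic, not a YAML parser)."""
    steps, in_steps = [], False
    for line in text.splitlines():
        if line.strip() == "steps:":
            in_steps = True
        elif in_steps and line.lstrip().startswith("- "):
            steps.append([line])
        elif in_steps and steps and line.strip():
            steps[-1].append(line)
    return steps

def lint_workflow(text):
    """Return findings for the checkout and registry-login problems raised in the review."""
    triggers = text.split("jobs:", 1)[0]  # only the 'on:' part, not step conditions
    runs_on_pr = re.search(r"\bpull_request\b", triggers) is not None
    findings, seen_checkout = [], False
    for step in split_steps(text):
        action = next((m.group(1) for m in map(USES.match, step) if m), None)
        guarded = any(IF_KEY.match(line) for line in step)  # any 'if:' counts as a guard
        if action == "actions/checkout":
            seen_checkout = True
        elif action == "docker/build-push-action" and not seen_checkout:
            findings.append("build-without-checkout")
        elif action == "docker/login-action" and runs_on_pr and not guarded:
            findings.append("registry-login-on-pull-request")
    return findings

# Constructed samples (not the repository's file): BEFORE mirrors the quoted steps, AFTER applies the fixes.
BEFORE = """\
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@v3
        with:
          password: ${{ secrets.REGISTRY_TOKEN }}
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
"""
AFTER = BEFORE.replace(
    "      - uses: docker/login-action@v3\n",
    "      - uses: actions/checkout@v4\n      - uses: docker/login-action@v3\n"
    "        if: github.event_name != 'pull_request'\n")
```

`lint_workflow(BEFORE)` reports both findings and `lint_workflow(AFTER)` reports none; the lint treats any `if:` on the login step as a guard and does not evaluate the condition itself.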

@Dargon789 Dargon789 merged commit c0d68f0 into master Jan 18, 2026
11 of 15 checks passed
@Dargon789 Dargon789 deleted the Dargon789-patch-1 branch January 18, 2026 10:18
@Dargon789 Dargon789 linked an issue Jan 18, 2026 that may be closed by this pull request

Development

Successfully merging this pull request may close these issues.

# Class diagram for new explicit session config utilities
