
Refactor container workflows to use dynamic registry and repository owner#10

Merged
ypriverol merged 2 commits intodevfrom
claude/review-quantms-pr-P0aD2
Apr 10, 2026

Conversation


@ypriverol ypriverol commented Apr 10, 2026

Summary

This PR refactors the quantms-containers GitHub Actions workflow to use dynamic registry and repository owner variables instead of hardcoded values. This enables the workflow to be more flexible and work across different organizations and registries.

Key Changes

  • Added environment variable for registry: Introduced REGISTRY: ghcr.io as a workflow-level environment variable for consistency
  • Dynamic repository owner: Replaced all hardcoded bigbio references with ${{ github.repository_owner }} to support forked repositories and different organizations
  • Improved authentication: Updated login credentials to use ${{ github.repository_owner }} instead of ${{ github.actor }} and switched from custom GHCR_TOKEN to standard ${{ secrets.GITHUB_TOKEN }}
  • Enhanced Singularity setup: Replaced inline apt-get installation with dedicated eWaterCycle/setup-singularity@v7 action for better reliability and maintainability
  • Improved step naming: Added descriptive names to all workflow steps for better readability and debugging
  • Better Singularity authentication: Updated Singularity login to use singularity remote login command with piped token instead of environment variables
  • Added repository owner guards: Added github.repository_owner == 'bigbio' conditions to build-relink and sync-openms jobs to prevent unauthorized pushes
  • Enhanced error handling: Added success and failure notification steps in the build-diann job
  • Improved file handling: Updated Singularity conversion to use context-specific filenames instead of generic image.tar

Notable Implementation Details

  • The workflow now supports running in forked repositories while maintaining security by restricting certain operations to the original bigbio organization
  • All container image references now dynamically resolve to the appropriate registry and repository owner
  • Singularity setup is now more robust using a dedicated GitHub Action instead of system package installation
  • Step names are now more descriptive and follow a consistent naming convention for better workflow visibility

https://claude.ai/code/session_01UFH8ge5154Z8q4DCEbQCTX

Summary by CodeRabbit

  • Chores
    • Updated container build workflow for improved flexibility and dynamic registry handling
    • Streamlined Singularity container setup and conversion process
    • Enhanced build status notifications for better visibility into container build outcomes

- Fix critical bug: push condition used broken input comparison that
  would push images on pull_request events. Restored safe guard:
  github.event_name != 'pull_request' (build always, push only on merge)
- Remove dead code: unused metadata-action step, date tag step,
  RETRY_TIMES/RETRY_DELAY env vars, and IMAGE_NAME/SINGULARITY_IMAGE_NAME
- Standardize Docker login to use github.repository_owner across all jobs
- Standardize Singularity install (eWaterCycle/setup-singularity@v7) and
  auth (singularity remote login --password-stdin) across all jobs,
  replacing fragile apt-get || true and env-var-based auth
- Replace all hardcoded bigbio refs in push URIs with github.repository_owner
- Remove redundant docker pull (image already loaded via load: true)

https://claude.ai/code/session_01UFH8ge5154Z8q4DCEbQCTX
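As an added illustration of the pattern this PR moves toward (not code from the quantms-containers workflow itself, and not written by the PR author): a minimal job that combines the workflow-level `REGISTRY` variable, `github.repository_owner` in image references, the event-based push gate, the `bigbio` owner guard, and a token handed to the Singularity login through the step's `env:` block instead of being expanded into the script text. The job id, the matrix value `diann`, the image tag, and the `dev` branch filter are assumptions; the actions referenced (`docker/login-action@v3`, `docker/build-push-action@v5`, `eWaterCycle/setup-singularity@v7`) exist with the inputs shown.

```yaml
# Added example workflow (assumed names; not the quantms-containers file).
name: container-example

on:
  push:
    branches: [dev]        # assumed: publish only from the base branch
  pull_request:            # build only, never push
  workflow_dispatch:

env:
  REGISTRY: ghcr.io        # single source of truth for the registry host

permissions:
  contents: read
  packages: write          # lets GITHUB_TOKEN push to GHCR

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        context: [diann]   # assumed matrix value
    env:
      IMAGE: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.context }}:latest
    steps:
      - uses: actions/checkout@v4

      # Docker login with the actor's GITHUB_TOKEN; skipped on pull_request,
      # where the token is read-only for forks anyway.
      - name: Log in to ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build on every event; push only when this is not a pull request.
      - name: Build ${{ matrix.context }} (push only outside pull_request)
        uses: docker/build-push-action@v5
        with:
          context: ./${{ matrix.context }}
          load: true
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ env.IMAGE }}

      - name: Set up Singularity
        uses: eWaterCycle/setup-singularity@v7

      # Context-specific filenames instead of a generic image.tar.
      - name: Convert Docker image to SIF
        env:
          CONTEXT: ${{ matrix.context }}
        run: |
          docker save "$IMAGE" -o "${CONTEXT}.tar"
          singularity build "${CONTEXT}.sif" "docker-archive://${CONTEXT}.tar"
          ls -l "${CONTEXT}.sif"

      # The token reaches the shell as an environment variable, not as a
      # literal in the command line, and the push is restricted to the
      # upstream organization so forks can build without publishing.
      - name: Singularity login and push
        if: github.event_name != 'pull_request' && github.repository_owner == 'bigbio'
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.actor }}
          OWNER: ${{ github.repository_owner }}
          CONTEXT: ${{ matrix.context }}
        run: |
          printf '%s' "$GHCR_TOKEN" | singularity remote login -u "$ACTOR" --password-stdin "oras://${REGISTRY}"
          singularity push "${CONTEXT}.sif" "oras://${REGISTRY}/${OWNER}/${CONTEXT}:latest"
```

Workflow-level `env` values such as `REGISTRY` are exported into every `run` step's environment, which is why the scripts can read `$REGISTRY` directly while the `with:` inputs use `${{ env.REGISTRY }}`.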

coderabbitai bot commented Apr 10, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

The workflow configuration was refactored to use dynamic registry namespacing (github.repository_owner instead of hardcoded bigbio), centralized registry environment variables, switched container authentication to GITHUB_TOKEN with github.repository_owner, replaced inline OS package installation with a Singularity setup action, and added job-gating conditions and build notifications.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Registry and Namespace Configuration (.github/workflows/quantms-containers.yml) | Centralized env.REGISTRY to ghcr.io and updated all image/tag references to use dynamic ${{ github.repository_owner }} namespace instead of hardcoded bigbio across DIA-NN, Relink, and OpenMS jobs. |
| Container Registry Authentication (.github/workflows/quantms-containers.yml) | Replaced github.actor + secrets.GHCR_TOKEN with github.repository_owner + secrets.GITHUB_TOKEN for login steps in build-diann, build-relink, and sync-openms jobs. |
| Singularity Setup and Conversion (.github/workflows/quantms-containers.yml) | Replaced inline OS package installation with eWaterCycle/setup-singularity@v7 action; refactored conversion to save Docker layers to tar file, build .sif from tar, and verify output via ls. |
| Job Gating and Notifications (.github/workflows/quantms-containers.yml) | Added repository owner gating condition (github.repository_owner == 'bigbio') to build-relink and sync-openms jobs; added success/failure notification steps to build-diann job. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • PR #5: Overlaps with this PR on registry configuration, namespace migration to github.repository_owner, GITHUB_TOKEN authentication, and Singularity setup refactoring in the same workflow file.

Poem

🐰 A workflow springs forth, with registry care,
Where github.repository_owner floats through the air!
No hardcoded paths in the bigbio past—
With Singularity's setup and tokens so fast,
The containers now dance at the pull of a gate. 🎭

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately summarizes the main refactoring objective: replacing hardcoded registry and repository owner values with dynamic variables throughout the container workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@ypriverol ypriverol changed the base branch from main to dev April 10, 2026 06:40
@ypriverol ypriverol requested review from Copilot and enryH April 10, 2026 06:41

Copilot AI left a comment


Pull request overview

Refactors the quantms-containers GitHub Actions workflow to reduce hardcoded GHCR/org values by introducing a workflow-level registry variable and using the repository owner dynamically, while also updating Singularity setup/auth steps.

Changes:

  • Introduces a workflow-level REGISTRY env var and replaces hardcoded org/repo references with ${{ github.repository_owner }} in multiple image operations.
  • Updates container publish/auth flows to rely on ${{ secrets.GITHUB_TOKEN }} and uses eWaterCycle/setup-singularity@v7 instead of inline package installs.
  • Adds/adjusts job guards and refactors Docker→Singularity conversion/push steps.


Comment thread .github/workflows/quantms-containers.yml Outdated
Comment on lines 132 to 137
- name: Build and Push DiaNN ${{ matrix.context }} image
uses: docker/build-push-action@v5
with:
context: ./${{ matrix.context }}
push: ${{ (github.event.inputs.push_images == true || github.event.inputs.push_images == '') }}
push: ${{ github.event_name != 'pull_request' }}
load: true
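Review bot: the new `push: ${{ github.event_name != 'pull_request' }}` publishes on every non-PR event, so a push to any branch and a manual `workflow_dispatch` run will both push images, not only a merge as the commit message ("build always, push only on merge") intends; if that is the goal, gate on the ref as well, e.g. `push: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/dev' }}`. The removed expression was indeed unsafe: `github.event.inputs.push_images` is unset on pull_request events, so the `== ''` branch evaluated true and a PR build could push.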
Comment on lines 164 to 170
- name: Login and Deploy Container
if: ${{ (github.event.inputs.push_images == true || github.event.inputs.push_images == '') }}
if: github.event_name != 'pull_request'
run: |
echo ${{ secrets.GITHUB_TOKEN }} | singularity remote login -u ${{ github.actor }} --password-stdin oras://ghcr.io
echo ${{ secrets.GITHUB_TOKEN }} | singularity remote login -u ${{ github.repository_owner }} --password-stdin oras://ghcr.io

# Push with version tag
singularity push ${{ matrix.context }}.sif oras://${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.sif }}
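Review bot: the login line hardcodes `oras://ghcr.io` while the push on the next line resolves `${{ env.REGISTRY }}`, so a future change to the env var would log in to one registry and push to another; use `oras://${{ env.REGISTRY }}` in the login as well. The username switch from `github.actor` to `github.repository_owner` is reversed again by the later commit message on this PR ("secrets.GITHUB_TOKEN is scoped to the workflow actor, so the login username must match"), so the two commits should be reconciled into one final form before merge. Moving the `if:` to `github.event_name != 'pull_request'` matches the build step's push gate, which keeps Docker and Singularity publication in step.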
Comment on lines 234 to 236
run: |
sudo apt-get update && sudo apt-get install -y singularity-container || true
docker save ${{ matrix.tag }} -o image.tar
singularity build image.sif docker-archive://image.tar
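Review bot: `sudo apt-get install -y singularity-container || true` swallows an install failure, so when the package is unavailable the step continues and `singularity build` fails one line later with a misleading "command not found"; replacing it with a dedicated setup action, as this PR does, is the right fix, and any remaining `|| true` on tooling installs should go with it. The generic `image.tar` / `image.sif` names only avoid collisions because each matrix job runs on its own runner; the context-specific names already used in the DIA-NN job are the safer convention if these steps are ever consolidated into one job.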
Comment on lines 275 to +277
docker pull ghcr.io/openms/openms-tools-thirdparty:latest
docker tag ghcr.io/openms/openms-tools-thirdparty:latest ghcr.io/bigbio/openms-tools-thirdparty:${{ env.OPENMS_VERSION }}
docker push ghcr.io/bigbio/openms-tools-thirdparty:${{ env.OPENMS_VERSION }}
docker tag ghcr.io/openms/openms-tools-thirdparty:latest ghcr.io/${{ github.repository_owner }}/openms-tools-thirdparty:${{ env.OPENMS_VERSION }}
docker push ghcr.io/${{ github.repository_owner }}/openms-tools-thirdparty:${{ env.OPENMS_VERSION }}
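Review bot: the pull still fetches `ghcr.io/openms/openms-tools-thirdparty:latest` and then tags it as `${{ env.OPENMS_VERSION }}`, so the version tag published under `github.repository_owner` is whatever `latest` happened to be at run time, with nothing checking that it is that version. Pull the upstream image by its version tag or by digest (`@sha256:...`) so the mirrored tag is reproducible and cannot silently change between runs. The upstream host `ghcr.io` on these lines is also still hardcoded while the PR introduces `env.REGISTRY`; if the source registry is meant to stay fixed, a short comment saying so would prevent a later "fix".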
Comment on lines 291 to +293
run: |
sudo apt-get update && sudo apt-get install -y singularity-container || true
export SINGULARITY_DOCKER_USERNAME=${{ github.actor }}
export SINGULARITY_DOCKER_PASSWORD=${{ secrets.GITHUB_TOKEN }}
echo ${{ secrets.GITHUB_TOKEN }} | singularity remote login -u ${{ github.repository_owner }} --password-stdin oras://ghcr.io
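Review bot: the added line expands `${{ secrets.GITHUB_TOKEN }}` straight into the `run` script, so the token becomes part of the shell command line (visible in process listings on the runner and subject to shell word splitting) rather than staying an environment variable; pass it through the step's `env:` block and reference it as `"$GHCR_TOKEN"`, e.g.
`env:`
`  GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`
`run: echo "$GHCR_TOKEN" | singularity remote login -u ... --password-stdin oras://ghcr.io`
The same applies to the matching Singularity login in the DIA-NN job. The removed `export SINGULARITY_DOCKER_*` lines had the same expansion issue, so this hunk changes the mechanism without hardening it; the `apt-get ... || true` line shown above also still masks install failures if it survives the move to the setup action.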

secrets.GITHUB_TOKEN is scoped to the workflow actor, so the login
username must match. Using github.repository_owner causes 401 errors
when the actor differs from the owner (e.g. collaborators, bots).

Applies to all 3 Docker logins and all 3 Singularity logins.

https://claude.ai/code/session_01UFH8ge5154Z8q4DCEbQCTX
@ypriverol ypriverol merged commit df0d2ba into dev Apr 10, 2026
1 check passed