@Thegaram Thegaram commented Sep 16, 2025

Since this workflow can be triggered manually (workflow_dispatch), it needs to be added to the default branch.

Summary by CodeRabbit

  • Chores
    • Introduced a new workflow to build and publish Docker images on demand, improving release reliability and consistency.
    • Supports manual triggers to create images from the current commit, enhancing traceability of builds.
    • Streamlines the deployment pipeline by automating authentication, build, and push steps.
    • No user-facing changes; this update improves operational efficiency and release management.

coderabbitai bot commented Sep 16, 2025

Walkthrough

Introduces a new GitHub Actions workflow (.github/workflows/cloak.yml) that can be manually triggered to build and push a Docker image to Docker Hub. It checks out the repo, logs into Docker Hub, derives an 8-char short SHA, and uses docker/build-push-action to build/push linux/amd64 images tagged with the short SHA.

Changes

Cohort / File(s) Summary
CI workflow: Docker build and push
.github/workflows/cloak.yml
Adds “Cloak Docker” workflow triggered via workflow_dispatch. Job builds and pushes Docker image to Docker Hub. Steps: checkout, Docker Hub login (secrets), compute 8-char SHA output, build and push via docker/build-push-action for linux/amd64 with tag scrolltech/cloak-l2geth:${{ steps.vars.outputs.sha8 }}.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant GH as GitHub Actions (Cloak Docker)
    participant DH as Docker Hub Registry

    Dev->>GH: Trigger workflow_dispatch
    GH->>GH: Checkout repository
    GH->>DH: Login with Docker Hub credentials (secrets)
    GH->>GH: Derive short SHA (8 chars)
    GH->>DH: Build & push image (linux/amd64)<br/>tag: scrolltech/cloak-l2geth:<sha8>
    DH-->>GH: Image stored and tag created

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitched my whiskers at the docker breeze,
Packed up bytes like carrots with ease.
A tiny SHA upon the tag I drew,
Then hopped to Hub with something new.
“Ship it!” thumped my fluffy feet—
Cloaked, compiled, container complete.


Pre-merge checks

❌ Failed checks (1 warning)
Check name: Description Check
Status: ⚠️ Warning
Explanation: The PR description is a single sentence and does not follow the repository's required template. It lacks a filled "1. Purpose or design rationale" section, does not confirm the PR title uses a conventional-commit type, and omits the deployment tag versioning and breaking-change checkbox answers required by the template. It also omits operational details reviewers need such as Docker image name/tagging, required secrets/permissions, and the justification for adding the workflow to the default branch.
Resolution: Please update the PR description to follow the repository template: provide a complete "Purpose or design rationale" explaining what the workflow does and why it must be on the default branch, present the PR title in conventional-commit format (e.g., "ci: add cloak build workflow"), and answer the deployment tag versioning and breaking-change checkboxes. Also include operational and security details reviewers need such as the Docker image name and tag pattern, the secrets and permissions required, and any release/rollback considerations.
✅ Passed checks (2 passed)
Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changes. Docstring coverage check skipped.

Check name: Title Check
Status: ✅ Passed
Explanation: The title "ci: add cloak build workflow" accurately and concisely describes the primary change (adding a CI workflow to build/push the Cloak Docker image), uses the conventional "ci:" scope, and is clear for reviewers scanning history.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (3)
.github/workflows/cloak.yml (3)

15-15: Good: persist-credentials: false mitigates token persistence.

This addresses the prior GHAS finding about credential persistence. Nice.


12-16: Pin actions/checkout to a commit SHA (supply‑chain hardening).

actions/checkout@v4 is an unpinned version tag. Pin to the v4.2.2 commit SHA. (github.com)

Apply this diff:

-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
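Review bot: before merging this pin, confirm that 11bd71901bbe5b1630ceea73d27597364c9af683 really is v4.2.2 with `git ls-remote --tags https://github.com/actions/checkout v4.2.2` (the `^{}` peeled entry is the commit); the `# v4.2.2` trailer is a human-readable hint that Dependabot or Renovate use to bump the pin, not something the runner verifies. The Docker Hub login step in this file should get the same treatment, as docker/build-push-action already has elsewhere in this workflow.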

9-10: Fix GITHUB_TOKEN permissions (checkout will lack contents:read).

When you declare a permissions block, unspecified scopes default to none. With permissions: {}, actions/checkout may fail to read the repo. Set the minimal contents: read. (docs.github.com)

Apply this diff:

     runs-on: ubuntu-latest
-    permissions: {}
+    permissions:
+      contents: read
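Review bot: `contents: read` is the correct floor for this job: the push goes to Docker Hub with the repository secrets, so GITHUB_TOKEN needs no write scope, and with `persist-credentials: false` on the checkout step the read-only token does not linger in `.git/config` either. Declare the block explicitly so the job stays on the least-privilege token even if `permissions: {}` happens to clone a public repository successfully.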
🧹 Nitpick comments (5)
.github/workflows/cloak.yml (5)

27-33: Enable SBOM/provenance and registry build cache for better security/perf.

Add SBOM/provenance attestation and a registry cache to speed rebuilds. (docs.docker.com)

Apply this diff:

       - name: Build and Push Docker image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           platforms: linux/amd64
           push: true
-          tags: scrolltech/cloak-l2geth:${{ steps.vars.outputs.sha8 }}
+          tags: scrolltech/cloak-l2geth:${{ steps.vars.outputs.sha8 }}
+          sbom: true
+          provenance: true
+          cache-from: type=registry,ref=scrolltech/cloak-l2geth:buildcache
+          cache-to: type=registry,ref=scrolltech/cloak-l2geth:buildcache,mode=max
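Review bot: the `tags:` line is removed and re-added unchanged, so the real change is the four new keys. `cache-to` with `mode=max` exports the layers of every build stage, builder stages included, to `scrolltech/cloak-l2geth:buildcache`; if that Docker Hub repository is public, anything a builder stage copies in becomes pullable, so either confirm the Dockerfile never stages sensitive files or point the cache at a private repository. `sbom: true` and `provenance: true` turn the pushed tag into an image index with extra attestation manifests (Docker Hub lists them as unknown/unknown), which plain `docker pull` handles fine but tooling that expects a single-platform manifest may not.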

23-26: Nit: step name doesn’t match behavior.

This extracts a short SHA, not a “digest.” Consider renaming.

Apply this diff:

-      - name: Extract commit digest
+      - name: Extract short SHA
         id: vars
         run: echo "sha8=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
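Review bot: the rename is right, and two small things while touching the step: quote the redirect target (`>> "$GITHUB_OUTPUT"`), and remember that under workflow_dispatch `GITHUB_SHA` is the tip of whichever branch or tag the dispatcher selected, so the 8-character tag identifies that commit rather than the default branch.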

6-8: Optional: add a job timeout.

Prevents hung builds from tying up runners.

Apply this diff:

   docker:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
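Review bot: pick the limit from a measured cold build rather than a round number; the default is 360 minutes, and a value below the uncached build time turns every cache miss into a failed run instead of a slow one.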

27-33: Optional: clearer tag prefix.

Prefixing the SHA tag avoids collisions with future semantic tags.

Apply this diff:

-          tags: scrolltech/cloak-l2geth:${{ steps.vars.outputs.sha8 }}
+          tags: scrolltech/cloak-l2geth:sha-${{ steps.vars.outputs.sha8 }}
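Review bot: the `sha-` prefix also matches the default `type=sha` naming of docker/metadata-action, so a later move to that action keeps the scheme; and since this workflow is new in this PR, nothing yet pulls `scrolltech/cloak-l2geth:<sha8>`, which makes now the cheapest time to settle the tag format.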

6-7: Optional: add concurrency to avoid overlapping pushes per ref.

Prevents two manual runs for the same ref from racing.

Apply this diff:

 on:
   workflow_dispatch:
 
+concurrency:
+  group: cloak-${{ github.ref }}
+  cancel-in-progress: true
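Review bot: with `cancel-in-progress: true` a second dispatch on the same ref aborts the first run mid-push, and since `workflow_dispatch:` here takes no inputs the group key is just the branch or tag selected in the dispatch dialog. Because the tag is derived from the commit SHA, two runs for the same ref push the same tag anyway, so `cancel-in-progress: false` (queue and let the first finish) wastes nothing, avoids interrupting a push, and still serializes pushes per ref.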
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between afbbad7 and 257022c.

📒 Files selected for processing (1)
  • .github/workflows/cloak.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: test
  • GitHub Check: Analyze (go)

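An added example, not part of this PR or the scroll-tech repository, that automates the pin check raised in the review above: a POSIX shell function that lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The sample workflow it scans is constructed for the example; the `docker/login-action` name and the local action path in it are assumptions, while the `docker/build-push-action` pin is the one shown in the review.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): flag GitHub Actions
# `uses:` references that point at a mutable tag or branch instead of a full
# 40-hex commit SHA. A tag like @v4 can be moved to new code by whoever controls
# the action repository; a commit SHA cannot.

# unpinned_uses FILE
#   Prints "<line>:<ref>" for each action reference that is not SHA-pinned.
#   Returns 0 when every reference is pinned, 1 otherwise.
unpinned_uses() {
    awk '
        /^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*/ {
            ref = $0
            sub(/^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*/, "", ref)  # keep only the value
            sub(/[[:space:]]*#.*$/, "", ref)                                 # drop "# vX.Y.Z" trailers
            gsub(/"/, "", ref)                                               # tolerate quoted values
            if (ref ~ /^\.\//) next     # local actions (./path) carry no version; nothing to pin
            n = split(ref, parts, "@")
            version = (n >= 2) ? parts[n] : ""
            # A pin is exactly 40 lowercase hex characters; anything else is mutable.
            if (!(length(version) == 40 && version ~ /^[0-9a-f]+$/)) {
                print NR ":" ref
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample workflow for the demonstration. docker/login-action and the
# local action path are assumptions; the build-push-action pin is the one from the review.
SAMPLE_WORKFLOW=$(mktemp)
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: sample (constructed)
on:
  workflow_dispatch:
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to Docker Hub
        uses: docker/login-action@v3
      - name: Build and Push Docker image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
      - uses: ./.github/actions/local-helper
EOF

if unpinned_uses "$SAMPLE_WORKFLOW"; then
    echo "all action references are SHA-pinned"
else
    echo "unpinned action references found (listed above)"
fi
```

Run it against a real file with `unpinned_uses .github/workflows/cloak.yml` in a pre-commit hook or a CI job; a non-zero exit blocks the merge until every third-party action carries a commit SHA. The check deliberately treats short SHAs as unpinned, because a 7- or 8-character prefix is not what the runner resolves.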
@Thegaram Thegaram changed the title add cloak build workflow ci: add cloak build workflow Sep 16, 2025
@Thegaram Thegaram merged commit 10b0905 into develop Sep 16, 2025
14 checks passed
@Thegaram Thegaram deleted the feat-cloak-docker-action branch September 16, 2025 14:57