ci: build expirable images for pull-requests

[mangelajo]

This PR enables the creation of a pr- tagged set of images in quay for each PR, those expire after a week.

The images are only built if the "build-pr-images" is applied. This avoid unnecessary builds, CO2 and wasted storage space in quay.

Summary by CodeRabbit

• Chores
  • CI workflow updated to run image build/push for pull requests and main/release branches, increasing validation coverage.
  • PR builds gated by a label to control when preview images are produced.
  • Pull-request-aware image tagging and expiry metadata added so PR preview images are identifiable and short-lived.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds pull_request as a workflow trigger and updates the Docker build-and-push flow to detect PRs, produce PR-derived tags/metadata (including expiry labels), and conditionally run PR builds only when labeled accordingly.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow \.github/workflows/build-images.yaml	Added pull_request trigger; broadened PUSH condition to include PRs from the same repo; gated image build/push for PRs by label; added PR-specific metadata outputs (type=ref,event=pr,prefix=pr-) and quay.expires-after label; adjusted tag selection to prefer PR-derived tags when event is a PR.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub Event
    participant Actions as GitHub Actions
    participant Meta as Tag/Meta Step
    participant Builder as docker/build-push
    participant Registry as Container Registry

    GitHub->>Actions: push or pull_request event
    Actions->>Actions: evaluate PUSH/gate conditions (include PR head repo & label)
    Actions->>Meta: extract metadata (use PR data when event=pr)
    Meta-->>Actions: outputs.tags, outputs.meta (including quay.expires-after)
    Actions->>Builder: build with selected tags and metadata
    Builder->>Registry: push image(s) and labels
    Registry-->>Actions: push status

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• jumpstarter-dev/jumpstarter#410: Modifies CI tag-generation and Docker build-push steps; closely related to PR-aware tag handling here.
• jumpstarter-dev/jumpstarter#422: Adjusts workflow tagging/branch logic for release-* and push conditions; overlaps with trigger/branch changes in this PR.

Poem

🐰 I hopped into CI with a tiny cheer,
PR tags and expiry now whisper clear,
Builds will wait for a label's wink,
Then prance to the registry in a blink,
Carrots for tags—and a flourish of cheer! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'ci: build expirable images for pull-requests' directly and clearly describes the main change: enabling CI to build expirable Docker images for pull requests with automatic expiry labels.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch build-prs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[bennyz]

can we trigger deletion when the PR is closed (merged or otherwise)?

[mangelajo]

can we trigger deletion when the PR is closed (merged or otherwise)?

Probably, but it would require additional work :)

that would be better since as long as the PR is up, the image would be up..

[mangelajo]

nice! :D

[mangelajo]

let me rebase

[bennyz]

@mangelajo what does this do? 😄

[mangelajo]

Sorry, that should not be added, removing

It's from a tool I use with cursor but it's supposed to be a local "issue" tracker to organize work, should not be posted here (at least for our workflow, may be other people will commit it)

[mangelajo]

Done

[mangelajo]

not done.. why is it still here.. hmmm

[mangelajo]

bd had a git pre-commit hook installed 🤦

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/build-images.yaml:
- Around line 17-18: The PUSH environment boolean allows PR runs from forks
because it only checks github.repository_owner and event type; update the
env.PUSH expression so PR-triggered runs are allowed only when the PR head repo
is the same repo (i.e., not a fork). Edit the env.PUSH value (symbol: env.PUSH)
to include an extra clause that, for github.event_name == 'pull_request',
requires github.event.pull_request.head.repo.full_name == github.repository (so
secrets like secrets.QUAY_TOKEN used later during the login step are only used
for same-repo PRs); keep the existing main/tag/release checks unchanged.

🧹 Nitpick comments (1)

.github/workflows/build-images.yaml (1)

126-129: Avoid emitting an empty quay.expires-after label on non‑PR builds.

The current code produces quay.expires-after= (empty value) on non-PR events, and docker/metadata-action does not auto-drop labels with empty values—they are included in the output as-is. To omit the label entirely when not a PR, conditionally construct the entire labels: input.

♻️ Suggested refactor

-          labels: |
-            quay.expires-after=${{ github.event_name == 'pull_request' && '7d' || '' }}
+          labels: ${{ github.event_name == 'pull_request' && 'quay.expires-after=7d' || '' }}