build(actions): AS-771 build internal images for vuln scannings

[afoley587]

What changes are proposed in this pull request?

We perform vulnerability assessments on our images. We can perform a weekly build off of develop for OSS to bring these images under our scanning window.

This action will build an internal only image on Thursday mornings (4AM) which we can then include in our vulnerability reports. This action will only build a python3.11, AMD64 image. The multiple python / multiple platform versions are reserved for releases.

Image tags will look like fiftyone:1.7.0-abc123-python3.11-20250716 which indicates this was based on version 1.7 / git hash of abc123, python 3.11, and built on 07/16/2025.

How is this patch tested? If it is not, please explain why.

This will be tested via GHA.

Release Notes

Is this a user-facing change that should be mentioned in the release notes?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release
  notes for FiftyOne users.

(Details in 1-2 sentences. You can just refer to another PR with a description
if this PR is part of a larger change.)

What areas of FiftyOne does this PR affect?

• App: FiftyOne application changes
• Build: Build and test infrastructure changes
• Core: Core fiftyone Python library changes
• Documentation: FiftyOne documentation changes
• Other

Summary by CodeRabbit

• Chores
  • Added a new automated workflow to build and push internal Docker images weekly or on demand, including generation of a software bill of materials (SBOM).
  • Updated repository ownership rules to include the GitHub configuration directory.

[coderabbitai]

Walkthrough

A new GitHub Actions workflow is added to automate building and pushing internal Docker images for security scanning. The workflow supports manual and scheduled triggers, authenticates with Google Cloud, sets up necessary build environments, builds the Docker image using project-specific arguments, and pushes the image to the internal Google Cloud Artifact Registry. Additionally, the .github/ directory is now owned by the @voxel51/aloha-shirts team via an update to the CODEOWNERS file.

Changes

File(s)	Change Summary
.github/workflows/build-docker-internal.yml	Added new workflow for building and pushing internal Docker images to Google Cloud Artifact Registry.
.github/CODEOWNERS	Added ownership of the .github/ directory to the @voxel51/aloha-shirts team.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub Actions
    participant Google Cloud
    participant Docker Registry

    Developer->>GitHub Actions: Trigger workflow (manual or scheduled)
    GitHub Actions->>GitHub Actions: Checkout repository
    GitHub Actions->>Google Cloud: Authenticate (Workload Identity/Secrets)
    GitHub Actions->>GitHub Actions: Set up Google Cloud SDK and Docker auth
    GitHub Actions->>GitHub Actions: Extract build metadata (version, SHA, date)
    GitHub Actions->>GitHub Actions: Set up Docker Buildx
    GitHub Actions->>Docker Registry: Build and push Docker image with tags
    GitHub Actions->>Docker Registry: Generate and push SBOM

Loading

Poem

🐇
In the warren, code does churn,
A Docker build, it’s now our turn!
With clouds and tags and secrets tight,
Images rise before the light.
Thursday dawns, the job runs through—
Security checked, as rabbits do!
🥕

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56a8987 and 1313df8.

📒 Files selected for processing (1)

• .github/CODEOWNERS (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .github/CODEOWNERS

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

.github/workflows/build-docker-internal.yml (4)

22-23: Add a concurrency block to avoid overlapping weekly builds

A long-running manual build kicked off shortly before the cron job will cause two identical image pushes.
Including a concurrency group (e.g. concurrency: build-internal-image) with cancel-in-progress: true prevents that race.

---

35-35: Harden Docker auth step against region typos

gcloud auth configure-docker "${{ env.GCP_LOCATION }}-docker.pkg.dev" fails silently if the location is wrong.
A quick set -euo pipefail or explicit gcloud artifacts repositories list --location="$GCP_LOCATION" check can fail fast and save minutes of CI time.

---

44-46: Leverage Buildx cache to cut repeated build time

Adding cache-from / cache-to with the same registry significantly speeds this weekly job with negligible cost.

Example:

      - name: Build and push internal image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.GCP_LOCATION }}-docker.pkg.dev/.../fiftyone:cache
          cache-to:   type=registry,ref=${{ env.GCP_LOCATION }}-docker.pkg.dev/.../fiftyone:cache,mode=max

---

54-58: Remove trailing spaces to satisfy YAML-lint

Line 55 is flagged by YAML-lint (trailing-spaces).
Strip the extra space after scanning. to keep CI green.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 67f9846 and 14bb14e.

📒 Files selected for processing (1)

• .github/workflows/build-docker-internal.yml (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: kevin-dimichel
PR: voxel51/fiftyone#5173
File: .github/workflows/build-docs.yml:54-54
Timestamp: 2024-11-21T20:59:53.855Z
Learning: The `RO_FOT_FG_PAT` token used in `.github/workflows/build-docs.yml` has the necessary permissions to checkout the `voxel51/fiftyone-teams` repository.

.github/workflows/build-docker-internal.yml (1)

Learnt from: kevin-dimichel
PR: voxel51/fiftyone#5173
File: .github/workflows/build-docs.yml:54-54
Timestamp: 2024-11-21T20:59:53.855Z
Learning: The `RO_FOT_FG_PAT` token used in `.github/workflows/build-docs.yml` has the necessary permissions to checkout the `voxel51/fiftyone-teams` repository.

🪛 YAMLlint (1.37.1)

.github/workflows/build-docker-internal.yml

[error] 55-55: trailing spaces

(trailing-spaces)

🔇 Additional comments (2)

.github/workflows/build-docker-internal.yml (2)

4-6: Cron schedule runs in UTC — confirm it matches the intended 04:05 local time

GitHub Actions interprets cron expressions in UTC.
If the 04:05 schedule is meant to be US-central time (or any other TZ), it will actually fire at a different local hour. Consider adding a comment clarifying the UTC intent or switching to a workflow-dispatch plus a separate, time-zone–aware scheduler.

---

61-62: Guard against unsafe characters sneaking into the tag

If fo_version ever contains a pre-release suffix (e.g. 1.8.0-beta), Docker will happily accept it, but downstream scanners sometimes choke on multiple dashes. Consider normalising or URL-encoding the tag components.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

.github/workflows/build-docker-internal.yml (1)

38-43: Parsing VERSION remains fragile – see previous review
The earlier suggestion to replace the grep | awk chain with a small Python snippet (or python -m setup --version) hasn’t been incorporated, so the command will still break on minor formatting changes or single-quotes.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14bb14e and 4968b04.

📒 Files selected for processing (1)

• .github/workflows/build-docker-internal.yml (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: kevin-dimichel
PR: voxel51/fiftyone#5173
File: .github/workflows/build-docs.yml:54-54
Timestamp: 2024-11-21T20:59:53.855Z
Learning: The `RO_FOT_FG_PAT` token used in `.github/workflows/build-docs.yml` has the necessary permissions to checkout the `voxel51/fiftyone-teams` repository.

.github/workflows/build-docker-internal.yml (1)

Learnt from: kevin-dimichel
PR: voxel51/fiftyone#5173
File: .github/workflows/build-docs.yml:54-54
Timestamp: 2024-11-21T20:59:53.855Z
Learning: The `RO_FOT_FG_PAT` token used in `.github/workflows/build-docs.yml` has the necessary permissions to checkout the `voxel51/fiftyone-teams` repository.

🪛 YAMLlint (1.37.1)

.github/workflows/build-docker-internal.yml

[error] 55-55: trailing spaces

(trailing-spaces)