docs(deployment): fix GitLab CI example - pin docker version, add registry login#214
docs(deployment): fix GitLab CI example - pin docker version, add registry login#214andrerfneves wants to merge 1 commit into
Conversation
…istry login The GitLab CI example used unversioned `docker:latest` and `docker:dind` images (security anti-pattern) and was missing a Docker registry login step, which means the `docker push` command would fail with authentication errors. Changes: - Pin `docker:latest` → `docker:27.2.0` (specific, reproducible version) - Pin `docker:dind` → `docker:27.2.0-dind` - Add `docker login` before push (required for authentication) - Use `$CI_COMMIT_SHORT_SHA` for image tagging (traceable, unique)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 163b089bd4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - docker:dind | ||
| - docker:27.2.0-dind | ||
| before_script: | ||
| - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD |
There was a problem hiding this comment.
Use GitLab's built-in registry credentials
When this sample is copied into a GitLab project without manually adding custom DOCKER_USERNAME and DOCKER_PASSWORD variables, this new before_script expands them to empty values and the job fails before the build. GitLab's container-registry docs use the predefined CI_REGISTRY, CI_REGISTRY_USER, and CI_REGISTRY_PASSWORD variables for CI authentication, so the example is no longer copy-pasteable for publishing from GitLab CI to the project's registry.
Useful? React with 👍 / 👎.
Summary
Fixes the GitLab CI example in
DEPLOYMENT_DOCKER.mdto use pinned Docker versions, add registry authentication, and use commit SHA-based tagging.Why
The example had multiple issues:
docker:latestanddocker:dind— Using thelatesttag is a security anti-pattern. Pinning to a specific version ensures reproducible builds and avoids unexpected breaking changes when Docker updates.No registry login — The
docker pushcommand would fail without authentication. The example is now consistent with the GitHub Actions example above it, which already includes a login step.latesttag — Tagging images with:latestmakes it impossible to trace which commit a running container corresponds to. Using$CI_COMMIT_SHORT_SHAcreates uniquely identifiable and traceable image tags.Changes
DEPLOYMENT_DOCKER.md: Updated the GitLab CI code block to:docker:latest→docker:27.2.0docker:dind→docker:27.2.0-dindbefore_scriptwithdocker loginusing GitLab CI variables$CI_COMMIT_SHORT_SHAfor image tagging instead of:latestTest Plan
$DOCKER_USERNAME,$DOCKER_PASSWORD,$CI_COMMIT_SHORT_SHA) are standard GitLab CI predefined variables