Skip to content

docs(deployment): fix GitLab CI example - pin docker version, add registry login#214

Open
andrerfneves wants to merge 1 commit into
mainfrom
maintenance/fix-gitlab-ci-docker-20260625
Open

docs(deployment): fix GitLab CI example - pin docker version, add registry login#214
andrerfneves wants to merge 1 commit into
mainfrom
maintenance/fix-gitlab-ci-docker-20260625

Conversation

@andrerfneves

Copy link
Copy Markdown
Owner

Summary

Fixes the GitLab CI example in DEPLOYMENT_DOCKER.md to use pinned Docker versions, add registry authentication, and use commit SHA-based tagging.

Why

The example had multiple issues:

  1. docker:latest and docker:dind — Using the latest tag is a security anti-pattern. Pinning to a specific version ensures reproducible builds and avoids unexpected breaking changes when Docker updates.

  2. No registry login — The docker push command would fail without authentication. The example is now consistent with the GitHub Actions example above it, which already includes a login step.

  3. latest tag — Tagging images with :latest makes it impossible to trace which commit a running container corresponds to. Using $CI_COMMIT_SHORT_SHA creates uniquely identifiable and traceable image tags.

Changes

  • DEPLOYMENT_DOCKER.md: Updated the GitLab CI code block to:
    • Pin docker:latestdocker:27.2.0
    • Pin docker:dinddocker:27.2.0-dind
    • Add before_script with docker login using GitLab CI variables
    • Use $CI_COMMIT_SHORT_SHA for image tagging instead of :latest

Test Plan

  • No behavior change — documentation-only fix
  • YAML syntax is valid
  • GitLab CI variables ($DOCKER_USERNAME, $DOCKER_PASSWORD, $CI_COMMIT_SHORT_SHA) are standard GitLab CI predefined variables

…istry login

The GitLab CI example used unversioned `docker:latest` and `docker:dind`
images (security anti-pattern) and was missing a Docker registry login step,
which means the `docker push` command would fail with authentication errors.

Changes:
- Pin `docker:latest` → `docker:27.2.0` (specific, reproducible version)
- Pin `docker:dind` → `docker:27.2.0-dind`
- Add `docker login` before push (required for authentication)
- Use `$CI_COMMIT_SHORT_SHA` for image tagging (traceable, unique)
@vercel

vercel Bot commented Jun 25, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lightning-decoder Ready Ready Preview, Comment Jun 25, 2026 12:12pm

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 163b089bd4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread DEPLOYMENT_DOCKER.md
- docker:dind
- docker:27.2.0-dind
before_script:
- docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use GitLab's built-in registry credentials

When this sample is copied into a GitLab project without manually adding custom DOCKER_USERNAME and DOCKER_PASSWORD variables, this new before_script expands them to empty values and the job fails before the build. GitLab's container-registry docs use the predefined CI_REGISTRY, CI_REGISTRY_USER, and CI_REGISTRY_PASSWORD variables for CI authentication, so the example is no longer copy-pasteable for publishing from GitLab CI to the project's registry.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant