ci: Add github action to publish docker images

[unidevel]

Description

Add the action to build and publish the docker images include presto java images(amd64/arm64/ppc64le), prestissimo dependency images(amd64/arm64), prestissimo runtime(amd64/arm64)
Also update release action to call this

Motivation and Context

N/A

Impact

New release

Test Plan

Release action(centos images): https://github.com/unix280/presto/actions/runs/19377487489
Publish ubuntu images: https://github.com/unix280/presto/actions/runs/19395470075

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Add prestissimo arm64 docker images

[sourcery-ai]

Reviewer's Guide

This PR refactors the CI by extracting Docker image publishing into a dedicated reusable workflow and updating the release-publish pipeline to invoke it, while also patching the Ubuntu dependency Dockerfile for ARM64 support.

Class diagram for workflow job structure after refactor

classDiagram
  class ReleasePublishWorkflow {
    +publish-maven-artifacts
    +publish-release-tag
    +publish-docker-images
    +publish-docs
  }
  class PublishDockerImagesWorkflow {
    +prepare
    +publish-dependency-image
    +create-dependency-manifest
    +publish-presto-image
    +publish-prestissimo-image
    +create-prestissimo-manifest
  }
  ReleasePublishWorkflow --> PublishDockerImagesWorkflow : uses

Loading

Flow diagram for ARM64 support in Ubuntu dependency Dockerfile

flowchart TD
  A["Start Docker build (ubuntu-22.04-dependency.dockerfile)"] --> B["Check architecture: dpkg --print-architecture"]
  B -->|arm64| C["Install gcc-12 and g++-12 via PPA"]
  B -->|not arm64| D["Skip ARM64-specific install"]
  C --> E["Continue with build"]
  D --> E

Loading

File-Level Changes

Change	Details	Files
Externalize Docker publish jobs into a reusable workflow	Removed inline publish-docker-image and publish-native-image jobs Replaced them with a single publish-docker-images job invoking a workflow_call Mapped existing inputs (tags, publish flags, branch/tag) into the reusable workflow	.github/workflows/presto-release-publish.yml
Add a new publish-docker-images reusable workflow	Introduced workflow_dispatch and workflow_call triggers Defined modular jobs: prepare checkout, build and publish multi-arch dependency, presto, prestissimo images Created multi-arch manifests and conditional tagging based on inputs	.github/workflows/publish-docker-images.yml
Enable ARM64 compiler toolchain in Ubuntu dependency Dockerfile	Added conditional block to detect arm64 architecture Installed software-properties-common, added GCC 12 PPA, and installed gcc-12/g++-12 on ARM builds	presto-native-execution/scripts/dockerfiles/ubuntu-22.04-dependency.dockerfile

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[unidevel]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

Blocking issues:

• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)

General comments:

• Consider making the concurrency group dynamic (e.g. including ${{ inputs.branch_or_tag }} or ${{ inputs.os }}) so dispatches for different branches or OSes don’t block each other.
• You could simplify the Docker buildx/login/tag/push steps by using docker/build-push-action@v3 instead of scripting each step manually.
• Add a cache step for Maven dependencies (e.g. actions/cache on ~/.m2) to speed up the version extraction and submodule build processes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider making the concurrency group dynamic (e.g. including `${{ inputs.branch_or_tag }}` or `${{ inputs.os }}`) so dispatches for different branches or OSes don’t block each other.
- You could simplify the Docker buildx/login/tag/push steps by using docker/build-push-action@v3 instead of scripting each step manually.
- Add a cache step for Maven dependencies (e.g. actions/cache on ~/.m2) to speed up the version extraction and submodule build processes.

## Individual Comments

### Comment 1
<location> `.github/workflows/publish-dependency-image.yml:74-78` </location>
<code_context>
+      - name: Checkout submodules
+        run: |
+          df -h
+          cd presto-native-execution && make submodules
+          echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Check for submodule update failures to avoid silent errors.

Add 'set -e' or check the exit code to ensure the script fails if submodule updates do not succeed.

```suggestion
      - name: Checkout submodules
        run: |
          set -e
          df -h
          cd presto-native-execution && make submodules
          echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
```
</issue_to_address>

### Comment 2
<location> `.github/workflows/publish-dependency-image.yml:82-91` </location>
<code_context>
+
+      - name: Extract version
+        run: |
+          VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
+          echo "Raw version: $VERSION"
+
+          if [[ "$VERSION" == *"-SNAPSHOT" ]]; then
+            # Remove -SNAPSHOT and append commit SHA
+            CLEAN_VERSION=${VERSION%-SNAPSHOT}
+            TAG_VERSION="${CLEAN_VERSION}-${COMMIT_SHA}"
+            echo "SNAPSHOT version detected, using: $TAG_VERSION"
+          else
+            TAG_VERSION="$VERSION"
+            echo "Release version detected, using: $TAG_VERSION"
+          fi
+
+          echo "VERSION=$TAG_VERSION" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
</code_context>

<issue_to_address>
**issue (bug_risk):** Handle possible mvn command failures to prevent propagating invalid version values.

Check if VERSION is set after running the mvn command, and fail the workflow if it is empty to prevent publishing images with invalid tags.
</issue_to_address>

### Comment 3
<location> `.github/workflows/publish-dependency-image.yml:109-112` </location>
<code_context>
+
+      - name: Set up builder
+        run: |
+          docker buildx create --name container --use
+          docker buildx inspect --bootstrap
+
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Avoid creating a new buildx builder if one already exists.

Creating a builder with a fixed name can lead to conflicts during retries or concurrent runs. Check for an existing builder before creating one, or use a unique name for each run.

```suggestion
      - name: Set up builder
        run: |
          BUILDER_NAME="container-${GITHUB_RUN_ID}"
          if ! docker buildx inspect "$BUILDER_NAME" > /dev/null 2>&1; then
            docker buildx create --name "$BUILDER_NAME" --use
          else
            docker buildx use "$BUILDER_NAME"
          fi
          docker buildx inspect --bootstrap
```
</issue_to_address>

### Comment 4
<location> `.github/workflows/publish-dependency-image.yml:147-157` </location>
<code_context>
+
+      - name: Publish image
+        run: |
+          docker tag ${{ env.LOCAL_IMAGE_TAG }} ${{ env.IMAGE_TAG }}
+          docker push ${{ env.IMAGE_TAG }}
+
+          if [[ "${{ inputs.tag_latest }}" == "true" ]]; then
+            LATEST_TAG="${{ env.ORG_NAME }}/${{ env.IMAGE_NAME }}:${{ inputs.os }}-${{ matrix.arch }}-latest"
+            docker tag ${{ env.LOCAL_IMAGE_TAG }} ${LATEST_TAG}
+            docker push ${LATEST_TAG}
+            echo "Tagged and pushed as latest: ${LATEST_TAG}"
+          fi
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Consider adding error handling for docker push failures.

To prevent silent failures, ensure the workflow stops if 'docker push' fails by using 'set -e' or explicitly checking the exit code.

```suggestion
      - name: Publish image
        run: |
          set -e
          docker tag ${{ env.LOCAL_IMAGE_TAG }} ${{ env.IMAGE_TAG }}
          docker push ${{ env.IMAGE_TAG }}

          if [[ "${{ inputs.tag_latest }}" == "true" ]]; then
            LATEST_TAG="${{ env.ORG_NAME }}/${{ env.IMAGE_NAME }}:${{ inputs.os }}-${{ matrix.arch }}-latest"
            docker tag ${{ env.LOCAL_IMAGE_TAG }} ${LATEST_TAG}
            docker push ${LATEST_TAG}
            echo "Tagged and pushed as latest: ${LATEST_TAG}"
          fi
```
</issue_to_address>

### Comment 5
<location> `.github/workflows/publish-dependency-image.yml:98` </location>
<code_context>
        uses: docker/login-action@v3
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Comment 6
<location> `.github/workflows/publish-dependency-image.yml:104` </location>
<code_context>
        uses: docker/setup-qemu-action@v3
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Comment 7
<location> `.github/workflows/publish-dependency-image.yml:107` </location>
<code_context>
        uses: docker/setup-buildx-action@v3
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[unidevel]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

Blocking issues:

• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)

General comments:

• Consider leveraging docker/build-push-action for multi-arch builds instead of hand-rolling buildx and push steps to simplify the workflow.
• In the Dockerfile, group your apt update+install commands into single RUN layers and extract the ARM-specific gcc-12 setup into a script to improve readability and layer caching.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider leveraging docker/build-push-action for multi-arch builds instead of hand-rolling buildx and push steps to simplify the workflow.
- In the Dockerfile, group your apt update+install commands into single RUN layers and extract the ARM-specific gcc-12 setup into a script to improve readability and layer caching.

## Individual Comments

### Comment 1
<location> `.github/workflows/publish-dependency-image.yml:104` </location>
<code_context>
        uses: docker/login-action@v3
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Comment 2
<location> `.github/workflows/publish-dependency-image.yml:110` </location>
<code_context>
        uses: docker/setup-qemu-action@v3
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Comment 3
<location> `.github/workflows/publish-dependency-image.yml:113` </location>
<code_context>
        uses: docker/setup-buildx-action@v3
</code_context>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[unidevel]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[unidevel]

@sourcery-ai dismiss

Automated Sourcery review dismissed.

[BryanCutler]

The setup-ubuntu.sh will perform an update, are you trying to install a sudo package?
I'm not sure what you are trying to do here, can you explain the reason for changing this?

[unidevel]

Because the file scripts/setup-ubuntu.sh has a bug, should use $SUDO in the script.

And this dependency is only used for dev purpose.

[unidevel]

There is a PR to fix this, but not merged.

[czentgr]

I suppose we can fix this once the PR was merged and is available through the submodule. Maybe open an issue for that so we don't forget?

[czentgr]

Looks good.

[czentgr]

I suppose we can fix this once the PR was merged and is available through the submodule. Maybe open an issue for that so we don't forget?

[BryanCutler]

Looks ok to me with the followup issue once fixed in Velox

[unidevel]

Thanks @czentgr and @BryanCutler , I'll update this after the velox fix merged.

[unidevel]

Seem the sudo fix merged, let me update the script and do the tests

[unidevel]

Testing with: https://github.com/unix280/presto/actions/runs/19245354424

[unidevel]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• The publish-dependency-image.yml, publish-presto-image.yml, and publish-prestissimo-image.yml workflows share a lot of identical steps—consider merging them into a single reusable workflow with parameters to reduce duplication and maintenance overhead.
• The publish-presto-image workflow still offers 'ubuntu' as an OS choice but immediately errors out on ubuntu; either remove that option or gate it at the trigger level to avoid confusing failures.
• There are trailing "# Made with Bob" comments in several workflow files—these generator artifacts can be removed to keep the files clean.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The publish-dependency-image.yml, publish-presto-image.yml, and publish-prestissimo-image.yml workflows share a lot of identical steps—consider merging them into a single reusable workflow with parameters to reduce duplication and maintenance overhead.
- The publish-presto-image workflow still offers 'ubuntu' as an OS choice but immediately errors out on ubuntu; either remove that option or gate it at the trigger level to avoid confusing failures.
- There are trailing "# Made with Bob" comments in several workflow files—these generator artifacts can be removed to keep the files clean.

## Individual Comments

### Comment 1
<location> `.github/workflows/publish-presto-image.yml:227-230` </location>
<code_context>
+          MANIFEST_TAG="${ORG_NAME}/${IMAGE_NAME}:${VERSION}${TAG_SUFFIX}"
+          
+          echo "Creating manifest: ${MANIFEST_TAG}"
+          docker manifest create ${MANIFEST_TAG} \
+            ${MANIFEST_TAG}@$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "amd64").digest') \
+            ${MANIFEST_TAG}@$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "arm64").digest') \
+            ${MANIFEST_TAG}@$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "ppc64le").digest')
+          
+          docker manifest push ${MANIFEST_TAG}
</code_context>

<issue_to_address>
**suggestion:** Using jq to extract digests for manifest creation may fail if images are not yet available.

Add error handling or pre-checks to verify all required images are available before running manifest creation to prevent failures.

Suggested implementation:

```
          # Create manifest for the versioned tag
          MANIFEST_TAG="${ORG_NAME}/${IMAGE_NAME}:${VERSION}${TAG_SUFFIX}"

          AMD64_DIGEST=$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "amd64").digest')
          ARM64_DIGEST=$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "arm64").digest')
          PPC64LE_DIGEST=$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "ppc64le").digest')

          if [[ -z "${AMD64_DIGEST}" || -z "${ARM64_DIGEST}" || -z "${PPC64LE_DIGEST}" ]]; then
            echo "Error: One or more required image digests are missing for manifest creation."
            echo "amd64 digest: ${AMD64_DIGEST}"
            echo "arm64 digest: ${ARM64_DIGEST}"
            echo "ppc64le digest: ${PPC64LE_DIGEST}"
            exit 1
          fi

          echo "Creating manifest: ${MANIFEST_TAG}"
          docker manifest create ${MANIFEST_TAG} \
            ${MANIFEST_TAG}@${AMD64_DIGEST} \
            ${MANIFEST_TAG}@${ARM64_DIGEST} \
            ${MANIFEST_TAG}@${PPC64LE_DIGEST}

          docker manifest push ${MANIFEST_TAG}

```

```
          # Create latest manifest if requested
          if [[ "${{ inputs.tag_latest }}" == "true" ]]; then
            LATEST_MANIFEST="${ORG_NAME}/${IMAGE_NAME}:latest"

            # Reuse the digests from above, or re-fetch if needed
            if [[ -z "${AMD64_DIGEST}" || -z "${ARM64_DIGEST}" || -z "${PPC64LE_DIGEST}" ]]; then
              AMD64_DIGEST=$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "amd64").digest')
              ARM64_DIGEST=$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "arm64").digest')
              PPC64LE_DIGEST=$(docker manifest inspect ${MANIFEST_TAG} | jq -r '.manifests[] | select(.platform.architecture == "ppc64le").digest')
            fi

            if [[ -z "${AMD64_DIGEST}" || -z "${ARM64_DIGEST}" || -z "${PPC64LE_DIGEST}" ]]; then
              echo "Error: One or more required image digests are missing for latest manifest creation."
              echo "amd64 digest: ${AMD64_DIGEST}"
              echo "arm64 digest: ${ARM64_DIGEST}"
              echo "ppc64le digest: ${PPC64LE_DIGEST}"
              exit 1
            fi

            echo "Creating latest manifest: ${LATEST_MANIFEST}"
            docker manifest create ${LATEST_MANIFEST} \
              ${MANIFEST_TAG}@${AMD64_DIGEST} \
              ${MANIFEST_TAG}@${ARM64_DIGEST} \
              ${MANIFEST_TAG}@${PPC64LE_DIGEST}

```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[unidevel]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• The new publish-docker-images.yml is over 600 lines and combines multiple jobs—consider refactoring shared steps into composite actions or splitting it into smaller workflow files to improve readability and maintainability.
• Add caching for Maven dependencies (actions/cache) and Docker buildx layer caching to speed up builds and reduce load on CI runners.
• The concurrency group is currently a static string (‘publish-docker-images’), which can block parallel releases—consider incorporating the branch_or_tag input into the group key so different releases don’t cancel each other.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new publish-docker-images.yml is over 600 lines and combines multiple jobs—consider refactoring shared steps into composite actions or splitting it into smaller workflow files to improve readability and maintainability.
- Add caching for Maven dependencies (actions/cache) and Docker buildx layer caching to speed up builds and reduce load on CI runners.
- The concurrency group is currently a static string (‘publish-docker-images’), which can block parallel releases—consider incorporating the branch_or_tag input into the group key so different releases don’t cancel each other.

## Individual Comments

### Comment 1
<location> `.github/workflows/publish-docker-images.yml:546-555` </location>
<code_context>
+          fi
+
+          # Build the prestissimo image using standard Docker build
+          docker build \
+            --build-arg EXTRA_CMAKE_FLAGS="$EXTRA_CMAKE_FLAGS" \
+            --build-arg DEPENDENCY_IMAGE=${{ env.DEPENDENCY_IMAGE }} \
+            --build-arg BASE_IMAGE=$BASE_IMAGE \
+            --build-arg OSNAME=${{ inputs.os }} \
+            --build-arg BUILD_TYPE=Release \
+            --build-arg NUM_THREADS=2 \
+            ${BUILD_ARGS} \
+            -f scripts/dockerfiles/prestissimo-runtime.dockerfile \
+            -t ${{ env.IMAGE_TAG }} \
+            .
+
</code_context>

<issue_to_address>
**suggestion:** Direct use of docker build for prestissimo image may limit multi-arch support compared to buildx.

Consider using Buildx instead of 'docker build' for the prestissimo image to enable multi-arch support and maintain consistency with other image builds.

Suggested implementation:

```
          # Build the prestissimo image using Docker Buildx for multi-arch support
          docker buildx build \
            --build-arg EXTRA_CMAKE_FLAGS="$EXTRA_CMAKE_FLAGS" \
            --build-arg DEPENDENCY_IMAGE=${{ env.DEPENDENCY_IMAGE }} \
            --build-arg BASE_IMAGE=$BASE_IMAGE \
            --build-arg OSNAME=${{ inputs.os }} \
            --build-arg BUILD_TYPE=Release \
            --build-arg NUM_THREADS=2 \
            ${BUILD_ARGS} \
            --platform ${{ matrix.arch }} \
            -f scripts/dockerfiles/prestissimo-runtime.dockerfile \
            -t ${{ env.IMAGE_TAG }} \
            --push \
            .

```

- Ensure that a Buildx builder is set up and available in the workflow before this step. If not, add a step to create and use a Buildx builder.
- Confirm that `${{ matrix.arch }}` resolves to a valid platform string (e.g., `linux/amd64`, `linux/arm64`). If not, map it accordingly.
- If you do not want to push the image immediately, remove the `--push` flag.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[unidevel]

Convert to draft since need testing and refactoring.