
ci: add Docker image publishing workflow #319

Open
giwaov wants to merge 1 commit into KiiChain:main from giwaov:ci/docker-publish

Conversation

@giwaov

@giwaov giwaov commented Apr 6, 2026

Summary

Adds a GitHub Actions workflow that automatically builds and publishes multi-platform Docker images to GitHub Container Registry (GHCR) whenever a version tag (v*) is pushed.

Closes #61

What this does

  • Trigger: Fires on any v* tag push (e.g. v7.2.0)
  • Registry: Pushes to ghcr.io/kiichain/kiichain
  • Platforms: linux/amd64 and linux/arm64 (matches the wasmvm libs already in the Dockerfile)
  • Tags: Semver (7.2.0), minor (7.2), and git SHA
  • Caching: GitHub Actions cache (BuildKit type=gha) for faster rebuilds
  • Auth: Uses the built-in GITHUB_TOKEN — no extra secrets required

Files changed

File                                   Change
.github/workflows/docker-publish.yml   New workflow
CHANGELOG.md                           Unreleased entry

Add CI workflow that builds and pushes multi-platform Docker images
(linux/amd64, linux/arm64) to GitHub Container Registry on tagged
releases (v*). Uses docker/build-push-action with BuildKit cache,
docker/metadata-action for semver tagging, and QEMU for cross-platform
builds.
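The reference and tag scheme the summary describes (lowercase GHCR image name; 7.2.0, 7.2 and short-SHA tags) is computed inside the workflow by docker/metadata-action. The following is an added shell example, not the PR's workflow file or KiiChain project code, that reproduces that derivation so it can be checked locally before a v* tag is pushed. The function names (image_ref, release_tags) and the sample repository, tag and commit values are this example's own.

```shell
#!/bin/sh
# Added example (not the PR's workflow): what docker/metadata-action computes
# from github.repository, github.ref_name and github.sha, written as plain
# shell that runs locally before a v* tag is pushed. Function names are this
# example's own.
set -eu

# Image references must be lowercase, but ${{ github.repository }} keeps the
# owner's casing ("KiiChain/kiichain"). Lowercase it, then check it against a
# simplified form of the Docker reference grammar: components of [a-z0-9]
# joined by '.', '_' or '-', separated by '/'. Anything else is refused here,
# rather than surfacing as "invalid reference format" at push time.
image_ref() {
  ref="ghcr.io/$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  if ! printf '%s' "$ref" | grep -Eq '^[a-z0-9]+([._-]+[a-z0-9]+)*(/[a-z0-9]+([._-]+[a-z0-9]+)*)+$'; then
    echo "invalid image reference: $ref" >&2
    return 1
  fi
  printf '%s\n' "$ref"
}

# The tag set the PR describes: {{version}} (7.2.0), {{major}}.{{minor}} (7.2)
# and the short commit SHA (sha-2d0798d). A pre-release tag such as v7.2.0-rc1
# yields only its full version, as metadata-action does for semver, so a
# release candidate can never move the floating 7.2 tag.
release_tags() {
  version="${1#v}"
  if ! printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
    echo "not a v<major>.<minor>.<patch> release tag: $1" >&2
    return 1
  fi
  printf '%s\n' "$version"
  case "$version" in
    *-*) ;;                                 # pre-release: no major.minor tag
    *)   printf '%s\n' "${version%.*}" ;;   # 7.2.0 -> 7.2
  esac
  printf 'sha-%.7s\n' "$2"                  # metadata-action's default type=sha form
}

# Constructed inputs standing in for the workflow's GitHub context
# (the commit value is a padded placeholder, not a real KiiChain commit).
image_ref "KiiChain/kiichain"
release_tags "v7.2.0" "2d0798d000000000000000000000000000000000"
```

Running it prints ghcr.io/kiichain/kiichain followed by the three tags; feeding it a branch name or a mixed-case owner with a space fails before anything is pushed.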
Copilot AI review requested due to automatic review settings April 6, 2026 11:12
@giwaov giwaov requested a review from jhelison as a code owner April 6, 2026 11:12
@coderabbitai
Contributor

coderabbitai Bot commented Apr 6, 2026

Walkthrough

A new GitHub Actions workflow is added to automate Docker image publishing to GitHub Container Registry on tagged releases. The workflow is triggered by push events matching v* tags, configures multi-platform builds for linux/amd64 and linux/arm64, authenticates to ghcr.io, generates semantic version tags and commit SHA identifiers, and builds and pushes the container image with GitHub Actions caching enabled. The CHANGELOG.md is updated to document this new CI feature.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name                 Status      Explanation
Title check                ✅ Passed   The title accurately describes the main change: adding a CI workflow for Docker image publishing.
Description check          ✅ Passed   The description clearly relates to the changeset, explaining what the workflow does and which files are modified.
Linked Issues check        ✅ Passed   The PR fully implements issue #61 requirements: automated Docker publishing on tagged releases to GHCR with multi-platform support.
Out of Scope Changes check ✅ Passed   All changes are within scope: the new workflow file and CHANGELOG update directly address the Docker publishing automation requirement.
Docstring Coverage         ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

Copilot AI left a comment


Pull request overview

Adds CI automation to publish multi-arch Docker images to GHCR on version tag pushes, aligning releases with a consistent container distribution path.

Changes:

  • Introduces a new GitHub Actions workflow to build and push linux/amd64 + linux/arm64 images on v* tag pushes.
  • Uses docker/metadata-action for semver/minor/SHA tagging and BuildKit GHA cache for faster rebuilds.
  • Updates CHANGELOG.md with an Unreleased entry describing the new workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                                   Description
.github/workflows/docker-publish.yml   New workflow to build/push multi-platform images to GHCR on tag pushes.
CHANGELOG.md                           Adds an Unreleased "Added" entry for the new Docker publish workflow.


id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}

Copilot AI Apr 6, 2026


images: ghcr.io/${{ github.repository }} will expand to ghcr.io/KiiChain/kiichain in this repo, and Docker image references must be lowercase. This can cause invalid reference format and prevent publishing. Use an explicit lowercase image name (e.g. ghcr.io/kiichain/kiichain, per the PR description) or otherwise ensure the value is lowercased before passing it to metadata-action.

Suggested change
images: ghcr.io/${{ github.repository }}
images: ghcr.io/kiichain/kiichain

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/docker-publish.yml (1)

16-43: Pin third-party GitHub Actions to immutable SHAs for publish security.

Using floating tags (@v3/@v4/@v5/@v6) in a release-publish workflow weakens supply-chain guarantees. Please pin these actions to full commit SHAs and let Dependabot/Renovate handle updates.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 753b4af3-c1de-484d-a5a0-cbc90188613e

📥 Commits

Reviewing files that changed from the base of the PR and between 988d05f and 2d0798d.

📒 Files selected for processing (2)
  • .github/workflows/docker-publish.yml
  • CHANGELOG.md

with:
context: .
push: true
platforms: linux/amd64,linux/arm64
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether arch selection is target-aware before publishing multi-arch images.
# Expected: TARGETARCH/TARGETPLATFORM usage should exist in Dockerfile/build path.
# Risk signal: `uname -m` present but TARGETARCH/TARGETPLATFORM absent.

set -euo pipefail

echo "== Dockerfile arch-related checks =="
fd -i '^Dockerfile$' --exec rg -n 'uname -m|TARGETARCH|TARGETPLATFORM|GOARCH|GOOS|libwasmvm_muslc'

echo
echo "== Makefile cross-compile signal checks =="
fd -i '^Makefile$' --exec rg -n 'GOARCH|GOOS|CGO_ENABLED|make build|BUILD_TAGS'

Repository: KiiChain/kiichain

Length of output: 885


🏁 Script executed:

#!/bin/bash
# Get the full Dockerfile to check BuildKit syntax and architecture handling
echo "== Full Dockerfile =="
fd -i '^Dockerfile$' --exec cat {}

echo
echo "== docker-publish.yml complete workflow =="
cat .github/workflows/docker-publish.yml

echo
echo "== Makefile build targets (lines around 'docker-build' or 'build' targets) =="
fd -i '^Makefile$' --exec sed -n '160,220p' {}

Repository: KiiChain/kiichain

Length of output: 4676


Broken linux/arm64 publish path: Dockerfile uses uname -m instead of TARGETARCH.

The workflow at line 47 enables multi-arch publishing (linux/amd64,linux/arm64), but the Dockerfile line 16 uses RUN cp "/lib/libwasmvm_muslc.$(uname -m).a" /lib/libwasmvm_muslc.a, which executes at build time and returns the build host's architecture, not the target platform. This will fail when cross-compiling: building linux/arm64 on an amd64 host will attempt to link the x86_64 library into an arm64 binary.

Fix by replacing $(uname -m) with BuildKit's TARGETARCH variable:

  • Add ARG TARGETARCH near the top of the Dockerfile
  • Change line 16 to: RUN cp "/lib/libwasmvm_muslc.${TARGETARCH}.a" /lib/libwasmvm_muslc.a

This requires mapping the BuildKit TARGETARCH values (amd64 and arm64) to the downloaded library naming convention (x86_64 and aarch64).

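The fix the review asks for, selecting the wasmvm static library from BuildKit's TARGETARCH rather than from `uname -m`, as an added shell example. This is not code from the KiiChain Dockerfile or the PR; it shows the mapping (amd64 -> x86_64, arm64 -> aarch64) failing closed on any other value, and the copy step run against a constructed throw-away directory standing in for /lib. The function names and that directory are this example's own.

```shell
#!/bin/sh
# Added example, not code from the KiiChain Dockerfile: the library selection
# step keyed off BuildKit's TARGETARCH instead of `uname -m`. Function names
# and the throw-away library directory are this example's own.
set -eu

# `uname -m` describes whatever executes the RUN step, not the platform that
# was requested with --platform. BuildKit fills a declared `ARG TARGETARCH`
# with the requested value (amd64, arm64), while the wasmvm static libraries
# are named by machine name (x86_64, aarch64). Map the two explicitly and
# refuse anything else: an unmapped value must stop the build rather than
# silently linking the wrong library into the binary.
wasmvm_lib_arch() {
  case "$1" in
    amd64) echo x86_64 ;;
    arm64) echo aarch64 ;;
    *)     echo "unsupported TARGETARCH: '$1'" >&2; return 1 ;;
  esac
}

# The RUN step itself: copy the library matching the target into place.
# lib_dir stands in for /lib. In the Dockerfile the same logic reads:
#   ARG TARGETARCH
#   RUN case "$TARGETARCH" in amd64) LIB_ARCH=x86_64 ;; arm64) LIB_ARCH=aarch64 ;; \
#       *) echo "unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; esac && \
#       cp "/lib/libwasmvm_muslc.${LIB_ARCH}.a" /lib/libwasmvm_muslc.a
select_wasmvm_lib() {
  lib_dir="$1"
  suffix="$(wasmvm_lib_arch "$2")" || return 1
  src="$lib_dir/libwasmvm_muslc.$suffix.a"
  [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
  cp "$src" "$lib_dir/libwasmvm_muslc.a"
  printf '%s\n' "$src"
}

# Constructed demo: a temp directory holding both libs, each containing just
# its own arch name so the result of the copy can be checked.
demo_dir="$(mktemp -d)"
printf 'x86_64'  > "$demo_dir/libwasmvm_muslc.x86_64.a"
printf 'aarch64' > "$demo_dir/libwasmvm_muslc.aarch64.a"
select_wasmvm_lib "$demo_dir" arm64
```

Keeping the mapping a closed `case` with an error branch is the point: a `$(uname -m)` substitution can never fail, so a wrong guess is only discovered when the arm64 image is run.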

@giwaov
Author

giwaov commented Apr 10, 2026

Hi @jhelison — friendly ping! This PR is ready for review whenever you have a moment. All CI checks are passing. Happy to address any feedback. Thanks!

@giwaov
Author

giwaov commented Apr 21, 2026

Hey @Thaleszh, would love to get your eyes on this when you have a moment. Thanks!


Development

Successfully merging this pull request may close these issues.

Add Docker image publishing via CI

2 participants