[CI-CD] Update github actions

[networkfusion]

Description

• Update docker/build-push-action to V6
• Update actions/checkout to V6

Motivation and Context

Keeps GH actions up-to-date

How Has This Been Tested?

CI

Screenshots

Types of changes

• Improvement (non-breaking change that improves a feature, code or algorithm)
• Bug fix (non-breaking change which fixes an issue with code or algorithm)
• New feature (non-breaking change which adds functionality to code)
• Breaking change (fix or feature that would cause existing functionality to change)
• Config and build (change in the configuration and build system, has no impact on code or features)
• Dev Containers (changes related with Dev Containers, has no impact on code or features)
• Dependencies/declarations (update dependencies or assembly declarations and changes associated, has no impact on code or features)
• Documentation (changes or updates in the documentation, has no impact on code or features)

Checklist

• My code follows the code style of this project (only if there are changes in source code).
• My changes require an update to the documentation (there are changes that require the docs website to be updated).
• I have updated the documentation accordingly (the changes require an update on the docs in this repo).
• I have read the CONTRIBUTING document.
• I have tested everything locally and all new and existing tests passed (only if there are changes in source code).

Summary by CodeRabbit

• Chores
  • CI workflows upgraded to newer GitHub Actions versions for improved reliability and support.
  • Container publishing now emits both a version-specific tag and a "latest" tag to simplify image consumption.
  • Tag specification formatting updated; no functional or user-facing behavior changed.

[coderabbitai]

Walkthrough

Updated devcontainer GitHub Actions: bumped actions/checkout from v4 → v5 across workflows and upgraded docker/build-push-action from v5 → v6; several workflows now supply two image tags (versioned and :latest) in the build-and-push step. No other control-flow changes.

Changes

Cohort / File(s)	Change Summary
Devcontainer workflows .github/workflows/devcontainer-all.yaml, .github/workflows/devcontainer-azurertos.yaml, .github/workflows/devcontainer-chibios.yaml, .github/workflows/devcontainer-esp32.yml, .github/workflows/devcontainer-freertos-nxp.yaml, .github/workflows/devcontainer-ti.yaml, .github/workflows/devcontainer-smoketest.yaml	Upgraded actions/checkout from v4 → v5 in all workflows; upgraded docker/build-push-action from v5 → v6 where used. In the Build and Push step some workflows now pass two tags (a versioned tag using ${GCR_VERSION} or equivalent and :latest). No other logic or error handling changes.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub Actions
    participant Checkout as actions/checkout@v5
    participant BuildPush as docker/build-push-action@v6
    participant Registry as Container Registry

    GH->>Checkout: checkout repository (actions/checkout@v5)
    Checkout-->>GH: source checked out
    GH->>BuildPush: build + push (context, file, push, tags)
    note right of BuildPush `#F3F8FF`: tags input now includes\nversioned tag and `:latest` where configured
    BuildPush->>Registry: push image :${GCR_VERSION}
    BuildPush->>Registry: push image :latest
    Registry-->>BuildPush: push acknowledged
    BuildPush-->>GH: step completed

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify tags formatting and interpolation in workflows that added tags.
• Confirm actions/checkout@v5 compatibility with any workflow-specific inputs (if present).
• Spot-check docker/build-push-action@v6 usage to ensure required inputs (context, file, push) are unchanged.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[CI-CD] Update github actions' is directly related to the main changeset, which updates GitHub Actions workflows by upgrading docker/build-push-action and actions/checkout versions.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-docker-build-push-action

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (6)

.github/workflows/devcontainer-all.yaml (1)

55-63: Confirm v6 input/output parity & pin digest for reproducibility

docker/build-push-action v6 removes some deprecated inputs and introduces new defaults (e.g., load: true auto-loads images). The current with: block (file, push, tags) is still supported, but please double-check the v6 release notes to ensure no silent behaviour changes affect this workflow.
For supply-chain stability, consider pinning to the major tag + digest, e.g. docker/build-push-action@v6@sha256:<digest>.

.github/workflows/devcontainer-ti.yaml (1)

55-63: Same v6 compatibility & digest pinning considerations

Replicate the v6 release-notes check and digest pinning suggestion here to maintain consistent, reproducible builds across all dev-container workflows.

.github/workflows/devcontainer-azurertos.yaml (1)

55-63: Validate behaviour change after upgrading to v6

Ensure push: true and tag handling behave exactly as before; v6 tweaks cache-related defaults that could impact build time or registry content. Pin to a digest for immutability if possible.

.github/workflows/devcontainer-esp32.yml (1)

55-63: Upgrade sanity-check and optional digest pin

Confirm no deprecated inputs (e.g., context, platforms) are implicitly relied upon. Consider locking the action to @v6@sha256:<digest> to avoid unexpected future changes.

.github/workflows/devcontainer-chibios.yaml (1)

55-63: Consistency check after bump to v6

Double-check the ChibiOS image still builds & pushes as expected with the new major version and apply digest pinning for deterministic CI runs.

.github/workflows/devcontainer-freertos-nxp.yaml (1)

55-57: Verify v6 migration settings (provenance, sbom, cache) before merging

docker/build-push-action@v6 introduces new defaults (provenance: true, sbom: true, different cache-from/to syntax).
If you don’t explicitly want provenance/SBOM generation or intend to keep the current cache behaviour, add the relevant inputs:

-    - name: Build and Push Docker Image
-      uses: docker/build-push-action@v6
+    - name: Build and Push Docker Image
+      uses: docker/build-push-action@v6
+      with:
+        provenance: false   # disable SLSA attestation if not required
+        sbom: false         # disable SBOM upload if not required
+        # cache-from / cache-to examples:
+        # cache-from: type=registry,ref=${{ env.CONTAINER_REPO }}/...:cache
+        # cache-to:   type=registry,ref=${{ env.CONTAINER_REPO }}/...:cache,mode=max

(Or keep them enabled deliberately—just make the choice explicit.)

Also consider pinning to a full semver tag or SHA for supply-chain safety, e.g. docker/[email protected].

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e8b977d and 1af8585.

📒 Files selected for processing (6)

• .github/workflows/devcontainer-all.yaml (1 hunks)
• .github/workflows/devcontainer-azurertos.yaml (1 hunks)
• .github/workflows/devcontainer-chibios.yaml (1 hunks)
• .github/workflows/devcontainer-esp32.yml (1 hunks)
• .github/workflows/devcontainer-freertos-nxp.yaml (1 hunks)
• .github/workflows/devcontainer-ti.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
• GitHub Check: nf-interpreter (Check_Build_Options)
• GitHub Check: build-target (ESP32_C3, Debug, ESP32)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
• GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
• GitHub Check: build-target (M5Core2, Debug, ESP32)
• GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
• GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
• GitHub Check: build-target (ESP32_S3, Debug, ESP32)
• GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
• GitHub Check: build-target (SL_STK3701A, Debug, All)
• GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/devcontainer-esp32.yml (1)

58-65: Optional: enable SBOM/provenance attestations with v6.

Adds supply‑chain metadata with minimal overhead.
Apply within this block:

       with:
         file: ${{ env.CONTAINER_SRC_FILE }}
         push: true # Will only build if this is not here
         tags: |
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }}
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        sbom: true
+        provenance: true

Docs: SBOM/provenance on build-push-action@v6; v6 also emits a job summary by default. (docs.docker.com)

.github/workflows/devcontainer-azurertos.yaml (2)

58-65: Optional: add SBOM/provenance generation.

Strengthens image traceability; simple toggle with v6.

       with:
         file: ${{ env.CONTAINER_SRC_FILE }}
         push: true # Will only build if this is not here
         tags: |
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }}
           ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        sbom: true
+        provenance: true

See guidance. (docs.docker.com)

---

58-65: Heads-up: v6 build record artifact.

Same note as the ESP32 workflow—ensure any actions/download-artifact steps don’t unintentionally fetch “*.dockerbuild” artifacts.

Use the audit script from the previous comment; it covers all workflows. (github.com)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1af8585 and 051a2bd.

📒 Files selected for processing (6)

• .github/workflows/devcontainer-all.yaml (1 hunks)
• .github/workflows/devcontainer-azurertos.yaml (1 hunks)
• .github/workflows/devcontainer-chibios.yaml (1 hunks)
• .github/workflows/devcontainer-esp32.yml (1 hunks)
• .github/workflows/devcontainer-freertos-nxp.yaml (1 hunks)
• .github/workflows/devcontainer-ti.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• .github/workflows/devcontainer-chibios.yaml
• .github/workflows/devcontainer-freertos-nxp.yaml
• .github/workflows/devcontainer-ti.yaml
• .github/workflows/devcontainer-all.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
• GitHub Check: nf-interpreter (Check_Build_Options)
• GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
• GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
• GitHub Check: build-target (ESP32_C3, Debug, ESP32)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
• GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
• GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
• GitHub Check: build-target (ESP32_S3, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
• GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
• GitHub Check: build-target (M5Core2, Debug, ESP32)
• GitHub Check: build-target (SL_STK3701A, Debug, All)

🔇 Additional comments (3)

.github/workflows/devcontainer-esp32.yml (2)

58-58: Upgrade to docker/build-push-action@v6 looks good.

Inputs used here (file, push, tags) are compatible with v6; no breaking changes for this step.
See: docker/build-push-action docs. (github.com)

---

58-65: Heads-up: docker/build-push-action@v6 uploads build-record artifacts — no action required now.

• v6 present in: .github/workflows/devcontainer-esp32.yml, .github/workflows/devcontainer-all.yaml, .github/workflows/devcontainer-azurertos.yaml, .github/workflows/devcontainer-chibios.yaml, .github/workflows/devcontainer-freertos-nxp.yaml, .github/workflows/devcontainer-ti.yaml
• No occurrences of actions/download-artifact were found in .github/workflows. To ignore build-record artifacts in any download-artifact steps use:
  with:
  pattern: "!*.dockerbuild"

.github/workflows/devcontainer-azurertos.yaml (1)

58-58: Upgrade to docker/build-push-action@v6 looks good.

Inputs here remain valid with v6; behavior is unchanged for build/push/tags.
Docs reference. (github.com)

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 051a2bd and bdbde28.

📒 Files selected for processing (7)

• .github/workflows/devcontainer-all.yaml (2 hunks)
• .github/workflows/devcontainer-azurertos.yaml (2 hunks)
• .github/workflows/devcontainer-chibios.yaml (2 hunks)
• .github/workflows/devcontainer-esp32.yml (2 hunks)
• .github/workflows/devcontainer-freertos-nxp.yaml (2 hunks)
• .github/workflows/devcontainer-smoketest.yaml (1 hunks)
• .github/workflows/devcontainer-ti.yaml (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/devcontainer-smoketest.yaml

🚧 Files skipped from review as they are similar to previous changes (5)

• .github/workflows/devcontainer-ti.yaml
• .github/workflows/devcontainer-all.yaml
• .github/workflows/devcontainer-chibios.yaml
• .github/workflows/devcontainer-azurertos.yaml
• .github/workflows/devcontainer-freertos-nxp.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
• GitHub Check: nf-interpreter (Check_Build_Options)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
• GitHub Check: build-target (SL_STK3701A, Debug, All)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
• GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
• GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
• GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
• GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
• GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
• GitHub Check: build-target (ESP32_C3, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)
• GitHub Check: build-target (M5Core2, Debug, ESP32)
• GitHub Check: build-target (ESP32_S3, Debug, ESP32)

🔇 Additional comments (1)

.github/workflows/devcontainer-esp32.yml (1)

62-64: Multi-tag push strategy is idiomatic. The workflow now pushes both a versioned tag (${{ env.GCR_VERSION }}) and latest, which is a standard pattern for container images and maintains backward compatibility for consumers relying on the latest tag.

All referenced environment variables are properly defined (lines 6–9) and the GCR_VERSION is populated dynamically in the prior step (lines 39–45).

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/devcontainer-chibios.yaml (1)

62-64: Clarify tags format: prefer explicit single-line CSV over YAML folded scalar.

The current YAML > (folded scalar) converts the multi-line block into a single line with spaces: "ghcr.io/owner/name:version, ghcr.io/owner/name:latest". While this produces valid CSV, the non-standard presentation and reliance on YAML's implicit folding behavior makes it less clear and potentially fragile.

Recommendation: Replace the folded scalar with an explicit single-line CSV string for clarity and consistency with standard GitHub Actions patterns.

-        tags: >
-          ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }},
-          ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        tags: ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }},${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest

Alternatively, for readability on long lines, introduce an intermediate step to build the CSV string in a env: block or as a separate step output.

.github/workflows/devcontainer-ti.yaml (1)

62-64: Tags format consistency issue across workflows.

Same YAML folded scalar pattern as .github/workflows/devcontainer-chibios.yaml. See note there regarding clarification to explicit single-line CSV.

-        tags: >
-          ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }},
-          ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        tags: ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }},${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest

.github/workflows/devcontainer-azurertos.yaml (1)

62-64: Tags format: consistent with other workflow changes in this PR.

Recommend refactoring to explicit single-line CSV (see .github/workflows/devcontainer-chibios.yaml for details).

-        tags: >
-          ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }},
-          ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest
+        tags: ${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:${{ env.GCR_VERSION }},${{ env.CONTAINER_REPO }}/${{ github.repository_owner }}/${{ env.CONTAINER_NAME }}:latest

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bdbde28 and 4325845.

📒 Files selected for processing (6)

• .github/workflows/devcontainer-all.yaml (2 hunks)
• .github/workflows/devcontainer-azurertos.yaml (2 hunks)
• .github/workflows/devcontainer-chibios.yaml (2 hunks)
• .github/workflows/devcontainer-esp32.yml (2 hunks)
• .github/workflows/devcontainer-freertos-nxp.yaml (2 hunks)
• .github/workflows/devcontainer-ti.yaml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/devcontainer-freertos-nxp.yaml
• .github/workflows/devcontainer-all.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: nf-interpreter (Nightly build) (Check_Build_Options)
• GitHub Check: nf-interpreter (Check_Build_Options)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, All, 915)
• GitHub Check: build-target (TI_CC1352R1_LAUNCHXL, Debug, TI, 915)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, All)
• GitHub Check: build-target (ESP32_C3, Debug, ESP32)
• GitHub Check: build-target (NXP_MIMXRT1060_EVK, Debug, FreeRTOS-NXP)
• GitHub Check: build-target (ESP32_H2_THREAD, Debug, ESP32)
• GitHub Check: build-target (ESP32_S2_USB, Debug, ESP32)
• GitHub Check: build-target (ESP32_S3, Debug, ESP32)
• GitHub Check: build-target (ESP32_C6_THREAD, Debug, ESP32)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, All)
• GitHub Check: build-target (ESP_WROVER_KIT, Debug, ESP32)
• GitHub Check: build-target (M5Core2, Debug, ESP32)
• GitHub Check: build-target (SL_STK3701A, Debug, All)
• GitHub Check: build-target (SL_STK3701A, Debug, AzureRTOS)
• GitHub Check: build-target (ST_STM32F769I_DISCOVERY, Debug, ChibiOS)

🔇 Additional comments (8)

.github/workflows/devcontainer-chibios.yaml (2)

29-29: Action version upgrade looks good.

Upgrading actions/checkout to v5 is appropriate. Verify compatibility notes if any custom behaviors relied on v4-specific features.

---

58-58: Action version upgrade compatible with current tags format.

Upgrading docker/build-push-action to v6 is approved. Tags in docker/build-push-action v6 expects comma-delimited list of tags.

.github/workflows/devcontainer-ti.yaml (2)

29-29: Action version upgrade approved.

---

58-58: Action version upgrade approved.

.github/workflows/devcontainer-azurertos.yaml (2)

29-29: Action version upgrade approved.

---

58-58: Action version upgrade approved.

.github/workflows/devcontainer-esp32.yml (2)

29-29: Action version upgrade approved.

---

58-58: Action version upgrade approved; address prior concern about tags format compatibility.

A previous review raised a critical issue about docker/build-push-action@v6 tags format compatibility. The current code uses YAML > (folded scalar) which technically produces CSV output, but this presentation is non-standard and may have been the source of confusion in the prior review.