fix: CI for external PRs#38030

Merged
ggazzo merged 2 commits into RocketChat:develop from rodrigok:remote-ci
Dec 31, 2025

Conversation

@rodrigok
Member

@rodrigok rodrigok commented Dec 30, 2025

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Chores
    • Improved CI/CD image build and artifact handling: conditional publishing, artifact download/load for external PRs, and architecture-aware image flows.
    • Broadened CI build triggers (excluding dependabot) and streamlined per-image publish decisions.
    • Updated federation test workflows to reliably use amd64 images and collect additional logs on failures.

Note: No end-user visible feature changes.


@dionisio-bot
Contributor

dionisio-bot bot commented Dec 30, 2025

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot bot commented Dec 30, 2025

⚠️ No Changeset found

Latest commit: 94acef0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Contributor

coderabbitai bot commented Dec 30, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Introduces a publish-image flag that gates manifest creation/upload vs saving Docker image tarballs for amd64; CI/E2E workflows now download and load image artifacts instead of rebuilding in-fly, and federation tests and logging were adjusted to use artifact-based images and amd64 tags.

Changes

Cohort / File(s) Summary
Docker Build Action
.github/actions/build-docker/action.yml
Adds publish-image conditional: when true, compute DIGEST/FULL_IMAGE, inspect and save verbose manifest to /tmp/manifests/..., output manifest JSON and upload manifest artifact (amd64-only); when false and arch == amd64, extract image name, save image tar to /tmp/docker-images, and upload as docker-image artifact.
E2E Workflow
.github/workflows/ci-test-e2e.yml
Replaces in-workflow docker build with artifact download/load flow: downloads image tarballs (fork PRs, non-release/non-develop), loads all tarballs into Docker daemon, removes tars, and lists images. Adds DOCKER_TAG with -amd64 suffix.
CI Workflow – Image Building & Gates
.github/workflows/ci.yml
Removes earlier complex PR/release gating in favor of actor != dependabot and per-service publish-image flags propagated to build steps; replaces some build steps with artifact-driven image load for external PRs and standardizes amd64 tagging.
CI Workflow – Federation & Test Improvements
.github/workflows/ci.yml
Swaps federation runs-on to ubuntu-24.04, adds download/load of prebuilt images for cross-repo PRs, updates federation image tags to amd64, adds failure-time log collection (rc, hs, mongo), and adjusts image-size tracking to repo PR events.

Sequence Diagram(s)

sequenceDiagram
    participant GHA as GitHub Actions
    participant Action as build-docker Action
    participant Registry as Image Registry
    participant Artifacts as Artifact Storage
    participant Runner as CI Job Runner

    rect rgb(200,220,255)
    Note over Action: publish-image = true (amd64)
    GHA->>Action: invoke build (arch=amd64, publish-image=true)
    Action->>Action: compute DIGEST from /tmp/meta.json
    Action->>Action: derive FULL_IMAGE, inspect image
    Action->>Action: save manifest to /tmp/manifests/...
    Action->>Artifacts: upload manifest artifact
    Action->>GHA: output manifest JSON
    end

    rect rgb(255,230,200)
    Note over Action: publish-image = false (amd64)
    GHA->>Action: invoke build (arch=amd64, publish-image=false)
    Action->>Action: extract image name from compose file
    Action->>Action: save image as tar in /tmp/docker-images
    Action->>Artifacts: upload docker-image tar artifact
    end

    rect rgb(220,255,220)
    Note over Runner: Downstream workflows (E2E/CI)
    Runner->>Artifacts: download image artifact(s)
    Runner->>Runner: load tarballs into Docker daemon
    Runner->>Runner: run tests using loaded images
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

  • ggazzo
  • sampaiodiego

Poem

🐰 I baked manifests and packed tarballs tight,
Hopped through workflows in the CI night,
If publish blooms, manifests shine,
Else tarballs travel down the line,
Artifacts hum — tests take flight! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: CI for external PRs' directly relates to the main changeset. The PR primarily modifies CI/CD workflows (.github/actions/build-docker/action.yml, .github/workflows/ci-test-e2e.yml, and .github/workflows/ci.yml) to fix handling of external PRs by introducing artifact-driven image loading and conditional publish gates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f2293ec and 94acef0.

📒 Files selected for processing (3)
  • .github/actions/build-docker/action.yml
  • .github/workflows/ci-test-e2e.yml
  • .github/workflows/ci.yml
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37408
File: apps/meteor/client/views/admin/ABAC/useRoomAttributeOptions.tsx:53-69
Timestamp: 2025-11-10T19:06:20.146Z
Learning: In the Rocket.Chat repository, do not provide suggestions or recommendations about code sections marked with TODO comments. The maintainers have already identified these as future work and external reviewers lack the full context about implementation plans and timing.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
🔇 Additional comments (8)
.github/workflows/ci-test-e2e.yml (2)

138-164: LGTM! Docker artifact download/load flow for fork PRs.

The condition logic is now correct with consistent && operators. This properly handles:

  • Fork PRs (not same-repo) → download/load from artifacts
  • Same-repo PRs, releases, develop → pull from registry

The conditional artifact pattern correctly fetches all EE services or just rocketchat for CE.


67-67: LGTM! Explicit amd64 tag for E2E tests.

Appending -amd64 ensures consistency between artifact-based loading (fork PRs) and registry pulls (same-repo PRs) on amd64 test runners.

.github/actions/build-docker/action.yml (2)

141-165: LGTM! Consistent conditions for save/upload steps.

Both the save step (line 142) and upload step (line 160) now correctly require inputs.arch == 'amd64', fixing the previous condition mismatch. The artifact naming convention aligns with the download patterns in the E2E and federation test workflows.


122-139: LGTM! Manifest creation gated by publish-image flag.

The manifest inspection and upload are correctly conditioned on publish-image == 'true', ensuring manifests are only created when images are pushed to the registry.

Also applies to: 167-172

.github/workflows/ci.yml (4)

328-328: LGTM! Correct publish-image condition.

The publish-image expression correctly covers all publish scenarios:

  • Same-repo PRs
  • Release events
  • Develop branch pushes

Fork PRs will have publish-image: false, triggering the artifact save/upload flow.

Also applies to: 342-342, 357-357, 372-372


630-656: LGTM! Consistent artifact handling for federation tests.

The download/load flow mirrors the E2E test workflow, with correct conditions using all && operators. The artifact pattern 'docker-image-rocketchat-amd64-coverage' matches what's uploaded by the build-docker action.


667-680: LGTM! Helpful failure logging for federation tests.

Capturing logs from rc1-prebuilt, hs1, and mongo containers on failure will aid debugging federation test issues.


457-466: Verify: Image size tracking won't run on develop branch pushes.

The step condition at line 459 checks github.event.pull_request.head.repo.full_name == github.repository, which evaluates to false for push events (no PR context). This means image size tracking only runs for same-repo PRs.

If this is intentional (tracking only for PRs), consider updating the job-level if at line 449 to remove || github.ref == 'refs/heads/develop' for clarity.

If tracking should also run on develop, consider:

-       if: github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
+       if: github.actor != 'dependabot[bot]' && (github.event.pull_request.head.repo.full_name == github.repository || github.ref == 'refs/heads/develop')
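Review bot: the parentheses in the `+` line are what keep the `github.actor != 'dependabot[bot]'` guard applying to both alternatives; since `&&` binds tighter than `||` in GitHub Actions expressions (the same precedence point the cubic review on this page raises for ci.yml:633 and ci-test-e2e.yml:141), writing it without them would let a develop push bypass the dependabot exclusion, so the suggestion should keep the grouping exactly as shown and the job-level `if` at line 449 should be adjusted in the same change to avoid the two conditions drifting apart.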


@rodrigok rodrigok changed the title Fix CI for external PRs fix: CI for external PRs Dec 30, 2025
@codecov

codecov bot commented Dec 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.64%. Comparing base (17ed52a) to head (94acef0).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #38030      +/-   ##
===========================================
+ Coverage    70.62%   70.64%   +0.01%     
===========================================
  Files         3143     3143              
  Lines       108684   108684              
  Branches     19546    19579      +33     
===========================================
+ Hits         76762    76783      +21     
+ Misses       29919    29893      -26     
- Partials      2003     2008       +5     
Flag Coverage Δ
e2e 60.17% <ø> (+0.01%) ⬆️
e2e-api 47.41% <ø> (ø)
unit 71.77% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


@rodrigok rodrigok marked this pull request as ready for review December 31, 2025 17:52
@rodrigok rodrigok requested a review from a team as a code owner December 31, 2025 17:52
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


4 issues found across 3 files

.github/actions/build-docker/action.yml

  • Line 160 (P1): Condition mismatch: upload step will fail for arm64 when `publish-image == 'false'`. The save step only runs for `amd64`, but the upload step runs for all architectures. Add `&& inputs.arch == 'amd64'` to match the save step condition.

.github/workflows/ci.yml

  • Line 328 (P1): The `publish-image` condition is missing the release and develop branch cases. For non-PR events (releases, develop pushes), `github.event.pull_request.head.repo.full_name` will be empty, so images won't be published to the registry.
  • Line 633 (P1): Incorrect boolean logic due to operator precedence. The `||` should be `&&` to properly negate the original condition. Currently, any non-develop branch (including internal PR branches) will incorrectly try to download artifacts instead of using the registry.

.github/workflows/ci-test-e2e.yml

  • Line 141 (P1): Operator precedence issue in condition. Due to `&&` binding tighter than `||`, this evaluates as `(fork PR && not release) || (not develop)`, making it TRUE for all non-develop branches including internal PRs. This would cause internal feature branch PRs to fail trying to download non-existent Docker artifacts. Consider using parentheses to clarify intent, e.g., `github.event.pull_request.head.repo.full_name != github.repository` for just external PRs, or add parentheses around the full condition.

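To make the precedence problem the cubic review raises above (and the "consistent && operators" remark in the CodeRabbit review) concrete, here is an added Python model of the `if:` condition; it is not code from the Rocket.Chat workflows, and the scenario contexts and the exact shape of the two expressions are constructed approximations of what the reviews describe.

```python
"""Model of the GitHub Actions `if:` precedence problem discussed in this PR.

Constructed example (not from the Rocket.Chat workflows): the two functions
below approximate the shape of the condition the reviews describe, written
once in the bare `a && b || c` form and once with explicit grouping.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ctx:
    """The parts of the Actions context a workflow `if:` reads here."""
    event_name: str  # "pull_request", "release" or "push"
    head_repo: str   # github.event.pull_request.head.repo.full_name ("" outside PRs)
    repository: str  # github.repository
    ref: str         # github.ref


def is_fork_pr(c: Ctx) -> bool:
    # Mirrors `head.repo.full_name != github.repository`; on push/release
    # events the PR field is empty, so the comparison is true there as well.
    return c.head_repo != c.repository


def is_release(c: Ctx) -> bool:
    return c.event_name == "release"


def is_develop(c: Ctx) -> bool:
    return c.ref == "refs/heads/develop"


def needs_artifacts_buggy(c: Ctx) -> bool:
    """`fork && !release || !develop`: both Actions and Python bind the AND
    tighter than the OR, so this means (fork && !release) || !develop."""
    return is_fork_pr(c) and not is_release(c) or not is_develop(c)


def needs_artifacts_fixed(c: Ctx) -> bool:
    """Intended meaning: only fork PRs that are neither releases nor develop."""
    return is_fork_pr(c) and not is_release(c) and not is_develop(c)


REPO = "RocketChat/Rocket.Chat"
# Constructed scenarios covering the event types the reviews mention.
SCENARIOS = {
    "fork PR": Ctx("pull_request", "someone/Rocket.Chat", REPO, "refs/pull/1/merge"),
    "internal PR": Ctx("pull_request", REPO, REPO, "refs/pull/2/merge"),
    "release": Ctx("release", "", REPO, "refs/tags/v0.0.0-example"),
    "develop push": Ctx("push", "", REPO, "refs/heads/develop"),
}


def evaluate(cond) -> dict:
    """Evaluate one condition across all scenarios; True means the job would
    try to download image artifacts instead of pulling from the registry."""
    return {name: cond(ctx) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for label, fn in (("buggy", needs_artifacts_buggy), ("fixed", needs_artifacts_fixed)):
        print(label, evaluate(fn))
```

The ungrouped form is true for every scenario, so internal PRs and release or develop runs would look for artifacts that were never uploaded, while the grouped form is true only for the fork PR.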
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

661-665: Consider using the shared enterprise license from release-versions output.

There's a hardcoded ENTERPRISE_LICENSE_RC1 here while needs.release-versions.outputs.enterprise-license is defined at line 37 (with an expiry note of 2026-07-01). Having two separate license values increases maintenance burden and risk of inconsistency.

If the federation tests require a different license, consider adding a comment explaining why. Otherwise, consider reusing the shared output:

ENTERPRISE_LICENSE_RC1: ${{ needs.release-versions.outputs.enterprise-license }}
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 17ed52a and f2293ec.

📒 Files selected for processing (3)
  • .github/actions/build-docker/action.yml
  • .github/workflows/ci-test-e2e.yml
  • .github/workflows/ci.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: 📦 Build Packages
🔇 Additional comments (6)
.github/workflows/ci-test-e2e.yml (1)

138-164: LGTM on the image loading mechanism.

The download and load flow is well-structured: downloading tarballs from artifacts, loading them into Docker, and cleaning up. The pattern matching for CE vs EE builds is appropriate.

.github/actions/build-docker/action.yml (2)

122-139: Manifest handling for publish flow looks correct.

The conditional branching properly handles the publish case: computing the service suffix for coverage images, extracting the digest, and saving the manifest for later multi-arch assembly.


141-157: LGTM on the image save mechanism.

The approach of saving Docker images to tarballs for artifact upload is appropriate for fork PRs where registry secrets aren't available.

.github/workflows/ci.yml (3)

315-328: LGTM on the publish-image flag pattern.

The conditional publish-image: ${{ github.event.pull_request.head.repo.full_name == github.repository }} cleanly determines whether to publish to the registry (internal PRs) or save as artifacts (fork PRs).


667-680: LGTM on failure logging.

Adding conditional log output for rc1-prebuilt, hs1, and mongo on failure aids debugging and follows the pattern established in E2E tests.


457-459: LGTM on image size tracking condition.

Skipping image size tracking for fork PRs is appropriate since images aren't published to the registry in that scenario.

@ggazzo ggazzo added the stat: QA assured Means it has been tested and approved by a company insider label Dec 31, 2025
@ggazzo ggazzo added this to the 8.0.0 milestone Dec 31, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Dec 31, 2025
@ggazzo ggazzo modified the milestones: 8.0.0, 8.1.0 Dec 31, 2025
@ggazzo ggazzo merged commit 385f795 into RocketChat:develop Dec 31, 2025
78 of 80 checks passed
gaolin1 pushed a commit to gaolin1/medsense.webchat that referenced this pull request Jan 6, 2026
@julio-rocketchat
Member

/backport 7.13.3

@dionisio-bot
Contributor

dionisio-bot bot commented Jan 9, 2026

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.13.3-38030
git cherry-pick 385f795cbfcc45fbb9e5da81ced6bd7465049549
# solve the conflict
git push

after that just run /backport 7.13.3 again

julio-rocketchat pushed a commit that referenced this pull request Jan 9, 2026
@julio-rocketchat
Member

/backport 7.13.3

@dionisio-bot dionisio-bot bot mentioned this pull request Jan 9, 2026
@dionisio-bot
Contributor

dionisio-bot bot commented Jan 9, 2026

Pull request #38130 added to Project: "Patch 7.13.3"

@coderabbitai coderabbitai bot mentioned this pull request Jan 9, 2026
Labels

stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge

3 participants