Download private git repositories using Github App #2

Open: dianab-cl wants to merge 10 commits into main from diana/its-1208-relayer-ci-build-failing-due-to-signer-repo-access

Conversation

@dianab-cl


No description provided.

@linear-code

linear-code Bot commented Jun 16, 2026


ITS-1208

FOU-249

@greptile-apps

greptile-apps Bot commented Jun 16, 2026


Greptile Summary

This PR replaces the previous single-job Depot-based build with a three-job pipeline (prepare → matrix build → merge) that builds each platform natively (no QEMU) and combines them into a single multi-arch manifest. It also adds optional GitHub App token minting to provide scoped access to private Go module repositories during the Docker build.

  • Multi-arch pipeline: A prepare job computes a {platform, runner} matrix (whitelist-enforced to linux/amd64 / linux/arm64), each build runner pushes a per-arch digest, and a merge job assembles the final manifest with docker buildx imagetools create.
  • Private module access: When private_module_repos is set, the workflow normalizes the repo list, rejects whitespace-only inputs (to prevent over-scoped tokens), mints a GitHub App installation token via actions/create-github-app-token, and forwards it as a BuildKit secret. User-controlled inputs that reach shell scripts are routed through env: blocks throughout.

Confidence Score: 5/5

The refactored workflow is safe to merge; all user-controlled inputs reaching shell scripts are correctly routed through env vars, and the GitHub App token-minting logic has sensible guards against over-scoped tokens.

The multi-arch pipeline and private-module token flow are structurally sound. Shell inputs are handled via env vars consistently with only minor cosmetic inconsistencies. No new data-loss, secret-leakage, or incorrect-logic paths were found beyond what is already captured in prior review threads.

.github/workflows/build-base.yml — the Create manifest list and push step's unquoted glob and the remaining direct matrix.platform interpolation are worth a look before merging.

Important Files Changed

Filename: .github/workflows/build-base.yml
Overview: Rewrites the reusable build workflow from a single-job Depot build to a 3-job (prepare → build matrix → merge) native multi-arch pipeline; adds GitHub App token minting for private Go modules. All user-controlled inputs that reach shell scripts are correctly routed through env vars except one minor inconsistency in the matrix step.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([workflow_call]) --> B

    subgraph prepare["prepare job"]
        B["Compute matrix from platforms input\n(whitelist: linux/amd64, linux/arm64)"]
        B --> C["Configure AWS + ECR login"]
        C --> D["Create ECR repo if absent"]
    end

    D --> E

    subgraph build["build job (matrix per platform)"]
        E["Checkout repo"]
        E --> F["Set PLATFORM_PAIR env var"]
        F --> G["Configure AWS + ECR login + Buildx"]
        G --> H{"private_module_repos != ''?"}
        H -- yes --> I["Normalize repo list"]
        I --> J["Mint GitHub App token"]
        J --> K
        H -- no --> K
        K["docker/build-push-action\n(push-by-digest)"]
        K --> L["Export + Upload digest artifact"]
    end

    L --> N

    subgraph merge["merge job"]
        N["Configure AWS + ECR login + Buildx"]
        N --> O["Download all digest artifacts"]
        O --> P["docker/metadata-action"]
        P --> Q["docker buildx imagetools create"]
        Q --> R["Extract version → output"]
        R --> S["docker buildx imagetools inspect"]
    end

    S --> T([outputs: tag, version])

Reviews (7): Last reviewed commit: "After code review"
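The two input guards the summary above describes (the whitelist-enforced {platform, runner} matrix and the normalized, non-empty private_module_repos list), as an added shell example that is not the PR's workflow code. The function names, the runner labels, the sample inputs and the GOPRIVATE helper are assumptions; the page shows none of them.

```shell
#!/usr/bin/env bash
# Added example: the two input guards described in the review summary, written as
# stand-alone shell functions. This is not the PR's workflow code; function names,
# runner labels, sample inputs and the GOPRIVATE helper are assumptions.
set -u
set -f   # no globbing, so an unquoted list expansion can never match local files

# Whitelist: only these two platforms get a (native, no-QEMU) runner label.
# The labels are assumed; the page does not show the PR's real runner names.
runner_for_platform() {
  case "$1" in
    linux/amd64) echo "ubuntu-24.04" ;;
    linux/arm64) echo "ubuntu-24.04-arm" ;;
    *) return 1 ;;
  esac
}

# compute_matrix "linux/amd64,linux/arm64"
# Prints the GitHub Actions matrix JSON {"include":[{"platform":..,"runner":..},..]}.
# Any value outside the whitelist fails the step (return 1) before it can reach
# runs-on, so a mistyped or injected platform cannot select an arbitrary runner.
compute_matrix() {
  local input="$1" include="" p runner
  for p in $(printf '%s' "$input" | tr ',' ' '); do   # split on commas/whitespace
    runner=$(runner_for_platform "$p") || { echo "unsupported platform: $p" >&2; return 1; }
    include="${include:+$include,}{\"platform\":\"$p\",\"runner\":\"$runner\"}"
  done
  [ -n "$include" ] || { echo "platforms input is empty" >&2; return 1; }
  printf '{"include":[%s]}\n' "$include"
}

# normalize_repos "org/signer, org/common"
# Splits on commas, spaces and newlines, drops empties, de-duplicates in order,
# and prints one "owner/repo" per line. A whitespace-only value returns 1:
# handing actions/create-github-app-token an empty repository list would mint a
# token for every repository the App installation can reach, which is the
# over-scoping the summary says the workflow guards against.
normalize_repos() {
  local out
  out=$(printf '%s' "$1" | tr -s ', \t\r\n' '\n' | sed '/^$/d' | awk '!seen[$0]++')
  [ -n "$out" ] || { echo "private_module_repos is set but lists no repository" >&2; return 1; }
  printf '%s\n' "$out"
}

# goprivate_value "$(normalize_repos ...)"
# Joins the normalized list into the comma-separated GOPRIVATE pattern so the Go
# toolchain fetches these modules directly (no proxy, no sumdb) using the token.
goprivate_value() {
  printf '%s' "$1" | awk '{ printf "%s%s", (NR > 1 ? "," : ""), "github.com/" $0 } END { print "" }'
}

# Usage with constructed inputs:
#   compute_matrix 'linux/amd64,linux/arm64'
#   compute_matrix 'linux/amd64,linux/386'    # returns 1: unsupported platform
#   normalize_repos "$(printf 'org/signer, org/common\norg/signer')"
#   normalize_repos '   '                     # returns 1: whitespace-only
```

In a workflow the failing return codes matter more than the messages: with the prepare step exiting non-zero, the build matrix is never produced, and the token-minting step never runs with an empty repository list.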

Comment thread .github/workflows/build-base.yml (Outdated)
@dianab-cl (Author): @greptile review

Comment thread .github/workflows/build-base.yml (Outdated)
@dianab-cl (Author): @greptile review

@dianab-cl (Author): @greptile review

Comment thread .github/workflows/build-base.yml (Outdated)
Comment thread .github/workflows/build-base.yml (Outdated)
@dianab-cl (Author): @greptile review

@dianab-cl (Author): @greptile review

Comment thread .github/workflows/build-base.yml (Outdated)
@dianab-cl (Author): @greptile review

@JunyupHong JunyupHong left a comment


LGTM :)

Labels: None yet

Projects: None yet

2 participants