build(repo): Add Github Actions integrations

[pedronauck]

Summary by CodeRabbit

• Chores
  • Added new multi-stage Dockerfiles for building and releasing the Compozy application and MCP Proxy, enhancing security and production deployment.
  • Updated dependency management to explicitly require the clipboard library.

[coderabbitai]

Walkthrough

Two new multi-stage Dockerfiles were added for building and releasing the Compozy application and its MCP Proxy component, emphasizing security, minimalism, and production-readiness. Additionally, the github.com/atotto/clipboard dependency in go.mod was promoted from an indirect to a direct requirement.

Changes

File(s)	Change Summary
cluster/Dockerfile.release	Added a multi-stage Dockerfile for building and releasing the Compozy application with production optimizations.
cluster/mcpproxy.release.Dockerfile	Added a multi-stage Dockerfile for building and releasing the MCP Proxy component with production optimizations.
go.mod	Promoted github.com/atotto/clipboard from an indirect to a direct dependency.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant DockerBuilder
    participant GoCompiler
    participant DistrolessImage
    participant ProductionContainer

    Developer->>DockerBuilder: Build Docker image (Compozy or MCP Proxy)
    DockerBuilder->>GoCompiler: Compile Go binary with static linking
    GoCompiler-->>DockerBuilder: Output binary
    DockerBuilder->>DistrolessImage: Copy binary and assets to minimal image
    DistrolessImage->>ProductionContainer: Run container with entrypoint
    ProductionContainer->>ProductionContainer: Start application (Compozy or MCP Proxy)

Loading

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81f1a67 and ac21cca.

⛔ Files ignored due to path filters (9)

• .github/actions/README.md is excluded by !**/*.md
• .github/actions/docker-build/action.yml is excluded by !**/*.yml
• .github/actions/setup-bun/action.yml is excluded by !**/*.yml
• .github/actions/setup-go/action.yml is excluded by !**/*.yml
• .github/workflows/ci.yml is excluded by !**/*.yml
• .github/workflows/codeql.yml is excluded by !**/*.yml
• .github/workflows/release.yml is excluded by !**/*.yml
• docs/content/docs/core/mcp/admin-api-enhanced.mdx is excluded by !**/*.mdx
• package.json is excluded by !**/*.json

📒 Files selected for processing (2)

• cluster/Dockerfile.release (1 hunks)
• cluster/mcpproxy.release.Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• cluster/Dockerfile.release
• cluster/mcpproxy.release.Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test (1.24.x)
• GitHub Check: Analyze Go Code (go)

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pn/ghactions

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (4)

cluster/Dockerfile.release (2)

30-36: Minor build hardening: trim paths & inject version

Consider adding -trimpath to strip absolute paths and embedding version/commit metadata:

-    -ldflags='-w -s -extldflags "-static"' \
+    -ldflags="-w -s -extldflags '-static' -X main.version=${COMPOZY_VERSION:-unknown} -X main.commit=${GIT_COMMIT:-dirty} -trimpath" \

Makes the binary smaller and traceable.

---

14-16: appuser is never used

The builder creates an appuser but all subsequent steps run as root, and the runtime layer switches to nonroot. You can drop this user to shave a few kilobytes off the build stage.

cluster/mcpproxy.release.Dockerfile (2)

30-36: Same build-flags suggestion as main image

Add -trimpath and version metadata for reproducibility (see previous comment).

---

14-16: Unused appuser in builder stage

The created user is never switched to; consider dropping it for simplicity.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 150217e and 81f1a67.

⛔ Files ignored due to path filters (50)

• .github/actions/README.md is excluded by !**/*.md
• .github/actions/docker-build/action.yml is excluded by !**/*.yml
• .github/actions/setup-bun/action.yml is excluded by !**/*.yml
• .github/actions/setup-go/action.yml is excluded by !**/*.yml
• .github/codeql/codeql-config.yml is excluded by !**/*.yml
• .github/dependabot.yml is excluded by !**/*.yml
• .github/versions.yml is excluded by !**/*.yml
• .github/workflows/branch-protection.yml is excluded by !**/*.yml
• .github/workflows/ci.yml is excluded by !**/*.yml
• .github/workflows/codeql.yml is excluded by !**/*.yml
• .github/workflows/container-cleanup.yml is excluded by !**/*.yml
• .github/workflows/dev-containers.yml is excluded by !**/*.yml
• .github/workflows/docs.yml is excluded by !**/*.yml
• .github/workflows/release-please.yml is excluded by !**/*.yml
• .github/workflows/release.yml is excluded by !**/*.yml
• .github/workflows/security.yml is excluded by !**/*.yml
• .goreleaser.yml is excluded by !**/*.yml
• .kiro/specs/github-actions-integration/design.md is excluded by !**/*.md
• .kiro/specs/github-actions-integration/requirements.md is excluded by !**/*.md
• .kiro/specs/github-actions-integration/tasks.md is excluded by !**/*.md
• .release-please-config.json is excluded by !**/*.json
• .release-please-manifest.json is excluded by !**/*.json
• tasks/prd-authsystem/10_task.md is excluded by !**/*.md
• tasks/prd-authsystem/1_task.md is excluded by !**/*.md
• tasks/prd-authsystem/2_task.md is excluded by !**/*.md
• tasks/prd-authsystem/2_task_fixes_summary.md is excluded by !**/*.md
• tasks/prd-authsystem/3_task.md is excluded by !**/*.md
• tasks/prd-authsystem/4_task.md is excluded by !**/*.md
• tasks/prd-authsystem/5_task.md is excluded by !**/*.md
• tasks/prd-authsystem/6_task.md is excluded by !**/*.md
• tasks/prd-authsystem/6_task_review.md is excluded by !**/*.md
• tasks/prd-authsystem/7_task.md is excluded by !**/*.md
• tasks/prd-authsystem/8_task.md is excluded by !**/*.md
• tasks/prd-authsystem/9_task.md is excluded by !**/*.md
• tasks/prd-authsystem/_prd.md is excluded by !**/*.md
• tasks/prd-authsystem/_tasks.md is excluded by !**/*.md
• tasks/prd-authsystem/_techspec.md is excluded by !**/*.md
• tasks/prd-authsystem/merged_prd_techspec.md is excluded by !**/*.md
• tasks/prd-authsystem/task-complexity-report.md is excluded by !**/*.md
• tasks/prd-authsystem/to_fix.md is excluded by !**/*.md
• tasks/prd-cli/1_task.md is excluded by !**/*.md
• tasks/prd-cli/2_task.md is excluded by !**/*.md
• tasks/prd-cli/3_task.md is excluded by !**/*.md
• tasks/prd-cli/4_task.md is excluded by !**/*.md
• tasks/prd-cli/5_task.md is excluded by !**/*.md
• tasks/prd-cli/6_task.md is excluded by !**/*.md
• tasks/prd-cli/7_task.md is excluded by !**/*.md
• tasks/prd-cli/_prd.md is excluded by !**/*.md
• tasks/prd-cli/_tasks.md is excluded by !**/*.md
• tasks/prd-cli/_techspec.md is excluded by !**/*.md

📒 Files selected for processing (3)

• cluster/Dockerfile.release (1 hunks)
• cluster/mcpproxy.release.Dockerfile (1 hunks)
• go.mod (1 hunks)

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/compozy-examples.mdc:0-0
Timestamp: 2025-06-24T20:55:34.828Z
Learning: Shared configuration patterns in Compozy include MCP integration (filesystem, HTTP), reference patterns (local, global, resource), template expressions, and usage patterns for tools and agents.

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/compozy-examples.mdc:0-0
Timestamp: 2025-06-24T20:55:34.828Z
Learning: Project configuration files ('compozy.yaml') should include the project name, version, workflows, model configuration, runtime permissions, and environment variable patterns.

Learnt from: CR
PR: compozy/compozy#0
File: CLAUDE.md:0-0
Timestamp: 2025-06-30T20:15:15.552Z
Learning: Applies to **/compozy-shared*.yml : YAML files for shared patterns (MCP, templates, references) must follow compozy-shared-patterns.mdc

Learnt from: CR
PR: compozy/compozy#0
File: CLAUDE.md:0-0
Timestamp: 2025-06-30T20:15:15.552Z
Learning: Applies to **/compozy*.yml : YAML configuration files must follow project setup patterns (see compozy-project-config.mdc)

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/compozy-shared-patterns.mdc:0-0
Timestamp: 2025-06-24T20:55:51.774Z
Learning: In Compozy YAML configuration files, MCP integrations can be defined using either a 'filesystem' pattern (with 'transport: stdio' and a command such as 'npx @modelcontextprotocol/server-filesystem') or an 'http' pattern (with 'transport: sse' and a 'url' field).

go.mod (5)

Learnt from: CR
PR: compozy/compozy#0
File: AGENT.md:0-0
Timestamp: 2025-06-26T19:34:35.267Z
Learning: The project uses Go 1.24+ features and expects code to be compatible with this version or higher.

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/go-coding-standards.mdc:0-0
Timestamp: 2025-06-24T20:56:42.900Z
Learning: Use explicit dependency injection via constructor functions in Go to manage dependencies and facilitate testing.

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/api-standards.mdc:0-0
Timestamp: 2025-06-30T20:15:27.720Z
Learning: Applies to **/*.go : API versioned at `/api/v0/`

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/architecture.mdc:0-0
Timestamp: 2025-06-30T20:16:10.079Z
Learning: Applies to **/*.go : Avoid circular dependencies: Do not create packages that import each other.

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/go-coding-standards.mdc:0-0
Timestamp: 2025-06-24T20:56:42.900Z
Learning: Keep Go package names simple and descriptive to enhance code readability and discoverability.

cluster/mcpproxy.release.Dockerfile (1)

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-06-24T20:58:01.453Z
Learning: MCP (Model Context Protocol) integration enables external tool servers to be accessed via HTTP/SSE protocols, with a dedicated MCP proxy for secure communication.

cluster/Dockerfile.release (2)

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/compozy-examples.mdc:0-0
Timestamp: 2025-06-24T20:55:34.828Z
Learning: Project configuration files ('compozy.yaml') should include the project name, version, workflows, model configuration, runtime permissions, and environment variable patterns.

Learnt from: CR
PR: compozy/compozy#0
File: .cursor/rules/compozy-project-config.mdc:0-0
Timestamp: 2025-06-24T20:55:42.355Z
Learning: In Compozy project configuration files (compozy.yaml or *.compozy.yaml), the top-level keys should include 'name', 'version', and optionally 'description', 'author', 'workflows', 'models', 'autoload', and 'runtime'.

🪛 GitHub Actions: Development Container Images

cluster/mcpproxy.release.Dockerfile

[error] 1-1: Docker build failed due to invalid image tag format: 'ghcr.io/compozy/mcp-proxy:-3d9e64c'. The tag contains an invalid reference format.

cluster/Dockerfile.release

[error] 1-1: Docker build failed due to invalid image tag format: "ghcr.io/compozy/compozy:-3d9e64c". The tag contains an invalid reference format.

🪛 Hadolint (2.12.0)

cluster/Dockerfile.release

[error] 66-66: unexpected '|'
expecting '', a new line followed by the next instruction, or at least one space

(DL1000)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Generate JSON Schemas
• GitHub Check: Analyze Go Code (go)
• GitHub Check: Build Main App Dev Container
• GitHub Check: Build MCP Proxy Dev Container

🔇 Additional comments (1)

go.mod (1)

70-72: Confirm the dependency really became first-class

github.com/atotto/clipboard was moved from an indirect to a direct require, but nothing in the current tree obviously imports it.
Please run a quick search (or go mod tidy) to verify that the promotion is justified; otherwise, this line should keep the // indirect suffix to avoid confusing downstream tooling.