update registry to quay #1659

Open
nikhilsinhaparseable wants to merge 1 commit into parseablehq:main from nikhilsinhaparseable:quay

nikhilsinhaparseable commented May 30, 2026

Summary by CodeRabbit

  • Chores
    • Docker container images now published to Quay (quay.io/parseablehq/parseable) instead of Docker Hub for edge, edge-debug, edge-kafka, and release builds.

coderabbitai Bot commented May 30, 2026

Walkthrough

Four GitHub Actions workflows are migrated from Docker Hub to Quay for container image publishing. Each workflow replaces Docker Hub authentication with Quay credentials and updates metadata generation and build-push image targets to quay.io/parseablehq/parseable, maintaining existing tag suffixes (edge-debug, edge-kafka-amd64/arm64, edge, and version-based tags).

Changes

Container Registry Migration

| Layer / File(s) | Summary |
| --- | --- |
| Edge image workflow migrations: .github/workflows/build-push-edge-debug.yaml, .github/workflows/build-push-edge-kafka.yaml, .github/workflows/build-push-edge.yaml | Three edge workflows replace Docker Hub login (DOCKERHUB_USERNAME/DOCKERHUB_TOKEN) with Quay login (QUAY_USERNAME/QUAY_PASSWORD). Docker metadata action targets quay.io/parseablehq/parseable. Build-push steps update image tags from parseable/parseable:edge-* variants to quay.io/parseablehq/parseable:edge-* variants, including edge-debug, edge-kafka-amd64, and edge-kafka-arm64 suffixes. |
| Release workflow migration: .github/workflows/release.yml | Release workflow switches to Quay login and metadata targeting quay.io/parseablehq/parseable:${{ github.ref_name }} for versioned releases. Kafka image build steps for both amd64 and arm64 architectures update their push tags to use Quay registry path with -kafka-amd64 and -kafka-arm64 suffixes respectively. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • parseablehq/parseable#1364: Modifies build-push-edge-kafka.yaml to update architecture-specific Kafka image tag naming in the same workflow being migrated to Quay.
  • parseablehq/parseable#1336: Previously modified .github/workflows/release.yml to add Docker build targeting parseable/parseable on Docker Hub, now being migrated to Quay by this PR.

Suggested reviewers

  • nitisht

Poem

🐰 A rabbit hops through registries so fine,
From Docker Hub to Quay, workflows align!
Each edge and release now knows the way,
To quay.io, where containers will stay. 🎪

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The pull request lacks any description; the required template sections (description, rationale, key changes, and testing checklist) are entirely missing. | Add a comprehensive description explaining the migration from Docker Hub to Quay, rationale for the change, key modifications across workflows, and confirm testing was performed. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'update registry to quay' clearly and concisely summarizes the primary change across all modified workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 665da25c-2d7c-4376-8a7d-729168a42680

📥 Commits

Reviewing files that changed from the base of the PR and between a4a3738 and a5ff03d.

📒 Files selected for processing (4)
  • .github/workflows/build-push-edge-debug.yaml
  • .github/workflows/build-push-edge-kafka.yaml
  • .github/workflows/build-push-edge.yaml
  • .github/workflows/release.yml


- name: Login to Docker Hub
- name: Login to Quay
uses: docker/login-action@v3
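
Review bot: the context line `uses: docker/login-action@v3` under the renamed `Login to Quay` step shows no `registry:` input. docker/login-action logs in to Docker Hub when `registry` is not set, so confirm that the step's `with:` block sets `registry: quay.io` alongside the new credentials; otherwise the later push to quay.io/parseablehq/parseable runs without a Quay login.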

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin third-party GitHub Actions to full commit SHAs (no mutable @v* tags)

In .github/workflows/build-push-edge-debug.yaml, docker/login-action@v3 (line 29) and docker/metadata-action@v5 (line 37) use mutable version tags; pin both to full commit SHAs for stronger CI supply-chain integrity.

🔒 Suggested fix
-        uses: docker/login-action@v3
+        uses: docker/login-action@<full-commit-sha>

-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@<full-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-push-edge-debug.yaml at line 29, The workflow uses
mutable tags docker/login-action@v3 and docker/metadata-action@v5 which should
be pinned to immutable commit SHAs; locate the uses of "docker/login-action@v3"
and "docker/metadata-action@v5" in the workflow and replace each "`@vX`" tag with
the corresponding full commit SHA from the action's upstream GitHub repo (e.g.,
docker/login-action@<commit-sha> and docker/metadata-action@<commit-sha>),
ensuring you fetch the correct latest stable commit SHAs from their official
repositories and update both occurrences in the file.


- name: Login to Docker Hub
- name: Login to Quay
uses: docker/login-action@v3

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/build-push-edge-kafka.yaml"

echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

# Print with line numbers around the referenced lines
nl -ba "$FILE" | sed -n '1,140p'

# Extract only the uses lines for docker/login-action and docker/metadata-action
echo "== Matching uses lines =="
rg -n "uses:\s*docker/(login-action|metadata-action)@" "$FILE" || true

Repository: parseablehq/parseable

Length of output: 184


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/build-push-edge-kafka.yaml"

echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi

echo "== Line-numbered excerpt (1-120) =="
awk '{printf "%4d\t%s\n", NR, $0}' "$FILE" | sed -n '1,120p'

echo "== Matching uses lines =="
rg -n "uses:\s*docker/(login-action|metadata-action)@" "$FILE" || true

Repository: parseablehq/parseable

Length of output: 2189


Pin GitHub Actions references to immutable SHAs
Line 29 (docker/login-action@v3) and line 37 (docker/metadata-action@v5) are still tag-pinned instead of SHA-pinned.

🔒 Suggested fix
-        uses: docker/login-action@v3
+        uses: docker/login-action@<full-commit-sha>

-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@<full-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-push-edge-kafka.yaml at line 29, The workflow
currently pins actions by tag ("docker/login-action@v3" and
"docker/metadata-action@v5") which can change; replace those tag pins with the
corresponding immutable commit SHAs for docker/login-action and
docker/metadata-action in the workflow file so the steps use fixed SHAs (e.g.,
change docker/login-action@v3 -> docker/login-action@<commit-sha> and
docker/metadata-action@v5 -> docker/metadata-action@<commit-sha>), updating the
two uses: the step referencing docker/login-action and the step referencing
docker/metadata-action to their SHA-pinned versions.


- name: Login to Docker Hub
- name: Login to Quay
uses: docker/login-action@v3

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build-push-edge.yaml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi
nl -ba "$FILE" | sed -n '1,120p'
echo "---- uses lines ----"
rg -n "uses:\s*docker/(login-action|metadata-action)@" "$FILE" || true

Repository: parseablehq/parseable

Length of output: 108


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build-push-edge.yaml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "---- matching uses lines (docker/login-action, docker/metadata-action) ----"
rg -n "uses:\s*docker/(login-action|metadata-action)@" "$FILE" || true

echo "---- lines 20-60 with numbers ----"
awk 'NR>=20 && NR<=60 {printf "%d:%s\n", NR, $0}' "$FILE"

Repository: parseablehq/parseable

Length of output: 1281


Pin docker/login-action and docker/metadata-action to commit SHAs (mutable action tags at lines 29 and 37)
Workflow currently uses docker/login-action@v3 (line 29) and docker/metadata-action@v5 (line 37); replace @v* with full commit SHA refs to reduce supply-chain risk.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-push-edge.yaml at line 29, Replace the mutable tags
for the actions to pinned commit SHAs: locate the uses entries for
docker/login-action@v3 and docker/metadata-action@v5 in the workflow and replace
their `@v`* tags with the corresponding full commit SHA refs for
docker/login-action and docker/metadata-action respectively; update the two uses
lines so they reference the exact commit SHAs (keep the same action names
docker/login-action and docker/metadata-action to find the lines).


- name: Login to Docker Hub
- name: Login to Quay
uses: docker/login-action@v3
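
Review bot: at the renamed `Login to Quay` step of the release job, nothing in the PR says what kind of account backs the new credentials, which the walkthrough names QUAY_USERNAME/QUAY_PASSWORD. Suggest stating in the description that they belong to a Quay robot account limited to write access on quay.io/parseablehq/parseable rather than a personal account password, so a leaked CI secret cannot reach other repositories.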

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the workflow file
ls -la .github/workflows/release.yml

# Show relevant lines around the referenced actions
sed -n '340,420p' .github/workflows/release.yml | nl -ba

# Search for the exact docker actions mentioned
rg -n "docker/(login-action|metadata-action|build-push-action)@" .github/workflows/release.yml

Repository: parseablehq/parseable

Length of output: 206


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== File =="
ls -la .github/workflows/release.yml

echo "== Lines 340-420 =="
sed -n '340,420p' .github/workflows/release.yml

echo "== All docker action refs in this file =="
rg -n "docker/(login-action|metadata-action|build-push-action)@" .github/workflows/release.yml || true

Repository: parseablehq/parseable

Length of output: 2501


Harden the release pipeline by SHA-pinning Docker actions.

Lines 365 (docker/login-action@v3), 373 (docker/metadata-action@v5), and docker/build-push-action@v6 (lines 378, 387, 398) use mutable action tags; pin them to immutable commit SHAs to reduce supply-chain/compliance risk.

🔒 Suggested fix
-        uses: docker/login-action@v3
+        uses: docker/login-action@<full-commit-sha>

-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@<full-commit-sha>

-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@<full-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 365-365: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 365, The workflow uses mutable action
tags (docker/login-action@v3, docker/metadata-action@v5,
docker/build-push-action@v6); replace each occurrence with the corresponding
immutable commit SHA for that action repository (e.g.,
docker/login-action@<commit-sha>) to SHA-pin the actions, ensuring you update
all instances of docker/login-action, docker/metadata-action, and
docker/build-push-action in the file to their latest verified commit SHAs and
commit the change.
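
The pinning rule behind the four review comments above, as an added example (not code from this PR, CodeRabbit or zizmor, and a simplified approximation of the `unpinned-uses` check): a shell function that flags every `uses:` reference whose ref is not a 40-character hex commit SHA. The workflow text and the SHA in it are constructed placeholders; `unpinned_uses`, `sample_workflow` and `demo` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: list `uses:` references not pinned to a full commit SHA.
# Prints "<file>:<line>: <reference>" per finding; prints nothing if all are pinned.
unpinned_uses() {
  awk -v q="'" '
    # Match "uses:" as a step key, with or without the leading "- " list marker.
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)               # drop a trailing "# v5" comment
      sub(/[ \t]+$/, "", ref)
      gsub("^[\"" q "]|[\"" q "]$", "", ref)   # strip surrounding quotes
      # Local actions and container image references carry no git ref to pin.
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = index(ref, "@")
      sha = (n > 0) ? substr(ref, n + 1) : ""
      # Pinned means the part after "@" is exactly 40 hex characters.
      if (length(sha) != 40 || sha !~ /^[0-9a-fA-F]+$/)
        printf "%s:%d: %s\n", FILENAME, FNR, ref
    }
  ' "$@"
}

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
sample_workflow() {
  cat <<'EOF'
jobs:
  docker:
    steps:
      - uses: ./.github/actions/setup
      - name: Login to Quay
        uses: docker/login-action@v3
      - name: Extract metadata
        uses: docker/metadata-action@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: docker/build-push-action@v6
EOF
}

# Run the check on the sample and print findings as "<line>: <reference>".
demo() {
  tmp=$(mktemp)
  sample_workflow > "$tmp"
  unpinned_uses "$tmp" | sed "s|^$tmp:||"
  rm -f "$tmp"
}

demo
```

On a real checkout the function takes the workflow files directly, for example `unpinned_uses .github/workflows/*.y*ml`.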
