
ci(docker): publish GHCR image built with all cargo features #2657

Merged
theonlyhennygod merged 1 commit into main from issue-2628-ghcr-all-features on Mar 3, 2026

Conversation

@theonlyhennygod theonlyhennygod (Collaborator) commented Mar 3, 2026

Summary

  • add Docker build arg ZEROCLAW_CARGO_ALL_FEATURES and use --all-features when enabled
  • keep feature-list path intact while ensuring --locked is consistently applied
  • install libudev-dev in builder stage for all-features compile requirements
  • set GHCR publish workflow build arg ZEROCLAW_CARGO_ALL_FEATURES=true

Testing

  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/pub-docker-img.yml"); puts "ok"'
  • docker build smoke was attempted locally but Docker daemon socket was unavailable in this environment

Closes #2628

Summary by CodeRabbit

  • Chores
    • Enhanced Docker build pipeline with flexible feature compilation configuration
    • Build process now supports conditional feature inclusion during container image creation
    • Added system-level dependency to enhance device compatibility

@theonlyhennygod theonlyhennygod requested a review from chumyin as a code owner March 3, 2026 21:07
@coderabbitai coderabbitai bot (Contributor) commented Mar 3, 2026

Warning

Rate limit exceeded

@theonlyhennygod has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 9 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between fc4b704 and a0025eb.

📒 Files selected for processing (2)
  • .github/workflows/pub-docker-img.yml
  • Dockerfile

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'tools', 'path_filters', 'review_instructions'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
📝 Walkthrough

Walkthrough

The changes add build configuration to compile zeroclaw with all available features in the published Docker image. A new build-args flag is passed through the CI workflow to the Docker build process, and the Dockerfile is updated to support conditional feature compilation based on this flag along with an additional runtime dependency.

Changes

  • GitHub Actions Workflow (.github/workflows/pub-docker-img.yml): Added build-args to pass ZEROCLAW_CARGO_ALL_FEATURES=true to the Docker build step, enabling compilation with all features for the published image.
  • Docker Build Configuration (Dockerfile): Introduced ZEROCLAW_CARGO_ALL_FEATURES build argument with conditional logic to select between all-features, specific features, or default cargo build configurations. Applied consistently across three build steps. Added libudev-dev to build dependencies.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • PR #2073: Modifies Dockerfile cargo build invocations for feature-enabled builds, handling how feature flags are passed to cargo.
  • PR #2523: Modifies the same CI Docker workflow and Dockerfile with related build infrastructure changes.
  • PR #175: Modifies Dockerfile build logic by restructuring multi-stage builds and feature flag handling.

Suggested labels

size: S, type: ci, type: dependencies, risk: high

Suggested reviewers

  • chumyin
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning): The description is largely incomplete; it lacks required sections like label snapshot, change metadata, security impact, compatibility, human verification, side effects, and rollback plan that are specified in the repository template. Resolution: Complete the PR description by adding all required sections from the template, including label snapshot, change metadata, validation evidence, security/privacy assessments, and rollback plan.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title clearly and specifically describes the main change: publishing a GHCR image built with all cargo features, which aligns with the PR's primary objective.
  • Linked Issues check (✅ Passed): The PR successfully implements the core requirement from issue #2628: adding Docker build infrastructure to publish a container image with zeroclaw compiled with all cargo features enabled.
  • Out of Scope Changes check (✅ Passed): All changes are directly scoped to the build pipeline as specified in issue #2628: Dockerfile modifications for feature flag support and workflow configuration to enable all-features builds for GHCR publication.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions bot commented Mar 3, 2026

PR intake checks found warnings (non-blocking)

Fast safe checks found advisory issues. CI lint/test/build gates still enforce merge quality.

  • Missing required PR template sections: ## Validation Evidence (required), ## Security Impact (required), ## Privacy and Data Hygiene (required), ## Rollback Plan (required)
  • Incomplete required PR template fields: summary problem, summary why it matters, summary what changed, validation commands, security risk/mitigation, privacy status, rollback plan
  • Missing Linear issue key reference (RMN-<id>, CDV-<id>, or COM-<id>) in PR title/body (recommended for traceability, non-blocking).

Action items:

  1. Complete required PR template sections/fields.
  2. (Recommended) Link this PR to one active Linear issue key (RMN-xxx/CDV-xxx/COM-xxx) for traceability.
  3. Remove tabs, trailing whitespace, and merge conflict markers from added lines.
  4. Re-run local checks before pushing:
    • ./scripts/ci/rust_quality_gate.sh
    • ./scripts/ci/rust_strict_delta_gate.sh
    • ./scripts/ci/docs_quality_gate.sh

Detected Linear keys: none

Run logs: https://github.com/zeroclaw-labs/zeroclaw/actions/runs/22645937948

Detected blocking line issues (sample):

  • none

Detected advisory line issues (sample):

  • none

Workflow files changed in this PR:

  • .github/workflows/pub-docker-img.yml

@github-actions github-actions bot commented Mar 3, 2026

Thanks for contributing to ZeroClaw.

For faster review, please ensure:

  • PR template sections are fully completed
  • cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test are included
  • If automation/agents were used heavily, add brief workflow notes
  • Scope is focused (prefer one concern per PR)

See CONTRIBUTING.md and docs/pr-workflow.md for full collaboration rules.

@github-actions github-actions bot added ci Auto scope: CI/workflow/hook files changed. size: XS Auto size: <=80 non-doc changed lines. risk: high Auto risk: security/runtime/gateway/tools/workflows. distinguished contributor Contributor with 50+ merged PRs. labels Mar 3, 2026
@theonlyhennygod theonlyhennygod self-assigned this Mar 3, 2026
@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/pub-docker-img.yml (1)

182-183: Smoke-test the same all-features path in PRs.

publish now builds with ZEROCLAW_CARGO_ALL_FEATURES=true, but PR smoke still exercises default features only. Mirroring this in the smoke build catches all-features breakage before tag publish.

Suggested diff
             - name: Build smoke image
               uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
               with:
                   context: .
                   push: false
                   load: true
                   provenance: false
                   sbom: false
+                  build-args: |
+                      ZEROCLAW_CARGO_ALL_FEATURES=true
                   tags: zeroclaw-pr-smoke:latest
                   labels: ${{ steps.meta.outputs.labels || '' }}
                   platforms: linux/amd64
                   cache-from: type=gha
                   cache-to: type=gha,mode=max
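Review bot: the two added lines hardcode ZEROCLAW_CARGO_ALL_FEATURES=true as a second literal copy of the value the publish step already sets, so the smoke and publish builds can drift apart in exactly the way this comment is trying to prevent; define the value once at workflow env: level and reference it from both build-args stanzas, e.g. `build-args: |` followed by `ZEROCLAW_CARGO_ALL_FEATURES=${{ env.ZEROCLAW_CARGO_ALL_FEATURES }}`. The indentation of the new block matches the sibling keys under with:, so the YAML parses as intended; note that the smoke step keeps push: false and load: true, so enabling the all-features path here only adds build time, not a new publish target.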
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pub-docker-img.yml around lines 182 - 183, The PR smoke
workflow does not set the same Docker build-arg used by publish; update the
smoke build step to pass the same build-arg so PRs exercise the all-features
path by adding the build-args entry with ZEROCLAW_CARGO_ALL_FEATURES=true to the
smoke job’s docker build action (match the publish job’s build-args stanza).
Locate the publish build-args block and replicate the build-args: |
ZEROCLAW_CARGO_ALL_FEATURES=true into the corresponding smoke/pr job step so
both paths run with the same all-features configuration.
Dockerfile (1)

34-37: Consider de-duplicating the cargo feature-selection branch.

The same if/elif/else cargo-flag logic appears in two build layers. Extracting shared logic (e.g., a reusable shell snippet or computed flag variable pattern) reduces drift risk.

Also applies to: 70-73

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 34 - 37, The Dockerfile duplicates cargo
feature-selection logic in two build layers; consolidate by computing a single
build command or feature-arg variable (e.g., derive FEATURES_ARG or
CARGO_BUILD_CMD based on ZEROCLAW_CARGO_ALL_FEATURES and
ZEROCLAW_CARGO_FEATURES) and reuse it in both places instead of repeating the
if/elif/else blocks. Update the two locations that currently branch on
ZEROCLAW_CARGO_ALL_FEATURES and ZEROCLAW_CARGO_FEATURES to call the shared shell
snippet or use the precomputed variable so both build layers run the same cargo
build invocation.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f3999ab and fc4b704.

📒 Files selected for processing (2)
  • .github/workflows/pub-docker-img.yml
  • Dockerfile
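As an added illustration of the de-duplication the Dockerfile nitpick suggests (example code written here, not the zeroclaw Dockerfile's own logic), the all-features / feature-list / default selection that the Walkthrough describes can be computed once by a small POSIX shell function and reused by every build layer; the function name, its positional-argument interface, and the precedence of the all-features flag over the feature list are assumptions:

```shell
#!/bin/sh
# Hypothetical helper (not from the zeroclaw repository): derive the cargo
# flags once from the two Docker build args, so each RUN layer executes the
# same invocation instead of repeating an if/elif/else block.
#
# Arguments (as a Dockerfile would pass them from ARG values):
#   $1  ZEROCLAW_CARGO_ALL_FEATURES  "true" enables --all-features
#   $2  ZEROCLAW_CARGO_FEATURES      comma-separated feature list, may be empty
# Prints the flags on stdout. --locked is always present so that the image is
# built from the committed Cargo.lock regardless of which branch is taken.
cargo_build_flags() {
    all="${1:-}"
    feats="${2:-}"
    # Assumption: all-features wins when both are set, but say so on stderr
    # rather than silently ignoring the feature list.
    if [ "$all" = "true" ] && [ -n "$feats" ]; then
        echo "warning: ZEROCLAW_CARGO_FEATURES ignored because ZEROCLAW_CARGO_ALL_FEATURES=true" >&2
    fi
    if [ "$all" = "true" ]; then
        printf '%s\n' "--locked --all-features"
    elif [ -n "$feats" ]; then
        printf '%s\n' "--locked --features $feats"
    else
        printf '%s\n' "--locked"
    fi
}

# Example: the command the builder layer would run for the GHCR all-features
# image (build arg set to "true", no explicit feature list).
printf 'cargo build --release %s\n' "$(cargo_build_flags true "")"
```

In a Dockerfile the function body would be sourced or inlined in one RUN step and its output expanded as `cargo build --release $(cargo_build_flags "$ZEROCLAW_CARGO_ALL_FEATURES" "$ZEROCLAW_CARGO_FEATURES")`, which is why the feature list is kept comma-separated with no spaces.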

Comment on lines +182 to +183
build-args: |
ZEROCLAW_CARGO_ALL_FEATURES=true

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check if workflow file exists
if [ ! -f .github/workflows/pub-docker-img.yml ]; then
  echo "Workflow file not found"
  exit 1
fi

echo "=== Workflow file check ==="
wc -l .github/workflows/pub-docker-img.yml

echo
echo "=== YAML syntax validation ==="
python3 <<EOF
import yaml
try:
    with open('.github/workflows/pub-docker-img.yml', 'r') as f:
        yaml.safe_load(f)
    print("✓ YAML syntax is valid")
except yaml.YAMLError as e:
    print(f"✗ YAML syntax error: {e}")
EOF

echo
echo "=== Action source inventory in workflow ==="
rg -nP '^\s*uses:\s*' .github/workflows/pub-docker-img.yml || echo "No 'uses' directives found"

echo
echo "=== Policy doc status ==="
if [ -f docs/actions-source-policy.md ]; then
  echo "✓ docs/actions-source-policy.md exists"
  echo "File size:"
  wc -l docs/actions-source-policy.md
else
  echo "✗ docs/actions-source-policy.md not found"
fi

Repository: zeroclaw-labs/zeroclaw

Length of output: 1479


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Context around lines 182-183 (175-190) ==="
sed -n '175,190p' .github/workflows/pub-docker-img.yml

echo
echo "=== Actions sources covered in policy doc ==="
cat docs/actions-source-policy.md

Repository: zeroclaw-labs/zeroclaw

Length of output: 4324


Confirm Actions allowlist status in PR notes; workflow uses github/codeql-action which is not explicitly listed in policy.

YAML syntax is valid. Actionlint cannot run in sandbox, but verification confirms: (1) lines 182-183 contain only build-args configuration for docker/build-push-action (no new Actions sources); (2) all Actions used—actions/*, docker/*, and github/codeql-action—must align with allowlist. The policy doc covers actions/* and docker/*, but github/codeql-action (line 404) is not explicitly in the allowlist patterns, despite being actively used. Include PR notes either confirming no new Actions sources were introduced or documenting the codeql-action allowlist status.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pub-docker-img.yml around lines 182 - 183, The workflow
uses docker/build-push-action with build-args (ZEROCLAW_CARGO_ALL_FEATURES) and
also github/codeql-action which is not covered by the current allowlist; update
the PR notes to either confirm no new Actions were introduced or explicitly
document that github/codeql-action is permitted by the allowlist policy, and if
the policy is missing that entry add github/codeql-action to the allowlist (or
update the security policy) so the workflow’s use of github/codeql-action is
authorized.

@github-actions github-actions bot added the dependencies Auto scope: dependency manifest/lock/policy changed. label Mar 3, 2026
@theonlyhennygod theonlyhennygod force-pushed the issue-2628-ghcr-all-features branch from 751d039 to a0025eb Compare March 3, 2026 22:36
@github-actions github-actions bot removed the dependencies Auto scope: dependency manifest/lock/policy changed. label Mar 3, 2026
@theonlyhennygod theonlyhennygod merged commit 5471be7 into main Mar 3, 2026
10 of 11 checks passed
@theonlyhennygod theonlyhennygod deleted the issue-2628-ghcr-all-features branch March 3, 2026 23:13


Development

Successfully merging this pull request may close these issues.

[Feature]: Publish container image with zeroclaw compiled with all build options
