Removes private handling of RVC4 images

[klemen1999]

Purpose

Removes private RVC4 image package

Specification

None / not applicable

Dependencies & Potential Impact

None / not applicable

Deployment Plan

None / not applicable

Testing & Validation

None / not applicable

AI Usage

Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

Submitted code was reviewed by a human: YES/NO

The author is taking the responsibility for the contribution: YES/NO

Summary by CodeRabbit

Chores

• Simplified container image publishing to use a unified, non-private naming strategy across registries.
• Reorganized publish steps so image builds occur before registry publishing, with consistent tagging for latest and SHA.
• Improved Docker build candidate selection for RVC4 to refine when “full version” fallbacks are used.

Bug Fixes

• Fixed build file download behavior so the workflow no longer skips the step for the hailo package.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0b9918bf-40d0-4f7b-af32-af0ac13d8f6d

📥 Commits

Reviewing files that changed from the base of the PR and between cb24581 and 2951a77.

📒 Files selected for processing (1)

• .github/workflows/publish.yaml

💤 Files with no reviewable changes (1)

• .github/workflows/publish.yaml

---

📝 Walkthrough

Walkthrough

This PR removes private image naming from the Docker publish workflow and related image selection logic. The publish workflow environment no longer defines PRIVATE_LOCAL_NAME, GHCR and GAR publishing now use only non-private naming unconditionally, GCS download gating is simplified to include hailo, and Docker image candidate selection for RVC4 no longer includes the -private variant.

Changes

Remove Private Image Naming

Layer / File(s)	Summary
Environment variable cleanup .github/workflows/publish.yaml	Removed PRIVATE_LOCAL_NAME from workflow environment setup and added BARE_LOCAL_NAME, keeping only non-private naming derived from inputs.package and inputs.version.
Publish workflow refactoring .github/workflows/publish.yaml	GCS download step no longer skips hailo package. GHCR and GAR publishing steps remove PRIVATE_PACKAGE conditional branching; "latest" and "SHA" tags are now computed unconditionally from LOCAL_NAME/NAME/STEM. Build step placed before publish steps. GAR clients step now initializes SHA internally before tagging client images.
Docker image candidate selection modelconverter/utils/docker_utils.py	RVC4 candidate-image logic removes the -private variant and adds conditional full-version fallback when a build number is present and no explicit image tag is supplied.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• luxonis/modelconverter#232: Both PRs modify .github/workflows/publish.yaml's RVC4 image tagging logic around the -private/PRIVATE_PACKAGE handling for :latest tag computation.

Suggested reviewers

• tersekmatija
• conorsim

Poem

🐰 Private images fade to grey,
One path replaces yesterday,
The naming cleaned, the branching gone,
Non-private flows march boldly on,
A simpler way to build and push,
No more complexity to crush! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Removes private handling of RVC4 images' directly corresponds to the main change: removing private RVC4 image package handling from the workflow and docker utility code.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/remove_private_rvc4_images

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[klemen1999]

When looking at the publish.yaml I also randomly saw this hailo specific check. It looks like we skip this download for hailo but the step has hailo specific code. Is it intentional that we skip it anyway? @kozlov721

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/publish.yaml (1)

143-152: 💤 Low value

Consider hardening against template injection in repository variable.

The static analysis tool flagged potential code injection via ${{ vars.EXTERNAL_CLIENTS }}. While this is a repository-level variable controlled by admins (not attacker-controllable via PRs), it's good practice to quote the expansion or use an intermediate environment variable to prevent issues if the variable ever contains unexpected characters.

🛡️ Optional hardening

      - name: GAR publish clients
+       env:
+         EXTERNAL_CLIENTS: ${{ vars.EXTERNAL_CLIENTS }}
        run: |
-         read -r -a REPO_ARRAY <<< "${{ vars.EXTERNAL_CLIENTS }}"
+         read -r -a REPO_ARRAY <<< "${EXTERNAL_CLIENTS}"

          SHA=$(git rev-parse --short HEAD)
          for REPO in "${REPO_ARRAY[@]}"; do

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yaml around lines 143 - 152, The repo variable
expansion needs hardening: capture the workflow variable into a safe
intermediate env var and use a proper array reader and quoted expansions to
avoid template-injection/word-splitting; specifically, assign
EXTERNAL_CLIENTS_VAL="${{ vars.EXTERNAL_CLIENTS }}" then populate the array with
readarray -t REPO_ARRAY <<< "$EXTERNAL_CLIENTS_VAL" (or read -r -a REPO_ARRAY
<<< "$EXTERNAL_CLIENTS_VAL"), iterate with for REPO in "${REPO_ARRAY[@]}", and
ensure all uses like
GAR_CLIENT_NAME="${GAR_STEM}/${REPO}/${STEM}:${VERSION}-${SHA}" and docker
tag/push use quoted variable expansions (e.g., docker tag "${LOCAL_NAME}"
"${GAR_CLIENT_NAME}") so unexpected characters in EXTERNAL_CLIENTS cannot cause
injection or word-splitting.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/publish.yaml:
- Around line 143-152: The repo variable expansion needs hardening: capture the
workflow variable into a safe intermediate env var and use a proper array reader
and quoted expansions to avoid template-injection/word-splitting; specifically,
assign EXTERNAL_CLIENTS_VAL="${{ vars.EXTERNAL_CLIENTS }}" then populate the
array with readarray -t REPO_ARRAY <<< "$EXTERNAL_CLIENTS_VAL" (or read -r -a
REPO_ARRAY <<< "$EXTERNAL_CLIENTS_VAL"), iterate with for REPO in
"${REPO_ARRAY[@]}", and ensure all uses like
GAR_CLIENT_NAME="${GAR_STEM}/${REPO}/${STEM}:${VERSION}-${SHA}" and docker
tag/push use quoted variable expansions (e.g., docker tag "${LOCAL_NAME}"
"${GAR_CLIENT_NAME}") so unexpected characters in EXTERNAL_CLIENTS cannot cause
injection or word-splitting.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 48a848ec-43e6-4926-a7cc-8603820f7224

📥 Commits

Reviewing files that changed from the base of the PR and between 959a32f and cb24581.

📒 Files selected for processing (2)

• .github/workflows/publish.yaml
• modelconverter/utils/docker_utils.py