feat(comfy-ui): create developing image

[tinovyatkin]

Create CompfyUI simple base image

Summary by CodeRabbit

• Documentation

  • Updated DEV.md with detailed instructions for building and running the ComfyUI Docker image.
  • Added comprehensive Docker setup guide for developers.

• New Features

  • Introduced a new Dockerfile for local CPU-based ComfyUI development environment.
  • Implemented Docker container configuration with specific port and startup settings.
  • Added a new GitHub Actions workflow for automating the build and push process of the ComfyUI development container.

[coderabbitai]

Walkthrough

The pull request introduces enhancements to the documentation and Dockerfile for setting up ComfyUI in a Docker environment. The DEV.md file now includes detailed instructions for building a Docker image using Dockerfile.local-cpu and running the ComfyUI container. The updated Dockerfile specifies a new base image with essential packages, repository cloning, environment configuration, and service initialization. Additionally, a new GitHub Actions workflow automates the build and push process for the ComfyUI development container.

Changes

File	Change Summary
ComfyUI/DEV.md	Added Docker image build and container run instructions
ComfyUI/Dockerfile.local-cpu	Updated Dockerfile for ComfyUI CPU-based Docker image setup
.github/workflows/comfyui-dev-container.yml	Added new GitHub Actions workflow for building and pushing Docker image

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Docker as Docker Engine
    participant ComfyUI as ComfyUI Container

    Dev->>Docker: Build Docker image
    Docker-->>Dev: Image built successfully
    Dev->>Docker: Run ComfyUI container
    Docker->>ComfyUI: Start application
    ComfyUI-->>Docker: Container running

Loading

Poem

🐰 A Docker tale of ComfyUI's might,
Spinning containers with code so bright
CPU-powered, ready to deploy
Development made simple, oh what joy!
A rabbit's dream of seamless design 🚀

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

ComfyUI/Dockerfile.local-cpu (4)

6-15: Optimize image size by cleaning up apt cache

While the cache mounting is good for build performance, consider adding apt-get clean and removing /var/lib/apt/lists/* to reduce the final image size.

 RUN --mount=type=cache,target=/var/cache/apt,rw --mount=type=cache,target=/var/lib/apt,rw \
     apt-get update && apt-get install -y --no-install-recommends \
     git \
     git-lfs \
     build-essential \
     libgl1-mesa-glx \
     wget \
     curl \
     unzip \
-    ffmpeg
+    ffmpeg \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*

---

35-36: Use --system instead of --global for git config

For container environments, --system is more appropriate than --global as it applies to all users and is more secure.

 RUN git config --local user.email "[email protected]" \
-    && git config --global user.name "Container Builder"
+    && git config --system user.name "Container Builder"

---

73-74: Consider removing git commit from Dockerfile

While the intention to track changes is good, committing changes during image build is unusual and might cause issues with image reproducibility. Consider documenting changes in the Dockerfile comments instead.

-# commit current state so we can trace changes
-RUN git add . && git commit -m "chore: initial setup"
+# Changes are tracked through Dockerfile version control

---

64-64: Fix heredoc syntax

Add a space before ] in the heredoc syntax to comply with shell script best practices.

-RUN <<EOF cat >> user/default/ComfyUI-Manager/config.ini
+RUN << EOF cat >> user/default/ComfyUI-Manager/config.ini

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 64-64: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6bb0030 and ed97125.

📒 Files selected for processing (2)

• ComfyUI/DEV.md (1 hunks)
• ComfyUI/Dockerfile.local-cpu (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• ComfyUI/DEV.md

🧰 Additional context used

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 64-64: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

🔇 Additional comments (4)

ComfyUI/Dockerfile.local-cpu (4)

17-26: Well-structured environment configuration!

Good use of ARG for version pinning and ENV for runtime configuration. The separation of build-time and runtime variables is well done.

---

38-52: Excellent dependency management setup!

Good practices observed:

• Proper virtual environment isolation
• Efficient cache usage with UV
• Correct PyTorch CPU variant selection

---

65-70: Review security implications of weak security level

The security_level = weak setting in ComfyUI Manager config might expose the application to security risks. Consider using a stronger security level unless there's a specific requirement for weak security.

Would you like me to help research the security implications of this setting?

---

55-55: Reconsider removing .gitignore file

Removing the .gitignore file could lead to unintended files being tracked in git. Consider adding the submodule path to .gitmodules instead.

[marchuk-vlad]

Why do we need to install these libraries separately? Isn't the requirements.txt file in the ComfyUI root directory sufficient?

[tinovyatkin]

requirements.txt is not enough in case of GPU optimized versions pytorch as it ships different builds using different indexes.

See https://docs.astral.sh/uv/guides/integration/pytorch/

[marchuk-vlad]

Add new line please.
Are the parameters "--cpu" and "--cpu-vae" needed here? What if someone wants to use a GPU?

[tinovyatkin]

Add new line please.

Sure, I’ll make the change.

That said, I believe stylistic or formatting issues are better addressed through automated tools rather than manual code review comments. Tools like automatic formatters and linters are widely available for most file types, including Dockerfiles. Using these tools ensures consistent formatting across the repository and saves time during reviews.

Currently, I don’t see even a basic configuration like an EditorConfig file in this repository. I’d be happy to contribute by adding such tools or configurations if the team agrees, as I also think consistent formatting is important.

[tinovyatkin]

Are the parameters "--cpu" and "--cpu-vae" needed here? What if someone wants to use a GPU?

As far I understand we need to create a dedicated container for GPU users which will have optimized pytorch builds and drivers such as CUDA installed (or use Nvidia Docker images as base)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

ComfyUI/Dockerfile.local-cpu (1)

55-55: Consider safer alternative to removing .gitignore.

Removing the entire .gitignore file might have unintended consequences for version control. Consider either:

• Temporarily moving it aside and restoring after submodule addition
• Or modifying only the relevant rules

-RUN rm .gitignore
+RUN mv .gitignore .gitignore.bak && \
+    git submodule add $COMFYUI_MANAGER_REPO custom_nodes/ComfyUI-Manager && \
+    mv .gitignore.bak .gitignore

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed97125 and e156bf1.

📒 Files selected for processing (1)

• ComfyUI/Dockerfile.local-cpu (1 hunks)

🧰 Additional context used

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 64-64: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (4)

ComfyUI/Dockerfile.local-cpu (4)

1-15: Well-structured base setup with efficient caching!

Good practices observed:

• Using UV pre-installed image for faster Python package management
• Proper caching of apt operations
• Comprehensive system dependencies

---

38-42: Good implementation of relocatable virtual environment!

The virtual environment setup with --relocatable flag aligns with the development needs for dependency isolation and portability.

---

86-86: Consider parameterizing CPU/GPU options.

The --cpu and --cpu-vae flags are hardcoded, which limits the image's flexibility. Consider:

1. Making these configurable via build arguments
2. Using environment variables to toggle CPU/GPU mode at runtime

-CMD [".venv/bin/python", "main.py", "--listen", "0.0.0.0", "--port", "8188", "--disable-auto-launch", "--cpu", "--cpu-vae"]
+ARG COMPUTE_TYPE="cpu"
+ENV EXTRA_ARGS=${COMPUTE_TYPE:+"--$COMPUTE_TYPE --$COMPUTE_TYPE-vae"}
+CMD .venv/bin/python main.py --listen 0.0.0.0 --port 8188 --disable-auto-launch $EXTRA_ARGS

---

21-26: Verify ComfyUI version compatibility.

The specified ComfyUI version (v0.3.10) should be verified for compatibility with the required features and stability.

✅ Verification successful

ComfyUI version is up-to-date and stable

The specified version (v0.3.10) is the latest stable release, with no reported critical issues. The version pinning is appropriate for production use.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check latest ComfyUI releases and any reported issues
gh api repos/comfyanonymous/ComfyUI/releases/latest --jq .tag_name
gh api repos/comfyanonymous/ComfyUI/issues --jq '.[] | select(.state == "open" and (.title | test("v0.3.10"; "i"))) | {title, html_url}'

Length of output: 215

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

ComfyUI/Dockerfile.local-cpu (1)

64-71: ⚠️ Potential issue

Document security implications and fix heredoc syntax.

1. The weak security level allows execution of high-risk features
2. The heredoc syntax is incorrect

-RUN <<EOF cat >> user/default/ComfyUI-Manager/config.ini
+# Warning: Weak security level is for development only
+# This allows execution of potentially unsafe custom nodes
+RUN << EOF cat >> user/default/ComfyUI-Manager/config.ini
 [default]
 preview_method = auto
 file_logging = False
 security_level = weak
 skip_migration_check = True
 model_download_by_agent = False
 EOF

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 64-64: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

🧹 Nitpick comments (4)

ComfyUI/Dockerfile.local-cpu (4)

6-15: Clean up apt lists after package installation.

To reduce the image size, add rm -rf /var/lib/apt/lists/* after package installation:

 RUN --mount=type=cache,target=/var/cache/apt,rw --mount=type=cache,target=/var/lib/apt,rw \
     apt-get update && apt-get install -y --no-install-recommends \
     git \
     git-lfs \
     build-essential \
     libgl1-mesa-glx \
     wget \
     curl \
     unzip \
-    ffmpeg
+    ffmpeg \
+    && rm -rf /var/lib/apt/lists/*

---

21-26: Enhance security with SHA pinning and verification.

While version tags are used, they can be changed. Consider:

1. Using commit SHAs instead of version tags
2. Adding repository verification

-ARG COMFYUI_VERSION=v0.3.10
-ARG COMFYUI_MANAGER_VERSION=3.6.5
+# ComfyUI v0.3.10
+ARG COMFYUI_SHA=8973d5e0e5eeaa0d3a4710ab8eb6e1c5e1ca2787
+# ComfyUI Manager 3.6.5
+ARG COMFYUI_MANAGER_SHA=a935c8bb355a8d2e107e1fb11ace9cd6d2b9c9bb

Then update the clone commands to use these SHAs.

---

80-81: Enhance healthcheck for better reliability.

The current healthcheck only verifies HTTP response. Consider:

1. Adding a more comprehensive health endpoint
2. Checking for successful model loading
3. Adding timeout and retry parameters

 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:8188/ || exit 1
+    CMD curl -f http://localhost:8188/system/health || exit 1

---

86-86: Document CPU-only runtime configuration.

The --cpu and --cpu-vae flags enforce CPU-only execution. Add a comment explaining:

1. Why CPU-only mode is used
2. How to modify for GPU support
3. Performance implications

+# CPU-only configuration for development
+# For GPU support:
+# 1. Use appropriate base image (e.g., nvidia/cuda)
+# 2. Remove --cpu and --cpu-vae flags
+# 3. Install GPU versions of PyTorch packages
 CMD [".venv/bin/python", "main.py", "--listen", "0.0.0.0", "--port", "8188", "--disable-auto-launch", "--cpu", "--cpu-vae"]

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e156bf1 and 3cc43a5.

📒 Files selected for processing (1)

• ComfyUI/Dockerfile.local-cpu (1 hunks)

🧰 Additional context used

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 64-64: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/comfyui-dev-container.yml (1)

3-8: Consider adding more path triggers.

Add paths for any files in the ComfyUI directory that could affect the build:

 on:
   push:
     paths:
       - ".github/workflows/comfyui-dev-container.yml"
       - "ComfyUI/Dockerfile.local-cpu"
+      - "ComfyUI/requirements.txt"
+      - "ComfyUI/scripts/**"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3cc43a5 and 3f6c43f.

📒 Files selected for processing (1)

• .github/workflows/comfyui-dev-container.yml (1 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/comfyui-dev-container.yml

[warning] 12-38: Workflow does not contain permissions
Actions Job or Workflow does not set permissions

---

[warning] 18-18: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 25-25: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 28-28: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 31-31: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

.github/workflows/comfyui-dev-container.yml (1)

10-13: ⚠️ Potential issue

Add explicit permissions to follow security best practices.

The workflow should declare minimum required permissions:

 jobs:
   build-and-push:
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest

Likely invalid or redundant comment.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/comfyui-dev-container.yml (1)

37-43: Enhance Docker image configuration and versioning.

Consider adding version tags and metadata labels for better container management.

Apply this diff to improve the build configuration:

         with:
           context: ComfyUI
           file: ComfyUI/Dockerfile.local-cpu
           push: true
           provenance: true
           platforms: linux/amd64,linux/arm64
-          tags: ghcr.io/super-protocol/solutions/comfyui-composer:latest
+          tags: |
+            ghcr.io/super-protocol/solutions/comfyui-composer:latest
+            ghcr.io/super-protocol/solutions/comfyui-composer:${{ github.sha }}
+          labels: |
+            org.opencontainers.image.title=ComfyUI Development Container
+            org.opencontainers.image.description=Base development image for ComfyUI
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

ComfyUI/Dockerfile.local-cpu (2)

6-14: Consider using multi-stage builds to reduce image size.

The current setup installs build dependencies that aren't needed at runtime.

Consider using a multi-stage build to separate build and runtime dependencies:

+FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    git-lfs \
+    build-essential
+
+# ... build steps ...
+
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
 
RUN apt-get update && apt-get install -y --no-install-recommends \
-    git \
-    git-lfs \
-    build-essential \
     libgl1-mesa-glx \
     wget \
     curl \
     unzip \
     ffmpeg
+
+COPY --from=builder $COMFYUI_DIR $COMFYUI_DIR

---

79-81: Improve healthcheck reliability.

The current healthcheck might not detect all failure modes.

Consider adding more comprehensive health checks:

HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:8188/ || exit 1
+    CMD curl -f http://localhost:8188/ -o /dev/null \
+        && python3 -c "import torch; print(torch.__version__)" \
+        || exit 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f6c43f and aeaff94.

📒 Files selected for processing (2)

• .github/workflows/comfyui-dev-container.yml (1 hunks)
• ComfyUI/Dockerfile.local-cpu (1 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/comfyui-dev-container.yml

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 63-63: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build-and-push

🔇 Additional comments (3)

.github/workflows/comfyui-dev-container.yml (2)

13-17: LGTM! Permissions are well-defined and follow the principle of least privilege.

The workflow correctly specifies the minimum required permissions:

• packages: write for pushing to container registry
• contents: read for checking out code
• attestations: write and id-token: write for provenance

---

19-36: ⚠️ Potential issue

Pin GitHub Actions to specific commit hashes for security.

Using version tags like v3 and v6 can be unsafe as tags can be moved to point to malicious commits.

Apply this diff to pin the actions to specific commit hashes:

-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0

Likely invalid or redundant comment.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

ComfyUI/Dockerfile.local-cpu (1)

63-70: Document security implications of weak security level.

The security_level = weak setting allows all risk levels to execute.

Add a comment explaining this is for development only:

RUN << EOF cat >> user/default/ComfyUI-Manager/config.ini
[default]
preview_method = auto
file_logging = False
+# WARNING: Weak security level is for development only.
+# This allows execution of all risk levels including high-risk features.
+# Never use this setting in production environments.
security_level = weak
skip_migration_check = True
model_download_by_agent = False
EOF

Let's verify if this configuration is used elsewhere:

✅ Verification successful

Add security warning comment as suggested

The review comment is correct. The security_level = weak setting appears only in the local development Dockerfile, and adding the warning comment is appropriate. The proposed documentation clearly warns about the security implications and helps prevent accidental use in production environments.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for security level configuration
rg -i "security_level.*=|SECURITY" ComfyUI/

Length of output: 96

---

Script:

#!/bin/bash
# Search for other Dockerfiles and config files
fd Dockerfile
fd -e ini -e md -e txt -i -g "*config*"
fd -e md -i -g "*security*"
fd -e md -i -g "*readme*"

Length of output: 952

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 63-63: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/comfyui-dev-container.yml (1)

46-49: Add source URL to container metadata labels.

Enhance container discoverability by adding the source URL:

          labels: |
            org.opencontainers.image.title=ComfyUI Development Container
            org.opencontainers.image.description=Base development image for ComfyUI
+           org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aeaff94 and b9b6112.

📒 Files selected for processing (1)

• .github/workflows/comfyui-dev-container.yml (1 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/comfyui-dev-container.yml

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build-and-push

🔇 Additional comments (2)

.github/workflows/comfyui-dev-container.yml (2)

1-17: Well-structured workflow configuration!

The workflow has:

• Clear naming
• Appropriate trigger paths
• Well-defined minimal permissions following the principle of least privilege

---

19-34: ⚠️ Potential issue

Pin action versions to specific commit hashes for security.

To prevent potential supply chain attacks, replace version tags with commit hashes:

-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0

-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0

Likely invalid or redundant comment.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (6)

ComfyUI/DEV.md (2)

3-5: Consider adding build arguments for better version control.

The build command could benefit from explicit version arguments:

-docker buildx build -f Dockerfile.local-cpu -t comfyui .
+docker buildx build -f Dockerfile.local-cpu \
+    --build-arg COMFYUI_VERSION=v0.3.10 \
+    --build-arg COMFYUI_MANAGER_VERSION=3.6.5 \
+    -t comfyui .

---

9-17: Consider adding volume mounts for data persistence.

The run command could benefit from volume mounts for models and outputs:

 docker run \
     --name comfyui \
     --publish 8188:8188 \
     # optionally to run in background
     --detach \
     --restart unless-stopped \
+    --volume ./models:/opt/ComfyUI/models \
+    --volume ./output:/opt/ComfyUI/output \
     comfyui

.github/workflows/comfyui-dev-container.yml (1)

46-49: Add more metadata labels for better container discoverability.

Consider adding additional OpenContainers labels:

 labels: |
   org.opencontainers.image.title=ComfyUI Development Container
   org.opencontainers.image.description=Base development image for ComfyUI
   org.opencontainers.image.revision=${{ github.sha }}
+  org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+  org.opencontainers.image.licenses=MIT
+  org.opencontainers.image.created=${{ github.event.repository.updated_at }}
+  org.opencontainers.image.documentation=https://github.com/Super-Protocol/solutions/blob/main/ComfyUI/DEV.md

ComfyUI/Dockerfile.local-cpu (3)

6-14: Optimize package installation for smaller image size.

Add cleanup steps and consider pinning package versions:

 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     git-lfs \
     build-essential \
     libgl1-mesa-glx \
     wget \
     curl \
     unzip \
-    ffmpeg
+    ffmpeg \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*

---

79-80: Enhance healthcheck robustness.

Consider a more comprehensive health check:

-    CMD curl -f http://localhost:8188/ || exit 1
+    CMD curl -f http://localhost:8188/ -o /dev/null \
+        && ps aux | grep -q "[p]ython.*main.py" \
+        && [ -S /tmp/.X11-unix/X0 ] || exit 1

---

82-85: Document CPU-only limitations.

Add a comment explaining the implications of CPU-only mode:

-# On startup, ComfyUI is started at its default port; the IP address is changed from localhost to 0.0.0.0, because Docker is only forwarding traffic
-# to the IP address it assigns to the container, which is unknown at build time; listening to 0.0.0.0 means that ComfyUI listens to all incoming
-# traffic; the auto-launch feature is disabled, because we do not want (nor is it possible) to open a browser window in a Docker container
+# Container Configuration:
+# 1. Network: Listens on 0.0.0.0 to accept connections from Docker's network
+# 2. Browser: Auto-launch disabled as container runs headless
+# 3. Processing:
+#    - CPU-only mode for broad compatibility
+#    - Performance will be lower than GPU-enabled setups
+#    - For GPU support, use the GPU-specific Dockerfile
 CMD [".venv/bin/python", "main.py", "--listen", "0.0.0.0", "--port", "8188", "--disable-auto-launch", "--cpu", "--cpu-vae"]

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b9b6112 and 180433a.

📒 Files selected for processing (3)

• .github/workflows/comfyui-dev-container.yml (1 hunks)
• ComfyUI/DEV.md (1 hunks)
• ComfyUI/Dockerfile.local-cpu (1 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/comfyui-dev-container.yml

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 63-63: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build-and-push

🔇 Additional comments (3)

.github/workflows/comfyui-dev-container.yml (2)

3-17: Well-structured workflow configuration!

The workflow triggers and permissions are properly configured for secure container publishing.

---

19-36: ⚠️ Potential issue

Pin action versions to specific commit hashes for security.

Replace version tags with commit hashes to prevent supply chain attacks:

-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0

-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0

Likely invalid or redundant comment.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

ComfyUI/Dockerfile.local-cpu (1)

63-70: 🛠️ Refactor suggestion

Document security implications of weak security level.

The weak security level allows all risk levels to execute. Add a comment explaining this is for development only:

 RUN <<EOF cat >> user/default/ComfyUI-Manager/config.ini
 [default]
 preview_method = auto
 file_logging = False
+# WARNING: weak security level is for development only
+# This allows execution of all risk levels including high-risk features
+# Do not use this setting in production environments
 security_level = weak
 skip_migration_check = True
 model_download_by_agent = False
 EOF

Likely invalid or redundant comment.

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 63-63: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

[coderabbitai]

🛠️ Refactor suggestion

Add error handling to git commands.

The git commands should check for errors and existing changes:

-git stash --all --include-untracked
-git checkout -b my-setup-changes
-git stash apply
-git add --all
-git commit -m 'Getting all my changes'
-git archive -o update.zip HEAD $(git diff --submodule=diff --name-only HEAD HEAD^)
+# Check for uncommitted changes
+if ! git diff-index --quiet HEAD --; then
+    git stash --all --include-untracked
+fi
+
+# Create new branch if it doesn't exist
+if ! git show-ref --verify --quiet refs/heads/my-setup-changes; then
+    git checkout -b my-setup-changes
+else
+    echo "Branch my-setup-changes already exists"
+    exit 1
+fi
+
+# Apply stashed changes if they exist
+if git stash list | grep -q "stash@{0}"; then
+    git stash apply
+fi
+
+git add --all
+git commit -m 'Getting all my changes'
+
+# Create archive if there are changes
+if git diff --name-only HEAD HEAD^ &>/dev/null; then
+    git archive -o update.zip HEAD $(git diff --submodule=diff --name-only HEAD HEAD^)
+fi

[coderabbitai]

🛠️ Refactor suggestion

Verify package integrity during installation.

Add hash verification for better security:

 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv pip install -r requirements.txt
+    uv pip install -r requirements.txt --require-hashes

Generate requirements with hashes using:

uv pip freeze --all --require-hashes > requirements.txt

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/comfyui-dev-container.yml (1)

35-48: Consider adding more metadata labels for better container discoverability.

While the current labels are good, consider adding more OpenContainers labels for better container discoverability and compliance:

           labels: |
             org.opencontainers.image.title=ComfyUI Development Container
             org.opencontainers.image.description=Base development image for ComfyUI
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.created=${{ github.event.repository.updated_at }}
+            org.opencontainers.image.version=${{ github.sha }}
+            org.opencontainers.image.licenses=MIT

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 180433a and e82c0a7.

📒 Files selected for processing (1)

• .github/workflows/comfyui-dev-container.yml (1 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/comfyui-dev-container.yml

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 36-36: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build-and-push

🔇 Additional comments (1)

.github/workflows/comfyui-dev-container.yml (1)

1-18: LGTM! Well-configured workflow triggers and permissions.

The workflow is correctly configured with:

• Specific path triggers to avoid unnecessary builds
• Explicit permissions following the principle of least privilege

[coderabbitai]

⚠️ Potential issue

Pin GitHub Actions to specific commit hashes for better security.

Currently using version tags (@V3) which could potentially lead to supply chain attacks. Replace version tags with specific commit hashes for all actions:

• actions/checkout@v4
• docker/login-action@v3
• docker/setup-qemu-action@v3
• docker/setup-buildx-action@v3

Here's how to find and pin the commit hashes:

#!/bin/bash
# Description: Get the latest commit hashes for the GitHub Actions in use

# For each action, fetch the commit hash for the current version tag
for action in "actions/checkout@v4" "docker/login-action@v3" "docker/setup-qemu-action@v3" "docker/setup-buildx-action@v3" "docker/build-push-action@v6"; do
  echo "Fetching commit hash for $action"
  gh api repos/${action%@*}/commits/$(echo $action | cut -d@ -f2) --jq .sha
done

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

ComfyUI/Dockerfile.local-cpu (1)

6-14: Optimize package installation to reduce image size.

Add cleanup steps after package installation to reduce the image size.

 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     git-lfs \
     build-essential \
     libgl1-mesa-glx \
     wget \
     curl \
     unzip \
-    ffmpeg
+    ffmpeg \
+    && rm -rf /var/lib/apt/lists/*

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e82c0a7 and 7a35039.

📒 Files selected for processing (3)

• .github/workflows/comfyui-dev-container.yml (1 hunks)
• ComfyUI/DEV.md (1 hunks)
• ComfyUI/Dockerfile.local-cpu (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• ComfyUI/DEV.md

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/comfyui-dev-container.yml

[warning] 23-23: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/login-action' with ref 'v3', not a pinned commit hash

---

[warning] 30-30: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash

---

[warning] 33-33: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash

---

[warning] 37-37: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step: meta uses 'docker/metadata-action' with ref 'v5', not a pinned commit hash

---

[warning] 46-46: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 63-63: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: build-and-push

🔇 Additional comments (10)

.github/workflows/comfyui-dev-container.yml (4)

13-17: LGTM! Comprehensive permissions configuration.

The permissions block correctly specifies all necessary scopes for the workflow operations.

---

20-20: Pin GitHub Actions to specific commit hashes.

Using version tags (@V3, @v4, @v5, @v6) could potentially lead to supply chain attacks. Replace version tags with specific commit hashes for better security.

Also applies to: 23-23, 30-30, 33-33, 37-37, 46-46

---

35-43: LGTM! Well-structured tagging strategy.

The metadata configuration implements a clear and logical tagging strategy that separates development, PR, and production builds.

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 37-37: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step: meta uses 'docker/metadata-action' with ref 'v5', not a pinned commit hash

---

45-56: LGTM! Comprehensive build configuration.

The build and push configuration includes all necessary elements:

• Multi-platform support (amd64/arm64)
• Security through provenance
• Clear image metadata

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 46-46: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Build and Push ComfyUI Dev Container' step Uses Step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash

ComfyUI/Dockerfile.local-cpu (6)

20-25: LGTM! Clear version management and environment configuration.

Explicit versioning and well-organized environment variables improve maintainability.

---

38-41: LGTM! Well-configured virtual environment.

The relocatable virtual environment setup aligns with the development purpose, making it easier to detect and replicate dependency changes.

---

49-50: Add hash verification for package installation.

Enhance security by verifying package integrity during installation.

---

63-70: Document security implications and fix heredoc formatting.

1. Add a comment explaining this is for development only and document security implications.
2. Fix the heredoc formatting.

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 63-63: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

---

79-80: LGTM! Well-configured healthcheck.

The healthcheck configuration follows best practices with appropriate intervals and retry settings.

---

85-85: LGTM! Appropriate CPU-only configuration.

The CPU-only configuration is suitable for this base development image, with GPU support planned for a separate image.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

ComfyUI/Dockerfile.local-cpu (2)

49-50: 🛠️ Refactor suggestion

Verify package integrity during installation.

Add hash verification for better security:

 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv pip install -r requirements.txt
+    uv pip install -r requirements.txt --require-hashes

Generate requirements with hashes using:

uv pip freeze --all --require-hashes > requirements.txt

---

74-81: ⚠️ Potential issue

Document security implications and fix heredoc syntax

1. The security_level = weak setting needs documentation about its development-only usage and security implications.
2. Fix the heredoc syntax:

-RUN <<EOF cat >> user/default/ComfyUI-Manager/config.ini
+RUN << EOF cat >> user/default/ComfyUI-Manager/config.ini
 [default]
 preview_method = auto
 file_logging = False
 security_level = weak
 skip_migration_check = True
 model_download_by_agent = False
EOF

Add a comment explaining the security implications:

+# WARNING: This configuration is for development only.
+# The weak security level allows all risk levels to execute.
+# Never use this configuration in production environments.
 RUN << EOF cat >> user/default/ComfyUI-Manager/config.ini

🧰 Tools

🪛 Hadolint (2.12.0)

[error] 74-74: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

🧹 Nitpick comments (3)

ComfyUI/Dockerfile.local-cpu (3)

6-14: Optimize image size by cleaning up apt cache

Add cleanup commands to reduce the image size:

 RUN apt-get update && apt-get install -y --no-install-recommends \
     git \
     git-lfs \
     build-essential \
     libgl1-mesa-glx \
     wget \
     curl \
     unzip \
-    ffmpeg
+    ffmpeg \
+    && rm -rf /var/lib/apt/lists/*

---

34-35: Consider using more specific git configuration

The current git configuration uses generic email and name. Consider using more specific identifiers that reflect your organization:

-RUN git config --local user.email "[email protected]" \
+RUN git config --local user.email "[email protected]" \
     && git config --global user.name "Container Builder"

---

90-91: Enhance healthcheck reliability

The current healthcheck might fail if the working directory changes. Make it more robust:

 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:8188/ || exit 1
+    CMD cd $COMFYUI_DIR && curl -f http://localhost:8188/ || exit 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7a35039 and 7b86882.

📒 Files selected for processing (2)

• ComfyUI/DEV.md (1 hunks)
• ComfyUI/Dockerfile.local-cpu (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• ComfyUI/DEV.md

🧰 Additional context used

🪛 Hadolint (2.12.0)

ComfyUI/Dockerfile.local-cpu

[error] 56-56: This is interpreted as a command name ending with '/'. Double check syntax.

(SC2287)

---

[error] 74-74: Missing space before ]. Fix any mentioned problems and try again.

(SC1072)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: build-and-push

🔇 Additional comments (1)

ComfyUI/Dockerfile.local-cpu (1)

20-25: LGTM! Good version pinning and environment organization.

The use of ARG for versions and clear environment variable organization promotes reproducibility and maintainability.