Improve Docker CI for PRs and add manual release workflow#25
Open
- add pull_request support for build validation
- refactor amd64/arm64 jobs into a matrix build
- support manual workflow_dispatch runs on main or tags
- treat tag-based manual runs as versioned builds
- publish develop tags for main branch runs
- keep DockerHub login/push disabled for PRs
- create multi-arch manifests for develop and release tags
- add Grype-based scanning of the base image
- upload SARIF results for non-PR runs, and only for workflow_dispatch on main
- keep the existing per-arch slim image flow
- add Buildx cache configuration
- pin GitHub Actions by commit SHA

This makes the workflow more reusable for contributors and forks, adds container vulnerability scanning, and keeps release publishing compatible with manual tag-triggered release automation.
Summary
Refactor the Docker image workflow to better support pull requests, manual dispatches, releases, and multi-architecture publishing.
This change also adds container vulnerability scanning for the base image and keeps the workflow usable in forks by avoiding DockerHub publishing on PR builds.
Changes
- Add pull_request support for build validation
- Refactor amd64 and arm64 jobs into a matrix build
- Support workflow_dispatch runs on main or on a tag
- Treat main branch runs as develop builds
- Create multi-arch manifests for develop and versioned release tags
- Upload SARIF results only for workflow_dispatch when run on main
Behavior
Pull requests
- Build amd64 and arm64 images
Push to main
- Push develop-amd64 and develop-arm64
- Create develop and develop-slim multi-arch manifests
Release
- Build amd64 and arm64 images
- Create latest multi-arch manifests
Manual dispatch
- Runs on main or on a tag
- On main, behaves like a develop build
Why
This makes the workflow more useful for contributors and forks by allowing PR validation without requiring publish credentials.
It also improves maintainability by deduplicating the architecture-specific jobs and centralizing the image tag/version logic.
Finally, it adds image vulnerability scanning so issues in the base image are detected during CI before publishing.
Notes
- Triggers: push and pull_request
- Publishing limited to main and tags to avoid publishing unintended temporary tags
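As an added illustration, not the workflow from this PR or this project, here is a trimmed GitHub Actions file that encodes the trigger and publish rules described above: the amd64/arm64 matrix, no DockerHub login or push on pull requests, tag refs treated as versioned builds and main (push or manual dispatch) as develop, Buildx cache, and SARIF upload only for a manual run on main. The image names, the secret names and the <pinned-sha> placeholders are assumptions; a real workflow would pin each action to a commit SHA as the PR describes.

```yaml
name: docker
on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [amd64, arm64]
    env:
      # PRs never log in or push; every other event may publish.
      PUBLISH: ${{ github.event_name != 'pull_request' }}
      # Tag ref -> versioned build; main (push or dispatch) -> develop.
      IMAGE_TAG: ${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || 'develop' }}
    steps:
      - uses: actions/checkout@<pinned-sha>
      - uses: docker/setup-buildx-action@<pinned-sha>
      - if: env.PUBLISH == 'true'
        uses: docker/login-action@<pinned-sha>
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret name
          password: ${{ secrets.DOCKERHUB_TOKEN }}      # assumed secret name
      - uses: docker/build-push-action@<pinned-sha>
        with:
          platforms: linux/${{ matrix.arch }}
          push: ${{ env.PUBLISH == 'true' }}
          # Per-arch tag, e.g. develop-amd64 or v1.2.3-arm64 (example image name).
          tags: example/app:${{ env.IMAGE_TAG }}-${{ matrix.arch }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  scan:
    # Base-image scan runs for every non-PR event.
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - id: grype
        uses: anchore/scan-action@<pinned-sha>
        with:
          image: example/base:latest   # placeholder for the real base image
          output-format: sarif
      # SARIF upload only for manual runs on main, as the PR states.
      - if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main'
        uses: github/codeql-action/upload-sarif@<pinned-sha>
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
```

A separate manifest job that runs docker buildx imagetools create for the develop, develop-slim and release tags would sit after build and is omitted here.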