Skip to content

Commit 7087397

Browse files
authored
feat: Update Docker publish workflow for tag handling (#35)
* Enhance Docker publish workflow for SBOM generation Updated Docker publish workflow to include first image tag extraction and modified image reference for Trivy scanning. * Clean up docker-publish.yml by removing blank lines Removed unnecessary blank lines in the Docker publish workflow. * Add comment for priority setting * Refactor Docker publish workflow: improve tag logic, variable names, and documentation
1 parent 9d31dbc commit 7087397

1 file changed

Lines changed: 17 additions & 7 deletions

File tree

.github/workflows/docker-publish.yml

Lines changed: 17 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -71,11 +71,13 @@ jobs:
7171
latest=false
7272
tags: |
7373
type=semver,pattern={{raw}}
74-
type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/develop')}}
75-
type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/release/')}}
76-
type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/hotfix/')}}
74+
# Priority is set to ensure the develop-{{sha}} tag is preferred over other tags for the develop branch
75+
type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201
76+
type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}}
77+
type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}}
78+
# The following tag is only applied to regular branches except 'develop' and 'release/*' (i.e., not for tags or PRs)
79+
type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/') && !startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}}
7780
type=ref,event=pr
78-
type=raw,value=manual-{{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}}
7981
8082
# Build and push Docker image with Buildx (don't push on PR)
8183
# https://github.com/docker/build-push-action
@@ -105,6 +107,14 @@ jobs:
105107
push: false
106108
outputs: type=local,dest=sbom-output
107109

110+
# Extract the tag with the highest priority from the list for Trivy scanning
111+
- name: Get highest priority image tag
112+
if: ${{ github.event_name != 'pull_request' }}
113+
id: highest-priority-tag
114+
run: |
115+
# The first tag in the list is the one with the highest priority
116+
echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT
117+
108118
# Generate container SBOM.
109119
- name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
110120
if: ${{ github.event_name != 'pull_request' }}
@@ -113,9 +123,9 @@ jobs:
113123
scan-type: 'image'
114124
format: 'cyclonedx'
115125
output: 'sbom-output/sbom_container.cyclonedx.json'
116-
image-ref: ${{ steps.meta.outputs.tags }}
117-
skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields
118-
126+
image-ref: ${{ steps.highest-priority-tag.outputs.value }}
127+
skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields
128+
119129
- name: Upload trivy/container AND application SBOMs as a Github artifact
120130
if: ${{ github.event_name != 'pull_request' }}
121131
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

0 commit comments

Comments
 (0)