chore: refactor re-usable workflows to enable re-use in derived repositories #968
Pull Request Overview
This PR refactors the wc-build-push.yml workflow to make it more reusable by adding configurable registry and authentication options. Previously, the workflow was hardcoded to use GitHub Container Registry with GitHub authentication.
- Adds optional `registry` input parameter with `ghcr.io` as the default
- Introduces optional Docker authentication secrets (`DOCKER_USERNAME` and `DOCKER_PASSWORD`)
- Updates the workflow to use configurable registry and authentication with fallbacks to GitHub defaults
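The configurable registry and credential fallback summarized above, as an added illustration rather than the repository's actual `wc-build-push.yml`. The job layout, action versions and tag scheme are assumptions; only the `registry` input with its `ghcr.io` default, the `image-name` input and the two secret names come from this page.

```yaml
# Added illustration; not the repository's wc-build-push.yml.
name: build-push (illustrative)

on:
  workflow_call:
    inputs:
      image-name:
        description: Image name without the registry prefix (assumed lowercase)
        required: true
        type: string
      registry:
        description: Registry to log in and push to
        required: false
        type: string
        default: ghcr.io
    secrets:
      DOCKER_USERNAME:
        required: false
      DOCKER_PASSWORD:
        required: false

# Deny everything at workflow level; grant per job, with the reason on each line.
permissions: {}

jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read # check out the repository
      packages: write # push to ghcr.io when the GITHUB_TOKEN fallback is used
    steps:
      - uses: actions/checkout@v4 # tag shown for brevity; pin to a full commit SHA
        with:
          persist-credentials: false # the token is not needed after checkout
      - uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          # Caller-supplied credentials win; otherwise fall back to GitHub defaults.
          username: ${{ secrets.DOCKER_USERNAME || github.actor }}
          password: ${{ secrets.DOCKER_PASSWORD || secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ inputs.registry }}/${{ inputs.image-name }}:${{ github.sha }}
```

When a caller targets a registry other than `ghcr.io`, `packages: write` is unused and can be dropped in the derived repository's copy of the job.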
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 22 | | 0 | 0 | 0.53s |
| ✅ DOCKERFILE | hadolint | 2 | | 0 | 0 | 0.77s |
| ✅ GHERKIN | gherkin-lint | 6 | | 0 | 0 | 2.29s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.35s |
| ✅ JSON | prettier | 15 | 2 | 0 | 0 | 0.52s |
| ✅ JSON | v8r | 15 | | 0 | 0 | 10.77s |
| ✅ MARKDOWN | markdownlint | 11 | 0 | 0 | 0 | 0.94s |
| ✅ MARKDOWN | markdown-table-formatter | 11 | 0 | 0 | 0 | 0.24s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.66s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 28.33s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.98s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.0s |
| ✅ REPOSITORY | trivy | yes | | no | no | 4.54s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.24s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 3.04s |
| ⚠️ SPELL | lychee | 73 | | 1 | 0 | 21.57s |
| ✅ YAML | prettier | 28 | 0 | 0 | 0 | 0.83s |
| ✅ YAML | v8r | 28 | | 0 | 0 | 7.88s |
| ✅ YAML | yamllint | 28 | | 0 | 0 | 0.97s |
Detailed Issues
⚠️ SPELL / lychee - 1 error
[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[ERROR] https://slsa.dev/spec/v1.0/threats | Network error: error sending request for url (https://slsa.dev/spec/v1.0/threats) Maybe a certificate error?
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........122
✅ Successful.....119
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........1
Errors in test/cpp/features/security.feature
[ERROR] https://slsa.dev/spec/v1.0/threats | Network error: error sending request for url (https://slsa.dev/spec/v1.0/threats) Maybe a certificate error?
See detailed reports in MegaLinter artifacts
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx mega-linter-runner@9.1.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R
…tps://github.com/philips-software/amp-devcontainer into ci/refactor-reusable-workflows-for-better-re-use
Pull Request Overview
Copilot reviewed 2 out of 4 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.github/workflows/wc-build-push.yml:1
- This step references `inputs.flavor` and `CONTAINER_FLAVOR` which no longer exist after the refactoring. This should use the new `inputs.devcontainer-metadata` parameter and handle the case when it's not provided.
---
Pull Request Overview
Copilot reviewed 2 out of 4 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.github/workflows/wc-build-push.yml:1
- The step still references the removed `CONTAINER_FLAVOR` environment variable. This should use the new `devcontainer-metadata` input parameter or be updated to work with the new parameterized approach.
---
Pull Request Overview
Copilot reviewed 5 out of 7 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.github/workflows/wc-build-push.yml:1
- This code references the old `inputs.flavor` parameter which no longer exists, and uses hardcoded path `.devcontainer/${CONTAINER_FLAVOR}/`. This should use the new `inputs.devcontainer-metadata` parameter instead.
---
| uses: ./.github/workflows/wc-dependency-review.yml | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
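Review bot: `pull-requests: write` on the job that calls `wc-dependency-review.yml` is the only write scope in this block and has no comment saying why it is needed, which is what the zizmor warning below flags. Add a trailing comment on that line stating what the called workflow writes to the pull request, and one on `contents: read` as well, or reduce the scope to `read` if nothing is written.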
Check warning
Code scanning / zizmor
permissions without explanatory comments Warning
🎉 Hooray! The changes in this pull request went live with the release of v6.5.2 🎉
This pull request refactors and enhances the GitHub Actions workflows for building, testing, and publishing multi-architecture devcontainer images. The changes introduce more flexible and reusable workflow templates, improve input/output handling, and add documentation and validation to standardize workflow practices across the repository.
Workflow Refactoring and Reusability
- `flavor` usage with flexible inputs like `dockerfile`, `image-name`, and test paths. This enables easier extension to new flavors and architectures. (`wc-build-push.yml`, `wc-build-push-test.yml`, `continuous-integration.yml`, `release-build.yml`) [1] [2] [3] [4]
- `wc-sanitize-image-name.yml`) and corresponding job to sanitize and standardize image names and registry references for all build/push operations. This ensures consistent image naming and tagging.
Input/Output and Secrets Handling
- `wc-build-push.yml`, `wc-build-push-test.yml`) [1] [2]
- `wc-acceptance-test.yml`) [1] [2] [3]
Testing and Publishing Improvements
- `continuous-integration.yml`, `release-build.yml`, `wc-build-push-test.yml`, `wc-build-push.yml`) [1] [2] [3]
- `wc-acceptance-test.yml`, `continuous-integration.yml`) [1] [2]
Documentation and Guidelines
- `.github/instructions/workflows.instructions.md` outlining best practices for workflow naming, input/output sorting, and file conventions to ensure consistency and maintainability.
General Workflow Robustness
- `${{ !cancelled() }}` for step execution, better handling of optional inputs and secrets, and more robust runner selection for jobs). (`wc-acceptance-test.yml`, `pr-conventional-title.yml`, `wc-build-push.yml`) [1] [2] [3]