fix: bump base images, overhaul container scan and release workflow#195
Merged
- Bump eclipse-temurin:21-jdk and :21-jre to latest multi-arch index digests, resolving all 9 CVEs (openjdk 21.0.11, libcap2) reported by grype
- Replace anchore/scan-action (3x grype invocations) with a single grype run using multi-output (-o template + -o json); add .grype-report.tmpl for a human-readable report with no truncated fix versions
- Move grype sort-by, fail-on-severity, and output-template-file into .grype.yaml; workflows and commands only pass context-specific output paths
- Rework docker-publish.yml: tag pushes no longer rebuild the image; publish-release resolves the :edge digest and promotes it directly, ensuring released images are byte-for-byte identical to what was scanned on the main push
- Remove ephemeral -pending tag logic
- Update /release-tag command with correct check names and promotion note
- Add /fetch-grype-report command for future CVE triage
- Add Releases section to CONTRIBUTING.md documenting the two-phase release model
- Add commit conventions section to CLAUDE.md

closes #194

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- Bump `eclipse-temurin:21-jdk` and `:21-jre` to latest multi-arch index digests, resolving all 9 reported CVEs (openjdk 21.0.11 + libcap2)
- Add `.grype-report.tmpl` for human-readable reports with no truncated fix versions
- Rework `docker-publish.yml` so tag pushes promote `:edge` directly instead of rebuilding — released images are byte-for-byte identical to what was scanned on the main push; removes ephemeral `-pending` tag logic
- Update `/release-tag` command with correct check names and a note about the promotion model
- Add `/fetch-grype-report` command for future CVE triage workflows
- Add `## Releases` section to `CONTRIBUTING.md` documenting the two-phase release model

closes #194
Test plan
- `docker-publish.yml` build-and-push job skips on tag push (`if: !startsWith(github.ref, 'refs/tags/')`)
- `:edge` is updated and container scan passes — this unblocks the stalled main pushes (refactor: use provider name as canonical DB foreign key #190, refactor: provider registry name cleanup + Optional return types #191)
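The promotion model described in the summary (resolve the `:edge` digest and retag it under the release tag instead of rebuilding), as an added shell example that is not the PR's own `docker-publish.yml`; the `ghcr.io/example-org/example-image` repository, the `DRY_RUN` switch, the `--run` entry point and the sample digest are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the PR's own workflow: promote the image that was already
# scanned under :edge to a release tag by digest, never by rebuilding it.
# IMAGE is a placeholder repository; the project's real name is not on the page.
IMAGE="${IMAGE:-ghcr.io/example-org/example-image}"
# Constructed sample digest for offline use (not a real image digest).
SAMPLE_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# A digest must be sha256 followed by exactly 64 lowercase hex characters;
# anything else (a tag name, an empty string, an error message from a failed
# inspect) must never reach the promotion step.
valid_digest() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Resolve the multi-arch index digest that :edge points at right now.
resolve_edge_digest() {
  docker buildx imagetools inspect "$IMAGE:edge" --format '{{.Manifest.Digest}}'
}

# Retag the scanned manifest list under the release tag. The command is echoed
# so the CI log records exactly which digest was promoted; DRY_RUN=1 (an
# assumed switch for this example) only prints it and skips the registry call.
promote_digest() {
  digest="$1"
  tag="$2"
  if ! valid_digest "$digest"; then
    echo "refusing to promote malformed digest: '$digest'" >&2
    return 1
  fi
  case "$tag" in
    v[0-9]*) ;;
    *) echo "refusing non-release tag: '$tag'" >&2; return 1 ;;
  esac
  echo "docker buildx imagetools create --tag $IMAGE:$tag $IMAGE@$digest"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    return 0
  fi
  docker buildx imagetools create --tag "$IMAGE:$tag" "$IMAGE@$digest"
}

# Only run the live promotion when invoked explicitly, e.g. from the
# publish-release job: ./promote.sh --run v1.2.3
if [ "${1:-}" = "--run" ]; then
  promote_digest "$(resolve_edge_digest)" "${2:?release tag required}"
fi
```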