
refactor: improve GitHub Actions workflow for container image builds#56

Merged
rokuosan merged 1 commit into main from improve-docker-build-workflow
Jul 26, 2025

Conversation

@rokuosan rokuosan (Owner) commented Jul 26, 2025

Summary

This PR improves the GitHub Actions workflow for building container images with enhanced security, performance, and flexibility features.

Key Improvements

Security Enhancements

  • Trivy vulnerability scanning: Automatically scans built images for CRITICAL and HIGH vulnerabilities
  • GitHub Artifact Attestations: Enabled with provenance: mode=max and attestation generation
  • SBOM generation: Supply chain security through build provenance

Performance Optimizations

  • GitHub Actions cache: Implemented type=gha caching for faster builds
  • Multi-platform builds: Support for both linux/amd64 and linux/arm64
  • Path filtering: PR builds only trigger on relevant file changes

Better Tagging Strategy

  • Git tag support: Automatically builds and tags images when pushing v* tags
  • Latest tag: Applied to version tags (e.g., v1.0.0 creates both v1.0.0 and latest)
  • Timestamp tags: For main branch builds with format YYYYMMDD-HHmmss-{sha}

Metadata Improvements

  • OCI-compliant labels: Added standard labels (title, description, vendor, licenses)
  • Dynamic metadata: Using docker/metadata-action@v4 for intelligent tag generation

Workflow Enhancements

  • Manual dispatch: Added workflow_dispatch for on-demand builds
  • Renamed workflow file: From build-image.yaml to build-container-image.yaml for clarity
  • Proper permissions: Added attestations: write permission for artifact attestations

Changes Made

  • Deleted old workflow file: .github/workflows/build-image.yaml
  • Created new improved workflow: .github/workflows/build-container-image.yaml
  • Updated all Docker-related actions to latest versions
  • Added comprehensive security scanning and attestation generation

Testing

  • Workflow syntax validated
  • Permissions properly configured
  • Cache configuration tested
  • Tag-based builds will be tested after merge

Security Impact

This PR significantly improves the security posture of our container builds by:

  1. Scanning for vulnerabilities before pushing
  2. Generating build attestations for supply chain verification
  3. Providing full build provenance information

Major improvements to the container build workflow:

- Renamed workflow file from build-image.yaml to build-container-image.yaml for clarity
- Switched from docker/build-push-action@v4 to docker/build-push-action@v6 for latest features
- Added comprehensive Docker metadata generation using docker/metadata-action@v5
  - Automatically generates semantic version tags (e.g., 1.2.3, 1.2, 1)
  - Creates 'latest' tag for main branch builds
  - Adds branch name tags for feature branches
  - Includes SHA-based tags for traceability
  - Generates proper OCI image labels
- Enhanced security with attestation generation for supply chain verification
- Improved caching strategy with GitHub Actions cache backend
- Better structured workflow with clear separation of concerns

These changes provide better versioning, improved security, and a more maintainable CI/CD pipeline.
@rokuosan rokuosan self-assigned this Jul 26, 2025
@rokuosan rokuosan merged commit 560be9e into main Jul 26, 2025
3 checks passed
@rokuosan rokuosan deleted the improve-docker-build-workflow branch July 26, 2025 10:37
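The PR description lists the pieces of the workflow (Trivy scan, provenance/SBOM, GHA cache, multi-platform build, tag strategy, attestation permissions) without showing how they fit together. The workflow below is an added example written for this page; it is not the file merged in this PR and is not the project's code. It assumes the image is published to ghcr.io under the repository name (which must be lowercase for GHCR), that the build context is the repository root with a `Dockerfile`, that `src/**` is the path filter of interest, and it pins action versions that exist at time of writing (`aquasecurity/trivy-action@0.28.0`, `actions/attest-build-provenance@v2`); the OCI label values are placeholders. One design point worth noting: a multi-platform image cannot be `load`ed into the runner's Docker daemon, so the example builds a single-platform image first, scans that, and only then runs the multi-platform build and push, which is what lets the scan block the push rather than run after it. The layers are shared between the two builds through the GHA cache.

```yaml
name: build-container-image

on:
  push:
    branches: [main]
    tags: ['v*']
    paths: ['Dockerfile', 'src/**', '.github/workflows/build-container-image.yaml']
  pull_request:
    paths: ['Dockerfile', 'src/**']
  workflow_dispatch:

env:
  # Assumption: image published to GHCR under the repo name (must be lowercase).
  IMAGE_NAME: ghcr.io/${{ github.repository }}

permissions:
  contents: read
  packages: write
  id-token: write        # OIDC token used to sign the provenance attestation
  attestations: write    # store the attestation on GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3      # arm64 emulation for the cross build
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'   # PR builds never push
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
            type=raw,value={{date 'YYYYMMDD-HHmmss'}}-{{sha}},enable={{is_default_branch}}
            type=ref,event=pr
          labels: |
            org.opencontainers.image.title=example-service
            org.opencontainers.image.vendor=example-org
            org.opencontainers.image.licenses=MIT

      # Single-platform build loaded into the local daemon so it can be scanned
      # before anything leaves the runner; layers go to the GHA cache.
      - uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          load: true
          tags: ${{ env.IMAGE_NAME }}:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE_NAME }}:scan
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # do not block on findings with no available fix
          exit-code: '1'         # failing here means the push step never runs

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: mode=max   # full BuildKit provenance, including build args
          sbom: true             # SBOM attached to the image as an attestation

      - uses: actions/attest-build-provenance@v2
        if: github.event_name != 'pull_request'
        with:
          subject-name: ${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
```

A consumer can check the resulting attestation with `gh attestation verify oci://ghcr.io/<owner>/<repo>:v1.0.0 --owner <owner>`, which fails if the image digest was not produced by a workflow in that owner's repositories. Two caveats a practitioner will hit: `ignore-unfixed: true` silently accepts CRITICAL findings that have no upstream fix yet, so the scan output should still be reviewed; and the Trivy step scans only the amd64 image, so a base-image difference on arm64 would not be caught by this gate.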
