Add mirror & scan workflows for hardened python DHI #53

Merged
toddysm merged 2 commits into main from feature/hardened-image-mirror-scan on Jun 8, 2026

Conversation

@toddysm (Owner) commented Jun 8, 2026

Summary

Adds a mirror workflow and a scan-and-promote workflow for the Docker
Hardened Image (DHI) python:3.14-alpine3.23, reusing the existing
caller + reusable-workflow pattern.

  • Source (DHI): dhi.io/python:3.14-alpine3.23 — pulled from dhi.io,
    which requires authentication with Docker Hub credentials.
  • Mirror destination (quarantine): ghcr.io/toddysm/quarantine/hardened/python
  • Promotion destination (base): ghcr.io/toddysm/base/hardened/python

Changes

  • _mirror-image.yml — optional, backward-compatible authenticated
    source-registry login. New input source_login_registry plus secrets
    source_registry_username / source_registry_password. The login step only
    runs when source_login_registry is set, so existing anonymous mirrors
    (python/node/openjdk) are unaffected.
  • mirror-hardened-python.yml (new caller) — mirrors
    dhi.io/python:3.14-alpine3.23 into quarantine/hardened/python, logging in
    to dhi.io with DOCKERHUB_USERNAME / DOCKERHUB_TOKEN.
  • scan-hardened-python.yml (new caller) — scans
    quarantine/hardened/python and promotes passing tags into
    base/hardened/python. Reuses _scan-image.yml unchanged.

Notes / follow-ups

  • The request referenced tag 3.14-alpine3.2; based on the catalog URL path
    (python/alpine-3.23/3.14) this PR uses 3.14-alpine3.23. One-line edit if
    that needs changing.
  • Repo secrets to configure before running: DOCKERHUB_USERNAME,
    DOCKERHUB_TOKEN (and GHCR_DELETE_TOKEN for scan cleanup, if not already set).

Closes #50
Closes #51
Closes #52

Extend _mirror-image.yml with an optional authenticated source-registry
login (backward compatible; anonymous mirrors unaffected) and add the
hardened python caller workflows:

- mirror-hardened-python.yml: dhi.io/python:3.14-alpine3.23 ->
  ghcr.io/toddysm/quarantine/hardened/python (logs in to dhi.io with
  DOCKERHUB_USERNAME / DOCKERHUB_TOKEN)
- scan-hardened-python.yml: quarantine/hardened/python ->
  base/hardened/python (reuses _scan-image.yml unchanged)

Refs #50, #51, #52
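An added illustration of the opt-in source-registry login that the description and the Copilot summary mention (my example, not the repository's actual workflow files): the reusable workflow declares `source_login_registry` with an empty default plus two optional secrets, the login step is guarded by an `if` on that input so the existing python/node/openjdk callers keep mirroring anonymously, and the hardened caller passes the Docker Hub credentials through. The job names, the crane install step and the caller's trigger are assumptions.

```yaml
# _mirror-image.yml (illustrative reusable workflow, not the repository's file)
on:
  workflow_call:
    inputs:
      source_image:
        type: string
        required: true
      dest_image:
        type: string
        required: true
      source_login_registry:
        type: string
        default: ''   # empty by default, so existing anonymous callers are unaffected
    secrets:
      source_registry_username:
        required: false
      source_registry_password:
        required: false
jobs:
  mirror:
    runs-on: ubuntu-latest
    permissions:
      packages: write   # needed to push into ghcr.io
    steps:
      - uses: imjasonh/setup-crane@v0.4   # crane install step is an assumption
      - if: ${{ inputs.source_login_registry != '' }}   # skipped entirely for anonymous mirrors
        env:   # credentials via env, not argv, so they do not appear in step logs
          SRC_USER: ${{ secrets.source_registry_username }}
          SRC_PASS: ${{ secrets.source_registry_password }}
        run: |
          printf '%s' "$SRC_PASS" | crane auth login "${{ inputs.source_login_registry }}" \
            --username "$SRC_USER" --password-stdin
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # log in to GHCR; GITHUB_TOKEN is implicitly available to reusable workflows
        run: printf '%s' "$GH_TOKEN" | crane auth login ghcr.io --username "${{ github.actor }}" --password-stdin
      - run: crane copy "${{ inputs.source_image }}" "${{ inputs.dest_image }}"   # digest-preserving copy, no rebuild
---
# mirror-hardened-python.yml (illustrative caller)
on:
  workflow_dispatch:   # trigger is an assumption
jobs:
  mirror:
    uses: ./.github/workflows/_mirror-image.yml
    with:
      source_image: dhi.io/python:3.14-alpine3.23
      dest_image: ghcr.io/toddysm/quarantine/hardened/python:3.14-alpine3.23
      source_login_registry: dhi.io
    secrets:
      source_registry_username: ${{ secrets.DOCKERHUB_USERNAME }}
      source_registry_password: ${{ secrets.DOCKERHUB_TOKEN }}
```

Because the login step is conditional on the input rather than on the secrets, a caller that sets `source_login_registry` but forgets to pass the secrets fails loudly at the login step instead of silently falling back to an anonymous pull.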
Copilot AI review requested due to automatic review settings June 8, 2026 02:13

Copilot AI left a comment


Pull request overview

Adds new GitHub Actions caller workflows to mirror and then scan/promote the Docker Hardened Image (DHI) Python 3.14-alpine3.23, extending the existing reusable mirror workflow to optionally authenticate to a private source registry (dhi.io) while keeping existing anonymous mirrors unchanged.

Changes:

  • Extend .github/workflows/_mirror-image.yml with an optional source_login_registry input + optional source-registry credentials secrets, and perform a conditional crane auth login to the source registry.
  • Add .github/workflows/mirror-hardened-python.yml to mirror dhi.io/python:3.14-alpine3.23 into ghcr.io/toddysm/quarantine/hardened/python.
  • Add .github/workflows/scan-hardened-python.yml to scan quarantine/hardened/python and promote passing tags into base/hardened/python using the existing reusable scan workflow.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File / Description

  • .github/workflows/_mirror-image.yml: Adds optional authenticated login to a configurable source registry before mirroring, preserving the existing reusable mirror pattern.
  • .github/workflows/mirror-hardened-python.yml: New mirror caller for hardened Python DHI into the quarantine hardened namespace, passing Docker Hub creds for dhi.io login.
  • .github/workflows/scan-hardened-python.yml: New scan-and-promote caller for hardened Python from quarantine to base, reusing _scan-image.yml unchanged.


@toddysm (Owner, Author) commented Jun 8, 2026

Closing as requested. Copilot review completed with no comments.

@toddysm toddysm closed this Jun 8, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/scan-hardened-python.yml
@toddysm toddysm reopened this Jun 8, 2026
Address Copilot review on PR #53: note in the header that hardened DHI
images are promoted into base/hardened/<image> instead of the golden/<image>
scheme from workflow-naming.md, so dest_repo intentionally departs from the
documented convention.
@toddysm toddysm merged commit 9c40858 into main Jun 8, 2026
@toddysm toddysm deleted the feature/hardened-image-mirror-scan branch June 8, 2026 02:25