Refactor workflows into reusable composite actions #60

Merged: toddysm merged 2 commits into main from refactor/composite-actions on Jun 9, 2026

Conversation

toddysm (Owner) commented Jun 9, 2026

Summary

Refactors the GitHub Actions into small, single-purpose composite actions under .github/actions/ and standardizes the terminology, so the steps (login, enumerate, copy, scan, gate, attach, delete) can be reused to compose more complex workflows.

Composite actions

  • registry-login — crane (+ optional oras) login
  • enumerate-tags — crane ls → JSON array for matrix fan-out
  • mirror-image — digest-compare + crane copy / oras cp -r (referrers folded in; promotion = force: true)
  • scan-image — trivy image
  • scan-sbom — per-platform SBOM extract + trivy sbom
  • evaluate-findings — threshold + CVE-exception gate → decision
  • attach-scan-report — oras attach scan-report referrer
  • delete-image — GHCR package-version delete

Workflows

  • _mirror-image.yml now orchestrates registry-login + mirror-image.
  • _scan-image.yml / _scan-sbom-image.yml fan out across a job matrix: enumerate → scan (one job per tag) → summary.
  • Caller workflows (mirror-*.yml, scan-*.yml) are unchanged: workflow_call signatures are identical.

Docs

  • New canonical docs/reference/workflow-actions.md (action catalogue + terminology glossary).
  • Updated naming, image-mirror, and scan-and-promote architecture docs.

Validation

  • VS Code problem checker clean on all files.
  • shellcheck -S warning clean on every embedded run block.

Notes

  • Scan workflows now run one job per tag (parallel) instead of one looping job — same aggregated summary, different Actions UI topology.

Extract the duplicated workflow steps into single-purpose composite actions
under .github/actions/ and standardize the terminology (registry-login,
enumerate-tags, mirror-image, scan-image, scan-sbom, evaluate-findings,
attach-scan-report, delete-image).

- _mirror-image.yml now orchestrates registry-login + mirror-image.
- _scan-image.yml and _scan-sbom-image.yml fan out across a job matrix
  (enumerate -> scan per tag -> summary), composing the per-image actions.
- mirror-image doubles as the quarantine -> golden/base promotion (force: true).
- Document the action catalogue and terminology glossary in
  docs/reference/workflow-actions.md and update the architecture/naming docs.

Caller workflows (mirror-*.yml, scan-*.yml) are unchanged.
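
The evaluate-findings gate named above (threshold + CVE-exception gate producing a decision), written out as a stand-alone script. This is an added example, not the PR's .github/actions/evaluate-findings/action.yml, and its input contract is assumed rather than taken from the PR: the scan step has already applied the severity threshold and hands over blocking IDs one per line, the exceptions file holds one ID per line with an optional YYYY-MM-DD expiry, and the function and output names are mine.

```shell
#!/usr/bin/env bash
# Added example of a "threshold + CVE-exception gate -> decision" step; this is
# not the project's evaluate-findings action. Hypothetical input contract:
#   blocking file   : one vulnerability ID per line, already filtered to the
#                     severity threshold by the scan step
#   exceptions file : "<ID> [YYYY-MM-DD]" per line; the date is when the
#                     exception expires, no date means it does not expire
#   '#' starts a comment in either file

# normalize_ids: drop comments and blank lines, trim, sort -u so the same CVE
# reported on several platforms is counted once.
normalize_ids() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' | sort -u
}

# active_exceptions FILE ASOF: print the IDs whose exception is still valid on
# ASOF (YYYY-MM-DD). ISO dates compare as plain integers once the dashes go;
# a malformed expiry drops the exception (fail closed) instead of making it
# open-ended.
active_exceptions() {
    local asof_n
    asof_n=$(printf '%s' "$2" | sed 's/-//g')
    sed -e 's/#.*$//' "$1" | while read -r id expiry _; do
        [ -n "$id" ] || continue
        if [ -n "$expiry" ]; then
            case $expiry in
                [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
                *) echo "evaluate-findings: ignoring exception for $id: bad expiry '$expiry'" >&2
                   continue ;;
            esac
            expiry_n=$(printf '%s' "$expiry" | sed 's/-//g')
            [ "$expiry_n" -ge "$asof_n" ] || continue      # expired
        fi
        printf '%s\n' "$id"
    done | sort -u
}

# evaluate_findings BLOCKING_FILE EXCEPTIONS_FILE [ASOF]: print the blocking IDs
# not covered by an active exception; return 0 (pass) when there are none,
# 1 (fail) otherwise.
evaluate_findings() {
    local excepted unexcepted asof=${3:-$(date -u +%Y-%m-%d)}
    excepted=$(active_exceptions "$2" "$asof")
    # grep -Fxq is a literal whole-line match: an exception for CVE-2024-1
    # never covers CVE-2024-10.
    unexcepted=$(normalize_ids < "$1" | while IFS= read -r id; do
        printf '%s\n' "$excepted" | grep -Fxq -- "$id" || printf '%s\n' "$id"
    done)
    [ -n "$unexcepted" ] || return 0
    printf '%s\n' "$unexcepted"
    return 1
}

# gate_outputs <same args>: the decision in the key=value lines a composite
# action appends to $GITHUB_OUTPUT (decision=pass|fail, unexcepted=<csv>).
gate_outputs() {
    local unexcepted decision=pass
    unexcepted=$(evaluate_findings "$@") || decision=fail
    printf 'decision=%s\n' "$decision"
    printf 'unexcepted=%s\n' "$(printf '%s' "$unexcepted" | paste -sd, -)"
}

# Constructed demo input (not real scan output): a duplicated ID, an exception
# without expiry, an expired one and a live one.
demo=$(mktemp -d)
printf 'CVE-2024-0001\nCVE-2024-0002\nCVE-2024-0001\nCVE-2024-0010\n' > "$demo/blocking"
printf 'CVE-2024-0001             # accepted risk, no expiry\n' >  "$demo/exceptions"
printf 'CVE-2024-0002 2020-01-01  # expired\n'                  >> "$demo/exceptions"
printf 'CVE-2024-0010 2030-01-01\n'                             >> "$demo/exceptions"
gate_outputs "$demo/blocking" "$demo/exceptions" 2025-01-01
# prints: decision=fail
#         unexcepted=CVE-2024-0002
rm -rf "$demo"
```

Two choices worth keeping in a real gate: the exception match is a literal whole-line match, so an exception for one ID can never cover a longer ID that shares its prefix, and an exception with a malformed expiry is dropped with a warning rather than treated as open-ended, so a typo in the exceptions file fails closed.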
Copilot AI review requested due to automatic review settings June 9, 2026 16:27

Copilot AI left a comment

Pull request overview

This PR refactors the repository’s GitHub Actions implementation by extracting shared logic into reusable composite actions under .github/actions/, and updating the reusable workflows to orchestrate those actions (including changing scan workflows to a per-tag job matrix with an aggregate summary job).

Changes:

  • Introduces a suite of composite actions (login, enumerate, mirror/promote, scan, gate, attach, delete) to replace duplicated inline shell logic in workflows.
  • Refactors _mirror-image.yml, _scan-image.yml, and _scan-sbom-image.yml to compose the new actions (scan workflows now fan out one job per tag and aggregate results).
  • Adds/updates documentation to standardize terminology and describe how actions and workflows compose.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.

Files reviewed (file — description):

  • docs/reference/workflow-actions.md — Adds canonical catalogue of composite actions, inputs/outputs, and shared terminology.
  • docs/reference/README.md — Links the new workflow action catalogue from reference docs.
  • docs/contributing/workflow-naming.md — Documents composite-action naming/structure rules and references the new catalogue.
  • docs/architecture/workflows/scan-and-promote-workflows.md — Updates architecture docs to reflect composite-action composition and the new matrix-based scan topology.
  • docs/architecture/workflows/image-mirror-workflows.md — Updates mirror workflow architecture docs to reflect composite-action composition.
  • .github/workflows/_scan-sbom-image.yml — Refactors SBOM scan workflow into enumerate→matrix scan→summary orchestration using composite actions.
  • .github/workflows/_scan-image.yml — Refactors filesystem scan workflow into enumerate→matrix scan→summary orchestration using composite actions.
  • .github/workflows/_mirror-image.yml — Refactors mirror workflow to use registry-login + mirror-image composite actions and write summary from outputs.
  • .github/actions/scan-sbom/action.yml — Adds composite action for SBOM-attestation scanning (trivy sbom) with per-platform breakdown output.
  • .github/actions/scan-image/action.yml — Adds composite action for filesystem scanning (trivy image) emitting report + blocking IDs.
  • .github/actions/registry-login/action.yml — Adds composite action to authenticate crane (and optionally oras) to registries.
  • .github/actions/mirror-image/action.yml — Adds composite action to digest-compare and copy (crane or oras with referrers) with outputs.
  • .github/actions/evaluate-findings/action.yml — Adds composite action implementing the gate decision based on blocking IDs and exceptions.
  • .github/actions/enumerate-tags/action.yml — Adds composite action to list tags and emit JSON for matrix fan-out, with empty-repo handling.
  • .github/actions/delete-image/action.yml — Adds composite action to delete a GHCR tag via Packages API using a PAT, emitting status.
  • .github/actions/attach-scan-report/action.yml — Adds composite action to attach scan-report referrer annotations via oras attach.

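
The enumerate-tags step the review summary describes (list tags, emit JSON for the matrix, handle an empty repository), as an added example that is not the project's .github/actions/enumerate-tags/action.yml. It assumes the action reports two outputs, tags and count, which are my names; the demo feeds constructed tag lines to the serialiser instead of running crane, and the only real call is `crane ls` inside enumerate_tags.

```shell
#!/usr/bin/env bash
# Added example of a `crane ls` -> JSON matrix step; not the project's own
# enumerate-tags action. Output is the key=value form a composite action
# appends to $GITHUB_OUTPUT: tags=<JSON array>, count=<n>.

# tags_to_matrix: stdin is one tag per line (what `crane ls REPO` prints).
# Each tag is checked against the OCI tag grammar before it is quoted, so a
# registry that returns an unexpected name cannot inject text into the value
# the caller hands to fromJSON(); duplicates are dropped and the registry
# order is kept. Exit status 2 if any tag is invalid, so the job fails rather
# than fanning out over a crafted list.
tags_to_matrix() {
    awk '
        /^$/ { next }
        /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ && length($0) <= 128 {
            if (!seen[$0]++) tags[n++] = $0
            next
        }
        { print "enumerate-tags: refusing invalid tag: " $0 > "/dev/stderr"; bad = 1 }
        END {
            if (bad) exit 2
            out = "["
            for (i = 0; i < n; i++) out = out (i ? "," : "") "\"" tags[i] "\""
            print "tags=" out "]"
            print "count=" n + 0
        }'
}

# enumerate_tags REPO: the real step; needs crane on PATH and a prior
# registry-login. Capturing the listing first keeps a failed `crane ls` from
# being masked by the pipeline. Writes to $GITHUB_OUTPUT under Actions,
# otherwise to stdout.
enumerate_tags() {
    local listing
    listing=$(crane ls "$1") || return $?
    printf '%s\n' "$listing" | tags_to_matrix >> "${GITHUB_OUTPUT:-/dev/stdout}"
}

# Constructed sample (not real registry output): a duplicate, a blank line and
# a mix of semver, CalVer and digest-style tags.
printf 'v1.2.0\nlatest\nv1.2.0\n\n2026.06\nsha256-abc\n' | tags_to_matrix
# prints: tags=["v1.2.0","latest","2026.06","sha256-abc"]
#         count=4
```

On the caller side the two outputs map onto `strategy.matrix.tag: ${{ fromJSON(needs.enumerate.outputs.tags) }}` plus `if: needs.enumerate.outputs.count != '0'` on the scan job: a matrix built from an empty array fails the job rather than producing zero jobs, so the empty-repository case needs the count gate and not just an empty `[]`.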
- scan-sbom: de-duplicate the cross-platform vulnerability union so the same
  CVE found on multiple platforms is reported once (matches output docs).
- attach-scan-report: always record com.cssc.scan.method (image|sbom) so image
  scan-reports are no longer ambiguous; keep sbom-predicate-type for SBOM scans.
- _scan-image.yml / _scan-sbom-image.yml: map delete-image's raw status
  (deleted|skipped|failed) to user-facing wording in the run log and summary.
- docs: record com.cssc.scan.method in the referrer annotation table.
toddysm merged commit db1a52f into main Jun 9, 2026
toddysm deleted the refactor/composite-actions branch June 9, 2026 16:42
2 participants