Refactor workflows into reusable composite actions #60
Merged
Extract the duplicated workflow steps into single-purpose composite actions under .github/actions/ and standardize the terminology (registry-login, enumerate-tags, mirror-image, scan-image, scan-sbom, evaluate-findings, attach-scan-report, delete-image).
- _mirror-image.yml now orchestrates registry-login + mirror-image.
- _scan-image.yml and _scan-sbom-image.yml fan out across a job matrix (enumerate -> scan per tag -> summary), composing the per-image actions.
- mirror-image doubles as the quarantine -> golden/base promotion (force: true).
- Document the action catalogue and terminology glossary in docs/reference/workflow-actions.md and update the architecture/naming docs.
Caller workflows (mirror-*.yml, scan-*.yml) are unchanged.
Pull request overview
This PR refactors the repository’s GitHub Actions implementation by extracting shared logic into reusable composite actions under .github/actions/, and updating the reusable workflows to orchestrate those actions (including changing scan workflows to a per-tag job matrix with an aggregate summary job).
Changes:
- Introduces a suite of composite actions (login, enumerate, mirror/promote, scan, gate, attach, delete) to replace duplicated inline shell logic in workflows.
- Refactors _mirror-image.yml, _scan-image.yml, and _scan-sbom-image.yml to compose the new actions (scan workflows now fan out one job per tag and aggregate results).
- Adds/updates documentation to standardize terminology and describe how actions and workflows compose.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/reference/workflow-actions.md | Adds canonical catalogue of composite actions, inputs/outputs, and shared terminology. |
| docs/reference/README.md | Links the new workflow action catalogue from reference docs. |
| docs/contributing/workflow-naming.md | Documents composite-action naming/structure rules and references the new catalogue. |
| docs/architecture/workflows/scan-and-promote-workflows.md | Updates architecture docs to reflect composite-action composition and the new matrix-based scan topology. |
| docs/architecture/workflows/image-mirror-workflows.md | Updates mirror workflow architecture docs to reflect composite-action composition. |
| .github/workflows/_scan-sbom-image.yml | Refactors SBOM scan workflow into enumerate→matrix scan→summary orchestration using composite actions. |
| .github/workflows/_scan-image.yml | Refactors filesystem scan workflow into enumerate→matrix scan→summary orchestration using composite actions. |
| .github/workflows/_mirror-image.yml | Refactors mirror workflow to use registry-login + mirror-image composite actions and write summary from outputs. |
| .github/actions/scan-sbom/action.yml | Adds composite action for SBOM-attestation scanning (trivy sbom) with per-platform breakdown output. |
| .github/actions/scan-image/action.yml | Adds composite action for filesystem scanning (trivy image) emitting report + blocking IDs. |
| .github/actions/registry-login/action.yml | Adds composite action to authenticate crane (and optionally oras) to registries. |
| .github/actions/mirror-image/action.yml | Adds composite action to digest-compare and copy (crane or oras with referrers) with outputs. |
| .github/actions/evaluate-findings/action.yml | Adds composite action implementing the gate decision based on blocking IDs and exceptions. |
| .github/actions/enumerate-tags/action.yml | Adds composite action to list tags and emit JSON for matrix fan-out, with empty-repo handling. |
| .github/actions/delete-image/action.yml | Adds composite action to delete a GHCR tag via Packages API using a PAT, emitting status. |
| .github/actions/attach-scan-report/action.yml | Adds composite action to attach scan-report referrer annotations via oras attach. |
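As an added example (not code from this PR or from its composite actions), the two pure-shell decisions described in the enumerate-tags and evaluate-findings rows above, written as functions that run offline: tags are assumed to arrive one per line as `crane ls` prints them, blocking findings and CVE exceptions one ID per line, and the severity threshold is assumed to have been applied upstream when the blocking IDs were produced.

```shell
#!/usr/bin/env bash
# Added example, not the repository's action code. The interfaces (one tag per
# line on stdin, one CVE ID per line for findings and exceptions) are assumptions.

# enumerate-tags: emit a JSON array for `strategy.matrix` (consumed via fromJSON).
# An empty repository yields "[]" so the caller can skip the scan job instead of
# failing on an invalid matrix. Tags outside the OCI tag grammar are rejected,
# since they would otherwise reach later `run` blocks through ${{ matrix.tag }}.
tags_to_matrix_json() {
  local json="" tag
  while IFS= read -r tag; do
    [ -n "$tag" ] || continue
    if ! printf '%s\n' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$'; then
      printf 'invalid tag: %s\n' "$tag" >&2
      return 1
    fi
    json="${json:+$json,}\"$tag\""
  done
  printf '[%s]\n' "$json"
}

# evaluate-findings: gate decision. Every blocking ID must be covered by an
# exception for the image to pass; unexcepted IDs are printed so the caller can
# surface them in the job summary. Exit status 1 means "fail" (block promotion).
evaluate_findings() {
  local blocking="$1" exceptions="$2" id unexcepted=""
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    if ! printf '%s\n' "$exceptions" | grep -Fxq -- "$id"; then
      unexcepted="${unexcepted:+$unexcepted }$id"
    fi
  done <<EOF
$blocking
EOF
  if [ -z "$unexcepted" ]; then
    echo "pass"
  else
    echo "fail: $unexcepted"
    return 1
  fi
}
```

Run `printf 'v1.2.0\nlatest\n' | tags_to_matrix_json` to see the matrix input, and `evaluate_findings "$(cat blocking.txt)" "$(cat exceptions.txt)"` for the gate verdict.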
- scan-sbom: de-duplicate the cross-platform vulnerability union so the same CVE found on multiple platforms is reported once (matches output docs).
- attach-scan-report: always record com.cssc.scan.method (image|sbom) so image scan-reports are no longer ambiguous; keep sbom-predicate-type for SBOM scans.
- _scan-image.yml / _scan-sbom-image.yml: map delete-image's raw status (deleted|skipped|failed) to user-facing wording in the run log and summary.
- docs: record com.cssc.scan.method in the referrer annotation table.
Summary
Refactors the GitHub Actions into small, single-purpose composite actions under .github/actions/ and standardizes the terminology, so the steps (login, enumerate, copy, scan, gate, attach, delete) can be reused to compose more complex workflows.
Composite actions
- registry-login: crane (+ optional oras) login
- enumerate-tags: crane ls → JSON array for matrix fan-out
- mirror-image: digest-compare + crane copy / oras cp -r (referrers folded in; promotion = force: true)
- scan-image: trivy image
- scan-sbom: per-platform SBOM extract + trivy sbom
- evaluate-findings: threshold + CVE-exception gate → decision
- attach-scan-report: oras attach scan-report referrer
- delete-image: GHCR package-version delete
Workflows
- _mirror-image.yml now orchestrates registry-login + mirror-image.
- _scan-image.yml / _scan-sbom-image.yml fan out across a job matrix: enumerate → scan (one job per tag) → summary.
- Caller workflows (mirror-*.yml, scan-*.yml) are unchanged; workflow_call signatures are identical.
Docs
- docs/reference/workflow-actions.md (action catalogue + terminology glossary).
Validation
- shellcheck -S warning clean on every embedded run block.
Notes