Update and rename ghcr.yml to container_image.yaml #22

Merged
merged 1 commit into from
Oct 22, 2024

Conversation

venkatamutyala (Contributor) commented Oct 2, 2024

PR Type

enhancement, configuration changes


Description

  • Added a new GitHub Actions workflow (container_image.yaml) to automate the process of building and publishing Docker images to GHCR.io.
  • Configured the workflow to use QEMU and Docker buildx for multi-platform support.
  • Implemented steps for logging into the registry, extracting metadata, and building/pushing images.
  • Removed the old workflow file (ghcr.yml) to streamline the publishing process.

Changes walkthrough 📝

Relevant files

Enhancement
container_image.yaml: Add GitHub Actions workflow for Docker image publishing
.github/workflows/container_image.yaml
  • Added a new GitHub Actions workflow to publish Docker images to GHCR.io.
  • Configured environment variables for registry and image name.
  • Set up QEMU and Docker buildx for multi-platform builds.
  • Included steps for logging into the registry, extracting Docker metadata, and building/pushing Docker images.
  • +56/-0

Configuration changes
ghcr.yml: Remove old Docker image publishing workflow
.github/workflows/ghcr.yml
  • Removed the old GitHub Actions workflow for publishing Docker images.
  • +0/-15



    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Security Consideration
    The workflow is using a GitHub token for authentication, which is good practice. However, it's using the default GITHUB_TOKEN secret, which may have more permissions than necessary for this specific task.

    Potential Improvement
    The workflow runs on every push, which might be unnecessary for non-main branches or documentation changes. Consider adding filters to the 'on' event to run only when necessary.

    Version Pinning
    While the workflow uses specific commit hashes for actions, which is good for reproducibility, it might make updating these actions more difficult in the future.


    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Score
    Security
    Add a vulnerability scanning step before pushing the Docker image

    Add a step to scan the Docker image for vulnerabilities before pushing it to the
    registry. This can be done using tools like Trivy or Snyk, which can be easily
    integrated into GitHub Actions workflows.

    .github/workflows/container_image.yaml [46-56]

    -- name: Build and push Docker image
    -  id: build-and-push
    +- name: Build Docker image
    +  id: build
       uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
    -    push: ${{ github.event_name != 'pull_request' }}
    +    push: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         provenance: false
         cache-from: type=gha
         cache-to: type=gha,mode=max
     
    +- name: Scan image for vulnerabilities
    +  uses: aquasecurity/trivy-action@master
    +  with:
    +    image-ref: ${{ steps.meta.outputs.tags }}
    +    format: 'table'
    +    exit-code: '1'
    +    ignore-unfixed: true
    +    vuln-type: 'os,library'
    +    severity: 'CRITICAL,HIGH'
    +
    +- name: Push Docker image
    +  if: success() && github.event_name != 'pull_request'
    +  uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
    +  with:
    +    context: .
    +    push: true
    +    tags: ${{ steps.meta.outputs.tags }}
    +    labels: ${{ steps.meta.outputs.labels }}
    +
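Review bot: as written, the scan step cannot see the image it is meant to gate. The first build step sets `push: false` without `load: true`, so under buildx the result stays in the build cache and is never loaded into the runner's Docker daemon; `aquasecurity/trivy-action` given `image-ref: ${{ steps.meta.outputs.tags }}` then either fails to find the image or falls back to pulling that tag from GHCR, which for an existing tag means it scans the previously published image rather than the one just built. `steps.meta.outputs.tags` is also a newline-separated list, while `image-ref` expects a single reference. Adding `load: true` fixes the first problem only for a single platform, which conflicts with the QEMU/buildx multi-platform setup this PR describes. Two further points: `aquasecurity/trivy-action@master` is a mutable ref in a workflow that otherwise pins actions to commit SHAs, and the second `Push Docker image` step drops `provenance: false`, `cache-from` and `cache-to`, so it re-runs the build instead of pushing the artifact that was scanned. A safer shape is to build once with `load: true` on one platform for the scan (or scan the pushed digest and gate promotion on the result), pass one tag to `image-ref`, and pin trivy-action to a commit SHA.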
    Suggestion importance[1-10]: 9

    Why: Adding a vulnerability scanning step is crucial for security, ensuring that only safe images are pushed to the registry. This significantly enhances the security posture of the deployment pipeline.

    Enable Docker content trust to ensure only signed images are pushed

    Enable Docker content trust by setting DOCKER_CONTENT_TRUST=1 in the environment.
    This ensures that only signed images are pushed to the registry, enhancing the
    security of your container deployment pipeline.

    .github/workflows/container_image.yaml [5-7]

     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
    +  DOCKER_CONTENT_TRUST: 1
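Review bot: `DOCKER_CONTENT_TRUST=1` does not provide the signing this suggestion describes here. The variable is honoured by the Docker CLI (`docker push`/`docker pull`) through Notary, whereas `docker/build-push-action` pushes through BuildKit, which ignores it; and GHCR does not run a Notary server, so even a CLI push could not store a trust signature there. With no signing key configured the setting is at best a no-op, and any plain `docker pull` run on the runner with it set will refuse unsigned images. Drop this line and sign the pushed digest instead, e.g. with `sigstore/cosign-installer` followed by `cosign sign --yes "<image>@${DIGEST}"` using `steps.build-and-push.outputs.digest`, which requires `id-token: write` in the job's `permissions`.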
    Suggestion importance[1-10]: 8

    Why: Enabling Docker content trust is a strong security measure that ensures only signed images are pushed, preventing unauthorized or tampered images from being deployed.

    Add a step to verify the integrity of critical files before building the image

    Add a step to verify the integrity of the Dockerfile and other critical files before
    building the image. This can help prevent supply chain attacks by ensuring that the
    files haven't been tampered with.

    .github/workflows/container_image.yaml [17-18]

     - name: Checkout repository
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
     
    +- name: Verify file integrity
    +  run: |
    +    echo "Verifying Dockerfile integrity..."
    +    echo "<expected_hash>  Dockerfile" | sha256sum -c
    +    echo "Verifying other critical files..."
    +    # Add more file integrity checks as needed
    +
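Review bot: the hash check in this step is circular and, as pasted, fails on every run. `<expected_hash>` is a placeholder that `sha256sum -c` rejects, and the expected value would live in the same repository as the Dockerfile, so whoever can change the Dockerfile can update the hash in the same commit; it protects against none of the tampering it describes. The checkout is already pinned to the commit being built, so the integrity of the checked-out files is covered by git's commit hash. The supply-chain checks that actually bite here are pinning `FROM` images in the Dockerfile by digest (`image@sha256:...`) and keeping actions pinned to commit SHAs as this workflow already does. If a hash of the Dockerfile is wanted at all, it belongs in a branch protection rule or a separately signed policy, not in the workflow file beside it.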
    Suggestion importance[1-10]: 8

    Why: Verifying the integrity of critical files before building the image helps prevent supply chain attacks, ensuring the authenticity and integrity of the build process. This is an important security enhancement.

    Best practice
    Refine the workflow trigger conditions to run only on specific events or branches

    Consider adding a condition to the on trigger to limit when this workflow runs. For
    example, you might want to run this workflow only on pushes to specific branches or
    on release events. This can help reduce unnecessary builds and save on GitHub
    Actions minutes.

    .github/workflows/container_image.yaml [3]

    -on: [push]
    +on:
    +  push:
    +    branches: [ "main", "develop" ]
    +  release:
    +    types: [published]
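Review bot: with the current `on: [push]`, the `push: ${{ github.event_name != 'pull_request' }}` guard in the build step never fires, because the workflow never runs for `pull_request` events, and this change keeps that gap: pull requests still get no build at all. If the intent is to build (and scan) on PRs but only publish from `main` and releases, add `pull_request:` alongside the filtered `push:` and `release:` triggers. Also scope `branches` to what should actually publish: as written, every push to `develop` pushes a `:develop` tag to GHCR with the same `GITHUB_TOKEN` rights as `main`.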
    Suggestion importance[1-10]: 7

    Why: This suggestion improves workflow efficiency by limiting runs to specific branches or events, reducing unnecessary builds and saving resources. It's a best practice that enhances the workflow's relevance and efficiency.


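The least-privilege `GITHUB_TOKEN` grant that the reviewer guide asks for and the trigger filtering that the best-practice suggestion asks for, shown together as an added illustrative workflow. This is not the PR's `container_image.yaml`: only the `env` block, the checkout step and the build-push step of that file are visible above, and those are kept as they appear. The job name, the `main`/`v*` trigger filters, the version tags on the actions whose commit SHAs are not on the page, and the cosign signing step are assumptions added for the example.

```yaml
# Added example, not the project's workflow. Assumed additions relative to
# the PR's visible fragments: the `permissions` block, the trigger filters,
# the login/metadata/QEMU/buildx steps (present in the PR per its description,
# exact contents not shown), and keyless cosign signing of the pushed digest.
name: container-image

on:
  push:
    branches: ["main"]   # assumption: only main and release tags publish
    tags: ["v*"]
  pull_request:
    branches: ["main"]   # PRs build but never push (see `push:` below)

# Replace the default GITHUB_TOKEN grant with the minimum this job needs:
# contents:read for checkout, packages:write to push to GHCR,
# id-token:write only so cosign can obtain a Sigstore OIDC identity.
permissions:
  contents: read
  packages: write
  id-token: write

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      # Pin the following to full commit SHAs as the PR does for checkout and
      # build-push-action; version tags appear here only because those SHAs
      # are not on the page.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Registry credentials are only needed when we are going to push.
      - name: Log in to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          provenance: false
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3

      # Sign by digest, never by tag: a tag can be re-pointed after signing,
      # a digest cannot. `outputs.digest` is produced by build-push-action.
      - name: Sign the published image
        if: github.event_name != 'pull_request'
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
```

Keeping `permissions` at the workflow level means any job added later starts from the same reduced grant rather than the repository default. On `pull_request` events the login, push and signing steps are skipped and `push: false` leaves the image in the build cache, so an untrusted PR never reaches the registry with `packages: write`. Consumers can check the signature with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<this repository's workflow URL>' <image>@<digest>`.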

    @venkatamutyala venkatamutyala merged commit c7ff613 into main Oct 22, 2024
    3 of 4 checks passed
    @venkatamutyala venkatamutyala deleted the venkatamutyala-patch-1 branch October 22, 2024 17:08