Update and rename ghcr.yaml to container_image.yaml #21
Closed
wants to merge 2 commits into from

Conversation

@venkatamutyala venkatamutyala commented Oct 2, 2024

PR Type

enhancement, configuration changes


Description

  • Added a new GitHub Actions workflow (container_image.yaml) to automate the process of building, tagging, and publishing Docker images to GHCR.io.
  • Configured the workflow to use specific actions for setting up QEMU, Docker buildx, and logging into the registry.
  • Removed the outdated workflow (ghcr.yaml) that previously handled Docker image publishing.

Changes walkthrough 📝

Relevant files

Configuration changes

  container_image.yaml (.github/workflows/container_image.yaml), +56/-0
  Add GitHub Actions workflow for Docker image publishing
    • Added a new GitHub Actions workflow for publishing Docker images to GHCR.io.
    • Configured environment variables for registry and image name.
    • Included steps for setting up QEMU, Docker buildx, and logging into the registry.
    • Added steps for extracting Docker metadata and building/pushing Docker images.

  ghcr.yaml (.github/workflows/ghcr.yaml), +0/-10
  Remove outdated Docker image workflow
    • Removed the old GitHub Actions workflow for building and publishing Docker images.


    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 Security concerns

    Potential overexposure:
    The workflow is configured to run on every push (line 3), which could potentially expose internal changes or lead to unnecessary image builds. Consider limiting this to specific branches or events to reduce potential security risks and resource usage.

    ⚡ Recommended focus areas for review

    Security Concern
    The workflow is triggered on every push, which might lead to unnecessary image builds and potential abuse.

    Best Practice
    The push step is not conditional, potentially pushing images for pull requests, which is usually not desired.


    codiumai-pr-agent-free bot commented Oct 2, 2024

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Score
    Security
    ✅ Add a vulnerability scanning step before pushing the Docker image

    Add a step to scan the Docker image for vulnerabilities before pushing it to the
    registry. This can be done using tools like Trivy or Snyk. This step will help
    ensure that you're not pushing images with known vulnerabilities to your registry.

    .github/workflows/container_image.yaml [46-56]

    -- name: Build and push Docker image
    -  id: build-and-push
    +- name: Build Docker image
    +  id: build
       uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
    -    push: ${{ github.event_name != 'pull_request' }}
    +    push: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         provenance: false
         cache-from: type=gha
         cache-to: type=gha,mode=max
     
    +- name: Scan image for vulnerabilities
    +  uses: aquasecurity/trivy-action@master
    +  with:
    +    image-ref: ${{ steps.meta.outputs.tags }}
    +    format: 'table'
    +    exit-code: '1'
    +    ignore-unfixed: true
    +    vuln-type: 'os,library'
    +    severity: 'CRITICAL,HIGH'
    +
    +- name: Push Docker image
    +  if: success() && github.event_name != 'pull_request'
    +  run: |
    +    docker push ${{ steps.meta.outputs.tags }}
    +
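Review bot: The split build/scan/push sequence cannot find the image it builds: `push: false` with no `load: true` leaves a buildx-built image in the build cache rather than in the local Docker daemon, so `image-ref: ${{ steps.meta.outputs.tags }}` has nothing to scan and `docker push ${{ steps.meta.outputs.tags }}` has nothing to push; add `load: true` to the build step (single-platform builds only) or re-run build-push-action with `push: true` after the scan so the cached layers are reused. `steps.meta.outputs.tags` is also a newline-separated list when the metadata step emits several tags, while both `image-ref` and `docker push` expect one reference. Finally, `aquasecurity/trivy-action@master` is a mutable branch in a step that gates publication, whereas the build action in the same hunk is pinned to a commit SHA; pin it the same way.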

    [Suggestion has been applied]

    Suggestion importance[1-10]: 9

    Why: Adding a vulnerability scan is a significant security enhancement, ensuring that images are checked for known vulnerabilities before being pushed to the registry.

    ✅ Enable Docker content trust to ensure only signed images are pushed

    Enable Docker content trust by setting DOCKER_CONTENT_TRUST=1 in the environment.
    This ensures that only signed images are pushed to the registry, enhancing the
    security of your container deployment pipeline.

    .github/workflows/container_image.yaml [5-7]

     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
    +  DOCKER_CONTENT_TRUST: 1
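Review bot: Setting `DOCKER_CONTENT_TRUST: 1` here does not make the pipeline push only signed images: Docker Content Trust is enforced by the `docker` CLI on `docker push`/`docker pull`, but this workflow pushes through `docker/build-push-action` (BuildKit), which ignores that variable, and no signing key or passphrase is provisioned anywhere in the workflow, so nothing gets signed. If signed images are the goal, add an explicit signing step after the push (for example cosign with a key or keyless OIDC identity) and verify the signature at deploy time; as applied, this change is a no-op that gives false assurance.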

    [Suggestion has been applied]

    Suggestion importance[1-10]: 8

    Why: Enabling Docker content trust enhances security by ensuring that only signed images are pushed, which is a crucial step in maintaining a secure deployment pipeline.

    Best practice
    Generate and upload a Software Bill of Materials (SBOM) for the Docker image

    Consider adding a step to generate and push a Software Bill of Materials (SBOM) for
    the Docker image. This can be done using tools like Syft. An SBOM provides
    transparency about the components used in your image, which is useful for security
    audits and compliance.

    .github/workflows/container_image.yaml [46-56]

     - name: Build and push Docker image
       id: build-and-push
       uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
         push: ${{ github.event_name != 'pull_request' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         provenance: false
         cache-from: type=gha
         cache-to: type=gha,mode=max
     
    +- name: Generate SBOM
    +  uses: anchore/sbom-action@v0
    +  with:
    +    image: ${{ steps.meta.outputs.tags }}
    +    artifact-name: image-sbom.json
    +    output-file: ./image-sbom.json
    +
    +- name: Upload SBOM
    +  uses: actions/upload-artifact@v3
    +  with:
    +    name: image-sbom
    +    path: ./image-sbom.json
    +
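Review bot: `image: ${{ steps.meta.outputs.tags }}` can hold several newline-separated tags while sbom-action expects a single image reference; pass one resolved tag. Both new actions use floating refs (`anchore/sbom-action@v0`, `actions/upload-artifact@v3`) while `docker/build-push-action` in the same hunk is SHA-pinned; pin them the same way, and note that `upload-artifact@v3` is superseded by v4. Since the build step already sets `provenance: false`, attestations should be decided deliberately: build-push-action also accepts `sbom: true`, which attaches an SBOM attestation to the pushed image at build time instead of shipping it as a separate workflow artifact.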
    Suggestion importance[1-10]: 8

    Why: Generating an SBOM provides transparency about the components in the Docker image, aiding in security audits and compliance, which is a valuable addition to the workflow.

    Refine the workflow trigger conditions to run only on specific events

    Consider adding a condition to the on trigger to limit when this workflow runs. For
    example, you might want to run this workflow only on pushes to specific branches or
    on tag creation. This can help reduce unnecessary workflow runs and save on GitHub
    Actions usage.

    .github/workflows/container_image.yaml [3]

    -on: [push]
    +on:
    +  push:
    +    branches: [main, develop]
    +  tags:
    +    - 'v*'
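Review bot: The replacement is not valid workflow syntax: `tags:` is a filter that belongs under `push:`, not an event name under `on:`, so the `v*` filter is rejected or ignored and only pushes to `main`/`develop` would run. Indent it under `push:` alongside `branches: [main, develop]`, i.e. `tags: ['v*']` at the same level as `branches`. Separately, the build step's `push: ${{ github.event_name != 'pull_request' }}` (earlier hunks) only has an effect if a `pull_request:` trigger exists; with push-only triggers it is always true, so either add `pull_request:` here so PR builds are scanned without being published, or drop the condition.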
    Suggestion importance[1-10]: 7

    Why: This suggestion improves the efficiency of the workflow by limiting its execution to specific branches and tags, which can save resources and reduce unnecessary runs.



    Comment on lines +5 to +7
    env:
    REGISTRY: ghcr.io
    IMAGE_NAME: ${{ github.repository }}


    Suggestion: Enable Docker content trust to ensure only signed images are pushed [Security, importance: 8]


    sonarqubecloud bot commented Oct 4, 2024

    @venkatamutyala venkatamutyala deleted the venkatamutyala-patch-1 branch October 22, 2024 17:09