Skip to content

feat: add image push to GitHub registry#27

Closed
jeastham1993 wants to merge 14 commits into
mainfrom
feat/add-image-push
Closed

feat: add image push to GitHub registry#27
jeastham1993 wants to merge 14 commits into
mainfrom
feat/add-image-push

Conversation

@jeastham1993

Copy link
Copy Markdown
Collaborator

No description provided.


-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation


-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation

@scottgerring scottgerring left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the job name is wrong now (user management tests?)

Also, now that we can see that it's working, I reckon we should modify it so that we only push images on push to main, not on PR.

Also also, are you plugging the commit SHAs into the docker container env so they are discoverable for datadog's source code integration?

Comment thread .github/workflows/user-management.yml Outdated

-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation

@@ -1,4 +1,4 @@
name: User Management Tests
name: User Management

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Default permissions for the GITHUB_TOKEN are expected to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation

@scottgerring

Copy link
Copy Markdown
Member

Re-staged into and merged with #29

@scottgerring scottgerring deleted the feat/add-image-push branch January 20, 2026 07:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants