chore: update reusable docker pipeline to v0.16.0#221

Closed
mpastecki wants to merge 1 commit into main from chore/update-reusable-pipeline-v0.16.0

Conversation

@mpastecki

Summary

Updates reusable_docker_pipeline.yml to v0.16.0 (a5bf0dd).

This version introduces pre-push security scanning — images are scanned
for vulnerabilities and secrets before being pushed to registries.

What changes in v0.16.0

  • Scan-before-push: Trivy filesystem + image scans run before any registry push
  • Secret scanning: source code and image layer secret detection
  • Scans enabled by default: docker_scan: true, trivy_nofail: false, hadolint_nofail: false
  • DockerHub push disabled by default: push_to_dockerhub now defaults to false
  • Job Summary: scan results appear directly in the GitHub Actions run summary
  • SARIF upload: vulnerability findings surface in GitHub Security tab (public repos)
  • Build caching: scan build layers are reused via cache-from for push steps

Copilot AI review requested due to automatic review settings January 30, 2026 12:28

Copilot AI left a comment


Pull request overview

This PR updates the reusable Docker pipeline workflow from v0.11.2 to v0.16.0 in the publish workflow. The new version introduces pre-push security scanning with Trivy, including vulnerability detection and secret scanning, with results surfaced in GitHub Actions summaries and the Security tab via SARIF uploads.

Changes:

  • Updated reusable_docker_pipeline.yml reference to v0.16.0 (commit a5bf0dd)
  • Removed trailing whitespace on lines 11 and 20

permissions:
contents: read

Copilot AI Jan 30, 2026


The v0.16.0 update introduces SARIF upload functionality that uploads vulnerability findings to the GitHub Security tab. This requires the security-events: write permission to be added to the permissions block. Without this permission, the SARIF upload step will fail for public repositories.

Add the following to the permissions section:

permissions:
  contents: read
  security-events: write
Suggested change (replaces the existing "contents: read" line):
  contents: read
  security-events: write

Author


It seems to be partially true, but the permission might be needed in the reusable workflow, not here. I will check.
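The permission question raised in this thread hinges on how GitHub Actions scopes GITHUB_TOKEN across a caller and a reusable workflow: the called workflow's jobs inherit the caller job's permissions and can only downgrade them, never elevate them. So for a SARIF upload that runs inside the reusable pipeline, the grant has to be present on the caller side as well. The following caller workflow is an added example, not this repository's actual publish workflow; the repository path, the workflow trigger and the input values are assumptions, while the input names and the a5bf0dd ref come from the PR description.

```yaml
# Added example of a caller workflow; not this repository's real publish
# workflow. EXAMPLE_ORG/EXAMPLE_REPO and the trigger are placeholders.
name: publish

on:
  push:
    tags: ["v*"]

# Workflow-level default: every job starts read-only.
permissions:
  contents: read

jobs:
  docker:
    # Job-level grant for the reusable pipeline. The called workflow
    # inherits exactly these and may only drop permissions, so
    # security-events: write must be granted here for the SARIF upload
    # performed inside reusable_docker_pipeline.yml to succeed.
    permissions:
      contents: read
      security-events: write
    # Pinning to the commit SHA rather than the v0.16.0 tag keeps the
    # pipeline immutable even if the tag is later moved.
    uses: EXAMPLE_ORG/EXAMPLE_REPO/.github/workflows/reusable_docker_pipeline.yml@a5bf0dd
    with:
      # Input names are those listed in the PR; values are the v0.16.0 defaults.
      docker_scan: true
      trivy_nofail: false
      hadolint_nofail: false
      push_to_dockerhub: false
```

Two things follow from the inheritance rule. First, the reusable workflow's own upload job must not declare a narrower `permissions:` block that omits `security-events: write`, or the inherited grant is dropped again; both sides have to allow it. Second, keeping `contents: read` at the workflow level and granting `security-events: write` only on the job that needs it keeps every other job in the caller at least-privilege, which is the reason for preferring the job-level form over widening the top-level block.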

@mpastecki mpastecki closed this Feb 3, 2026