chore: update reusable docker pipeline to v0.16.1#532

Open
mpastecki wants to merge 1 commit into main from chore/update-reusable-pipeline-v0.16.1

Conversation

@mpastecki
Contributor

Summary

Updates reusable_docker_pipeline.yml to v0.16.1 (d2299e8).

What changes in v0.16.1

  • Lint failures block publishing: dockerfile_lint is now a dependency of docker_build, so Hadolint failures will block image publishing

What changed in v0.16.0

  • Scan-before-push: Trivy filesystem + image scans run before any registry push
  • Secret scanning: source code and image layer secret detection
  • Scans enabled by default: docker_scan: true, trivy_nofail: false, hadolint_nofail: false
  • DockerHub push disabled by default: push_to_dockerhub now defaults to false
  • Job Summary: scan results appear directly in the GitHub Actions run summary
  • SARIF upload: vulnerability findings surface in GitHub Security tab (public repos)
  • Build caching: scan build layers are reused via cache-from for push steps


Copilot AI left a comment


Pull request overview

This PR updates the reusable Docker pipeline workflow reference from v0.15.0 to v0.16.1, bringing enhanced security features including scan-before-push, secret scanning, and lint failure enforcement. The update introduces stricter default behaviors where security scans and linting now block publishing by default.

Changes:

  • Updated reusable_docker_pipeline.yml reference from commit 22ae8ed (v0.15.0) to d2299e8 (v0.16.1)
Comments suppressed due to low confidence (1)

.github/workflows/publish.yml:55

  • In v0.16.1, the default value for push_to_dockerhub changed from true to false (as noted in the PR description). If this workflow was previously pushing images to DockerHub, you may need to explicitly set push_to_dockerhub: true in the with section to maintain that behavior. If DockerHub pushes are not required, this change is fine. Please verify whether DockerHub publishing is needed for this repository.
    with:
      publish: true
      docker_scan: true


)}}
needs: ["lint_test"]
uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@22ae8ed7a2ea5c80331758914c4e0ea732eea1ad # v0.15.0
uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@d2299e834fcbaca4bf2db043a2939798043d5951 # v0.16.1
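Review bot: The `with:` block that this `uses:` line feeds (`publish: true`, `docker_scan: true` per the inline review) does not set `push_to_dockerhub`, and v0.16.1 flips that default to false, so this bump silently stops DockerHub publishing unless that is intended; add `push_to_dockerhub: true` (or note in the PR that the push is dropped on purpose) in the same change. Pinning to the full commit SHA d2299e834fcbaca4bf2db043a2939798043d5951 with a trailing `# v0.16.1` marker is the right form, but Actions resolves only the SHA, so the comment has to be kept in step with the hash on every future bump.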

Copilot AI Feb 3, 2026


The ci.yml workflow file still uses v0.15.0 of reusable_docker_pipeline.yml (at line 24 of ci.yml). For consistency and to ensure both CI and publish workflows use the same scanning and linting behavior, consider updating ci.yml to v0.16.1 as well. The v0.16.1 changes (lint failures blocking, scan-before-push, and secret scanning) would benefit the CI workflow too.

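To catch the drift the comment above describes, an added shell check (not code from this PR or from babylonlabs-io/.github) that walks caller workflows, requires every reusable-workflow `uses:` reference to be a full commit SHA, and fails when two callers pin the same workflow to different commits; the publish.yml and ci.yml it writes are constructed samples based on the lines on this page.

```shell
# Added example, not code from the PR or from babylonlabs-io/.github: verify that
# every reusable-workflow `uses:` reference is a full commit SHA and that all
# callers of the same workflow pin the same SHA, so ci.yml and publish.yml agree.
set -eu

# check_workflow_pins FILE...  -> prints one line per problem, exit 1 if any.
check_workflow_pins() {
  awk '
    /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
      ref = $0
      sub(/.*uses:[ \t]*/, "", ref)                 # keep only the reference
      sub(/[ \t]*#.*$/, "", ref)                     # drop the "# vX.Y.Z" comment
      if (ref !~ /\.github\/workflows\//) next       # not a reusable workflow
      if (ref ~ /^\.\//) next                        # same-repo workflow, no pin
      at = index(ref, "@")
      if (at == 0) { printf "%s: %s has no @ref\n", FILENAME, ref; bad = 1; next }
      wf = substr(ref, 1, at - 1); sha = substr(ref, at + 1)
      # Only a 40-hex SHA is immutable; tags and branches can be moved later.
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) {
        printf "%s: %s pinned to mutable ref %s\n", FILENAME, wf, sha; bad = 1
      }
      if (wf in seen && seen[wf] != sha) {
        printf "%s: %s pins %s but %s pins %s\n", FILENAME, wf, sha, first[wf], seen[wf]; bad = 1
      }
      if (!(wf in seen)) { seen[wf] = sha; first[wf] = FILENAME }
    }
    END { exit bad }' "$@"
}

# Constructed sample callers: publish.yml pins d2299e8 (v0.16.1) as in this PR;
# ci.yml pins whatever $1 is (the review notes it was still on v0.15.0).
make_sample_workflows() {
  d=$(mktemp -d)
  cat > "$d/publish.yml" <<EOF
jobs:
  docker_pipeline:
    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@d2299e834fcbaca4bf2db043a2939798043d5951 # v0.16.1
EOF
  cat > "$d/ci.yml" <<EOF
jobs:
  docker_pipeline:
    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@$1 # v0.15.0
EOF
  echo "$d"
}

d=$(make_sample_workflows 22ae8ed7a2ea5c80331758914c4e0ea732eea1ad)
check_workflow_pins "$d"/*.yml || echo "drift: bump ci.yml to the same SHA as publish.yml"
```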
Contributor


@mpastecki should this be updated everywhere?
