Enhance CI workflow with Docker Scout (#377)

mathieu-benoit · web-flow · commit b662b4850192 · 2025-12-03T22:00:58.000-05:00
Signed-off-by: Mathieu Benoit &lt;mathieu-benoit@hotmail.fr&gt;
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -7,18 +7,19 @@ on:
       - main
 permissions:
   contents: read
+  pull-requests: write
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: checkout code in current PR branch
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
       - name: Fetch all tags
         run: git fetch --force --tags
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
           go-version-file: 'go.mod'
       - name: Run Go Vet
@@ -35,17 +36,72 @@ jobs:
         run: go install github.com/google/addlicense@dc31ac9ffcca99c9457226366135701794b128c0
       - name: Check licenses
         run: addlicense -l apache -check -v -ignore '**/*.yaml' -c 'The Score Authors' ./cmd ./internal/
-      - name: Build docker image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: docker login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build container image from PR branch
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
+          tags: score-compose:pr-${{ github.event.number }}
+      - name: docker images
+        run: |
+          docker images
+      - name: checkout code in main branch
+        uses: actions/checkout@v6
+        with:
+          ref: main
+      - name: Build container image from main branch
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: false
           load: true
-          tags: score-compose:test
-          build-args: |
-            "VERSION=test"
-      - name: Test docker image
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
+          tags: score-compose:main
+      - name: docker images
+        run: |
+          docker images
+      - name: Docker Scout Comparison between main branch and current PR branch
+        uses: docker/scout-action@v1
+        with:
+          command: compare
+          image: local://score-compose:pr-${{ github.event.number }}
+          to: local://score-compose:main
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          organization: ${{ secrets.DOCKER_HUB_ORG }}
+      - name: Test docker image built in PR branch
         run: |
-          docker run --rm score-compose:test --version
-          docker run -v .:/score-compose --rm score-compose:test init
+          docker run --rm score-compose:pr-${{ github.event.number }} --version
+          docker run -v .:/score-compose --rm score-compose:pr-${{ github.event.number }} init
           cat score.yaml
+
+
+
+
+
+
