
Update and rename main.yml to container_image.yml #33

Merged
merged 1 commit into from
Oct 22, 2024

Conversation

venkatamutyala
Contributor

@venkatamutyala venkatamutyala commented Oct 2, 2024

PR Type

enhancement, configuration changes


Description

  • Added a new GitHub Actions workflow in container_image.yml to automate the process of building and publishing Docker images to GHCR.io.
  • Configured the workflow to set up QEMU, Docker buildx, and log into the registry using GitHub Actions.
  • Removed the old workflow defined in main.yml that used a different action for building and pushing Docker images.

Changes walkthrough 📝

Relevant files

Enhancement: container_image.yml (.github/workflows/container_image.yml, +56/-0)
Add GitHub Actions workflow for Docker image publishing

  • Added a new GitHub Actions workflow for publishing Docker images to GHCR.io.
  • Configured environment variables for registry and image name.
  • Implemented steps for setting up QEMU, Docker buildx, and logging into the registry.
  • Included steps for extracting Docker metadata and building/pushing Docker images.

Configuration changes: main.yml (.github/workflows/main.yml, +0/-10)
Remove old Docker image build workflow

  • Removed the old GitHub Actions workflow for building, tagging, and pushing Docker images.

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information
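A hardened variant of the workflow this PR adds, written here as an added example rather than the project's own file. It keeps the SHA-pinned build-push-action reference from the PR; the other actions are shown with version tags that should likewise be pinned, and the `linux/arm64` platform, the `main` branch filter and the shape of the login and metadata steps are assumptions.

```yaml
name: container_image
on:
  push:
    branches: ["main"]           # assumption: no image for every branch push
  pull_request:
    branches: ["main"]           # PRs build but never push (see push: below)
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:                 # explicit least-privilege token instead of the default scope
      contents: read
      packages: write
    steps:
      # Version tags below are placeholders: pin each to a commit SHA as done for build-push-action.
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - name: Log in to GHCR
        if: github.event_name != 'pull_request'   # fork PRs only get a read-only GITHUB_TOKEN
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract image metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          flavor: latest=false                    # no implicit 'latest' tag
          tags: |
            type=ref,event=branch
            type=sha,format=long                  # immutable, commit-addressed tag
      - name: Build and push Docker image
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64      # assumption: this is what QEMU is set up for
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          provenance: mode=max                    # SLSA provenance attestation instead of false
          sbom: true                              # SBOM attestation attached to the pushed image
          cache-from: type=gha
          cache-to: type=gha,mode=max
```

Pushed images carry provenance and SBOM attestations in the registry, so no separate upload step is needed to keep the SBOM next to the image it describes.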


PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Security Concern
The workflow is triggered on every push, which might lead to unnecessary builds and potential abuse.

Best Practice
The workflow is using the 'latest' tag implicitly, which is not recommended for reproducibility.

Configuration
The 'provenance' option is set to false, which disables the generation of provenance data for the built image.


sonarqubecloud bot commented Oct 2, 2024


PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Score

Security

Add a vulnerability scanning step before pushing the Docker image to improve security

To improve security, consider adding a step to scan the Docker image for vulnerabilities before pushing it to the registry. You can use tools like Trivy or Snyk, which integrate well with GitHub Actions.

.github/workflows/container_image.yml [46-56]

    -- name: Build and push Docker image
    -  id: build-and-push
    +- name: Build Docker image
    +  id: build
       uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
    -    push: ${{ github.event_name != 'pull_request' }}
    +    push: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
    -    provenance: false
         cache-from: type=gha
         cache-to: type=gha,mode=max
     
    +- name: Scan image for vulnerabilities
    +  uses: aquasecurity/trivy-action@master
    +  with:
    +    image-ref: ${{ steps.meta.outputs.tags }}
    +    format: 'table'
    +    exit-code: '1'
    +    ignore-unfixed: true
    +    vuln-type: 'os,library'
    +    severity: 'CRITICAL,HIGH'
    +
    +- name: Push Docker image
    +  if: ${{ github.event_name != 'pull_request' }}
    +  run: |
    +    docker push ${{ steps.meta.outputs.tags }}
    +
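Review bot: The scan-then-push sequence in this hunk does not work as written: with `push: false` and no `load: true`, the image never leaves the buildx builder, so the `image-ref` given to trivy-action has nothing to scan and the final `docker push` has nothing to push (`load` in turn needs a single-platform build on a default Docker daemon). `${{ steps.meta.outputs.tags }}` is a newline-separated list of tags, not one reference, so both `image-ref:` and `docker push ${{ steps.meta.outputs.tags }}` should take a single tag or iterate. `aquasecurity/trivy-action@master` is a mutable branch reference in a workflow that otherwise pins `build-push-action` to a commit SHA; pin it to a release commit. Dropping `-    provenance: false` silently changes what the build emits and deserves its own decision, and `ignore-unfixed: true` hides findings that have no fix yet, which should be a deliberate policy choice rather than a default.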
Suggestion importance [1-10]: 9

Why: Adding a vulnerability scanning step is a significant security enhancement, ensuring that only secure images are pushed to the registry, which is crucial for maintaining the integrity of the deployment process.

Enable Docker Content Trust to enhance the security of image pushing

Consider enabling Docker content trust by setting the DOCKER_CONTENT_TRUST environment variable. This adds an extra layer of security by ensuring the integrity and publisher of the images you're pushing.

.github/workflows/container_image.yml [5-7]

     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
    +  DOCKER_CONTENT_TRUST: 1
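Review bot: `DOCKER_CONTENT_TRUST: 1` in this env block will not sign anything. The variable is honored by the `docker` CLI (`docker push` / `docker pull`), not by `docker/build-push-action`, which drives BuildKit through buildx and ignores it; and Content Trust signing needs Notary signing keys and their passphrases, which this hunk does not provide, so any CLI push that did honor it would fail rather than sign. If signed images are the goal, sign after the push with cosign (keyless via the job's OIDC token, which needs `id-token: write`) or enable BuildKit provenance attestations instead of keeping `provenance: false`.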
Suggestion importance [1-10]: 8

Why: Enabling Docker Content Trust adds an extra layer of security by verifying the integrity and publisher of the images, which is a crucial step in ensuring secure deployments.

Enhancement

Generate and upload a Software Bill of Materials (SBOM) for the Docker image

Consider adding a step to generate and push a Software Bill of Materials (SBOM) for the Docker image. This can help with transparency and security by providing a detailed inventory of the components in your image.

.github/workflows/container_image.yml [46-56]

     - name: Build and push Docker image
       id: build-and-push
       uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
         push: ${{ github.event_name != 'pull_request' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         provenance: false
         cache-from: type=gha
         cache-to: type=gha,mode=max
     
    +- name: Generate SBOM
    +  uses: anchore/sbom-action@v0
    +  with:
    +    image: ${{ steps.meta.outputs.tags }}
    +    artifact-name: image-sbom.spdx
    +
    +- name: Upload SBOM
    +  uses: actions/upload-artifact@v3
    +  with:
    +    name: sbom
    +    path: image-sbom.spdx
    +
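Review bot: The `Upload SBOM` step will fail because `path: image-sbom.spdx` never exists in the workspace: `anchore/sbom-action` only writes to a workspace file when its `output-file` input is set (`artifact-name` names the uploaded artifact, not a file), and it uploads that artifact itself by default, so the separate `actions/upload-artifact` step is redundant as well as broken. The `image:` input receives the multi-line `tags` output rather than one reference, and on `pull_request` events the image has neither been pushed nor loaded locally, so there is nothing to scan. `anchore/sbom-action@v0` and `actions/upload-artifact@v3` are floating tags next to a SHA-pinned build step, and `upload-artifact@v3` is deprecated. A smaller change with a better result is `sbom: true` on the build step, which attaches the SBOM to the pushed image as an attestation.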
Suggestion importance [1-10]: 8

Why: Generating and uploading an SBOM provides transparency and aids in security audits by detailing the components within the Docker image, which is a valuable enhancement for compliance and security.

Best practice

Refine the workflow trigger conditions to run only on specific events or branches

Consider adding a condition to the on trigger to limit when this workflow runs. For example, you might want to run this workflow only on pushes to specific branches or on pull requests. This can help reduce unnecessary workflow runs and save on GitHub Actions usage.

.github/workflows/container_image.yml [3]

    -on: [push]
    +on:
    +  push:
    +    branches: [ "main", "develop" ]
    +  pull_request:
    +    branches: [ "main" ]
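Review bot: The `branches: [ "main", "develop" ]` list assumes a `develop` branch exists; confirm that before applying. Adding `pull_request:` is the part that matters: under the current `on: [push]` trigger the build step's `push: ${{ github.event_name != 'pull_request' }}` guard is dead code and every push to any branch publishes an image. Once `pull_request` is added, the workflow also runs for fork PRs with a read-only `GITHUB_TOKEN`, so the registry login step should be skipped on `pull_request` too (`if: github.event_name != 'pull_request'`), and the job should declare an explicit `permissions:` block (`contents: read`, `packages: write`) rather than relying on the default token scope.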
Suggestion importance [1-10]: 7

Why: The suggestion to refine the workflow trigger conditions is valuable as it can help reduce unnecessary workflow runs and save on GitHub Actions usage, making the workflow more efficient.


@venkatamutyala venkatamutyala merged commit cb24834 into main Oct 22, 2024
4 of 5 checks passed
@venkatamutyala venkatamutyala deleted the venkatamutyala-patch-1 branch October 22, 2024 17:07