Skip to content

Dev fix trivy + tag rework #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mm-psy merged 6 commits into from
Jan 29, 2026
Merged

Dev fix trivy + tag rework #23

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f776fda
Fix image reference extraction for Trivy SBOM generation in Docker pu…
mm-psy Jan 27, 2026
7654501
Add step to extract first image tag for Trivy scanning in Docker publ…
mm-psy Jan 27, 2026
4ada24c
Fix manual trigger value format in Docker publish workflow
mm-psy Jan 29, 2026
e2e6593
Fix tag generation logic for Docker image based on branch conditions
mm-psy Jan 29, 2026
08f1846
Enhance tag generation logic for Docker image by adding priority to d…
mm-psy Jan 29, 2026
fedf3f9
Fix tag generation logic for non-develop and non-release branches in …
mm-psy Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 11 additions & 5 deletions .github/workflows/docker-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,11 +71,11 @@ jobs:
latest=false
tags: |
type=semver,pattern={{raw}}
type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/develop')}}
type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/release/')}}
type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/hotfix/')}}
type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201
type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}}
type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}}
type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/') && !startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}}
type=ref,event=pr
type=raw,value=manual-{{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}}

# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
Expand Down Expand Up @@ -106,6 +106,12 @@ jobs:
push: false
outputs: type=local,dest=sbom-output

# Extract the first tag from the list for Trivy scanning
- name: Get first image tag
if: ${{ github.event_name != 'pull_request' }}
id: first-tag
run: echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT

# Generate container SBOM.
- name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
if: ${{ github.event_name != 'pull_request' }}
Expand All @@ -114,7 +120,7 @@ jobs:
scan-type: 'image'
format: 'cyclonedx'
output: 'sbom-output/sbom_container.cyclonedx.json'
image-ref: ${{ steps.meta.outputs.tags }}
image-ref: ${{ steps.first-tag.outputs.value }}
skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields

- name: Upload trivy/container AND application SBOMs as a Github artifact
Expand Down
Loading