
chore: update reusable docker pipeline to v0.18.1#489

Merged
kirugan merged 1 commit into main from chore/update-docker-pipeline-v0.18.1
Mar 24, 2026

Conversation

@mpastecki
Contributor

Summary

  • Update reusable_docker_pipeline.yml to v0.18.1 (0adff9d36a)

What's new in v0.18.1

  • Scan-before-push: images are scanned locally before any registry push
  • 4-scan model: filesystem vulns, filesystem secrets, image vulns, image secrets
  • Secret scanning for source code and Docker layers (CRITICAL, HIGH)
  • SARIF upload to GitHub Security tab (public repos)
  • Scan results in GitHub Actions Job Summary
  • Hadolint lint failures block image publishing

@github-actions

🔐 Commit Signature Verification

All 1 commit(s) passed verification

Commit Author Signature Key Type Key Check
b267a0e0d260 Marcin sk-ssh-ed25519

Summary

  • Commits verified: 1
  • Signature check: ✅ All passed
  • Key type enforcement: ✅ All sk-ssh-ed25519

Required key type: sk-ssh-ed25519 (FIDO2 hardware key)

Last verified: 2026-03-24 09:24 UTC

@greptile-apps

greptile-apps bot commented Mar 24, 2026

Greptile Summary

This PR updates the pinned SHA reference for reusable_docker_pipeline.yml from v0.13.4 → v0.18.1 in ci.yml and from v0.15.0 → v0.18.1 in publish.yml, bringing enhanced container security scanning to both workflows.

  • Both files now use the same commit SHA (0adff9d36a) for reusable_docker_pipeline.yml, keeping CI and publish pipelines in sync on the same pipeline version.
  • The upgrade introduces a 4-scan model (filesystem vulns, filesystem secrets, image vulns, image secrets), SARIF upload to the GitHub Security tab, and Hadolint Dockerfile linting that gates image publishing — all meaningful security improvements.
  • The reusable_go_lint_test.yml references are intentionally left at their existing versions (v0.13.4 in ci.yml, v0.15.0 in publish.yml), as those workflows have independent versioning and are out of scope for this change.
  • The needs: ["lint_test"] dependency in publish.yml remains commented out (pre-existing), meaning the docker pipeline still runs in parallel with — not sequentially after — the lint/test job on publish triggers.

Confidence Score: 5/5

  • This PR is safe to merge; it is a minimal, well-scoped version bump of a reusable pipeline reference using full SHA pinning.
  • Both changes are single-line SHA + version-comment updates to a centrally maintained reusable workflow. Full commit SHAs are used (supply-chain best practice), the new version adds only security scanning improvements, and no application logic is touched. No issues were identified.
  • No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Updates reusable_docker_pipeline.yml reference from v0.13.4 to v0.18.1 via full SHA pin; no other changes.
.github/workflows/publish.yml Updates reusable_docker_pipeline.yml reference from v0.15.0 to v0.18.1 via full SHA pin; no other changes.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant FS as Filesystem Scanner
    participant Builder as Docker Builder
    participant IS as Image Scanner
    participant Reg as Container Registry

    GH->>FS: Scan source filesystem (vulns)
    FS-->>GH: Filesystem vuln report (SARIF)
    GH->>FS: Scan source filesystem (secrets)
    FS-->>GH: Filesystem secret report (SARIF)
    GH->>Builder: Build Docker image locally
    Builder-->>GH: Image built (not yet pushed)
    GH->>IS: Scan image layers (vulns)
    IS-->>GH: Image vuln report (SARIF)
    GH->>IS: Scan image layers (secrets)
    IS-->>GH: Image secret report (SARIF)
    GH->>GH: Upload SARIF → GitHub Security tab
    GH->>GH: Hadolint Dockerfile lint check
    alt All scans pass & lint passes
        GH->>Reg: Push image to registry
        Reg-->>GH: Push confirmed
    else CRITICAL/HIGH finding or lint failure
        GH->>GH: Block publish, fail pipeline
    end

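The Greptile summary above rests on two checkable properties of the change: every `uses:` reference is pinned to a full 40-character commit SHA with a trailing version comment, and ci.yml and publish.yml now point at the same SHA for reusable_docker_pipeline.yml while reusable_go_lint_test.yml is deliberately left at two different versions. The script below is an added example, not part of this PR or the project's tooling, that lints workflow files for both properties: mutable refs (tags or branches), SHA pins without a `# vX.Y.Z` comment, and drift where several files pin the same reusable workflow to different refs. The workflow text, the repository path `example-org/ci-workflows` and the full SHAs are constructed placeholders; the page shows only the short prefix 0adff9d36a.

```python
"""Lint GitHub Actions workflows for full-SHA pinning and cross-file pin drift.

Added example for this PR page; not the project's own tooling. The workflow
text, the repository path example-org/ci-workflows and the full SHAs below are
constructed placeholders (the PR page shows only the prefix 0adff9d36a).
"""
import re
from collections import defaultdict

# Matches `uses: <target>@<ref>` with an optional trailing `# comment`, at job
# level ("uses:") or step level ("- uses:"). Lines without "@" (local
# "./.github/workflows/x.yml" reuse, "docker://" images) are not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^@\s]+)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"v?\d+\.\d+\.\d+")


def parse_uses(text):
    """Yield (line_no, target, ref, comment) for every `uses: target@ref` line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield line_no, m.group("target"), m.group("ref"), (m.group("comment") or "").strip()


def check_workflow(name, text):
    """Findings for one file: mutable refs, and full SHAs lacking a version comment."""
    findings = []
    for line_no, target, ref, comment in parse_uses(text):
        if not FULL_SHA_RE.match(ref):
            findings.append(f"{name}:{line_no}: {target} uses mutable ref '{ref}'; pin a 40-hex commit SHA")
        elif not VERSION_RE.search(comment):
            findings.append(f"{name}:{line_no}: {target}@{ref[:10]} lacks a '# vX.Y.Z' comment")
    return findings


def check_drift(workflows):
    """Findings where several files pin the same target to different refs."""
    pins = defaultdict(lambda: defaultdict(list))  # target -> ref -> [files]
    for name, text in workflows.items():
        for _, target, ref, _ in parse_uses(text):
            pins[target][ref].append(name)
    findings = []
    for target, refs in pins.items():
        if len(refs) > 1:
            detail = ", ".join(f"{ref[:10]} in {'/'.join(files)}" for ref, files in sorted(refs.items()))
            findings.append(f"{target} is pinned to {len(refs)} different refs: {detail}")
    return findings


def lint(workflows):
    """All per-file findings plus drift findings, for a {filename: text} mapping."""
    findings = []
    for name, text in workflows.items():
        findings.extend(check_workflow(name, text))
    findings.extend(check_drift(workflows))
    return findings


# Constructed sample input mirroring the PR: docker pipeline in sync at v0.18.1,
# go lint/test intentionally left at two different versions.
REPO = "example-org/ci-workflows/.github/workflows"
SHA_DOCKER = "0adff9d36a" + "0" * 30   # placeholder: a real SHA is 40 hex chars
SHA_GO_CI = "1" * 40
SHA_GO_PUBLISH = "2" * 40

CI_YML = f"""\
name: ci
jobs:
  lint_test:
    uses: {REPO}/reusable_go_lint_test.yml@{SHA_GO_CI}  # v0.13.4
  docker:
    uses: {REPO}/reusable_docker_pipeline.yml@{SHA_DOCKER}  # v0.18.1
"""
PUBLISH_YML = f"""\
name: publish
jobs:
  lint_test:
    uses: {REPO}/reusable_go_lint_test.yml@{SHA_GO_PUBLISH}  # v0.15.0
  docker:
    uses: {REPO}/reusable_docker_pipeline.yml@{SHA_DOCKER}  # v0.18.1
"""
# A workflow with the weak settings the checker should reject: a floating tag
# and a SHA pin with no version comment to tell reviewers what it corresponds to.
WEAK_YML = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: {REPO}/reusable_docker_pipeline.yml@{SHA_DOCKER}
"""

if __name__ == "__main__":
    for finding in lint({"ci.yml": CI_YML, "publish.yml": PUBLISH_YML, "weak.yml": WEAK_YML}):
        print(finding)
```

Run against the three constructed files, the checker is silent on ci.yml and publish.yml, flags the floating `@v4` tag and the comment-less pin in weak.yml, and reports the go lint/test workflow as pinned to two different refs, which is exactly the intentional split the summary above notes. Drift findings are deliberately reported rather than failed on, since a split like this one can be a conscious choice; a CI gate would typically fail only on mutable refs.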


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b267a0e0d2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@kirugan kirugan merged commit 2d73536 into main Mar 24, 2026
6 checks passed
@kirugan kirugan deleted the chore/update-docker-pipeline-v0.18.1 branch March 24, 2026 09:31