Improve Docker CI for PRs and add manual release workflow#25
Draft
Refactor the Docker image workflow to better support pull requests, forks, and multi-architecture builds.

Changes:
- add pull_request support for Docker image builds
- refactor duplicated amd64/arm64 jobs into a matrix build
- keep DockerHub login/push disabled for PR builds
- keep manifest creation only for non-PR builds
- derive image namespace from DOCKERHUB_NAMESPACE or repository owner
- add Grype scanning for the base image
- upload SARIF results only for non-PR builds
- print scan SARIF in PR builds instead of uploading it
- keep the existing per-arch slim image flow
- add Buildx cache configuration

Also add a separate manual Release workflow that:
- takes an explicit VERSION input
- creates and pushes a lightweight git tag
- creates the GitHub release
- dispatches the Docker workflow for that tag via workflow_dispatch

This keeps PR behavior fork-friendly, adds image vulnerability scanning, and makes releases explicit without requiring Gradle or computed versioning.
Summary
This updates the Docker image GitHub Actions workflow to make it more reusable for PR validation, reduce duplication, and add container vulnerability scanning.
It also adds a separate manual release workflow for creating a versioned tag/release and dispatching the Docker publish workflow for that tag.
Changes
- `pull_request` trigger for builds targeting `main`
- `vars.DOCKERHUB_NAMESPACE || github.repository_owner` to work better in forks
- `VERSION` input
- `postgresql.yml` explicitly via `workflow_dispatch`
Why
This makes the Docker workflow more useful for contributors and forks by allowing PR builds without requiring push credentials, while still preserving the current main/release publishing flow.
It also adds vulnerability scanning so issues in the base image are detected during CI.
The separate release workflow keeps versioning simple for this repository by requiring an explicit version instead of computing one, and avoids recursive workflow limitations by manually dispatching the Docker workflow after the release tag is created.
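The PR-safe build-and-scan flow described above, written out as an added illustrative GitHub Actions workflow; it is not the PR's own `postgresql.yml`, and it leaves out the manifest job and the slim image flow. The `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` secret names, the `app` image name and the base image placeholder are assumptions.

```yaml
name: Docker image (illustrative)
on:
  pull_request:
    branches: [main]
  push:
    branches: [main, develop, develop-slim]
  workflow_dispatch:           # used by the manual release workflow to build a tag
permissions:
  contents: read
  security-events: write       # SARIF upload needs this; fork PRs never get it
env:
  # Fall back to the repository owner so forks build without any repo variables
  IMAGE_NAMESPACE: ${{ vars.DOCKERHUB_NAMESPACE || github.repository_owner }}
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [amd64, arm64]   # one job definition replaces the duplicated per-arch jobs
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      # Registry login is skipped on PR builds; fork PRs have no secrets anyway
      - if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          platforms: linux/${{ matrix.arch }}
          push: ${{ github.event_name != 'pull_request' }}   # build only, no push, on PRs
          tags: ${{ env.IMAGE_NAMESPACE }}/app:${{ github.sha }}-${{ matrix.arch }}
          cache-from: type=gha,scope=${{ matrix.arch }}
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
      # Grype scan of the base image; findings are reported rather than failing the build
      - id: scan
        uses: anchore/scan-action@v3
        with:
          image: REPLACE_WITH_BASE_IMAGE   # placeholder; the PR's base image is not shown
          output-format: sarif
          fail-build: false
      - if: github.event_name != 'pull_request'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
      # Code scanning upload is unavailable to fork PRs, so print the report instead
      - if: github.event_name == 'pull_request'
        run: cat "${{ steps.scan.outputs.sarif }}"
```

Because `security-events: write` is never granted to a workflow run triggered by a fork PR, gating the upload step on `github.event_name` is what keeps those runs from failing.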
Behavior
Pull requests
Push to `main`, `develop` and `develop-slim`
Manual release workflow
- `VERSION` input
- `postgresql.yml` on that tag via `workflow_dispatch`
Notes
Fixes #3