Refactor proxy Docker workflows for PR builds, releases, and fork compatibility#26

Open
wborn wants to merge 1 commit into main from improve-gha-workflows

Conversation

Member

@wborn wborn commented Apr 14, 2026

Summary

Improve the proxy GitHub Actions workflows to better support pull requests, forks, manual runs, and releases.

This updates the Docker image workflow so PRs can validate builds without publishing, makes the workflow safer for fork-based contributions, adds image vulnerability scanning before publish, and introduces a separate release workflow for creating tagged releases.

Changes

Docker image workflow

  • add pull_request support for image validation
  • add workflow_dispatch support for manual runs
  • allow manual runs only on main or on a tag
  • treat tag-based manual runs as versioned builds
  • treat main branch runs as develop builds
  • make image naming fork-friendly via vars.DOCKERHUB_NAMESPACE || github.repository_owner
  • centralize image tag and version computation in a metadata step
  • skip DockerHub login and publishing for PR runs
  • build the image locally first for Anchore/Grype scanning
  • upload SARIF results only for non-PR runs, and only for workflow_dispatch on main
  • keep multi-arch publishing for develop and release tags
  • skip SonarQube when SONAR_TOKEN is not configured
  • skip SonarQube for fork PRs because repository secrets are not available there
  • refresh and pin GitHub Action SHAs

Release workflow

  • add a dedicated release workflow
  • support creating a versioned release explicitly
  • keep release publishing separate from the Docker build workflow
  • allow release-driven Docker publishing via the existing release event flow

Behavior

Pull requests

  • build the image for validation
  • run Anchore/Grype scanning
  • do not log in to DockerHub
  • do not publish images
  • do not upload SARIF
  • only run SonarQube for same-repo PRs when SONAR_TOKEN is configured

Push to main

  • build and publish the develop multi-arch image
  • run Anchore/Grype scanning
  • upload SARIF results
  • run SonarQube when SONAR_TOKEN is configured

Release

  • build and publish versioned multi-arch images
  • publish latest alongside the versioned tag
  • run Anchore/Grype scanning
  • upload SARIF results
  • run SonarQube when SONAR_TOKEN is configured

Manual dispatch

  • allowed only on main or on a tag
  • on main, behaves like a develop build
  • on a tag, behaves like a versioned release build
  • fails fast on any other ref

Why

These changes make the workflows more contributor-friendly by allowing PR validation without requiring publish credentials or secrets from forks.

They also improve maintainability by centralizing tag computation and separating release creation from image publishing.

Finally, they add a security check before publishing by scanning the built image during CI.

Notes

  • the image is scanned once locally before the publish step
  • the multi-arch image is still built separately for publishing
  • Markdown-only changes do not trigger the Docker image workflow
  • SonarQube is intentionally skipped when secrets are unavailable

…patibility

- add pull_request support for proxy image validation
- add workflow_dispatch support for manual Docker runs on main or tags
- make image naming fork-friendly via repository owner fallback
- centralize image tag and version computation in a metadata step
- skip DockerHub login and publishing for PR builds
- build the image locally for Anchore/Grype scanning before publish
- upload SARIF results only for non-PR runs, and only for workflow_dispatch on main
- keep multi-arch image publishing for develop and release tags
- skip SonarQube when SONAR_TOKEN is not configured
- skip SonarQube for fork PRs because repository secrets are unavailable there
- add a release workflow for creating and publishing tagged releases
- pin and refresh GitHub Action SHAs

This improves the proxy CI/CD setup by making PR validation work in forks,
keeping publishing restricted to trusted runs, and adding a cleaner manual
and release flow for versioned Docker images.
@wborn wborn force-pushed the improve-gha-workflows branch from f314530 to 22cbf53 on April 14, 2026 12:39
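As an added illustration of the behavior this PR describes (written for this page, not the PR's own workflow file), the following minimal GitHub Actions workflow implements the same guards: manual runs only on main or a tag, tag/release runs as versioned builds and main runs as develop, a fork-friendly namespace via `vars.DOCKERHUB_NAMESPACE || github.repository_owner`, a single metadata step, a local build that is scanned with Anchore/Grype before anything is pushed, SARIF upload and DockerHub login only for non-PR runs, and multi-arch publishing last. The image name `proxy`, the `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` secrets and the `high` severity cutoff are assumptions; the SonarQube job is omitted.

```yaml
on:
  push: { branches: [main] }
  pull_request:
  release: { types: [published] }
  workflow_dispatch:
jobs:
  image:
    runs-on: ubuntu-latest
    permissions: { contents: read, security-events: write }   # SARIF upload needs the latter; fork PR tokens are read-only
    env:
      NAMESPACE: ${{ vars.DOCKERHUB_NAMESPACE || github.repository_owner }}   # forks fall back to their owner
    steps:
      - name: Allow manual runs only on main or on a tag; fail fast on any other ref
        if: github.event_name == 'workflow_dispatch'
        run: |
          case "$GITHUB_REF" in refs/heads/main|refs/tags/*) ;; *) echo "::error::manual runs need main or a tag, got $GITHUB_REF"; exit 1 ;; esac
      - uses: actions/checkout@v4            # pin every action to a full commit SHA in practice
      - uses: docker/setup-qemu-action@v3    # needed for the arm64 half of the multi-arch publish
      - uses: docker/setup-buildx-action@v3
      - name: Compute image name, version and tags in one place
        id: meta
        run: |
          IMAGE="$NAMESPACE/proxy"           # hypothetical image name
          if [[ "$GITHUB_REF" == refs/tags/* ]]; then        # release event or manual run on a tag
            VERSION="${GITHUB_REF#refs/tags/}"; TAGS="$IMAGE:$VERSION,$IMAGE:latest"
          else                                               # push to main or manual run on main
            VERSION=develop; TAGS="$IMAGE:develop"
          fi
          printf 'image=%s\nversion=%s\ntags=%s\n' "$IMAGE" "$VERSION" "$TAGS" >> "$GITHUB_OUTPUT"
      - name: Build the image locally so it can be scanned before anything is published
        uses: docker/build-push-action@v6
        with: { load: true, push: false, tags: "${{ steps.meta.outputs.image }}:scan" }
      - name: Scan with Anchore/Grype and fail the build on high or critical findings
        id: scan
        uses: anchore/scan-action@v6
        with: { image: "${{ steps.meta.outputs.image }}:scan", fail-build: true, severity-cutoff: high }
      - name: Upload SARIF for non-PR runs only, and for workflow_dispatch only on main
        if: ${{ !cancelled() && github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') && steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with: { sarif_file: "${{ steps.scan.outputs.sarif }}" }
      - name: Log in to DockerHub (skipped for PRs, so fork builds never need repository secrets)
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with: { username: "${{ secrets.DOCKERHUB_USERNAME }}", password: "${{ secrets.DOCKERHUB_TOKEN }}" }
      - name: Publish the multi-arch image (develop, or version plus latest) only after the scan passed
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v6
        with: { push: true, platforms: "linux/amd64,linux/arm64", tags: "${{ steps.meta.outputs.tags }}" }
```

Because the publish step runs only when the scan step succeeded, a failing Grype result blocks the push while the SARIF upload still runs via `!cancelled()`.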