Merged
33 changes: 33 additions & 0 deletions .github/workflows/docker-image.yml
@@ -0,0 +1,33 @@
name: Docker Image CI

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]

jobs:
build-and-push:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Log in to Docker Hub
if: github.event_name == 'push'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
coderabbitai[bot] marked this conversation as resolved.

- name: Build and push Docker image
uses: docker/build-push-action@v6
Comment on lines +14 to +27


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

Repository: call-0f-code/COC-API

🏁 Script executed:

# First, locate and examine the workflow file
find . -name "docker-image.yml" -type f

Length of output: 195

🏁 Script executed:

# Check the full content of the workflow file to understand context
cat -n .github/workflows/docker-image.yml

Length of output: 1035

🏁 Script executed:

# Verify the specific lines mentioned (14-24) and surrounding context
sed -n '1,30p' .github/workflows/docker-image.yml | cat -n

Length of output: 1035


Pin all GitHub Actions to commit SHAs and disable checkout credential persistence.

All three actions (checkout, docker/login-action, and docker/build-push-action) use tag refs instead of immutable commit SHAs, creating supply-chain risk if tags are reassigned. Additionally, the checkout action omits persist-credentials: false, leaving the GitHub token available to subsequent steps unnecessarily.

Suggested hardening diff
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@<FULL_LENGTH_COMMIT_SHA>

       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@<FULL_LENGTH_COMMIT_SHA>
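Review bot: when the `<FULL_LENGTH_COMMIT_SHA>` placeholders in the three `uses:` lines are filled in, keep the release tag as a trailing comment on each line, e.g. `uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA> # v4`, so a reader can see which release the hash corresponds to and Dependabot can keep the pin current; a bare hash with no comment tends to go stale because nobody can tell what it points at.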

Note: The Docker Hub login step runs on both push and pull_request events, but will fail on forked PRs due to unavailable secrets. Consider adding if: github.event_name == 'push' to the login step to prevent unnecessary failures.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)

[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)

[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-image.yml around lines 14 - 24, replace the version
tags in all three GitHub Actions with immutable commit SHAs to prevent
supply-chain risk: update actions/checkout from `@v4` to its specific commit SHA,
update docker/login-action from `@v3` to its commit SHA, and update
docker/build-push-action from `@v6` to its commit SHA. Add persist-credentials:
false as a parameter under the with section of the Checkout repository step to
prevent GitHub token exposure to subsequent steps. Add an if condition to the
Log in to Docker Hub step with the value github.event_name == 'push' to prevent
authentication failures when the workflow runs on forked pull requests where
secrets are unavailable.

Source: Linters/SAST tools

with:
context: .
file: ./Dockerfile
push: ${{ github.event_name == 'push' }}
tags: callofcode07/coc-api:latest
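Review bot: the workflow declares no `permissions:` block, so the GITHUB_TOKEN handed to this job carries the repository's default scopes although nothing in these steps needs more than reading the checkout; add `permissions: contents: read` at the workflow (or job) level so that a compromised step cannot use the token to write to the repository. The three `uses:` lines (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`) are still mutable tag references, which is the part of the zizmor `unpinned-uses` finding above that the merged file did not address; pin each to a full commit SHA. Finally, `tags: callofcode07/coc-api:latest` publishes only a moving tag, so a deployed image cannot be traced back to the commit that built it or rolled back to a known build; publishing a second tag derived from `${{ github.sha }}` alongside `latest` gives an immutable reference.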
