Implement automatic rebuilds of release images #47
- Generate a proper image for comparison
- Put workflow parameters in their proper location
Should be done, but I'm waiting to see it working on my fork yet ...
Pull Request Overview
This PR implements an automated security-driven rebuild system for release images. When vulnerabilities are detected in the current release image, the workflow automatically tests if rebuilding would resolve them, and if so, creates a new patch version tag to trigger a release.
Key changes:
- Replaces simple vulnerability scanning with an automated remediation workflow that rebuilds and re-tags images when fixes are available
- Adds workflow dispatch trigger to release workflow for programmatic triggering
- Introduces a reusable action for bumping patch version tags
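The decision the workflow makes (scan the published image, scan a fresh rebuild, release only if the rebuild removes findings) and the patch-bump step can be sketched in plain shell. The following is an added example written for this review, not code from this PR or from the project's `bump_tag` action; the scanner output and the `LATEST_TAG` value are constructed inline, and the `gh` call that would actually push the tag and dispatch `release.yml` is left as a comment so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: models the rebuild-or-not decision
# and the patch-version bump. Inputs below are constructed sample data.
set -eu

# Constructed scanner output: one finding per line, "<id> <severity>".
CURRENT_FINDINGS='CVE-2024-0001 HIGH
CVE-2024-0002 CRITICAL
CVE-2024-0003 MEDIUM'
REBUILT_FINDINGS='CVE-2024-0003 MEDIUM'
LATEST_TAG='v1.4.2'   # constructed; the real workflow would read the latest release tag

# Print the finding ids present in $1 but absent from $2.
# Called as (current, rebuilt) it lists what a rebuild fixes;
# called as (rebuilt, current) it lists what a rebuild would introduce.
fixed_by_rebuild() {
  { printf '%s\n' "$2" | awk 'NF { print "R", $1 }'
    printf '%s\n' "$1" | awk 'NF { print "C", $1 }'; } |
    awk '$1 == "R" { seen[$2] = 1; next } !($2 in seen) { print $2 }' | sort -u
}

# A rebuild is worth releasing only if it removes at least one finding
# and does not bring in any finding the current image lacks.
rebuild_resolves() {
  fixed=$(fixed_by_rebuild "$1" "$2" | awk 'END { print NR }')
  introduced=$(fixed_by_rebuild "$2" "$1" | awk 'END { print NR }')
  if [ "$fixed" -gt 0 ] && [ "$introduced" -eq 0 ]; then
    return 0
  fi
  return 1
}

# Increment the patch component of a vMAJOR.MINOR.PATCH tag.
bump_patch() {
  tag=$1
  base=${tag#v}
  major=${base%%.*}
  rest=${base#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  for part in "$major" "$minor" "$patch"; do
    case $part in
      ''|*[!0-9]*) echo "unrecognised tag: $tag" >&2; return 1 ;;
    esac
  done
  printf 'v%s.%s.%s\n' "$major" "$minor" "$((patch + 1))"
}

if rebuild_resolves "$CURRENT_FINDINGS" "$REBUILT_FINDINGS"; then
  NEXT_TAG=$(bump_patch "$LATEST_TAG")
  echo "rebuild fixes: $(fixed_by_rebuild "$CURRENT_FINDINGS" "$REBUILT_FINDINGS" | tr '\n' ' ')"
  echo "would create $NEXT_TAG and dispatch the release workflow"
  # In the real action this is where the tag is pushed and the release is
  # started, e.g. with: gh workflow run release.yml --ref "$NEXT_TAG"
else
  echo "rebuild does not reduce findings; keeping $LATEST_TAG"
fi
```

One caveat worth keeping in mind when reviewing this design: events caused by the repository's `GITHUB_TOKEN`, such as a tag push, do not start other workflows, with `workflow_dispatch` and `repository_dispatch` as the exceptions. That is why the `workflow_dispatch` trigger on `release.yml` is load-bearing here; pushing the tag alone would not produce a release run.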
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/security.yml | Transforms from passive scanning to active rebuild workflow with vulnerability comparison logic |
| .github/workflows/release.yml | Adds workflow_dispatch trigger to enable programmatic release initiation |
| .github/actions/bump_tag/action.yml | New composite action that increments patch version and triggers release workflow |
```yaml
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          GH_TOKEN: ${{ github.token }}
```
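Review bot: the `working-directory: ${{ github.workspace }}` line is the default for a composite-action step and can be dropped; the line that matters is `GH_TOKEN: ${{ github.token }}`, because that token carries whatever `permissions` the calling job has, so the caller (`security.yml`) should declare the minimum this action needs to push a tag and dispatch `release.yml` (`contents: write` and `actions: write`) rather than relying on the repository-wide default, and the action should document that requirement next to its inputs.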
Copilot (AI), Oct 19, 2025:
The github.token should be explicitly passed as an input to this composite action rather than being implicitly available. Composite actions don't automatically inherit secrets/tokens from the caller's context. This will likely fail with a permissions error when the action attempts to use gh CLI commands.
Creates new patch revisions when fixes become available (most likely via the base image).