Add reusable UBI image-build workflow + starter template #1
Reusable workflow (workflow_call) to build/scan/CIS-validate/publish hardened Red Hat UBI base images (SDK + slim runtime) to GHCR, plus a New-workflow starter template. Used by opsta/ais-image-lifecycle; reusable across opsta repos. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Code Review
This pull request introduces a new GitHub Actions workflow template and its properties file for building, scanning, and publishing hardened Red Hat UBI base images. The review feedback suggests pinning the reusable workflow to a specific release tag or commit SHA instead of @main to prevent unexpected breaking changes, and adding the security-events: write permission to allow Trivy scan results to be uploaded to GitHub Code Scanning.
jobs:
  build:
    uses: opsta/.github/.github/workflows/ubi-image-build.yml@main
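Review bot: the uses: line at the end of this hunk resolves the reusable workflow by the branch name main, so every consumer silently picks up whatever is merged there; prefer a full 40-character commit SHA (a tag such as v1 is also mutable and can be moved) with the release tag kept as a trailing comment, e.g. uses: opsta/.github/.github/workflows/ubi-image-build.yml@<sha> # v1, and bump it deliberately.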
Pinning the reusable workflow to @main can introduce unexpected breaking changes to consumer repositories when the reusable workflow is updated. It is highly recommended to pin to a specific release tag (e.g., @v1) or a full commit SHA for stability and security.
uses: opsta/.github/.github/workflows/ubi-image-build.yml@v1

permissions:
  contents: read
  packages: write
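Review bot: the permissions block in this hunk is the ceiling for the called workflow, not just for this job: a workflow invoked via uses: receives the caller's GITHUB_TOKEN scopes and can only narrow them, so any scope the reusable workflow needs for its Trivy results upload (security-events: write) has to be granted here, or the upload step fails in every consumer that copies this template.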
Since the reusable workflow performs a Trivy security scan, it likely attempts to upload the SARIF results to GitHub's Code Scanning service. To allow this, the calling workflow needs the security-events: write permission. Without it, the upload step will fail.
permissions:
  contents: read
  packages: write
  security-events: write
Adds an org-reusable workflow and a New-workflow starter template for building hardened Red Hat UBI base images (SDK + slim runtime) → GHCR, with Trivy + CIS Docker Benchmark v1.8 §4.
New files (additive — no collisions with existing workflows):
- .github/workflows/ubi-image-build.yml — reusable workflow (on: workflow_call)
- workflow-templates/ubi-image-build.yml + .properties.json — starter template (appears under New workflow → By Opsta)

Usage from any repo:
First consumer: opsta/ais-image-lifecycle (currently ships a self-contained copy; can switch to this once merged).

Optional org secrets REDHAT_REGISTRY_USER / REDHAT_REGISTRY_TOKEN enable registry.redhat.io; without them it falls back to the public registry.

🤖 Generated with Claude Code
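The two review findings above (a reusable workflow referenced by a mutable ref, and a caller permissions block that omits security-events: write) are the kind of thing a consumer repo can catch before push. The following is an added example, not code from this PR or from the opsta/.github repository: a dependency-free Python lint that scans a caller workflow for both problems. The two embedded workflows are constructed inputs, and the 40-hex SHA in the hardened one is a placeholder, not a real commit of opsta/.github. The line-based parser handles the usual indented-mapping layout of a caller workflow, not arbitrary YAML.

```python
"""Lint a GitHub Actions caller workflow for two reusable-workflow hardening points:
unpinned `uses:` references and a missing security-events: write grant.
Added example; not part of opsta/.github. Regex/line based so it needs no PyYAML."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*uses:\s*(\S+?)@(\S+)")
PERM_HEAD_RE = re.compile(r"^(\s*)permissions:\s*(\S*)\s*$")
PERM_ENTRY_RE = re.compile(r"^(\s*)([\w-]+):\s*(read|write|none)\s*$")

# Constructed caller workflow: mutable @main ref, no security-events grant.
WEAK = """\
name: build-ubi
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write
jobs:
  build:
    uses: opsta/.github/.github/workflows/ubi-image-build.yml@main
    secrets: inherit
"""

# Constructed hardened caller: SHA-pinned (placeholder SHA) with the scope the
# called workflow needs to upload Trivy SARIF. The called workflow cannot exceed
# the caller's grants, so the scope must appear here.
HARDENED = """\
name: build-ubi
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write
  security-events: write
jobs:
  build:
    # placeholder SHA, not a real commit of opsta/.github
    uses: opsta/.github/.github/workflows/ubi-image-build.yml@0123456789abcdef0123456789abcdef01234567 # v1
    secrets: inherit
"""


def unpinned_uses(text):
    """Return (line_no, ref, version) for every `uses:` not pinned to a 40-hex SHA."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA40.match(m.group(2)):
            out.append((n, m.group(1), m.group(2)))
    return out


def granted_permissions(text):
    """Collect scope -> level from every permissions: block (mapping or read-all/write-all)."""
    grants = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = PERM_HEAD_RE.match(lines[i])
        if not m:
            i += 1
            continue
        base, scalar = len(m.group(1)), m.group(2)
        i += 1
        if scalar:  # `permissions: write-all` / `read-all`
            grants[scalar] = "write" if scalar == "write-all" else "read"
            continue
        while i < len(lines):
            line = lines[i]
            if line.strip():
                indent = len(line) - len(line.lstrip())
                if indent <= base:
                    break  # left the permissions mapping
                e = PERM_ENTRY_RE.match(line)
                if e and grants.get(e.group(2)) != "write":
                    grants[e.group(2)] = e.group(3)  # keep the broadest level seen
            i += 1
    return grants


def lint(text):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    for n, ref, ver in unpinned_uses(text):
        findings.append(f"line {n}: {ref}@{ver} is a mutable ref; pin to a full commit SHA")
    grants = granted_permissions(text)
    if grants.get("security-events") != "write" and "write-all" not in grants:
        findings.append("no permissions block grants security-events: write; a called "
                        "workflow that uploads Trivy SARIF cannot exceed the caller's grants")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint(text) or "ok")
```

Run it as a pre-commit hook over .github/workflows/*.yml in a consumer repo; the SHA check is deliberately strict (a tag like @v1 is flagged too) because tags can be moved, which is the point of the pinning comment above.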