build: docker-bake migration#289

Open
ziscky wants to merge 2 commits into main from feat/migrate-to-docker-bake
Conversation

@ziscky
Contributor

@ziscky ziscky commented Apr 1, 2026

Migrate from Earthly to Docker Bake build system. Adds Dockerfile, docker-bake.hcl, helper script, CI workflow, and .dockerignore.

Comment thread .github/workflows/publish-docker-bake.yml Fixed
Comment on lines +20 to +29
    uses: zondax/_workflows/.github/workflows/_publish-docker-bake.yaml@main
    with:
      registry: dockerhub
      enable_remote_builder: true
      enable_signing: true
      enable_provenance: true
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
      REMOTE_BUILD_KIT: tcp://buildkit.int-dev.zondax.io:8372

Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix the problem, explicitly declare a permissions block that grants only the minimal required scopes to GITHUB_TOKEN. For a publish-to-registry workflow that doesn’t obviously need to write to the repository (no checkouts, tagging, or releases in the shown snippet), a conservative starting point is repository contents read-only plus packages write (so the token can push images if needed). This should be declared at the workflow root so it applies to the reused job unless that job overrides it.

Concretely, in .github/workflows/publish-docker-bake.yml, insert a root-level permissions section between the on: block and the jobs: block (around line 17). Use:

permissions:
  contents: read
  packages: write

This keeps repository contents read-only while allowing package publishing (e.g., to GitHub Container Registry). If the reusable workflow later proves to need more/less, this block can be adjusted, but this is a safe, least-privilege default that resolves the CodeQL finding without changing any functional behavior for Docker Hub publishing (which uses explicit secrets, not GITHUB_TOKEN).

Suggested changeset 1
.github/workflows/publish-docker-bake.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-docker-bake.yml b/.github/workflows/publish-docker-bake.yml
--- a/.github/workflows/publish-docker-bake.yml
+++ b/.github/workflows/publish-docker-bake.yml
@@ -15,6 +15,10 @@
       - 'v[0-9]+.[0-9]+'
       - 'v[0-9]+.[0-9]+.[0-9]+'
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     uses: zondax/_workflows/.github/workflows/_publish-docker-bake.yaml@main
EOF
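Review bot: the `packages: write` scope in the added `permissions:` block is broader than the hunk's own context justifies; the `build:` job it sits above publishes to Docker Hub with `DOCKERHUB_USER`/`DOCKERHUB_TOKEN` secrets rather than `GITHUB_TOKEN`, so nothing visible here needs package write access, and `permissions:` / `  contents: read` (or the `{}` that the CodeQL finding proposes) is the tighter default. Because `build:` calls a reusable workflow (`uses: zondax/_workflows/.github/workflows/_publish-docker-bake.yaml@main`), the caller's `permissions` is the ceiling for everything the called workflow can do: confirm what `_publish-docker-bake.yaml` actually requires, since the `enable_signing`/`enable_provenance` inputs may depend on an OIDC token (`id-token: write`) that this block does not grant, in which case the run would fail at signing time rather than silently over-grant. While touching this file, consider pinning the `@main` reference to a commit SHA so the publishing pipeline cannot change underneath this repository.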