Improve hawkbit Docker CI for PRs, releases, and fork compatibility#3
Open
- add pull_request support for image validation without publishing
- add workflow_dispatch support for manual runs on main or tags
- make image naming fork-friendly via repository owner fallback
- centralize image tag and version computation in a metadata step
- skip DockerHub login and publishing for PR builds
- support develop tagging on main branch builds
- support versioned and latest tags for release builds
- fail fast for manual runs on unsupported refs
- build the image locally for Anchore/Grype scanning
- upload SARIF results only for non-PR runs, and only for workflow_dispatch on main
- publish multi-arch amd64/arm64 images for trusted runs
- add GitHub Actions cache usage for Docker builds
- pin GitHub Actions to commit SHAs

This makes the hawkbit image workflow safer for forks and pull requests, keeps release and manual publishing predictable, and adds vulnerability scanning to the CI flow without publishing images from untrusted runs.
Summary
Refactor the hawkbit Docker image workflow to better support pull requests, forks, manual runs, and releases.
This change allows PRs to validate the Docker build without publishing, makes the workflow safer for fork-based contributions, adds container vulnerability scanning, and keeps release and manual publishing behavior explicit and predictable.
Changes
- `pull_request` support for image validation
- `workflow_dispatch` support for manual runs on `main` or on a tag
- `main` branch runs as `develop` builds
- Image namespace: `vars.DOCKERHUB_NAMESPACE || github.repository_owner`
- SARIF upload only for `workflow_dispatch` on `main`
- `amd64/arm64` images for trusted runs

Behavior

Pull requests
- Validate the Docker build without publishing

Push to `main`
- `develop` multi-arch image

Release
- `latest` alongside the versioned tag

Manual dispatch
- Allowed on `main` or on a tag
- On `main`, behaves like a `develop` build

Why
These changes make the workflow more contributor-friendly by allowing PR validation without requiring publish credentials.
They also improve maintainability by centralizing tag computation and making the workflow behavior explicit for pushes, PRs, releases, and manual runs.
Finally, they add vulnerability scanning so issues in the image are surfaced during CI.
Notes
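The tag, publish and SARIF decisions described under Changes and Behavior above, written out as an added shell example of what a centralized "metadata" step can compute (this is illustrative code, not the PR's own workflow). Assumptions not stated on the page: the image repository name `hawkbit-update-server`, version tags of the form `v1.2.3` or `1.2.3`, a manual run on a tag behaving like a release build, and a push to any ref other than `main` being rejected as a misconfiguration (the workflow's push trigger would normally be filtered to `main`).

```shell
#!/usr/bin/env sh
# Added example: decision logic for a metadata step, as a plain shell function
# so it can be exercised outside GitHub Actions.
# ASSUMPTIONS (not from the PR): image repo name, version-tag format,
# manual run on a tag == release build, push to non-main refs is an error.
set -eu

IMAGE_REPO="${IMAGE_REPO:-hawkbit-update-server}"   # assumed image name

# version_from_tag refs/tags/v1.2.3  ->  1.2.3   (assumed tag format)
version_from_tag() {
  ver="${1#refs/tags/}"
  printf '%s\n' "${ver#v}"
}

# compute_meta EVENT REF DOCKERHUB_NAMESPACE REPOSITORY_OWNER
# Prints key=value lines in $GITHUB_OUTPUT format:
#   image, tags (space-separated), push, upload_sarif
# Returns non-zero (fail fast) for manual runs on unsupported refs.
compute_meta() {
  event="$1"; ref="$2"; ns_var="${3:-}"; owner="$4"
  # mirrors `vars.DOCKERHUB_NAMESPACE || github.repository_owner`:
  # forks without the repository variable fall back to their own owner
  namespace="${ns_var:-$owner}"
  image="${namespace}/${IMAGE_REPO}"

  case "$event" in
    pull_request)
      # build locally for scanning only: no login, no push, no SARIF upload
      tags="pr"; push=false; upload_sarif=false ;;
    push)
      [ "$ref" = refs/heads/main ] || {
        echo "push builds are only supported on main, got: $ref" >&2; return 1; }
      tags="develop"; push=true; upload_sarif=true ;;
    release)
      tags="$(version_from_tag "$ref") latest"; push=true; upload_sarif=true ;;
    workflow_dispatch)
      case "$ref" in
        refs/heads/main)
          # manual run on main behaves like a develop build
          tags="develop"; push=true; upload_sarif=true ;;
        refs/tags/*)
          # assumed: manual run on a tag behaves like a release build;
          # SARIF upload for manual runs is limited to main
          tags="$(version_from_tag "$ref") latest"; push=true; upload_sarif=false ;;
        *)
          echo "manual runs are only supported on main or on a tag, got: $ref" >&2
          return 1 ;;
      esac ;;
    *)
      echo "unsupported event: $event" >&2; return 1 ;;
  esac

  printf 'image=%s\ntags=%s\npush=%s\nupload_sarif=%s\n' \
    "$image" "$tags" "$push" "$upload_sarif"
}

# meta_get KEY EVENT REF DOCKERHUB_NAMESPACE REPOSITORY_OWNER -> value of KEY
meta_get() {
  key="$1"; shift
  compute_meta "$@" | sed -n "s/^${key}=//p"
}

# demo: a push to main on the upstream repository
compute_meta push refs/heads/main hawkbit eclipse
```

Inside the workflow the same function would run in the metadata step as `compute_meta "$GITHUB_EVENT_NAME" "$GITHUB_REF" "${{ vars.DOCKERHUB_NAMESPACE }}" "$GITHUB_REPOSITORY_OWNER" >> "$GITHUB_OUTPUT"`, and the login, push and SARIF-upload steps would each carry an `if:` on the corresponding output. Gating the login step this way matters because `pull_request` runs from forks receive no repository secrets, so a login step that is merely allowed to fail would still expose the credentials path to untrusted code paths; skipping it entirely is the safer shape.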