Fix(deps): Update docker/setup-qemu-action commit SHA (#5)

gowthamrao · gowthamrao · commit 37f7e1d3d34f · 2025-10-25T18:10:54.000-04:00
fix(ci): Resolve Docker build workflow failures and update dependencies

This commit addresses multiple issues that caused the Docker `build-scan-push` workflow to fail, ensuring the pipeline is robust and functional.

Key fixes:
* **Action Dependencies:** Updates several GitHub Actions to valid, stable commit SHAs to resolve "action not found" errors:
    * `docker/setup-qemu-action`
    * `docker/setup-buildx-action`
    * `docker/build-push-action`
    * `aquasecurity/trivy-action`
* **Image Tagging:** Adds a step to convert the `GITHUB_REPOSITORY` name to lowercase, fixing the "repository name must be lowercase" error during the build.
* **Dockerfile:**
    * Ensures the `/install` directory is created in the builder stage, preventing `COPY` failures when no production dependencies exist.
    * Removes a redundant `poetry install` command.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -29,24 +29,28 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199093565ac3b62264dc64a97
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d70bba72b6f31a22640103738a088e5d3c8b4104
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+
+      - name: Lowercase repository name
+        id: repo_name
+        run: echo "name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
 
       - name: Build and push
-        uses: docker/build-push-action@2cddeafc873d6113b789a7164923793f63101131
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
         with:
           context: .
           push: true
-          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+          tags: ghcr.io/${{ steps.repo_name.outputs.name }}:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
       - name: Scan for vulnerabilities
-        uses: aquasecurity/trivy-action@678a23d8ab761c56f6f59508935c1054363d11b3
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
         with:
-          image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
+          image-ref: 'ghcr.io/${{ steps.repo_name.outputs.name }}:${{ github.sha }}'
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
diff --git a/Dockerfile b/Dockerfile
@@ -11,10 +11,10 @@ WORKDIR /app
 COPY pyproject.toml poetry.lock* ./
 COPY src/ ./src/
 
-# Export dependencies and install them, then install the project
-RUN poetry export -f requirements.txt --output requirements.txt --without-hashes && \
-    pip install --no-cache-dir --prefix="/install" -r requirements.txt && \
-    poetry install --no-dev
+# Export dependencies and install them
+RUN mkdir -p /install && \
+    poetry export -f requirements.txt --output requirements.txt --without-hashes && \
+    pip install --no-cache-dir --prefix="/install" -r requirements.txt
 
 
 # Stage 2: Runtime
