From fd8083d737761afba87515da9f25d4e383464630 Mon Sep 17 00:00:00 2001 From: albertwayland <90286197+albertwayland@users.noreply.github.com> Date: Thu, 26 Feb 2026 14:04:23 -0600 Subject: [PATCH 1/3] Update call-docker-build-result.yaml --- .../workflows/call-docker-build-result.yaml | 106 +++++------------- 1 file changed, 28 insertions(+), 78 deletions(-) diff --git a/.github/workflows/call-docker-build-result.yaml b/.github/workflows/call-docker-build-result.yaml index a946a87b03..9debdae4eb 100644 --- a/.github/workflows/call-docker-build-result.yaml +++ b/.github/workflows/call-docker-build-result.yaml 
@@ -1,82 +1,32 @@ -name: Build Result -# template source: https://github.com/dockersamples/.github/blob/main/templates/call-docker-build.yaml +name: Build and Scan Result Image on: - # we want pull requests so we can build(test) but not push to image registry - push: - branches: - - 'main' - # only build when important files change - paths: - - 'result/**' - - '.github/workflows/call-docker-build-result.yaml' - pull_request: - branches: - - 'main' - # only build when important files change - paths: - - 'result/**' - - '.github/workflows/call-docker-build-result.yaml' + workflow_dispatch: jobs: - call-docker-build: - - name: Result Call Docker Build - - uses: dockersamples/.github/.github/workflows/reusable-docker-build.yaml@main - - permissions: - contents: read - packages: write # needed to push docker image to ghcr.io - pull-requests: write # needed to create and update comments in PRs - - secrets: - - # Only needed if with:dockerhub-enable is true below - dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} - - # Only needed if with:dockerhub-enable is true below - dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - - with: - - ### REQUIRED - ### ENABLE ONE OR BOTH REGISTRIES - ### tell docker where to push. - ### NOTE if Docker Hub is set to true, you must set secrets above and also add account/repo/tags below - dockerhub-enable: true - ghcr-enable: true - - ### REQUIRED - ### A list of the account/repo names for docker build. 
List should match what's enabled above - ### defaults to: - image-names: | - ghcr.io/dockersamples/example-voting-app-result - dockersamples/examplevotingapp_result - - ### REQUIRED set rules for tagging images, based on special action syntax: - ### https://github.com/docker/metadata-action#tags-input - ### defaults to: - tag-rules: | - type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} - type=raw,value=before,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} - type=raw,value=after,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} - type=ref,event=pr - - ### path to where docker should copy files into image - ### defaults to root of repository (.) - context: result - - ### Dockerfile alternate name. Default is Dockerfile (relative to context path) - # file: Containerfile - - ### build stage to target, defaults to empty, which builds to last stage in Dockerfile - # target: - - ### platforms to build for, defaults to linux/amd64 - ### other options: linux/amd64,linux/arm64,linux/arm/v7 - platforms: linux/amd64,linux/arm64,linux/arm/v7 - - ### Create a PR comment with image tags and labels - ### defaults to false - # comment-enable: false + build-and-scan: + name: Build and Scan Result Image + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Build Image Locally + run: docker build -t example-voting-app-result:latest ./result + + - name: Scan Image with Sysdig + id: scan + uses: sysdiglabs/scan-action@v6 + with: + image-tag: example-voting-app-result:latest + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + sysdig-secure-url: ${{ secrets.SECURE_API_URL }} + stop-on-failed-policy-eval: false + stop-on-processing-error: true + + - name: Upload SARIF Results + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json 
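Review bot: The new `build-and-scan` job removes the old `permissions:` block (`contents: read`, `packages: write`, `pull-requests: write`) without replacing it, so the job runs with whatever default GITHUB_TOKEN permissions the repository grants; the `Upload SARIF Results` step needs `security-events: write`, which a read-only default will not provide, and a permissive default hands the job far more than it uses. Add an explicit least-privilege block at job or workflow level: `permissions:` / `  contents: read` / `  security-events: write`. `actions/checkout@v4`, `sysdiglabs/scan-action@v6` and `github/codeql-action/upload-sarif@v3` are also pinned to mutable major tags; since the scan step is handed `secrets.SECURE_API_TOKEN`, pinning each to a full commit SHA (with the tag in a trailing comment) would close the tag-retarget supply-chain path.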
From e6abfc248e31fe31fa61702fd0d4e5fced82ccea Mon Sep 17 00:00:00 2001 From: albertwayland <90286197+albertwayland@users.noreply.github.com> Date: Thu, 26 Feb 2026 14:09:07 -0600 Subject: [PATCH 2/3] Update call-docker-build-vote.yaml --- .github/workflows/call-docker-build-vote.yaml | 53 +++++++++---------- 1 file changed, 24 insertions(+), 29 deletions(-) diff --git a/.github/workflows/call-docker-build-vote.yaml b/.github/workflows/call-docker-build-vote.yaml index cb4a484a2a..ec12d362c7 100644 --- a/.github/workflows/call-docker-build-vote.yaml +++ b/.github/workflows/call-docker-build-vote.yaml 
@@ -1,40 +1,35 @@ -name: Build Vote -# template source: https://github.com/dockersamples/.github/blob/main/templates/call-docker-build.yaml +name: Build and Scan Vote Image on: - # we want pull requests so we can build(test) but not push to image registry - push: - branches: - - 'main' - # only build when important files change - paths: - - 'vote/**' - - '.github/workflows/call-docker-build-vote.yaml' - pull_request: - branches: - - 'main' - # only build when important files change - paths: - - 'vote/**' - - '.github/workflows/call-docker-build-vote.yaml' + workflow_dispatch: jobs: - call-docker-build: + build-and-scan: + name: Build and Scan Vote Image + runs-on: ubuntu-latest - name: Vote Call Docker Build + steps: + - name: Checkout Code + uses: actions/checkout@v4 - uses: dockersamples/.github/.github/workflows/reusable-docker-build.yaml@main + - name: Build Image Locally + run: docker build -t example-voting-app-vote:latest ./vote - permissions: - contents: read - packages: write # needed to push docker image to ghcr.io - pull-requests: write # needed to create and update comments in PRs - - secrets: - - # Only needed if with:dockerhub-enable is true below - dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + - name: Scan Image with Sysdig + id: scan + uses: sysdiglabs/scan-action@v6 + with: + image-tag: example-voting-app-vote:latest + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + sysdig-secure-url: ${{ secrets.SECURE_API_URL }} + stop-on-failed-policy-eval: false + stop-on-processing-error: true + - name: Upload SARIF Results + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json # Only needed if with:dockerhub-enable is true below dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} From 128f58d96deec3528bcc72a95594f55916d21c53 Mon Sep 17 00:00:00 2001 
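Review bot: The hunk ends with two surviving context lines, `# Only needed if with:dockerhub-enable is true below` and `dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}`, which now appear directly after the `steps:` sequence of `build-and-scan` with their enclosing `secrets:` key deleted — a mapping entry left at the indent of a sequence item, which will most likely fail to parse, and which still references a Docker Hub token the new job never uses. The `@@ -1,40 +1,35 @@` range and the 24/29 diffstat (against 28/78 for the result and worker files) suggest the rest of the old reusable-workflow call (`with:`, `image-names`, `tag-rules`, `platforms`, …) also survives below this hunk, so the new file is probably the new job followed by a tail of the old one. Delete everything after `sarif_file: ${{ github.workspace }}/sarif.json` so the file matches the result and worker workflows, and drop the remaining `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` references. As in the sibling workflows the job also lost its `permissions:` block; `permissions:` / `  contents: read` / `  security-events: write` is what the SARIF upload needs and keeps the token least-privilege.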
From: albertwayland <90286197+albertwayland@users.noreply.github.com> Date: Thu, 26 Feb 2026 14:09:56 -0600 Subject: [PATCH 3/3] Update call-docker-build-worker.yaml --- .../workflows/call-docker-build-worker.yaml | 106 +++++------------- 1 file changed, 28 insertions(+), 78 deletions(-) diff --git a/.github/workflows/call-docker-build-worker.yaml b/.github/workflows/call-docker-build-worker.yaml index 5abfb6bc9c..8b044668c8 100644 --- a/.github/workflows/call-docker-build-worker.yaml +++ b/.github/workflows/call-docker-build-worker.yaml 
@@ -1,82 +1,32 @@ -name: Build Worker -# template source: https://github.com/dockersamples/.github/blob/main/templates/call-docker-build.yaml +name: Build and Scan Worker Image on: - # we want pull requests so we can build(test) but not push to image registry - push: - branches: - - 'main' - # only build when important files change - paths: - - 'worker/**' - - '.github/workflows/call-docker-build-worker.yaml' - pull_request: - branches: - - 'main' - # only build when important files change - paths: - - 'worker/**' - - '.github/workflows/call-docker-build-worker.yaml' + workflow_dispatch: jobs: - call-docker-build: - - name: Worker Call Docker Build - - uses: dockersamples/.github/.github/workflows/reusable-docker-build.yaml@main - - permissions: - contents: read - packages: write # needed to push docker image to ghcr.io - pull-requests: write # needed to create and update comments in PRs - - secrets: - - # Only needed if with:dockerhub-enable is true below - dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} - - # Only needed if with:dockerhub-enable is true below - dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - - with: - - ### REQUIRED - ### ENABLE ONE OR BOTH REGISTRIES - ### tell docker where to push. - ### NOTE if Docker Hub is set to true, you must set secrets above and also add account/repo/tags below - dockerhub-enable: true - ghcr-enable: true - - ### REQUIRED - ### A list of the account/repo names for docker build. 
List should match what's enabled above - ### defaults to: - image-names: | - ghcr.io/dockersamples/example-voting-app-worker - dockersamples/examplevotingapp_worker - - ### REQUIRED set rules for tagging images, based on special action syntax: - ### https://github.com/docker/metadata-action#tags-input - ### defaults to: - tag-rules: | - type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} - type=ref,event=pr - - ### path to where docker should copy files into image - ### defaults to root of repository (.) - context: worker - - ### Dockerfile alternate name. Default is Dockerfile (relative to context path) - # file: Containerfile - - ### build stage to target, defaults to empty, which builds to last stage in Dockerfile - # target: - - ### platforms to build for, defaults to linux/amd64 - ### other options: linux/amd64,linux/arm64,linux/arm/v7 - # FIXME worker arm/v7 support doesn't build in .net core 3.1 with QEMU - # a fix would likely run the .net build on amd64 but with a target of arm/v7 - platforms: linux/amd64,linux/arm64,linux/arm/v7 - - ### Create a PR comment with image tags and labels - ### defaults to false - # comment-enable: false + build-and-scan: + name: Build and Scan Worker Image + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Build Image Locally + run: docker build -t example-voting-app-worker:latest ./worker + + - name: Scan Image with Sysdig + id: scan + uses: sysdiglabs/scan-action@v6 + with: + image-tag: example-voting-app-worker:latest + sysdig-secure-token: ${{ secrets.SECURE_API_TOKEN }} + sysdig-secure-url: ${{ secrets.SECURE_API_URL }} + stop-on-failed-policy-eval: false + stop-on-processing-error: true + + - name: Upload SARIF Results + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json
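Review bot: With `workflow_dispatch` as the only trigger and `stop-on-failed-policy-eval: false`, the Sysdig scan neither runs on pushes or pull requests touching `worker/**` nor fails the job when policy evaluation fails, so it cannot act as a gate; findings surface only if someone runs the workflow by hand and then reads the uploaded SARIF. If advisory-only is intended, say so above the step, e.g. `# Advisory scan: policy failures are reported via SARIF but do not fail the job`; otherwise restore a `pull_request`/`push` trigger with `paths: ['worker/**', '.github/workflows/call-docker-build-worker.yaml']` and set `stop-on-failed-policy-eval: true`. `sysdig-secure-url` is read from a secret although an endpoint URL is not sensitive — keeping it in `env` or repository `vars` would make the configuration reviewable and leave `secrets` for `SECURE_API_TOKEN` alone. Note also that the dropped `platforms: linux/amd64,linux/arm64,linux/arm/v7` line means the plain `docker build` presumably produces only a runner-native (amd64) image, so the scan no longer covers the arm variants that were previously published.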