Introduction
In a previous blog post, Beginner’s Guide: Build, Push, and Deploy Docker Image with GitHub Actions, we explored how to set up a GitHub Actions workflow for building, pushing, and deploying Docker images. This guide takes it a step further by adding semantic versioning, cleaner build workflows, and vulnerability scanning to the CI/CD pipeline. By implementing these improvements, you can better automate Docker image lifecycle management with a robust and professional workflow.
Why This Update?
The updated workflow introduces several notable enhancements:
- Semantic Versioning: Automatically bump Docker image versions based on commit messages.
- Improved Docker Build and Push: Cleaner setup with GitHub Container Registry (GHCR).
- Security Scanning: Use Trivy to scan Docker images for vulnerabilities before deployment.
This workflow ensures version control, clean tagging, and improved security measures in an automated CI/CD pipeline.
Complete GitHub Actions Workflow
Here is the updated GitHub Actions YAML workflow:
Key Improvements and Explanation
- Semantic Versioning
Managing Docker image versions can become tedious, especially in collaborative projects. Semantic versioning automates version bumps based on commit messages:
- Default Behavior: Increments the patch version.
- Custom Increments:
  - Add bump: major to a commit message to increment the major version.
  - Add bump: minor to a commit message to increment the minor version.
Code Explanation:
```yaml
- name: Determine Version Bump Type
  id: determine-bump-type
  run: |
    # Default to a patch bump; overwritten below if the latest commit message carries a keyword
    echo "level=patch" >> $GITHUB_ENV
    if git log -1 --pretty=%B | grep -q 'bump: major'; then
      echo "level=major" >> $GITHUB_ENV
    elif git log -1 --pretty=%B | grep -q 'bump: minor'; then
      echo "level=minor" >> $GITHUB_ENV
    fi
```
Here, the script scans the latest commit message for the keywords and records the resulting bump level in the job environment for the later semver job to consume.
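As an added example (not the post's own workflow code), the same keyword check as a reusable shell function, together with the version arithmetic that the step above leaves to the later semver job; it assumes plain MAJOR.MINOR.PATCH versions, optionally prefixed with a git-tag style "v":

```shell
# Added example, not the post's workflow code. Assumes MAJOR.MINOR.PATCH
# versions (optional leading "v"), no prerelease or build suffix.

# bump_level MESSAGE -> prints major, minor or patch (patch is the default).
# Only the exact tokens "bump: major" / "bump: minor" are honoured, as in the post.
bump_level() {
  if printf '%s\n' "$1" | grep -q 'bump: major'; then
    echo major
  elif printf '%s\n' "$1" | grep -q 'bump: minor'; then
    echo minor
  else
    echo patch
  fi
}

# bump_version VERSION LEVEL -> prints the next version.
# A leading "v" is stripped and not re-added; lower components reset to 0.
bump_version() {
  ver=${1#v}
  level=$2
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  case "$level" in
    major) major=$((major + 1)); minor=0; patch=0 ;;
    minor) minor=$((minor + 1)); patch=0 ;;
    patch) patch=$((patch + 1)) ;;
    *) echo "unknown bump level: $level" >&2; return 1 ;;
  esac
  printf '%s.%s.%s\n' "$major" "$minor" "$patch"
}

# Constructed sample: the text a CI job would read with `git log -1 --pretty=%B`.
# In a workflow step the two results would be appended to $GITHUB_ENV instead of echoed.
sample_msg='Add PHP 8.2 image

bump: minor'
level=$(bump_level "$sample_msg")
echo "level=$level"                                  # level=minor
echo "new_version=$(bump_version v1.4.2 "$level")"   # new_version=1.5.0
```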
- Clean Docker Build and Push to GHCR
The Docker image is built and pushed to GitHub Container Registry (GHCR), making it easier to manage images natively in GitHub.
Steps:
- Log in to the GHCR using GitHub credentials.
- Build and tag the image with the new version and latest tag.
Code Example:
```yaml
- name: Build and Push Docker Image
  uses: docker/build-push-action@v6
  with:
    context: ./php-8.2
    file: ./php-8.2/Dockerfile
    push: true
    tags: |
      ghcr.io/${{ github.repository }}:${{ needs.semver.outputs.new_version }}
      ghcr.io/${{ github.repository }}:latest
```
- Vulnerability Scanning with Trivy
Security is critical for containerized applications. Trivy scans the built Docker image for vulnerabilities before deployment, and the step exits with an error if vulnerabilities are found, so the deploy step only runs for images that passed the scan. Note that the scan targets the tag that the previous step has already pushed to GHCR, so a failing image is still present in the registry; this gate protects deployment, not the push.
Code Explanation:
```yaml
- name: Run Trivy Vulnerability Scan
  uses: aquasecurity/trivy-action@0.28.0
  with:
    scan-type: 'image'
    image-ref: ghcr.io/${{ github.repository }}:${{ needs.semver.outputs.new_version }}
    format: 'table'
    exit-code: '1'
    ignore-unfixed: true
    vuln-type: 'os,library'
```
- scan-type: image: Scans the built image.
- exit-code: 1: Fails the workflow if vulnerabilities are detected.
- ignore-unfixed: true: Ignores vulnerabilities without known fixes; these remain in the image and do not fail the scan.
Conclusion
This enhanced GitHub Actions workflow adds automation, cleaner versioning, and security scanning to your Docker CI/CD pipeline. By leveraging semantic versioning, Docker builds with GHCR, and vulnerability scanning via Trivy, you can ensure efficient, secure, and manageable image deployments.
For a practical implementation, you can refer to the complete workflow in my GitHub repository.
If you're new to GitHub Actions or Docker automation, check out my earlier blog post for foundational concepts: Beginner’s Guide: Build, Push, and Deploy Docker Image with GitHub Actions.
Happy automating!