But we’re only scanning latest

A CVE scan is more valuable if it’s scanning each PR commit

1. We’ll need to ensure our Docker Build creates a unique image tag for each PR commit

2. Also, we’ll need to wait for Docker Build to finish before trying to scan

• We’ll enhance the Docker Build in today’s Homework!

Bret’s Reusable Workflow Conventions

• Store all reusable workflows in a single repo
  • actions, gha-reusable, or reusable-workflows are all fine names
• Standardize naming of "calling" versus "callable" workflow files
  • Called/callable reusable workflows: reusable-*.yml
  • Calling workflows: call-*.yml
• Permissions should be set in both calling --> reusable
  • Reusable workflow (at workflow level) sets required permissions to run
  • Calling workflow (at job level) sets permissions it gives to reusable
• Don’t mix workflow_call with push or pull_request events in the same file
• Reusable workflow repos should have a local calling workflow to test it
  • This may mean adding a sample Dockerfile and other file types as test data
• Reusable workflow repos- should have a ./template/ full of calling workflow examples
• Example of these conventions bretfisher/docker-build-workflow

Permissions in reusable workflows!

• Below is a "calling" workflow. Notice the Job-based permissions
• We always need to pass necessary permissions to the reusable workflow
• The reusable "called" workflow gets the calling "context", including GITHUB_TOKEN and these perms
• ProTip: Also set required perms in Reusable Workflow. Then, it’ll fail earily if calling doesn’t give them

name: Docker Build
on:
push:
  branches:
    - main
  pull_request:
jobs:
  call-docker-build:
    name: Call Docker Build
    uses: mostlydevops/actions/.github/workflows/reusable-docker-build.yaml@main
    permissions:
      packages: write
      pull-requests: write
    with:
      image-name: ghcr.io/mostlydevops/wordsmith-web