From f776fdadcc4fb35914b13e60944bfe1fd041225c Mon Sep 17 00:00:00 2001 From: mm-psy <147830298+mm-psy@users.noreply.github.com> Date: Tue, 27 Jan 2026 14:50:31 +0100 Subject: [PATCH 1/6] Fix image reference extraction for Trivy SBOM generation in Docker publish workflow --- .github/workflows/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 113c32fc..e823bb19 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -114,7 +114,7 @@ jobs: scan-type: 'image' format: 'cyclonedx' output: 'sbom-output/sbom_container.cyclonedx.json' - image-ref: ${{ steps.meta.outputs.tags }} + image-ref: ${{ fromJSON(steps.meta.outputs.tags)[0] }} skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields - name: Upload trivy/container AND application SBOMs as a Github artifact From 76545011591ff398da48983ccdeb5014c51ee420 Mon Sep 17 00:00:00 2001 From: mm-psy <147830298+mm-psy@users.noreply.github.com> Date: Tue, 27 Jan 2026 15:02:02 +0100 Subject: [PATCH 2/6] Add step to extract first image tag for Trivy scanning in Docker publish workflow --- .github/workflows/docker-publish.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index e823bb19..d05718ff 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -106,6 +106,12 @@ jobs: push: false outputs: type=local,dest=sbom-output + # Extract the first tag from the list for Trivy scanning + - name: Get first image tag + if: ${{ github.event_name != 'pull_request' }} + id: first-tag + run: echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT + # Generate container SBOM. - name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container if: ${{ github.event_name != 'pull_request' }} @@ -114,7 +120,7 @@ jobs: scan-type: 'image' format: 'cyclonedx' output: 'sbom-output/sbom_container.cyclonedx.json' - image-ref: ${{ fromJSON(steps.meta.outputs.tags)[0] }} + image-ref: ${{ steps.first-tag.outputs.value }} skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields - name: Upload trivy/container AND application SBOMs as a Github artifact From 4ada24c7546c6d80cbf6c34903bdaf6f542bb2d7 Mon Sep 17 00:00:00 2001 From: mm-psy <147830298+mm-psy@users.noreply.github.com> Date: Thu, 29 Jan 2026 11:53:22 +0100 Subject: [PATCH 3/6] Fix manual trigger value format in Docker publish workflow --- .github/workflows/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index d05718ff..de5660a6 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
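Review bot: The new `Get first image tag` step interpolates `${{ steps.meta.outputs.tags }}` straight into the `run:` script, so the tag list is substituted by the runner before bash parses the command; the values derive from branch names, and although metadata-action normalises them, relying on that for shell-quoting safety is fragile and any future change to the tag rules would expose the `'...'` quoting. Hand the value over through the environment instead: `env:` / `  TAGS: ${{ steps.meta.outputs.tags }}` and `run: echo "value=$(printf '%s\n' "$TAGS" | head -n1)" >> "$GITHUB_OUTPUT"`. If `meta` is docker/metadata-action (its `uses:` line is outside the hunk), the action's `json` output already carries the tags as an array and `${{ fromJSON(steps.meta.outputs.json).tags[0] }}` would make the shell step unnecessary. Whichever form is kept, the step should fail rather than emit an empty `value` when no tag rule matched, because the Trivy step in the second hunk passes it as `image-ref` without a check.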
@@ -75,7 +75,7 @@ jobs: type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/release/')}} type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/hotfix/')}} type=ref,event=pr - type=raw,value=manual-{{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}} + type=raw,value={{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action From e2e659368f3c8569047a2df0b800b442600d2a99 Mon Sep 17 00:00:00 2001 From: mm-psy <147830298+mm-psy@users.noreply.github.com> Date: Thu, 29 Jan 2026 14:50:27 +0100 Subject: [PATCH 4/6] Fix tag generation logic for Docker image based on branch conditions --- .github/workflows/docker-publish.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index de5660a6..a55b22bc 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -71,11 +71,11 @@ jobs: latest=false tags: | type=semver,pattern={{raw}} - type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/develop')}} - type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/release/')}} - type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/hotfix/')}} + type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}} + type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}} + type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}} + type=raw,value={{branch}}-{{sha}},enable=${{!startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}} type=ref,event=pr - type=raw,value={{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action From 08f184663273254d3475663aaefda6f399c55b95 Mon Sep 17 00:00:00 2001 From: mm-psy <147830298+mm-psy@users.noreply.github.com> Date: Thu, 29 Jan 2026 14:58:02 +0100 Subject: [PATCH 5/6] Enhance tag generation logic for Docker image by adding priority to develop branch tags --- .github/workflows/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index a55b22bc..d6d659c2 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
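Review bot: The rewritten rules still select the develop tags with `startsWith(github.ref,'refs/heads/develop')`, which is a prefix test: a push to a branch named, say, `develop-experiment` or `development` would match it, publish the moving `develop` tag from that branch, and at the same time be excluded from the `{{branch}}-{{sha}}` fallback on the following line; the same prefix is carried into the hunks of patches 5 and 6. Use an exact comparison for the develop branch, `enable=${{github.ref == 'refs/heads/develop'}}`, and keep `startsWith` only for `refs/heads/release/`, where the trailing slash bounds the match. Separately, the replaced `{{branch}}-{{sha}}` rule was limited to `refs/heads/hotfix/` and now applies to every other ref; unless `on.push.branches` (not in this hunk) restricts the trigger, any branch push is now built and, if `push:` is enabled for non-PR events, published under that tag, which widens what lands in the registry and should be a deliberate decision. The `tags: |` block scalar continues above and below the hunk.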
@@ -71,7 +71,7 @@ jobs: latest=false tags: | type=semver,pattern={{raw}} - type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}} + type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201 type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}} type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}} type=raw,value={{branch}}-{{sha}},enable=${{!startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}} From fedf3f94503fde93190c232245370e0b61d9cd0e Mon Sep 17 00:00:00 2001 From: mm-psy <147830298+mm-psy@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:40:48 +0100 Subject: [PATCH 6/6] Fix tag generation logic for non-develop and non-release branches in Docker publish workflow --- .github/workflows/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index d6d659c2..e1c12b5a 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -74,7 +74,7 @@ jobs: type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201 type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}} type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}} - type=raw,value={{branch}}-{{sha}},enable=${{!startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}} + type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/') && !startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}} type=ref,event=pr # Build and push Docker image with Buildx (don't push on PR)
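Review bot: `priority=201` on the `develop-{{sha}}` rule is a bare magic number: its purpose, ranking that tag above the other `type=raw` entries (docker/metadata-action gives raw rules priority 200 by default) so that it becomes the first line of `steps.meta.outputs.tags` and therefore the `image-ref` chosen by the `Get first image tag` step's `head -n1`, is stated nowhere, and the coupling between this number and that step is invisible to anyone editing either. Since a `#` line inside the `tags: |` block scalar would be part of the value rather than a comment, add the explanation above the `tags:` key shown in the hunk's context, e.g. `# develop-<sha> carries priority=201 (> raw default 200) so it is the first tag emitted; the first-tag step below relies on that ordering`.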