ci(release): refactor workflows with reusable validate, buildah-only builds

miragecentury · cursoragent · miragecentury · commit 5415e1eca9bf · 2026-02-19T22:26:46.000+01:00
- Add reusable validate.yaml: hadolint + build-and-scan (buildah, dive, trivy)
- CI: call validate workflow instead of duplicating hadolint/build jobs
- Release: gate semantic-release behind validate; build-and-push only builds and pushes (no re-scan)

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -19,58 +19,5 @@ jobs:
 
       - uses: wagoid/commitlint-github-action@v6
 
-  hadolint:
-    name: Lint Containerfile
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: hadolint/hadolint-action@v3.1.0
-        with:
-          dockerfile: Containerfile
-
-  build:
-    name: Build and scan
-    runs-on: ubuntu-latest
-    needs: [hadolint]
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install yq
-        run: |
-          sudo curl -sSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.45.4/yq_linux_amd64"
-          sudo chmod +x /usr/local/bin/yq
-
-      - name: Build image
-        run: |
-          BUILD_ARGS=""
-          for arg in $(yq e '.build.args[]' manifest.yaml); do
-            BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}"
-          done
-          # shellcheck disable=SC2086
-          docker build -f Containerfile ${BUILD_ARGS} -t test-build .
-
-      - name: Install Dive
-        run: |
-          DIVE_VERSION=0.12.0
-          curl -sSL -o /tmp/dive.deb "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb"
-          sudo apt install -y /tmp/dive.deb
-          rm /tmp/dive.deb
-
-      - name: Dive filesystem scan
-        run: dive --ci --source=docker test-build
-
-      - name: Cache Trivy vulnerability DB
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/trivy
-          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
-          restore-keys: |
-            trivy-db-${{ runner.os }}-
-
-      - name: Trivy vulnerability scan
-        uses: aquasecurity/trivy-action@0.24.0
-        with:
-          image-ref: test-build
-          severity: 'HIGH,CRITICAL'
-          exit-code: '1'
+  validate:
+    uses: ./.github/workflows/validate.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,8 +9,12 @@ permissions:
   packages: write
 
 jobs:
+  validate:
+    uses: ./.github/workflows/validate.yaml
+
   release:
     name: Semantic release
+    needs: validate
     runs-on: ubuntu-latest
     outputs:
       new_release_published: ${{ steps.semantic.outputs.new_release_published }}
@@ -30,7 +34,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   build-and-push:
-    name: Build, scan & push
+    name: Build & push
     needs: release
     if: needs.release.outputs.new_release_published == 'true'
     runs-on: ubuntu-latest
@@ -49,11 +53,6 @@ jobs:
           echo "registry=$(yq e '.registry' manifest.yaml)" >> "$GITHUB_OUTPUT"
           echo "format=$(yq e '.build.format' manifest.yaml)" >> "$GITHUB_OUTPUT"
 
-      - name: Validate Containerfile
-        run: |
-          docker pull -q ghcr.io/hadolint/hadolint:latest
-          docker run --rm -i -v "$(pwd)/.hadolint.yaml:/.hadolint.yaml:ro" hadolint/hadolint:latest hadolint --config /.hadolint.yaml - < Containerfile
-
       - name: Build image
         env:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
@@ -89,35 +88,10 @@ jobs:
             --tag "${IMAGE_NAME}:${IMAGE_VERSION}" \
             .
 
-          # Save to OCI archive for scanning and pushing
+          # Save to OCI archive for pushing
           mkdir -p build
           buildah push "${IMAGE_NAME}:${IMAGE_VERSION}" "oci-archive:build/${IMAGE_NAME}.tar"
 
-          # Load into Docker daemon for dive scan
-          skopeo copy "oci-archive:build/${IMAGE_NAME}.tar" "docker-daemon:${IMAGE_NAME}:${IMAGE_VERSION}"
-
-      - name: Dive filesystem scan
-        env:
-          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
-        run: dive --ci --source=docker "${IMAGE_NAME}:${IMAGE_VERSION}"
-
-      - name: Cache Trivy vulnerability DB
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/trivy
-          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
-          restore-keys: |
-            trivy-db-${{ runner.os }}-
-
-      - name: Trivy vulnerability scan
-        env:
-          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
-        run: |
-          trivy image \
-            --severity HIGH,CRITICAL \
-            --exit-code 1 \
-            --input "build/${IMAGE_NAME}.tar"
-
       - name: Login to GHCR
         env:
           REGISTRY: ${{ steps.manifest.outputs.registry }}
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
@@ -0,0 +1,95 @@
+name: Validate
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  hadolint:
+    name: Lint Containerfile
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Containerfile
+
+  build-and-scan:
+    name: Build and scan
+    needs: hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install build tools
+        run: ./scripts/install_tools.sh
+
+      - name: Read manifest
+        id: manifest
+        run: |
+          echo "image_name=$(yq e '.name' manifest.yaml)" >> "$GITHUB_OUTPUT"
+          echo "format=$(yq e '.build.format' manifest.yaml)" >> "$GITHUB_OUTPUT"
+
+      - name: Build image
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+          IMAGE_FORMAT: ${{ steps.manifest.outputs.format }}
+        run: |
+          # Build args from manifest
+          BUILD_ARGS=()
+          while IFS= read -r arg; do
+            BUILD_ARGS+=(--build-arg "${arg}")
+          done < <(yq e '.build.args[]' manifest.yaml)
+
+          # Labels from manifest
+          LABELS=()
+          while IFS= read -r label; do
+            if [[ -n "${label}" ]]; then
+              label_key="${label%%=*}"
+              label_value="${label#*=}"
+              label_value="${label_value%\"}"
+              label_value="${label_value#\"}"
+              LABELS+=(--label "${label_key}=${label_value}")
+            fi
+          done < <(yq e '.build.labels[]' manifest.yaml)
+
+          buildah build \
+            --squash \
+            --pull-always \
+            --format "${IMAGE_FORMAT}" \
+            "${BUILD_ARGS[@]}" \
+            "${LABELS[@]}" \
+            --tag "${IMAGE_NAME}:test" \
+            .
+
+          # Save to OCI archive for scanning
+          mkdir -p build
+          buildah push "${IMAGE_NAME}:test" "oci-archive:build/${IMAGE_NAME}.tar"
+
+          # Load into Docker daemon for dive scan
+          skopeo copy "oci-archive:build/${IMAGE_NAME}.tar" "docker-daemon:${IMAGE_NAME}:test"
+
+      - name: Dive filesystem scan
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+        run: dive --ci --source=docker "${IMAGE_NAME}:test"
+
+      - name: Cache Trivy vulnerability DB
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/trivy
+          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
+          restore-keys: |
+            trivy-db-${{ runner.os }}-
+
+      - name: Trivy vulnerability scan
+        env:
+          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
+        run: |
+          trivy image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            --input "build/${IMAGE_NAME}.tar"
diff --git a/path_to_comments/discussion_r2809010124 b/path_to_comments/discussion_r2809010124
