
Conversation

@korewaChino (Member)

This should improve DX somewhat by providing a prebuilt environment for katsu

Comment on lines 7 to 27
        runs-on: ubuntu-latest
        steps:
            - name: Checkout
              uses: actions/checkout@v5
            - name: Login to Docker Hub   # step name is misleading: this logs in to ghcr.io, not Docker Hub
              uses: docker/login-action@v3
              with:
                username: ${{ github.repository_owner }}
                password: ${{ secrets.GITHUB_TOKEN }}
                registry: ghcr.io
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v3
            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3
            - name: Build and push
              uses: docker/build-push-action@v6
              with:
                context: .
                # build-push-action takes the Dockerfile path as `file`; `dockerfile` is not an input
                # of the action and is ignored, so the build would fall back to ./Dockerfile
                file: builder.Dockerfile
                push: true
                tags: ghcr.io/ultramarine-linux/katsu:latest

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 3 months ago)

To fix the problem, add a permissions: block either at the root of the workflow (applies to all jobs) or specifically to the docker job, assigning the minimal permissions necessary. For this workflow, the minimum is contents: read. If pushing to the GitHub Container Registry using GITHUB_TOKEN is required, adding packages: write would also be prudent, as that permission controls publishing container images. Insert this block above the jobs: key at the top level, or within the specific job definition. The best location is at the root of the workflow for clarity and because there is only one job, which keeps the file maintainable and follows best practice.

This change requires adding:

permissions:
  contents: read
  packages: write

after the workflow name (line 1), or before the jobs: key (line 5).

Suggested changeset 1
.github/workflows/builder-image.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/builder-image.yml b/.github/workflows/builder-image.yml
--- a/.github/workflows/builder-image.yml
+++ b/.github/workflows/builder-image.yml
@@ -2,6 +2,9 @@
 
 on: [push]
 
+permissions:
+  contents: read
+  packages: write
 jobs:
     docker:
         runs-on: ubuntu-latest
EOF
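Review bot: `packages: write` is required here rather than merely prudent, because the login step authenticates with `secrets.GITHUB_TOKEN` and the build step has `push: true`; with only `contents: read` the push to ghcr.io is rejected. The bigger point is scope: the hunk's context line shows `on: [push]`, so a push to any branch or tag receives a token that can publish to ghcr.io/ultramarine-linux/katsu, and the job overwrites `:latest` unconditionally. Consider narrowing the trigger (for example `on: push: branches: [main]`) or making `push:` conditional on the ref, and put a blank line between `packages: write` and `jobs:` to match the spacing around `on:`.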
            - name: Checkout
              uses: actions/checkout@v5
            - name: Login to Docker Hub
              uses: docker/login-action@v3

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow (Medium)

Unpinned 3rd party Action 'Build Katsu builder image' step uses 'docker/login-action' with ref 'v3', not a pinned commit hash.
                password: ${{ secrets.GITHUB_TOKEN }}
                registry: ghcr.io
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v3

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow (Medium)

Unpinned 3rd party Action 'Build Katsu builder image' step uses 'docker/setup-qemu-action' with ref 'v3', not a pinned commit hash.
            - name: Set up QEMU
              uses: docker/setup-qemu-action@v3
            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow (Medium)

Unpinned 3rd party Action 'Build Katsu builder image' step uses 'docker/setup-buildx-action' with ref 'v3', not a pinned commit hash.
            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3
            - name: Build and push
              uses: docker/build-push-action@v6

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow (Medium)

Unpinned 3rd party Action 'Build Katsu builder image' step uses 'docker/build-push-action' with ref 'v6', not a pinned commit hash.
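Both classes of CodeQL finding on this PR (no `permissions:` block, and `uses:` references pinned to mutable tags such as `v3` instead of a commit SHA) are mechanical enough to detect and fix with a short script. The following is an added example linter and fixer, not code from the katsu repository, from CodeQL or from Copilot: it reproduces both checks over a condensed, constructed copy of this PR's workflow (the step names and the `file:` key in the sample are assumed, since the page does not show the whole file), inserts the permissions block before `jobs:`, and rewrites action refs from a caller-supplied tag-to-SHA map. The all-zero SHA used in the demo is a placeholder; real values come from `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` on each action's repository.

```python
"""Added example: offline linter/fixer for the two CodeQL findings on this PR.

Checks (mirroring CodeQL's messages, not its implementation):
  1. the workflow has no top-level `permissions:` block
  2. `uses: owner/repo@ref` where ref is a tag or branch, not a 40-hex commit SHA
Fixes: insert a permissions block before `jobs:`, and rewrite refs from a
caller-supplied {"owner/repo@tag": "<sha>"} map (assumed input; resolve it with
`git ls-remote https://github.com/owner/repo refs/tags/<tag>` yourself).
Line-oriented on purpose: no PyYAML dependency, and comments and layout survive.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")

# Constructed sample: a condensed version of the workflow in this PR. Step names
# and the `file:` key are assumed; the page does not show the whole file.
SAMPLE_WORKFLOW = """\
name: Build Katsu builder image

on: [push]

jobs:
    docker:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout
              uses: actions/checkout@v5
            - name: Login to GHCR
              uses: docker/login-action@v3
              with:
                username: ${{ github.repository_owner }}
                password: ${{ secrets.GITHUB_TOKEN }}
                registry: ghcr.io
            - name: Build and push
              uses: docker/build-push-action@v6
              with:
                context: .
                file: builder.Dockerfile
                push: true
                tags: ghcr.io/ultramarine-linux/katsu:latest
"""


def find_unpinned(text):
    """Return [(line_no, action, ref)] for every `uses:` whose ref is not a commit SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    GitHub refs, so tag pinning does not apply to them.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if not SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


def has_top_level_permissions(text):
    """True if a column-0 `permissions:` key exists (job-level blocks are not counted here)."""
    return any(line.startswith("permissions:") for line in text.splitlines())


def lint(text):
    """Produce CodeQL-style messages for both findings."""
    msgs = []
    if not has_top_level_permissions(text):
        msgs.append("Workflow does not contain permissions")
    for lineno, action, ref in find_unpinned(text):
        msgs.append(f"line {lineno}: uses '{action}' with ref '{ref}', not a pinned commit hash")
    return msgs


def add_permissions(text, perms):
    """Insert a top-level permissions block before `jobs:`; no-op if one already exists."""
    if has_top_level_permissions(text):
        return text
    block = "permissions:\n" + "".join(f"  {k}: {v}\n" for k, v in perms.items()) + "\n"
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith("jobs:"):
            return "".join(lines[:i]) + block + "".join(lines[i:])
    return text + block  # no jobs: key at all; append so the block is still present


def pin_actions(text, pins):
    """Rewrite `owner/repo@tag` to `owner/repo@sha  # tag` for every entry in pins."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m.group(1) in pins:
            target = m.group(1)
            action, _, ref = target.partition("@")
            line = line.replace(target, f"{action}@{pins[target]}") + f"  # {ref}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for msg in lint(SAMPLE_WORKFLOW):
        print(msg)
    # Placeholder SHAs (all zeros), not real commits: resolve them with git ls-remote.
    pins = {f"{a}@{r}": "0" * 40 for _, a, r in find_unpinned(SAMPLE_WORKFLOW)}
    fixed = pin_actions(add_permissions(SAMPLE_WORKFLOW, {"contents": "read", "packages": "write"}), pins)
    print(fixed)
    print("findings after fix:", lint(fixed))
```

Run as a script it lists four findings for the sample (the missing permissions block and three unpinned actions) and none after the fix. Keeping the original tag as a trailing comment is deliberate: Dependabot and Renovate read that comment to bump a SHA-pinned action, so pinning does not freeze updates. The permissions check here only accepts a top-level block; CodeQL also accepts a job-level one, which is the right choice when different jobs need different scopes.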
@Owen-sz (Member) commented Oct 21, 2025

Merge into 43


3 participants