
Refactor Docker build to use pre-built binaries and add security scanning#398

Closed
boykush wants to merge 3 commits into main from claude/add-sast-docker-image-SEW7g

Conversation

@boykush
Owner

@boykush boykush commented Feb 14, 2026

Summary

This PR refactors the Docker build process and CI/CD pipeline to improve security and build efficiency:

  1. Docker Build Refactoring: Simplifies the Dockerfile by removing the multi-stage Rust build and instead copying a pre-built binary from the build context. This reduces image size and build time.

  2. CI/CD Pipeline Changes:

    • Updates publish-docker-package.yml to trigger on successful completion of the "Build binary and update homebrew" workflow instead of on release events
    • Downloads the pre-built binary from the release artifacts before building the Docker image
    • Removes conditional logic for PR checks since the workflow now only runs on successful upstream workflow completion
    • Simplifies version extraction to use GitHub CLI
  3. Security Scanning: Adds a new trivy-docker-scan.yml workflow that:

    • Scans the Dockerfile for security misconfigurations
    • Scans the base image (debian:bookworm-slim) for OS package vulnerabilities
    • Runs on Dockerfile changes and weekly to detect new vulnerabilities
    • Uploads results to GitHub Security tab for visibility

Related Issues

Additional Notes

The refactored approach decouples Docker image building from binary compilation, allowing the binary to be built once and reused across different deployment targets. The Trivy scanning provides continuous security monitoring of both the Dockerfile configuration and base image dependencies.

https://claude.ai/code/session_01GzHUQbhSrNrwQjmXR8JFi9
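The CI change described in the PR summary (a `workflow_run` trigger, downloading the pre-built binary from the release, extracting the version with the GitHub CLI, then building the image from a context that already contains the binary), as an added example that is not the repository's own publish-docker-package.yml. The asset name `scraps-x86_64-unknown-linux-gnu.tar.gz`, the `SHA256SUMS` file, the ghcr.io image name and the assumption that the upstream workflow runs on a `v*` tag are illustrative assumptions, not facts taken from the PR.

```yaml
# Added example workflow (not the project's publish-docker-package.yml).
name: Publish Docker package

on:
  workflow_run:
    workflows: ["Build binary and update homebrew"]
    types: [completed]

permissions:
  contents: read
  packages: write

jobs:
  publish:
    # workflow_run fires on *every* completion, including failure and
    # cancellation, so the upstream conclusion must be checked explicitly.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Build from the exact commit the upstream workflow built, not
          # from whatever main points at when this job starts.
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Resolve release tag
        id: tag
        run: |
          # Assumption: the upstream workflow runs on a pushed tag such as
          # v1.2.3, so head_branch carries the tag name. Reject anything else
          # rather than publishing an image from an arbitrary branch run.
          tag="${{ github.event.workflow_run.head_branch }}"
          case "$tag" in
            v[0-9]*) ;;
            *) echo "not a release tag: $tag" >&2; exit 1 ;;
          esac
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
          echo "version=${tag#v}" >> "$GITHUB_OUTPUT"

      - name: Download release asset and verify checksum
        run: |
          # Asset and checksum file names are assumptions for this example.
          gh release download "${{ steps.tag.outputs.tag }}" \
            --repo "${{ github.repository }}" \
            --pattern 'scraps-x86_64-unknown-linux-gnu.tar.gz' \
            --pattern 'SHA256SUMS' \
            --dir dist
          # Fail the job if the archive does not match the published digest.
          (cd dist && sha256sum --check --ignore-missing SHA256SUMS)
          # Assumption: the archive contains the binary as ./scraps.
          tar -xzf dist/scraps-*.tar.gz -C dist
          test -x dist/scraps

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: |
            ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.version }}
            ghcr.io/${{ github.repository }}:latest
```

Two checks in this example matter more than the rest. The `if:` on the job is what actually implements "trigger on successful completion": the `completed` type alone also fires for failed and cancelled upstream runs. The checksum step is the minimum a supply-chain reviewer would ask for once a binary is fetched over the network instead of compiled in the build; a checksum file from the same release only proves the download was not corrupted, so when the release also carries build provenance it should be checked with `gh attestation verify` before the binary is copied into the image, and the action references above should be pinned to commit SHAs rather than major-version tags.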

…r build

Replace cargo install with pre-built binary from GitHub Releases,
eliminating the Rust toolchain builder stage. The workflow now triggers
via workflow_run after binary build completes, ensuring the release
asset is available before Docker image build.

https://claude.ai/code/session_01GzHUQbhSrNrwQjmXR8JFi9
Scan Dockerfile config and base image for CRITICAL/HIGH vulnerabilities
on PRs touching Dockerfile and weekly schedule. Results are uploaded to
GitHub Security tab via SARIF.

https://claude.ai/code/session_01GzHUQbhSrNrwQjmXR8JFi9
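The scan the commit message above describes (Dockerfile misconfiguration scan plus an OS-package scan of `debian:bookworm-slim`, on PRs touching the Dockerfile and on a weekly schedule, with SARIF uploaded to the Security tab), as an added example that is not the repository's trivy-docker-scan.yml. The action versions, cron time, SARIF category names and the `ignore-unfixed` choice are illustrative.

```yaml
# Added example workflow (not the project's trivy-docker-scan.yml).
name: Trivy Docker scan

on:
  pull_request:
    paths: ["Dockerfile"]
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (illustrative)

permissions:
  contents: read
  security-events: write   # needed for upload-sarif; absent => 403 on upload

jobs:
  dockerfile-config:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan Dockerfile for misconfigurations
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-config.sarif
          severity: CRITICAL,HIGH
          exit-code: "1"          # fail the check, not just report
      - uses: github/codeql-action/upload-sarif@v3
        if: always()              # upload even when the scan step failed
        with:
          sarif_file: trivy-config.sarif
          category: trivy-dockerfile

  base-image:
    runs-on: ubuntu-latest
    steps:
      - name: Scan base image for OS package vulnerabilities
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: debian:bookworm-slim
          format: sarif
          output: trivy-image.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true    # bookworm-slim routinely carries unfixed CVEs
          exit-code: "1"
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-image.sarif
          category: trivy-base-image
```

Two points a reviewer would raise on this design. Distinct `category` values keep the two result sets separate in the Security tab instead of each upload overwriting the other. More importantly, scanning the base image says nothing about the Rust dependencies compiled into the `scraps` binary that the image now merely copies in; those are covered by `cargo audit` or `cargo deny` in the binary-build workflow, or by building with cargo-auditable so that an image scan of the published image (rather than of `debian:bookworm-slim`) can read the embedded dependency list.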
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

The downloader stage fetches the pre-built binary from GitHub Releases,
and the final stage copies only the binary into a clean image. This
keeps the Dockerfile self-contained while eliminating the Rust toolchain
dependency.

https://claude.ai/code/session_01GzHUQbhSrNrwQjmXR8JFi9
@github-actions

Performance Test Results 🚀

Build Time: 2.872 seconds
Status: ✅ PASS

Executed with: scraps build -v
Repository: boykush/wiki
Runner: Ubuntu latest

@github-actions

Performance Test Results 🚀

Build Time: 2.793 seconds
Status: ✅ PASS

Executed with: scraps build -v
Repository: boykush/wiki
Runner: Ubuntu latest

@boykush boykush closed this Feb 14, 2026