Ismo Vuorinen 9aa16a8164 feat: use our own actions in our workflows (#377)
* feat: use our own actions in our workflows

* fix: add missing inputs to validate-inputs, refactor node

* chore: cr comment fixes

* fix: update-validators formatting

* chore: update validators, add tests, conventions

* feat: validate severity with severity_enum

* feat: add 10 generic validators to improve input validation coverage

Add comprehensive validation system improvements across multiple phases:

Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum

Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support

Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'

Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs

Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation

Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)

* chore: regenerate rules.yml with improved validator coverage

Regenerate validation rules for all actions with new validators:

- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)

Overall: 23 of 25 actions now at 100% validation coverage (92%)

* fix: address PR #377 review comments

- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
  (@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes
2025-11-25 23:51:03 +02:00

ivuorinen/actions/docker-build

Docker Build

Description

Builds a Docker image for multiple architectures with enhanced security and reliability.

Inputs

| name | description | required | default |
| --- | --- | --- | --- |
| image-name | The name of the Docker image to build. Defaults to the repository name. | false | "" |
| tag | The tag for the Docker image. Must follow semver or valid Docker tag format. | true | "" |
| architectures | Comma-separated list of architectures to build for. | false | linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 |
| dockerfile | Path to the Dockerfile | false | Dockerfile |
| context | Docker build context | false | . |
| build-args | Build arguments in format KEY=VALUE,KEY2=VALUE2 | false | "" |
| cache-from | External cache sources (e.g., type=registry,ref=user/app:cache) | false | "" |
| push | Whether to push the image after building | false | true |
| max-retries | Maximum number of retry attempts for build and push operations | false | 3 |
| token | GitHub token for authentication | false | "" |
| buildx-version | Specific Docker Buildx version to use | false | latest |
| buildkit-version | Specific BuildKit version to use | false | v0.11.0 |
| cache-mode | Cache mode for build layers (min, max, or inline) | false | max |
| build-contexts | Additional build contexts in format name=path,name2=path2 | false | "" |
| network | Network mode for build (host, none, or default) | false | default |
| secrets | Build secrets in format id=path,id2=path2 | false | "" |
| auto-detect-platforms | Automatically detect and build for all available platforms | false | false |
| platform-build-args | Platform-specific build args in JSON format | false | "" |
| parallel-builds | Number of parallel platform builds (0 for auto) | false | 0 |
| cache-export | Export cache destination (e.g., type=local,dest=/tmp/cache) | false | "" |
| cache-import | Import cache sources (e.g., type=local,src=/tmp/cache) | false | "" |
| dry-run | Perform a dry run without actually building | false | false |
| verbose | Enable verbose logging with platform-specific output | false | false |
| platform-fallback | Continue building other platforms if one fails | false | true |
| scan-image | Scan built image for vulnerabilities | false | false |
| sign-image | Sign the built image with cosign | false | false |
| sbom-format | SBOM format (spdx-json, cyclonedx-json, or syft-json) | false | spdx-json |

Outputs

| name | description |
| --- | --- |
| image-digest | The digest of the built image |
| metadata | Build metadata in JSON format |
| platforms | Successfully built platforms |
| platform-matrix | Build status per platform in JSON format |
| build-time | Total build time in seconds |
| scan-results | Vulnerability scan results if scanning enabled |
| signature | Image signature if signing enabled |
| sbom-location | SBOM document location |

Runs

This action is a composite action.

Usage

- uses: ivuorinen/actions/docker-build@main
  with:
    image-name:
    # The name of the Docker image to build. Defaults to the repository name.
    #
    # Required: false
    # Default: ""

    tag:
    # The tag for the Docker image. Must follow semver or valid Docker tag format.
    #
    # Required: true
    # Default: ""

    architectures:
    # Comma-separated list of architectures to build for.
    #
    # Required: false
    # Default: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6

    dockerfile:
    # Path to the Dockerfile
    #
    # Required: false
    # Default: Dockerfile

    context:
    # Docker build context
    #
    # Required: false
    # Default: .

    build-args:
    # Build arguments in format KEY=VALUE,KEY2=VALUE2
    #
    # Required: false
    # Default: ""

    cache-from:
    # External cache sources (e.g., type=registry,ref=user/app:cache)
    #
    # Required: false
    # Default: ""

    push:
    # Whether to push the image after building
    #
    # Required: false
    # Default: true

    max-retries:
    # Maximum number of retry attempts for build and push operations
    #
    # Required: false
    # Default: 3

    token:
    # GitHub token for authentication
    #
    # Required: false
    # Default: ""

    buildx-version:
    # Specific Docker Buildx version to use
    #
    # Required: false
    # Default: latest

    buildkit-version:
    # Specific BuildKit version to use
    #
    # Required: false
    # Default: v0.11.0

    cache-mode:
    # Cache mode for build layers (min, max, or inline)
    #
    # Required: false
    # Default: max

    build-contexts:
    # Additional build contexts in format name=path,name2=path2
    #
    # Required: false
    # Default: ""

    network:
    # Network mode for build (host, none, or default)
    #
    # Required: false
    # Default: default

    secrets:
    # Build secrets in format id=path,id2=path2
    #
    # Required: false
    # Default: ""

    auto-detect-platforms:
    # Automatically detect and build for all available platforms
    #
    # Required: false
    # Default: false

    platform-build-args:
    # Platform-specific build args in JSON format
    #
    # Required: false
    # Default: ""

    parallel-builds:
    # Number of parallel platform builds (0 for auto)
    #
    # Required: false
    # Default: 0

    cache-export:
    # Export cache destination (e.g., type=local,dest=/tmp/cache)
    #
    # Required: false
    # Default: ""

    cache-import:
    # Import cache sources (e.g., type=local,src=/tmp/cache)
    #
    # Required: false
    # Default: ""

    dry-run:
    # Perform a dry run without actually building
    #
    # Required: false
    # Default: false

    verbose:
    # Enable verbose logging with platform-specific output
    #
    # Required: false
    # Default: false

    platform-fallback:
    # Continue building other platforms if one fails
    #
    # Required: false
    # Default: true

    scan-image:
    # Scan built image for vulnerabilities
    #
    # Required: false
    # Default: false

    sign-image:
    # Sign the built image with cosign
    #
    # Required: false
    # Default: false

    sbom-format:
    # SBOM format (spdx-json, cyclonedx-json, or syft-json)
    #
    # Required: false
    # Default: spdx-json
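The build-args, secrets and build-contexts inputs above all share the KEY=VALUE,KEY2=VALUE2 list format, and the commit message at the top of the page describes a key_value_list validator with shell injection prevention whose metacharacter pattern deliberately admits @ and #. The following is an added example in that spirit, not the project's own validator code: the function names, the exact metacharacter set, the path-traversal rule applied to secrets and build-contexts values, and the argv layout are assumptions made here. It parses the list format, rejects entries that would change meaning inside a shell run: step, checks the tag input against Docker's tag grammar, and emits a docker buildx build argv intended for execution without a shell.

```python
"""Parsing the comma-separated KEY=VALUE inputs of a docker-build style action.

Added example, not the project's own validator. Function names, the exact
metacharacter policy and the argv layout are assumptions made here.
"""
from __future__ import annotations

import re

# Characters that change the meaning of a command line when an input is
# interpolated into a shell `run:` step. '@' and '#' are deliberately absent:
# they are not injection vectors and appear in npm scoped packages and refs.
SHELL_META = re.compile(r'[;&|`$<>(){}\\\'"\n\r]')

# Keys (build-arg names, secret ids, context names) must be identifier-like.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")

# Docker tag grammar: first char [A-Za-z0-9_], then up to 127 of [A-Za-z0-9_.-].
DOCKER_TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")


class ValidationError(ValueError):
    """Raised with a message that names the offending input and entry."""


def parse_key_value_list(raw: str, *, name: str, path_values: bool = False) -> dict[str, str]:
    """Parse 'KEY=VALUE,KEY2=VALUE2' into an ordered dict.

    Splits on ',' first and on the first '=' of each entry, so a value may
    contain '=' but never ','. Rejects empty entries, malformed keys,
    duplicate keys and shell metacharacters; with path_values=True it also
    rejects '..' path segments (secrets and build contexts are paths).
    """
    result: dict[str, str] = {}
    if not raw.strip():
        return result
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            raise ValidationError(f"{name}: empty entry in list")
        key, sep, value = entry.partition("=")
        if not sep or not KEY_RE.fullmatch(key):
            raise ValidationError(f"{name}: entry {entry!r} is not KEY=VALUE with a valid key")
        if (m := SHELL_META.search(value)) is not None:
            raise ValidationError(f"{name}: value of {key!r} contains shell metacharacter {m.group()!r}")
        if path_values and ".." in value.replace("\\", "/").split("/"):
            raise ValidationError(f"{name}: path for {key!r} contains a '..' segment")
        if key in result:
            raise ValidationError(f"{name}: duplicate key {key!r}")
        result[key] = value
    return result


def key_value_list_error(raw: str, *, name: str, path_values: bool = False) -> str | None:
    """Return the validation message for raw, or None if it is acceptable."""
    try:
        parse_key_value_list(raw, name=name, path_values=path_values)
    except ValidationError as exc:
        return str(exc)
    return None


def is_valid_docker_tag(tag: str) -> bool:
    """True if tag matches Docker's tag grammar (128 characters max)."""
    return DOCKER_TAG_RE.fullmatch(tag) is not None


def build_argv(*, image: str, tag: str, build_args: str = "", secrets: str = "",
               build_contexts: str = "", dockerfile: str = "Dockerfile",
               context: str = ".") -> list[str]:
    """Turn validated inputs into a `docker buildx build` argv.

    The list is meant for subprocess.run(argv) without shell=True, so no
    quoting is needed; the metacharacter check is defense in depth for the
    case where the same inputs are also interpolated into a shell step.
    """
    if not is_valid_docker_tag(tag):
        raise ValidationError(f"tag: {tag!r} is not a valid Docker tag")
    argv = ["docker", "buildx", "build", "--file", dockerfile, "--tag", f"{image}:{tag}"]
    for key, value in parse_key_value_list(build_args, name="build-args").items():
        argv += ["--build-arg", f"{key}={value}"]
    for sid, path in parse_key_value_list(secrets, name="secrets", path_values=True).items():
        argv += ["--secret", f"id={sid},src={path}"]
    for cname, path in parse_key_value_list(build_contexts, name="build-contexts", path_values=True).items():
        argv += ["--build-context", f"{cname}={path}"]
    argv.append(context)
    return argv


if __name__ == "__main__":
    # Constructed sample inputs mirroring the formats in the inputs table.
    print(build_argv(image="app", tag="1.2.3",
                     build_args="VERSION=1.2.3,NPM_PKG=@scope/pkg#1.0",
                     secrets="npmrc=.npmrc"))
    print(key_value_list_error("VERSION=1.0;curl evil", name="build-args"))
```

Passing the argv to subprocess.run without shell=True is what actually prevents command injection; the metacharacter check still matters because composite actions commonly interpolate ${{ inputs.x }} straight into a run: script, where a value such as 1;curl evil is executed by the runner's shell. A value can never contain a comma in this format, which is a limitation of the input syntax rather than of the validator. Note also that push defaults to true, so a workflow that only wants to exercise the build should set push to false or use dry-run.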