feat: push to GHCR as secondary registry + Trivy CVE scanning in PR checks#114
Merged
jorge07 merged 1 commit into jorge07:master on Feb 22, 2026
…hecks
release.yaml:
- Add 'Login to GHCR' step (docker/login-action@v3, GITHUB_TOKEN)
- After Docker Hub push, mirror all tags to ghcr.io/jorge07/alpine-php
via 'docker buildx imagetools create' (zero-rebuild, copies the manifest)
- Add packages: write permission for GITHUB_TOKEN
pr.yaml:
- Add Trivy vulnerability scan step after image build
- Uses aquasecurity/trivy-action@0.29.0
- Scans jorge07/alpine-php:${VERSION} (main image, not dev)
- Fails CI on CRITICAL severity with a fix available (ignore-unfixed: true)
- Scans os and library vuln types
Dependabot (already configured) will keep trivy-action pinned up to date.
Closes jorge07#103 (GHCR + Trivy items)
jorge07
approved these changes
Feb 22, 2026
Closes #103 (GHCR + Trivy items — Dependabot already active)

GHCR as secondary registry (release.yaml)

After Docker Hub push, all tags are mirrored to ghcr.io/jorge07/alpine-php via docker buildx imagetools create. This copies the manifest without rebuilding — zero extra CI minutes.

Tags mirrored per version:
- ghcr.io/jorge07/alpine-php:8.x
- ghcr.io/jorge07/alpine-php:8.x-dev
- ghcr.io/jorge07/alpine-php:8.x.y (semver)
- ghcr.io/jorge07/alpine-php:8.x.y-dev

Uses GITHUB_TOKEN (automatically available, no secret needed). Added packages: write permission.

Trivy CVE scanning (pr.yaml)

Added aquasecurity/trivy-action@0.29.0 scan after the build step:
- Scans jorge07/alpine-php:${{ matrix.version }} (main image, not dev)
- Fails CI on CRITICAL severity with a fix available (ignore-unfixed: true)

Dependabot (already configured for github-actions) will keep trivy-action up to date automatically.
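The two workflow changes described in the commit message and in the PR body above, written out as an added example. This is not the repository's actual release.yaml or pr.yaml: the job and step names, the matrix wiring, and the `PATCH_VERSION` variable (standing in for the resolved 8.x.y semver tag) are assumptions made here; the action versions, the GHCR path, the tag scheme and the Trivy settings are the ones the PR states.

```yaml
# Added example (not the project's own workflows). Two excerpts reconstructed
# from the PR description; values not stated in the PR are marked as assumed.

# --- release.yaml (excerpt) ------------------------------------------------
permissions:
  contents: read
  packages: write          # lets GITHUB_TOKEN push to ghcr.io

jobs:
  release:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        version: ["8.3"]   # assumed sample value; the real matrix is in the repo
    steps:
      # ... existing build + Docker Hub push steps for ${{ matrix.version }} ...

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}   # no extra secret required

      # Mirror by copying the manifest already pushed to Docker Hub.
      # imagetools create references the existing image, so multi-arch
      # manifest lists are preserved and nothing is rebuilt.
      - name: Mirror tags to GHCR
        env:
          VERSION: ${{ matrix.version }}
          PATCH_VERSION: ${{ env.PATCH_VERSION }}   # assumed: set by an earlier step to 8.x.y
        run: |
          set -euo pipefail
          for tag in "$VERSION" "$VERSION-dev" "$PATCH_VERSION" "$PATCH_VERSION-dev"; do
            docker buildx imagetools create \
              --tag "ghcr.io/jorge07/alpine-php:$tag" \
              "docker.io/jorge07/alpine-php:$tag"
          done

# --- pr.yaml (excerpt) -----------------------------------------------------
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        version: ["8.3"]   # assumed sample value
    steps:
      # ... existing build step producing jorge07/alpine-php:${{ matrix.version }} ...

      - name: Trivy CVE scan
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: jorge07/alpine-php:${{ matrix.version }}   # main image, not -dev
          scan-type: image
          vuln-type: os,library
          severity: CRITICAL
          ignore-unfixed: true   # only CRITICALs that have a fix available block the PR
          exit-code: "1"         # non-zero exit from Trivy fails the job
```

Two things worth keeping in mind when reading the gate. First, `ignore-unfixed: true` means a CRITICAL finding with no upstream fix never fails or even surfaces in this step; if visibility of those is wanted, a second non-blocking scan (for example with `exit-code: "0"` and a report format) is the usual companion. Second, the mirror step runs only after the Docker Hub push has succeeded, so the two registries can diverge if the job is cancelled between the two steps; a consumer that needs a guaranteed-identical manifest should compare digests rather than rely on matching tags.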