Two GitHub Actions workflows orchestrate the build and deployment pipeline and ensure a single immutable image digest flows from pull request to production.
- Build and test: `./mvnw -B -ntp test package`, run inside `quarkus-app`.
- Build native image: `./mvnw -B -ntp package -Pnative -DskipTests` packages the native runner once and tags it for the commit and the pull request.
- SBOM / vulnerability scan: Anchore's `sbom-action` (v0) and `scan-action` (v6) produce the SBOM and vulnerability reports, which are uploaded as the `pr-security-reports` artifact and to code scanning. The job summary shows the exact image reference used for later promotion.
- Optional signing: if Cosign keys are present, the same image digest is signed.
The repository variable `SECURITY_GATING` toggles scan enforcement:
- `permissive` (default) – scan failures do not block the workflow.
- `enforcing` – scan failures cause the job to fail.
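The gating switch and the image-identity record described above, as an added shell example (not the project's own workflow code): it maps `SECURITY_GATING` to the boolean that a scanner's fail-build switch expects (the `fail-build` input of `anchore/scan-action`), decides whether a failed scan fails the job, and writes the digest-pinned reference to `image-ref.txt` and the job summary. The function names, the treatment of unknown gating values as an error, and the scan exit status being passed in as an argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: scan gating driven by
# the SECURITY_GATING repository variable, plus recording of the image
# identity that the deploy workflow later promotes. Function names and the
# "unknown value is an error" rule are assumptions of this example.
set -eu

# Map SECURITY_GATING to the value for a scanner's fail-build input.
# Empty/unset means permissive (the page's default). Any other value is
# rejected so that a typo cannot silently disable enforcement.
gating_fail_build() {
  case "${1:-permissive}" in
    permissive) echo false ;;
    enforcing)  echo true ;;
    *) echo "unknown SECURITY_GATING value: '$1' (expected permissive|enforcing)" >&2; return 2 ;;
  esac
}

# Given the gating mode and the scan step's exit status, return 0 when the
# job may continue and 1 when it must fail (2 on an unknown mode).
apply_gate() {
  local mode="$1" scan_exit="$2" fail_build
  if [ "$scan_exit" -eq 0 ]; then
    return 0
  fi
  fail_build=$(gating_fail_build "$mode") || return 2
  if [ "$fail_build" = true ]; then
    echo "vulnerability scan failed (exit $scan_exit) and SECURITY_GATING is enforcing" >&2
    return 1
  fi
  # Workflow command on stdout: surfaces as an annotation, does not fail the job.
  echo "::warning::vulnerability scan failed (exit $scan_exit) but SECURITY_GATING is permissive"
  return 0
}

# Write the digest-pinned reference to image-ref.txt (for the
# pr-security-reports artifact) and to the job summary. A tag-only
# reference is refused: a tag can be moved between scan and promotion,
# a digest cannot.
record_image_ref() {
  local ref="$1" out="${2:-image-ref.txt}"
  if ! printf '%s\n' "$ref" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'; then
    echo "refusing to record non-digest reference: $ref" >&2
    return 1
  fi
  printf '%s\n' "$ref" > "$out"
  # GITHUB_STEP_SUMMARY is set by the Actions runner; fall back to stdout locally.
  printf '## Image\n\n`%s`\n' "$ref" >> "${GITHUB_STEP_SUMMARY:-/dev/stdout}"
}
```

In a workflow, `gating_fail_build "$SECURITY_GATING"` would feed the scanner step's fail-build input, `apply_gate` would run after the scan step with its outcome, and `record_image_ref` would run once the native image has been pushed and its digest is known.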
The deploy workflow resolves the pull request image digest and promotes it without rebuilding. It may tag the digest for traceability and then authenticates to GKE to apply manifests and roll out the exact image by digest.
- Security reports: the `pr-security-reports` artifact and the code scanning results.
- Image identity: written to the PR workflow summary and stored in `image-ref.txt` within the artifact.
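The deploy side of the same digest flow, as an added shell example (not the project's deploy workflow): it reads `image-ref.txt` from the downloaded `pr-security-reports` artifact, refuses anything that is not digest-pinned, tags the digest for traceability, rolls it out by digest and checks that the deployment really carries that digest. The `gcloud artifacts docker tags add` and `kubectl` invocations, the deployment and container names passed as arguments, and the `DRY_RUN` switch (which prints commands instead of running them) are assumptions of this example; authentication to GKE is assumed to have happened earlier in the workflow.

```shell
#!/usr/bin/env bash
# Added example, not the project's deploy workflow: promote the image the
# PR workflow recorded in image-ref.txt without rebuilding it. Assumed:
# Artifact Registry via gcloud, kubectl already pointed at the GKE cluster,
# and DRY_RUN=1 to print commands instead of executing them.
set -eu

# Run a command, or just print it when DRY_RUN=1.
run_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Read image-ref.txt from the downloaded pr-security-reports artifact and
# insist on a digest-pinned reference: a tag could be overwritten between
# scan and rollout, a digest cannot.
read_image_ref() {
  local ref
  ref=$(head -n 1 "$1" | tr -d '[:space:]')
  if ! printf '%s\n' "$ref" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'; then
    echo "image-ref.txt does not hold a digest-pinned reference: '$ref'" >&2
    return 1
  fi
  printf '%s\n' "$ref"
}

# Derive "<repository>:<tag>" from "<repository>@sha256:<digest>" so the
# promoted digest can be given a readable tag for traceability.
promotion_tag() {
  printf '%s:%s\n' "${1%@*}" "$2"
}

# Tag the digest (traceability only; the rollout still uses the digest),
# roll it out by digest, verify the deployment carries exactly that
# reference, and print the reference that was rolled out.
promote() {
  local artifact_dir="$1" tag="$2" deployment="$3" container="$4" ref live
  ref=$(read_image_ref "$artifact_dir/image-ref.txt") || return 1
  run_cmd gcloud artifacts docker tags add "$ref" "$(promotion_tag "$ref" "$tag")"
  run_cmd kubectl set image "deployment/$deployment" "$container=$ref"
  run_cmd kubectl rollout status "deployment/$deployment" --timeout=5m
  if [ "${DRY_RUN:-0}" != 1 ]; then
    # Post-check: the live pod template must reference the promoted digest.
    live=$(kubectl get "deployment/$deployment" \
      -o "jsonpath={.spec.template.spec.containers[?(@.name==\"$container\")].image}")
    if [ "$live" != "$ref" ]; then
      echo "rolled-out image '$live' does not match promoted reference '$ref'" >&2
      return 1
    fi
  fi
  printf '%s\n' "$ref"
}
```

A typical call after downloading the artifact would be `promote ./pr-security-reports v2.2.11 homedir homedir`; the script exits non-zero, before any cluster change, if the artifact carries a tag instead of a digest.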
Switch to mandatory gating by setting the repository variable `SECURITY_GATING` to `enforcing` in the repository settings.
After merging to `main`:

```bash
git fetch origin && git checkout main && git pull
git tag -a v2.2.11 -m "Homedir 2.2.11"
git push origin v2.2.11
# Optional GitHub Release
gh release create v2.2.11 -F RELEASE_NOTES.md -t "Homedir 2.2.11"
```