Docker & Kubernetes Workflows
Five workflows handle the full container lifecycle: build, scan for vulnerabilities, push to a registry, and deploy via Helm charts to EKS or AKS.
docker-build-push​
Build Docker images and push to Docker Hub or AWS ECR — handles authentication, tagging, and pushing to your chosen registry.
When to use: On merge to main/master to publish a new image version.
jobs:
build:
uses: clouddrove/github-shared-workflows/.github/workflows/docker-build-push.yml@master
with:
provider: dockerhub # dockerhub | ecr
images: myorg/myapp
IMAGE_TAG: ${{ github.sha }}
BUILD_PATH: .
secrets:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
For ECR:
with:
provider: ecr
ECR_REPOSITORY: my-app
aws_region: us-east-1
IMAGE_TAG: ${{ github.sha }}
secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
| Input | Required | Default | Description |
|---|---|---|---|
provider | No | dockerhub | dockerhub or ecr |
images | No | — | Docker Hub image name (org/name) |
ECR_REPOSITORY | No | — | ECR repository name |
IMAGE_TAG | No | latest | Tag to apply to the image |
BUILD_PATH | No | . | Docker build context path |
aws_region | No | us-east-1 | AWS region (ECR only) |
docker-scanner​
Scan Docker images for vulnerabilities using Trivy — builds the image locally and scans it, optionally blocking the workflow on critical findings.
When to use: On every pull request to catch vulnerabilities before they reach production.
jobs:
scan:
uses: clouddrove/github-shared-workflows/.github/workflows/docker-scanner.yml@master
with:
severity: CRITICAL,HIGH
dockerfile-path: ./Dockerfile
security-upload: true # upload results to GitHub Security tab
block_action: true # fail the workflow on findings
| Input | Required | Default | Description |
|---|---|---|---|
severity | No | CRITICAL,HIGH | Severity levels to report |
dockerfile-path | No | ./Dockerfile | Path to Dockerfile |
security-upload | No | true | Upload SARIF to GitHub Security tab |
block_action | No | false | Fail workflow when findings exist |
docker-scout​
Scan Docker images with Docker Scout and post results to PR — compares your image against a baseline tag and comments the vulnerability diff on the pull request.
When to use: On pull requests when you want a human-readable comparison of what vulnerabilities were added or removed.
jobs:
scout:
uses: clouddrove/github-shared-workflows/.github/workflows/docker-scout.yml@master
with:
IMAGES: myorg/myapp
IMAGE_TAG: ${{ github.sha }}
COMPARE_TAG: latest # baseline to compare against
WRITE-COMMENT: true
secrets:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
| Input | Required | Description |
|---|---|---|
IMAGES | Yes | Docker Hub image name |
IMAGE_TAG | Yes | Tag of image to scan |
COMPARE_TAG | No | Baseline tag for comparison |
WRITE-COMMENT | No | Post diff as PR comment |
docker-smurf-helm​
All-in-one: build, scan, push image, then deploy with Helm — orchestrates the full pipeline across multiple cloud providers in a single call.
When to use: When you want a single workflow that handles the entire build-and-deploy process for a containerized application.
jobs:
deploy:
uses: clouddrove/github-shared-workflows/.github/workflows/docker-smurf-helm.yml@master
with:
docker_enable: true
docker_push: true
docker_image_name: myorg/myapp
docker_registry: dockerhub
helm_enable: true
helm_release_name: myapp
secrets:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
| Input | Required | Default | Description |
|---|---|---|---|
docker_enable | No | true | Run Docker build steps |
docker_push | No | false | Push image to registry |
docker_image_name | No | — | Image name |
docker_registry | No | dockerhub | Registry provider |
helm_enable | No | false | Run Helm deploy steps |
helm_release_name | No | — | Helm release name |
helm-deploy​
Deploy Helm charts to AWS EKS or Azure AKS — authenticates with the cluster, runs helm upgrade --install, and supports automatic rollback on failure.
When to use: After pushing a new image, to update the running application in your Kubernetes cluster.
# Deploy to EKS
jobs:
deploy:
uses: clouddrove/github-shared-workflows/.github/workflows/helm-deploy.yml@master
with:
provider: eks
eks-cluster-name: my-production-cluster
helm-chart-directory: ./charts/myapp
release-name: myapp
namespace: production
timeout: 5m
rollback: true
secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
# Deploy to AKS
with:
provider: aks
azure-cluster-name: my-aks-cluster
release-name: myapp
namespace: production
secrets:
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
| Input | Required | Default | Description |
|---|---|---|---|
provider | No | eks | eks or aks |
eks-cluster-name | No | — | EKS cluster name |
azure-cluster-name | No | — | AKS cluster name |
helm-chart-directory | No | ./ | Path to Helm chart |
release-name | No | — | Helm release name |
namespace | No | default | Kubernetes namespace |
timeout | No | 5m | Helm operation timeout |
rollback | No | false | Auto-rollback on failure |