ci
also add scanning snyk
workflow ci
name: CI - Build & Push Docker Image
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
workflow_dispatch: # allows manual trigger
jobs:
build:
runs-on: ubuntu-latest
steps:
# 1️⃣ Checkout the code
- name: Checkout repository
uses: actions/checkout@v3
# 2️⃣ Extract metadata (tags, labels) for Docker
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: pavan8767/3-tier-backend
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=sha
# 3️⃣ Set up Docker Buildx (multi-platform support)
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
# 4️⃣ Cache Docker layers (speed up builds)
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
# 5️⃣ Login to DockerHub securely
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# 6️⃣ Build and push Docker image
- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
# 7️⃣ Move cache for next run
- name: Move Docker cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
best practices
Perfect — your current workflow will already push a latest tag, but let’s add best practices for Docker image builds 🚀
Here’s an improved GitHub Actions workflow with versioning, caching, and security practices:
name: CI - Build & Push Docker Image
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
workflow_dispatch: # allows manual trigger
jobs:
build:
runs-on: ubuntu-latest
steps:
# 1️⃣ Checkout the code
- name: Checkout repository
uses: actions/checkout@v3
# 2️⃣ Extract metadata (tags, labels) for Docker
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: pavan8767/3-tier-backend
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=sha
# 3️⃣ Set up Docker Buildx (multi-platform support)
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
# 4️⃣ Cache Docker layers (speed up builds)
- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
# 5️⃣ Login to DockerHub securely
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
# 6️⃣ Build and push Docker image
- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
# 7️⃣ Move cache for next run
- name: Move Docker cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache🔥 What’s improved here?
Multi-tagging & versioning
Each build gets tags like:
latestmainpr-123v1.0.0sha-<commit>→ So you can roll back easily.
Docker layer caching
Speeds up builds by reusing unchanged layers.
Metadata labels
Adds useful info (
org.opencontainers.image.*) inside the image.
Multi-platform builds (amd64 + arm64) (you can extend
platforms: linux/amd64,linux/arm64if needed).Workflow triggers
On push, PRs, and manual runs.
👉 Next step: Do you want me to also create a production-ready Dockerfile for your backend (with FastAPI + Alembic migrations auto-run inside container)?
Last updated