Skip to content

Reusable Workflow Contract

InputRequiredDescription
image-nameYesLocal image and reporting name
docker-contextYesBuild context
dockerfileYesDockerfile path
docker-runtime-targetNoNamed final stage
build-argsNoApproved non-secret build arguments
registry repository inputsPer targetECR, ACR, SPCS destinations
language versionYesNode or Python runtime
sonar-project-keyYes when enabledSonar project identity
run-terraform-scanNoHybrid repository switch

The workflow exposes image version, source SHA, ECR digest, ACR digest, SPCS reference where available, SBOM artifact name, and summarized gate results.

A minor workflow release may add optional inputs or improve implementation without changing outcomes. A major release is required when an input is removed, default gate behavior changes materially, or required repository structure changes.

Prefer named secrets and OIDC identities over broad secrets: inherit. During migration, inheritance may be used inside the organization, but the common workflow must document every secret it consumes.