Reusable Workflow Contract
Common inputs
Section titled “Common inputs”| Input | Required | Description |
|---|---|---|
image-name | Yes | Local image and reporting name |
docker-context | Yes | Build context |
dockerfile | Yes | Dockerfile path |
docker-runtime-target | No | Named final stage |
build-args | No | Approved non-secret build arguments |
| registry repository inputs | Per target | ECR, ACR, SPCS destinations |
| language version | Yes | Node or Python runtime |
sonar-project-key | Yes when enabled | Sonar project identity |
run-terraform-scan | No | Hybrid repository switch |
Outputs
Section titled “Outputs”The workflow exposes image version, source SHA, ECR digest, ACR digest, SPCS reference where available, SBOM artifact name, and summarized gate results.
Compatibility
Section titled “Compatibility”A minor workflow release may add optional inputs or improve implementation without changing outcomes. A major release is required when an input is removed, default gate behavior changes materially, or required repository structure changes.
Secrets
Section titled “Secrets”Prefer named secrets and OIDC identities over broad secrets: inherit. During migration, inheritance may be used inside the organization, but the common workflow must document every secret it consumes.