Chore: building application-sdk's base image #892
📜 Docstring Coverage Report
RESULT: PASSED (minimum: 30.0%, actual: 76.7%)

🛠 Docs available at: https://k.atlan.dev/application-sdk/chainguard-image

📦 Trivy Vulnerability Scan Results
Report Summary
Scan Result Details
✅ No vulnerabilities found during the scan for

📦 Trivy Secret Scan Results
Report Summary
Scan Result Details
✅ No secrets found during the scan for

☂️ Python Coverage
Overall Coverage
New Files: No new covered files...
Modified Files: No covered modified files...

🛠 Full Test Coverage Report: https://k.atlan.dev/coverage/application-sdk/pr/892
…o use that action
…ngs from Dockerfile
token does not have permissions to push to dockerhub. Getting this error message:

```
#31 exporting to image
#31 pushing layers 0.4s done
#31 ERROR: failed to push registry-1.docker.io/atlanhq/application-sdk:chainguard-image-a13ffd1abcd: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fapplication-sdk%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
------
 > exporting to image:
------
ERROR: failed to build: failed to solve: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fapplication-sdk%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
Reference
Check build summary support
Error: buildx failed with: ERROR: failed to build: failed to solve: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fapplication-sdk%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
```
Pull request overview
This PR adds Docker image building infrastructure for the application-sdk using a Chainguard-based base image, along with automated CI/CD through GitHub Actions for building and publishing images with integrated security scanning.
Key Changes:
- Added Dockerfile that builds application-sdk from source using a Chainguard Python base image with comprehensive dependency installation
- Implemented GitHub Actions workflow to automatically build and push Docker images on changes to main and chainguard-image branches
- Created reusable composite action with mandatory Snyk and Trivy security scanning before image publication
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| Dockerfile | Defines multi-stage build process for application-sdk using Chainguard base image, installing Dapr CLI and Python dependencies |
| .github/workflows/build-image.yaml | Workflow that triggers on pushes to build and publish Docker images with security scanning integration |
| .github/actions/secure-build-push-apps/action.yaml | Reusable composite action that enforces Snyk and Trivy security scanning before allowing image pushes to registries |
@firecast: responded to all the open comments + fixed PR based on the feedback. Can you please have a look and approve if all looks good?
Changelog
Additional context (e.g. screenshots, logs, links)
Checklist
Copyleft License Compliance
Note
Introduces a base Dockerfile and a GitHub Actions workflow using a composite action to build, scan (Snyk/Trivy), and push multi-arch images to GHCR.
- `Dockerfile` from `ghcr.io/atlanhq/pyatlan-chainguard-base:8.3.0-3.11` installing Dapr CLI, adding `uv`, creating `appuser`, initializing Dapr (slim), removing unused Dapr binaries, and defining common env vars and default `CMD`.
- `/.github/actions/secure-build-push-apps` to build single-platform for scan, run Snyk and Trivy, decide pass/fail, then build and optionally push multi-platform images; includes Snyk registry import/monitor fallback.
- `/.github/workflows/build-image.yaml` to build and push to GHCR on pushes (main/chainguard-image), tagging `latest` and short-sha-based versions, using the composite action.
- `.dockerignore` to minimize build context.

Written by Cursor Bugbot for commit b773c50.
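The "decide pass/fail" step between the scan build and the multi-platform push is the part that makes the scanning mandatory. The following is an added example, not code from this PR or its composite action: a gate over a `trivy image --format json` report that fails closed when the report is missing or unreadable. The function name `gate`, the blocking severities, and the sample reports are assumptions made for illustration.

```python
import json

BLOCKING = {"HIGH", "CRITICAL"}  # assumed policy, not taken from the PR

def gate(report_text, blocking=BLOCKING):
    """Return (allow_push, reasons) for one `trivy image --format json` report.

    Fails closed: a missing, empty or unparsable report blocks the push,
    so a scanner that crashed is never mistaken for a clean scan.
    """
    if not report_text or not report_text.strip():
        return False, ["no scan report produced"]
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        return False, [f"unparsable scan report: {exc.msg}"]
    if not isinstance(report, dict) or "SchemaVersion" not in report:
        return False, ["not a Trivy JSON report"]
    reasons = []
    # "Results", "Vulnerabilities" and "Secrets" may be absent when nothing was found.
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if severity in blocking:
                reasons.append(f"{target}: {vuln.get('VulnerabilityID')} ({severity})")
        for secret in result.get("Secrets") or []:
            # Any detected secret blocks the push, whatever its severity.
            reasons.append(f"{target}: secret {secret.get('RuleID')}")
    return not reasons, reasons

# Constructed sample reports (placeholder IDs, not real scan output).
CLEAN = json.dumps({"SchemaVersion": 2, "Results": [{"Target": "sample-image"}]})
DIRTY = json.dumps({"SchemaVersion": 2, "Results": [{
    "Target": "sample-image",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL"},
    ],
    "Secrets": [{"RuleID": "example-rule", "Severity": "MEDIUM"}],
}]})

if __name__ == "__main__":
    for name, text in [("clean", CLEAN), ("dirty", DIRTY), ("missing", "")]:
        allow, why = gate(text)
        print(name, "PUSH" if allow else "BLOCK", why)
```

In a workflow, the push step would run only when the gate allows it, so an empty report file left behind by a failed scan step blocks publication instead of passing silently.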