devpro · devpro · Feb 5, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,34 +2,12 @@ name: CI
 
 on:
   push:
-    branches:
-      - main
+    branches: [main]
   pull_request:
-    branches:
-      - main
+    branches: [main]
   workflow_dispatch: {}
 
-env:
-  python_version: "3.13"
-
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checks-out the repository
-        uses: actions/checkout@v4
-      - name: Lints Markdown files
-        uses: DavidAnson/markdownlint-cli2-action@v20
-        with:
-          globs: "**/*.md"
-      - name: Set up Python ${{ env.python_version }}
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.python_version }}
-      - name: Installs Python packages
-        run: |
-          python -m pip install --upgrade pip
-          pip install yamllint
-      - name: Lint YAML files
-        run: |
-          yamllint .
+  markup-lint:
+    name: Markup
+    uses: ./.github/workflows/reusable-markup-lint.yml
diff --git a/.github/workflows/reusable-container-publication.yml b/.github/workflows/reusable-container-publication.yml
@@ -0,0 +1,138 @@
+name: Reusable - Container publication
+# description: |
+#   Builds a new container image with Docker and pushes it to a registry
+#   Make sure to add (needed by cosign):
+#   ```
+#   permissions:
+#     id-token: write
+#     contents: read
+#   ```
+
+on:
+  workflow_call:
+    inputs:
+      container-registry:
+        description: Container registry
+        type: string
+        required: false
+        default: "docker.io"
+      create-latest:
+        description: "Create latest tag?"
+        type: boolean
+        required: false
+        default: false
+      extra-build-arguments:
+        description: Container build additional arguments
+        type: string
+        required: false
+        default: ""
+      image-definition:
+        description: Path to the container definition file (Dockerfile, Containerfile)
+        type: string
+        required: true
+      image-name:
+        description: Image name
+        type: string
+        required: true
+      image-path:
+        description: Image path
+        type: string
+        required: true
+      image-tag:
+        description: Image tag
+        type: string
+        required: true
+      job-name:
+        description: Job name
+        type: string
+        required: false
+        default: Publication
+      operating-system:
+        description: Operating system executing the runner
+        type: string
+        required: false
+        default: ubuntu-latest
+      workflow-parts-version:
+        description: GitHub workflow parts version (branch/tag/SHA)
+        type: string
+        required: false
+        default: main
+      working-directory:
+        description: Working directory
+        type: string
+        required: false
+        default: "."
+    secrets:
+      container-registry-username:
+        description: Container registry username
+        required: true
+      container-registry-password:
+        description: Container registry password
+        required: true
+      extra-vars:
+        description: "Additional environment variables"
+        required: false
+
+jobs:
+  container-publication:
+    name: ${{ inputs.job-name }}
+    runs-on: ${{ inputs.operating-system }}
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Set additional variables
+        run: |
+          if [[ -z "${{ secrets.extra-vars }}" ]]; then
+            echo "No extra-vars bundle provided - skipping."
+          else
+            echo "${{ secrets.extra-vars }}" | while IFS='=' read -r key val; do
+              if [[ -n "$val" ]]; then
+                echo "::add-mask::$val"
+              fi
+            done
+            echo "${{ secrets.extra-vars }}" >> "$GITHUB_ENV"
+          fi
+      - name: Clone repository
+        uses: actions/checkout@v6
+      - name: Checkout workflow parts
+        uses: actions/checkout@v6
+        with:
+          repository: devpro/github-workflow-parts
+          ref: ${{ inputs.workflow-parts-version }}
+          path: workflow-parts
+      - name: Login to container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ inputs.container-registry }}
+          username: ${{ secrets.container-registry-username }}
+          password: ${{ secrets.container-registry-password }}
+      - name: Build container image
+        run: docker build . --file ${{ inputs.image-definition }} --tag ${{ env.IMAGE_REF }} ${{ secrets.extra-build-arguments }}
+        shell: bash
+      - name: Generate SBOM with Syft
+        uses: anchore/sbom-action@v0
+        continue-on-error: true
+        with:
+          image: ${{ env.IMAGE_REF }}
+          # format: spdx-json # Or cyclonedx-json
+          # output-file: sbom.json
+          # upload-artifact: true # Auto-upload to workflow artifacts
+      - name: Push image to container registry
+        run: docker push ${{ env.IMAGE_REF }}
+        shell: bash
+      - name: Push latest tag to container registry
+        if: ${{ inputs.create_latest }}
+        run: |
+          docker tag ${{ env.IMAGE_REF }} ${{ env.IMAGE_REF_LATEST }}
+          docker push ${{ env.IMAGE_REF_LATEST }}
+        shell: bash
+      - name: Sign container image with Cosign
+        uses: ./workflow-parts/actions/cosign/sign
+        with:
+          image-name: ${{ inputs.image-name }}
+          image-path: ${{ inputs.image-path }}
+          image-tag: ${{ inputs.image-tag }}
+    env:
+      IMAGE_REF: ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
+      IMAGE_REF_LATEST: ${{ inputs.image-path }}/${{ inputs.image-name }}:latest
diff --git a/.github/workflows/reusable-container-scan.yml b/.github/workflows/reusable-container-scan.yml
@@ -0,0 +1,91 @@
+name: Reusable - Container scan
+
+on:
+  workflow_call:
+    inputs:
+      image-definition:
+        description: Path to the container definition file (Dockerfile, Containerfile)
+        type: string
+        required: true
+      image-name:
+        description: Image name
+        type: string
+        required: true
+      image-path:
+        description: Image path
+        type: string
+        required: true
+      image-tag:
+        description: Image tag
+        type: string
+        required: true
+      job-name:
+        description: Job name
+        type: string
+        required: false
+        default: Scan
+      max-high-cves:
+        description: Maximum number of high CVEs authorized
+        type: number
+        required: false
+        default: 0
+      max-medium-cves:
+        description: Maximum number of medium CVEs authorized
+        type: number
+        required: false
+        default: 0
+      neuvector-enabled:
+        description: "Use NeuVector to scan the image?"
+        type: string
+        required: false
+        default: false
+      operating-system:
+        description: Operating system executing the runner
+        type: string
+        required: false
+        default: ubuntu-latest
+      trivy-enabled:
+        description: "Use Trivy to scan the image?"
+        type: boolean
+        required: false
+        default: true
+      working-directory:
+        description: Working directory
+        type: string
+        required: false
+        default: "."
+
+jobs:
+  container-scan:
+    name: ${{ inputs.job-name }}
+    runs-on: ${{ inputs.operating-system }}
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v6
+      - name: Build container image
+        run: docker build . --file ${{ inputs.image-definition }} --tag ${{ env.IMAGE_REF }}
+        shell: bash
+      - name: Scan container image with NeuVector
+        if: ${{ inputs.neuvector-enabled }}
+        uses: neuvector/scan-action@main
+        with:
+          image-repository: ${{ inputs.image-path }}/${{ inputs.image-name }}
+          image-tag: ${{ inputs.image-tag }}
+          min-high-cves-to-fail: '${{ inputs.max-high-cves }}'
+          min-medium-cves-to-fail: '${{ inputs.max-medium-cves }}'
+      - name: Scan container image with Trivy
+        if: ${{ inputs.trivy-enabled }}
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_REF }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+    env:
+      IMAGE_REF: ${{ inputs.image-path }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
+      GITHUB_TOKEN: ${{ github.token }}