refactor(ci): rewire workflows to call build-logic reusables [DAT-22876]

[jandroav]

Summary

Rewire 6 CI/CD workflows to call reusables in liquibase/build-logic. No Dockerfile moves — this is the first change under epic DAT-22522 (Dockerfile migration), a spike that validates the reusable-workflow contract while this repo remains the Dockerfile owner.

• create-release.yml — 570 → 348 lines; matrix items become 3 named build jobs calling reusable-docker-build, publish job calls reusable-docker-publish
• test.yml — 801 → 45 lines; delegates to reusable-docker-test per matrix item
• trivy.yml — 603 → 186 lines; delegates to reusable-docker-scan (absorbs dispatch-new-cves caller job)
• build-qa-docker.yml — 669 → 157 lines; delegates build to reusable-docker-build-qa (QA artifact flow preserved verbatim); set-matrix, vulnerability-scan, cleanup-ghcr jobs kept in caller
• publish-oss-readme.yml — 49 → 21 lines; thin caller of reusable-docker-readme
• publish-liquibase-secure-readme.yml — 50 → 22 lines; same

Net: -1943 lines across 6 workflows.

Preserved

• repository_dispatch trigger types (liquibase-release, liquibase-secure-release) on create-release.yml
• Matrix definitions (community + alpine + secure) in all callers
• on: push: paths: filter on both readme workflows
• All workflow_dispatch inputs (releaseType, dryRun, QA selectors)
• cosign --certificate-identity-regexp target: ^https://github\.com/liquibase/docker/.* (unchanged — customer-safe)

Validation branch pin

All uses: lines pin @dat-22876-reusables. After the build-logic PR merges, this PR will get a follow-up commit flipping to @main.

Producer PR

liquibase/build-logic — reusable workflows — adds 6 reusable workflows + shared assets

Test plan

• workflow_dispatch test.yml on this branch — green ubuntu + macos × 3 Dockerfiles
• workflow_dispatch trivy.yml on this branch — Trivy + Scout + VEX for secure
• workflow_dispatch build-qa-docker.yml "All (Community + Alpine + Secure)"
• workflow_dispatch create-release.yml dryRun=true releaseType=liquibase-secure-release — verify cosign signing on dry-run ECR image
• workflow_dispatch create-release.yml dryRun=true releaseType=liquibase-release — community dry-run
• Docker Hub tags UNCHANGED during validation (no overwrite of existing liquibase/liquibase* or liquibase/liquibase-secure*)
• Flip @dat-22876-reusables → @main after producer PR merges; re-run key workflows
• Merge this PR only after all validation green

Jira

DAT-22876 (parent epic DAT-22522)

Related

• DAT-22523 — community Dockerfile migration (follow-up)
• DAT-22524 — secure Dockerfile migration (follow-up)
• DAT-22877 — archive liquibase/docker (final step)

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Refactors multiple GitHub Actions workflows to delegate build, test, scan, publish, and README update logic to shared reusable workflows in liquibase/build-logic, replacing large inline job implementations with per-variant reusable workflow invocations and smaller orchestration jobs.

Changes

Cohort / File(s)	Summary
QA Build Orchestration \.github/workflows/build-qa-docker.yml	Removed large matrix job; added boolean detection job and three per-variant build jobs that call liquibase/build-logic/.../reusable-docker-build-qa.yml@main. Added per-variant vuln-scan and GHCR cleanup jobs; workflow-level permissions updated.
Release Build & Publish \.github/workflows/create-release.yml	Replaced monolithic setup-update-draft-build matrix job with three conditional build jobs (build-community, build-alpine, build-secure) calling reusable-docker-build.yml@main; updated publish-release to depend on those builds and call reusable-docker-publish.yml@main.
Test Workflow \.github/workflows/test.yml	Replaced inline build/test steps with a call to liquibase/build-logic/.../reusable-docker-test.yml@main, passing matrix inputs and using secrets: inherit.
Vulnerability Scanning \.github/workflows/trivy.yml	Replaced matrix pipeline and separate dispatch/cleanup jobs with three per-variant scan jobs calling reusable scan workflow; simplified persistence and added notify-failure job.
README Publish Workflows \.github/workflows/publish-liquibase-secure-readme.yml, \.github/workflows/publish-oss-readme.yml	Added workflow_dispatch dry_run input(s); replaced inline DockerHub/Secrets handling and peter-evans/dockerhub-description steps with calls to liquibase/build-logic/.../reusable-docker-readme.yml@main using secrets: inherit.

Sequence Diagram(s)

sequenceDiagram
    participant Workflow as "Repo workflow"
    participant Reusable as "liquibase/build-logic\nreusable workflows"
    participant Secrets as "AWS/Vault / GitHub Secrets"
    participant Registry as "GHCR / Docker Registry"
    participant Scanner as "Trivy/Scanner"

    Workflow->>Reusable: invoke reusable build/test/scan/readme jobs (per-variant)
    Reusable->>Secrets: request secrets via secrets: inherit
    Reusable->>Registry: build/push images (buildx, cosign, SBOM as configured)
    Reusable->>Scanner: run vulnerability scans (per-variant)
    Scanner->>Registry: upload SARIF / report results
    Registry->>Workflow: return artifact/tag status

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix: resolve artifact naming conflict and Slack notification issues in vulnerability scanning workflow #457 — Modifies Trivy workflow and per-variant vulnerability scanning; closely related to the trivy changes here.
• DAT-21381: Use build-logic for vulnerability scanning #488 — Refactors vulnerability-scan steps to use shared build-logic reusable workflows; strong overlap with scan delegations.
• DAT-21009: Add Supply Chain Security to Liquibase Secure Docker Images #485 — Changes create-release.yml build/publish flow including secure-image signing/SBOM behavior; related to the release build refactor.

Suggested labels

type: ci

Suggested reviewers

• jnewton03
• sayaliM0412

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: rewiring CI/CD workflows to call reusable workflows from the build-logic repository, which aligns with the core objective of the changeset.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed context about workflow refactoring, preserved functionality, validation strategy, and test plans aligned with the six workflow modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dat-22876-extract-reusable-docker-workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @jandroav's task in 1m 31s —— View job

---

Code Review

1 issue found: build-qa-docker.yml line 118 uses reusable-vulnerability-scan.yml@main while PR description states "All uses: lines pin @dat-22876-reusables". This breaks the stated consistency goal and may cause validation issues when the producer PR merges if this reusable isn't in dat-22876-reusables. Fix this →

Strengths:

• All workflow triggers (repository_dispatch, push, pull_request, schedule) correctly preserved
• Matrix definitions (3 Dockerfiles × OS combinations) maintained across all relevant workflows
• Parameter passing to reusables complete and properly formatted
• Complex conditional logic (create-release.yml publish job) properly preserved
• cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.*

[claude]

Claude finished @jandroav's task in 1m 7s —— View job

---

Code Review

1 Issue Found & Fixed

build-qa-docker.yml lines 118 & 127: vulnerability-scan job used @main instead of @dat-22876-reusables

Status: ✅ Fix prepared locally

• Line 118: reusable-vulnerability-scan.yml@main → reusable-vulnerability-scan.yml@dat-22876-reusables
• Line 127: build_logic_ref: main → build_logic_ref: dat-22876-reusables

This ensures consistency with the PR goal: "All uses: lines pin @dat-22876-reusables"

Summary

• ✅ All other workflows (create-release, test, trivy, readme files) correctly use @dat-22876-reusables
• ✅ Consistency issue in build-qa-docker.yml identified and fixed
• ✅ No other significant issues found

The fix is ready to merge once you approve the changes.

[claude]

Claude finished @jandroav's task in 41s —— View job

---

Code Review

1 Critical Issue Found

build-qa-docker.yml — Inconsistent reusable version pin

Lines 118 & 127 use @main instead of @dat-22876-reusables, violating the PR goal stated in the description: "All uses: lines pin @dat-22876-reusables"

• Line 118: vulnerability-scan job uses reusable-vulnerability-scan.yml@main
• Line 127: build_logic_ref: main passed to the same job

Impact: When the build-logic producer PR merges and this branch is updated to use @main, this inconsistency could cause validation failures if the reusable workflow interface changes between versions.

Recommended Fix: Change both references to @dat-22876-reusables to match lines 96 and 108 of the same file.

Note: I cannot directly modify .github/workflows files due to GitHub App permissions. You'll need to fix this manually or use another method to update the file.

Summary

✅ All other workflows correctly use @dat-22876-reusables:

• create-release.yml — all 4 build/publish jobs consistent
• test.yml — test job consistent
• trivy.yml — all 3 scan jobs consistent
• publish-oss-readme.yml — readme job consistent
• publish-liquibase-secure-readme.yml — readme job consistent

✅ Triggers and matrix definitions preserved across all workflows
✅ All workflow_dispatch inputs maintained
✅ cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.*

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/create-release.yml:
- Around line 233-325: The build jobs (build-community, build-alpine,
build-secure) use the reusable workflow
liquibase/build-logic/.github/workflows/reusable-docker-build.yml which
currently does actions/checkout without a ref, so they may pick up the wrong
SHA; either extend that reusable workflow to accept a source_ref (or
checkout_ref) input and pass needs.update-dockerfiles.outputs.latestCommitSha
from each job's with: block (e.g., add source_ref: ${{
needs.update-dockerfiles.outputs.latestCommitSha }} in the with for
build-community/build-alpine/build-secure and use that input to set ref in
actions/checkout inside reusable-docker-build.yml), or alternatively ensure
update-dockerfiles pushes the bumped Dockerfile commit before these jobs run so
the default checkout SHA is correct.

In @.github/workflows/publish-liquibase-secure-readme.yml:
- Around line 16-22: The workflow's update-readme job is granting excessive repo
permissions; change the workflow permissions so that the reusable workflow call
(uses:
liquibase/build-logic/.github/workflows/reusable-docker-readme.yml@dat-22876-reusables)
only has contents: read (not write). Add or update a permissions block at the
workflow or job level for the update-readme job to explicitly set permissions:
contents: read, ensuring no write permission is granted when calling the
reusable workflow.

In @.github/workflows/publish-oss-readme.yml:
- Around line 15-21: The caller job named update-readme invoking
liquibase/build-logic/.github/workflows/reusable-docker-readme.yml@dat-22876-reusables
must grant repository read permissions so the reusable workflow's
actions/checkout can succeed; add permissions: contents: read to the
update-readme job (or the workflow-level permissions) so the reusable workflow
receives a token with repository content access when it runs.

In @.github/workflows/trivy.yml:
- Around line 94-95: Update the job-level if condition (the one using
needs.scan-community.result) so the persist-results job only runs when none of
the three scan jobs were cancelled: include checks for needs.scan-alpine.result
and needs.scan-secure.result in the boolean expression (i.e., require all three
results != 'cancelled') while keeping the existing always() and
github.event_name != 'pull_request' checks; modify the condition where the
current expression references needs.scan-community.result to reference all three
scan jobs (scan-community, scan-alpine, scan-secure).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3f69a58a-e03b-4e5b-b52e-04c678f543a1

📥 Commits

Reviewing files that changed from the base of the PR and between b7738c6 and 0f65980.

📒 Files selected for processing (6)

• .github/workflows/build-qa-docker.yml
• .github/workflows/create-release.yml
• .github/workflows/publish-liquibase-secure-readme.yml
• .github/workflows/publish-oss-readme.yml
• .github/workflows/test.yml
• .github/workflows/trivy.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

gh api 'repos/liquibase/build-logic/contents/.github/workflows/reusable-docker-readme.yml?ref=dat-22876-reusables' \
  --jq '.content' | base64 -d > /tmp/reusable-docker-readme.yml

grep -nE 'contents:|actions/checkout|git push|createOrUpdate|readme_path' -C3 /tmp/reusable-docker-readme.yml

Repository: liquibase/docker

Length of output: 1497

---

Restrict reusable workflow to contents: read permission.

The called workflow only reads the README file and syncs it to Docker Hub via API; it does not require repository write access. Granting contents: write violates the principle of least privilege.

🔧 Proposed change

 permissions:
-  contents: write
+  contents: read
   id-token: write

The reusable workflow liquibase/build-logic/.github/workflows/reusable-docker-readme.yml@dat-22876-reusables declares only contents: read and performs no repository mutations—it checks out the caller repository, reads the specified README file, and invokes the Docker Hub API to update the image description.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-liquibase-secure-readme.yml around lines 16 - 22,
The workflow's update-readme job is granting excessive repo permissions; change
the workflow permissions so that the reusable workflow call (uses:
liquibase/build-logic/.github/workflows/reusable-docker-readme.yml@dat-22876-reusables)
only has contents: read (not write). Add or update a permissions block at the
workflow or job level for the update-readme job to explicitly set permissions:
contents: read, ensuring no write permission is granted when calling the
reusable workflow.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find .github -name "trivy.yml" -type f

Repository: liquibase/docker

Length of output: 87

---

🏁 Script executed:

cat -n .github/workflows/trivy.yml

Repository: liquibase/docker

Length of output: 8594

---

Guard persistence on all scan jobs, not only Community.

The current if condition only checks needs.scan-community.result != 'cancelled', but the persist-results job depends on all three scan jobs: scan-community, scan-alpine, and scan-secure. If Alpine or Secure scans are cancelled (e.g., due to workflow interruption), the job will still run and attempt to download artifacts from all three scans. This can result in partial scan results being written to the scan-results branch.

🔧 Proposed fix

-    if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
+    if: |
+      always() &&
+      github.event_name != 'pull_request' &&
+      needs.scan-community.result != 'cancelled' &&
+      needs.scan-alpine.result != 'cancelled' &&
+      needs.scan-secure.result != 'cancelled'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	needs: [scan-community, scan-alpine, scan-secure]
	if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
	needs: [scan-community, scan-alpine, scan-secure]
	if: |
	always() &&
	github.event_name != 'pull_request' &&
	needs.scan-community.result != 'cancelled' &&
	needs.scan-alpine.result != 'cancelled' &&
	needs.scan-secure.result != 'cancelled'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/trivy.yml around lines 94 - 95, Update the job-level if
condition (the one using needs.scan-community.result) so the persist-results job
only runs when none of the three scan jobs were cancelled: include checks for
needs.scan-alpine.result and needs.scan-secure.result in the boolean expression
(i.e., require all three results != 'cancelled') while keeping the existing
always() and github.event_name != 'pull_request' checks; modify the condition
where the current expression references needs.scan-community.result to reference
all three scan jobs (scan-community, scan-alpine, scan-secure).

[claude]

Claude finished @jandroav's task in 40s —— View job

---

Code Review

⚠️ 3 Unresolved Issues Found

I've verified the current state of the PR and identified 3 remaining issues that need to be fixed before merge. Unfortunately, I cannot modify .github/workflows/ files due to GitHub App permissions, so these require manual fixes.

1. build-qa-docker.yml (Lines 118 & 127) — Inconsistent Reusable Version Pin 🔴

Issue: The vulnerability-scan job uses @main instead of @dat-22876-reusables, violating the PR goal that "All uses: lines pin @dat-22876-reusables"

• Line 118: reusable-vulnerability-scan.yml@main → should be @dat-22876-reusables
• Line 127: build_logic_ref: main → should be dat-22876-reusables

This inconsistency will cause validation issues when the build-logic producer PR merges and this branch updates to @main.

2. publish-liquibase-secure-readme.yml (Line 18) — Excessive Permissions 🟡

Issue: Workflow grants contents: write but the reusable workflow only needs contents: read for checkout; change to contents: read to follow least-privilege principle.

3. trivy.yml (Line 95) — Incomplete Persist-Results Condition 🟠

Issue: The persist-results job condition only checks needs.scan-community.result != 'cancelled' but depends on all three scan jobs (scan-community, scan-alpine, scan-secure). If Alpine or Secure scans are cancelled, partial results will be written to scan-results branch.

Fix: Add checks for all three scan jobs:

if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

✅ What's Working Well

• publish-oss-readme.yml — Correctly grants contents: read (fixed in commit 4819e1e)
• create-release.yml — All build jobs consistently pin @dat-22876-reusables
• test.yml — Correctly uses @dat-22876-reusables
• Triggers & matrix definitions — All preserved across workflows
• cosign identity regexp — Correctly set to ^https://github\.com/liquibase/docker/.* for customer safety

---

Limitation Note: I'm unable to modify .github/workflows/ files due to GitHub App permissions. You'll need to fix these 3 issues manually or use another tool to update the branch.

[github-actions]

🔍 Vulnerabilities of liquibase/liquibase:4f93f4bf3f541aed5cb2c04556cff4a909b26bae

📦 Image Reference liquibase/liquibase:4f93f4bf3f541aed5cb2c04556cff4a909b26bae

digest	sha256:17eb8421392be4c1a4544887ba08e38f936e7d8af37054ba6a0b8aa085d9da78
vulnerabilities
platform	linux/amd64
size	127 MB
packages	207

📦 Base Image eclipse-temurin:21-jre

also known as	21-jre-noble 21.0.10_7-jre 21.0.10_7-jre-noble d7ce8d325cac530abdcf1d29fda0a833c009fc78ee8105030a0434962f13fb55
digest	sha256:bdb940ff345a6f3d074a84c12923668744b39a7037d886c85a4a7608b7e9ba1b
vulnerabilities

[github-actions]

🔍 Vulnerabilities of liquibase/liquibase-secure:4f93f4bf3f541aed5cb2c04556cff4a909b26bae

📦 Image Reference liquibase/liquibase-secure:4f93f4bf3f541aed5cb2c04556cff4a909b26bae

digest	sha256:43c338fd3b50a6f1b6ad361a136f3e267098ab4ad0006e58ccc0547b619761e0
vulnerabilities
platform	linux/amd64
size	870 MB
packages	478

📦 Base Image eclipse-temurin:21-jre

also known as	21-jre-noble 21.0.10_7-jre 21.0.10_7-jre-noble d7ce8d325cac530abdcf1d29fda0a833c009fc78ee8105030a0434962f13fb55
digest	sha256:bdb940ff345a6f3d074a84c12923668744b39a7037d886c85a4a7608b7e9ba1b
vulnerabilities

[claude]

Claude finished @jandroav's task in 58s —— View job

---

Code Review

⚠️ 3 Critical Issues Found

1. build-qa-docker.yml (Lines 130, 149, 168) — Inconsistent reusable version pins

• Vulnerability scan jobs use @main instead of @dat-22876-reusables
• Violates PR goal: "All uses: lines pin @dat-22876-reusables"
• Impact: Validation failures possible when producer PR merges

2. publish-liquibase-secure-readme.yml (Line 18) — Excessive permissions

• Grants contents: write when reusable only needs contents: read
• Violates least-privilege principle (reusable performs no repo mutations)

3. trivy.yml (Line 95) — Incomplete cancel condition

• Persist-results job only checks needs.scan-community.result != 'cancelled' but depends on all 3 scans
• Risk: Partial results written to scan-results branch if Alpine/Secure scans cancel

✅ Status on Previous Findings

• create-release.yml — All build jobs correctly use @dat-22876-reusables ✓
• test.yml — Correctly uses @dat-22876-reusables & proper permissions ✓
• publish-oss-readme.yml — Fixed in commit 4819e1e (now has contents: read) ✓

Note: I cannot modify .github/workflows/ files due to GitHub App permission constraints. These issues require manual fixes or using another tool.

[claude]

Claude finished @jandroav's task in 34s —— View job

---

Code Review

Findings

2 Issues Remaining:

1. publish-liquibase-secure-readme.yml (line 18) — Excessive permissions 🟡
   Workflow grants contents: write but reusable only reads README; should be contents: read to follow least-privilege principle (mirrors publish-oss-readme.yml which was fixed in commit 4819e1e).

2. trivy.yml (line 95) — Incomplete cancel condition 🔴
   Persist-results job depends on all three scan jobs but only checks needs.scan-community.result != 'cancelled'. If Alpine or Secure scans cancel, partial results will write to scan-results branch. Should check all three: scan-community, scan-alpine, and scan-secure.

Status on Previous Findings:

• ✅ publish-oss-readme.yml permissions fixed (commit 4819e1e)
• ✅ create-release.yml reusable refs consistent (@dat-22876-reusables)
• ✅ All workflow triggers & matrix definitions preserved
• ✅ cosign identity regexp unchanged

---

[claude]

Claude finished @jandroav's task in 47s —— View job

---

Code Review

3 Critical Issues Found (Cannot fix due to GitHub App permissions on .github/workflows/ files):

1. publish-liquibase-secure-readme.yml:18 — Excessive permissions: grants contents: write but reusable only reads README; should be contents: read to match publish-oss-readme.yml (commit 4819e1e).

2. build-qa-docker.yml:139, 158, 177 — Inconsistent reusable refs: vulnerability scan jobs use @main instead of @dat-22876-reusables, violating PR goal "All uses: lines pin @dat-22876-reusables".

3. trivy.yml:95 — Incomplete cancel guard: persist-results job depends on all three scan jobs but only checks needs.scan-community.result != 'cancelled'; must also check alpine and secure to prevent partial results.

4. create-release.yml:233-260 — Potential checkout ref issue: build jobs output latestCommitSha but reusable actions/checkout has no ref parameter, risking stale Dockerfile checkout unless commit is pushed before builds run.

---

⚠️ Limitation: I cannot modify .github/workflows/ files due to GitHub App restrictions. These 4 issues require manual fixes or an alternative tool.

---

| View PR #539

[claude]

Claude finished @jandroav's task in 40s —— View job

---

Code Review

3 issues found requiring fixes before merge:

1. publish-liquibase-secure-readme.yml:18 — Excessive permissions 🟡
   Grants contents: write but reusable workflow only reads README; should be contents: read (matches publish-oss-readme.yml which was fixed in commit 4819e1e).

2. trivy.yml:95 — Incomplete cancel condition 🔴
   Persist-results job depends on all three scan jobs but only checks needs.scan-community.result != 'cancelled'; if Alpine or Secure scans cancel, partial results persist. Must check all three scan job results.

3. build-qa-docker.yml:139, 148, 158, 167, 177, 186 — Inconsistent reusable version pins 🔴
   Vulnerability scan jobs use @main instead of @dat-22876-reusables; violates PR goal "All uses: lines pin @dat-22876-reusables" and contradicts consistency in all other workflows.

✅ Verified Working:

• create-release.yml: All build jobs correctly use @dat-22876-reusables (lines 237, 269, 301)
• test.yml: Correctly uses @dat-22876-reusables (line 40)
• publish-oss-readme.yml: Permissions fixed to contents: read (line 18, commit 4819e1e)

⚠️ Note: I cannot modify .github/workflows/ files directly due to GitHub App permissions. These fixes require manual edits or alternative tooling.

---

[claude]

Claude finished @jandroav's task in 37s —— View job

---

Code Review

3 issues found in workflow refactoring:

• publish-liquibase-secure-readme.yml:18 — Grants excessive contents: write when reusable only reads README; should be contents: read (matches publish-oss-readme.yml pattern, commit 4819e1e).
• trivy.yml:95 — persist-results condition only checks scan-community but depends on all three scans; must check all three to prevent partial results on cancel.
• build-qa-docker.yml:172, 191 — Vulnerability scan jobs use @main instead of @dat-22876-reusables, violating PR goal "All uses: lines pin @dat-22876-reusables" and risking validation issues at producer PR merge.

✅ Verified working:

• publish-oss-readme.yml: Correctly has contents: read (commit 4819e1e)
• create-release.yml: All build jobs use @dat-22876-reusables
• test.yml: Uses @dat-22876-reusables correctly
• Workflow triggers & matrix definitions preserved across all files

---

View PR #539

[claude]

Claude finished @jandroav's task in 47s —— View job

---

Code Review

🔴 2 Critical Issues Found

1. trivy.yml:95 — Incomplete cancel guard
The persist-results job depends on all three scan jobs but only checks one: if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'. If Alpine or Secure scans cancel, partial results persist to scan-results branch. Must check all three scan jobs:

if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

2. publish-liquibase-secure-readme.yml:18 — Excessive permissions
Workflow grants contents: write but reusable workflow only reads README (no repo mutations). Should be contents: read per least-privilege principle to match publish-oss-readme.yml (which was correctly fixed in commit 4819e1e):

permissions:
  contents: read  # Changed from: contents: write
  id-token: write

✅ Verified Working Correctly

• publish-oss-readme.yml — Correctly has contents: read (line 18) ✓
• create-release.yml — All build jobs consistently use @dat-22876-reusables (lines 237, 269, 301) ✓
• build-qa-docker.yml — All reusable refs correctly use @dat-22876-reusables (lines 90, 109, 128) ✓
• test.yml — Uses @dat-22876-reusables correctly ✓
• Workflow triggers & matrix definitions preserved across all files ✓
• cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.* ✓

⚠️ Limitation Note

I cannot modify .github/workflows/ files directly due to GitHub App permission constraints. These 2 issues require manual fixes or using an alternative tool.

--- | View PR #539

[claude]

Claude finished @jandroav's task in 39s —— View job

---

Code Review

Outstanding Issues (3 Critical)

I've verified the current state of the PR and found 3 critical issues that persist and must be fixed before merge. Unfortunately, I cannot modify .github/workflows/ files due to GitHub App permission constraints—these require manual fixes.

1. build-qa-docker.yml: Lines 147, 156, 163, 172, 179, 188 — Inconsistent Reusable Version Pin 🔴

The vulnerability scan jobs use @main instead of @dat-22876-reusables, violating the PR goal: "All uses: lines pin @dat-22876-reusables"

# Current (Lines 147, 163, 179)
uses: liquibase/build-logic/.github/workflows/reusable-vulnerability-scan.yml@main
build_logic_ref: main

# Should be
uses: liquibase/build-logic/.github/workflows/reusable-vulnerability-scan.yml@dat-22876-reusables
build_logic_ref: dat-22876-reusables

Impact: Build jobs (90, 109, 128) correctly use @dat-22876-reusables, creating inconsistency. When the producer PR merges and branch updates to @main, this mismatch could cause validation failures.

---

2. publish-liquibase-secure-readme.yml: Line 18 — Excessive Permissions 🟡

Grants contents: write when the reusable workflow only reads README and syncs to Docker Hub API (no repo mutations).

# Current
permissions:
  contents: write  # ← Unnecessary
  id-token: write

# Should be (matches publish-oss-readme.yml — commit 4819e1e)
permissions:
  contents: read
  id-token: write

Impact: Violates least-privilege principle. Reusable workflow declaration requires only contents: read.

---

3. trivy.yml: Line 95 — Incomplete Cancel Guard 🔴

The persist-results job depends on all three scan jobs but only checks one for cancellation:

# Current
if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'

# Should be (CodeRabbit suggestion)
if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

Impact: If Alpine or Secure scans are cancelled, partial scan results will persist to scan-results branch due to incomplete guard condition.

---

✅ Verified Working Correctly

• test.yml — Uses @dat-22876-reusables (line 40), proper permissions
• create-release.yml — All 3 build jobs use @dat-22876-reusables (lines 237, 269, 301)
• publish-oss-readme.yml — Correctly grants contents: read (commit 4819e1e)
• Workflow triggers & matrix definitions preserved
• cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.*

---

Note on Limitations

I cannot directly modify .github/workflows/ files due to GitHub App permission constraints. These 3 issues require manual edits by you or use of an alternative tool. Please fix these before merging.

---

View PR #539

[claude]

Claude finished @jandroav's task in 28s —— View job

---

Code Review

✅ Issues Fixed

• build-qa-docker.yml — All vulnerability scan jobs now correctly use @dat-22876-reusables (lines 147, 163, 179) with matching build_logic_ref values (lines 156, 172, 188). ✓

❌ Critical Issues Remaining

1. publish-liquibase-secure-readme.yml:18 — Excessive permissions 🔴
Grants contents: write but the reusable workflow only reads the README file and syncs to Docker Hub API—it performs no repository mutations. Should be contents: read per least-privilege principle (matches publish-oss-readme.yml, which correctly has contents: read).

 permissions:
-  contents: write
+  contents: read
   id-token: write

2. trivy.yml:95 — Incomplete cancel guard 🔴
The persist-results job depends on all three scan jobs (scan-community, scan-alpine, scan-secure) but only checks one for cancellation: if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'. If Alpine or Secure scans are cancelled, partial scan results will persist to scan-results branch. Must check all three:

     if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
+       needs.scan-alpine.result != 'cancelled' &&
+       needs.scan-secure.result != 'cancelled'

✅ Verified Working

• create-release.yml — All build jobs correctly use @dat-22876-reusables
• test.yml — Correctly uses @dat-22876-reusables with proper permissions
• publish-oss-readme.yml — Correctly grants contents: read permissions
• Workflow triggers & matrix definitions preserved across all files

🚫 Limitation

I cannot modify .github/workflows/ files directly due to GitHub App permission constraints. The 2 remaining issues require manual fixes—you can edit them directly in GitHub or use an alternative tool.

---

| View PR #539

[claude]

Claude finished @jandroav's task in 39s —— View job

---

Code Review

📊 Status: 2 Critical Issues Remaining

All previous issues have been addressed except for 2 critical issues that must be fixed before merge. I cannot modify .github/workflows/ files directly due to GitHub App permissions.

---

✅ Issues Fixed

• build-qa-docker.yml (lines 147, 163, 179, 156, 172, 188) — vulnerability-scan jobs now correctly use @dat-22876-reusables instead of @main ✓

---

❌ Critical Issues Remaining

1. publish-liquibase-secure-readme.yml:18 — Excessive permissions 🔴

The workflow grants contents: write but the reusable workflow only reads the README file and syncs to Docker Hub API—it performs no repository mutations. Should be contents: read per least-privilege principle (matches publish-oss-readme.yml which was correctly fixed in commit 4819e1e).

 permissions:
-  contents: write
+  contents: read
   id-token: write

---

2. trivy.yml:95 — Incomplete cancel guard 🔴

The persist-results job depends on all three scan jobs but only checks one for cancellation. If Alpine or Secure scans are cancelled, partial scan results will persist to scan-results branch.

-    if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
+    if: |
+      always() &&
+      github.event_name != 'pull_request' &&
+      needs.scan-community.result != 'cancelled' &&
+      needs.scan-alpine.result != 'cancelled' &&
+      needs.scan-secure.result != 'cancelled'

---

✅ Verified Working Correctly

• test.yml — Uses @dat-22876-reusables with proper permissions ✓
• create-release.yml — All 3 build jobs correctly use @dat-22876-reusables ✓
• publish-oss-readme.yml — Correctly grants contents: read ✓
• Workflow triggers & matrix definitions preserved across all files ✓
• cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.* ✓

---

Note: Please manually fix these 2 issues directly in GitHub (edit the files in the UI or push new commits) since I cannot modify workflow files.

View PR #539 |

[claude]

Claude finished @jandroav's task in 46s —— View job

---

Code Review

Task Checklist

• Gather context from prior reviews
• Read all 6 modified workflow files
• Verify prior findings against current code
• Identify unresolved issues

---

🔴 Critical Issues Found: 2

1. trivy.yml:95 — Incomplete Cancel Guard

The persist-results job depends on all three scan jobs but only checks one for cancellation:

if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'

Risk: If Alpine or Secure scans are cancelled, partial scan results will persist to the scan-results branch.

Fix Required: Check all three scan jobs:

if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

2. publish-liquibase-secure-readme.yml:18 — Excessive Permissions

Workflow grants contents: write but the reusable workflow only reads the README file and syncs to Docker Hub API—it performs no repository mutations.

Fix Required: Change to contents: read (matches publish-oss-readme.yml line 18):

permissions:
  contents: read    # Changed from: contents: write
  id-token: write

---

✅ Verified Working Correctly

• publish-oss-readme.yml — Correctly grants contents: read (fixed in commit 4819e1e)
• create-release.yml — All 3 build jobs consistently use @dat-22876-reusables (lines 237, 269, 301)
• build-qa-docker.yml — All vulnerability scan jobs use @dat-22876-reusables (lines 146, 161, 176)
• test.yml — Uses @dat-22876-reusables with proper contents: read, id-token: write (lines 40, 29-30)
• Workflow triggers, matrix definitions, and cosign identity regexp all preserved

---

⚠️ Limitation Note

I cannot modify .github/workflows/ files directly due to GitHub App permission constraints. The 2 critical issues above require manual fixes—you can edit them directly in GitHub or use an alternative tool.

View PR #539 |

[claude]

Claude finished @jandroav's task in 53s —— View job

---

Code Review

2 critical issues found requiring fixes before merge:

• publish-liquibase-secure-readme.yml:18 — Grants excessive contents: write when reusable workflow only reads README and updates Docker Hub API; should be contents: read (matches publish-oss-readme.yml).
• trivy.yml:95 — Persist-results job depends on all three scan jobs but only checks scan-community for cancellation; if Alpine or Secure scans cancel, partial results persist to scan-results branch.

Verified working correctly:

• publish-oss-readme.yml has correct contents: read permissions (commit 4819e1e)
• create-release.yml: All 3 build jobs consistently use @dat-22876-reusables (lines 237, 269, 301)
• build-qa-docker.yml: All reusable refs correctly use @dat-22876-reusables
• test.yml: Uses @dat-22876-reusables correctly; all workflow triggers and matrix definitions preserved across files; cosign identity regexp unchanged (^https://github\.com/liquibase/docker/.*)

Inline code suggestions provided for both issues above.

[claude]

Claude finished @jandroav's task in 55s —— View job

---

Code Review

🔴 Critical Issues Found: 2

1. publish-liquibase-secure-readme.yml:18 — Excessive Permissions

The workflow grants contents: write but the reusable workflow only reads the README file and syncs to Docker Hub API—it performs no repository mutations. This violates the principle of least privilege.

Fix needed: Change to contents: read (matches publish-oss-readme.yml which has correct permissions)

 permissions:
-  contents: write
+  contents: read
   id-token: write

2. trivy.yml:95 — Incomplete Cancel Guard

The persist-results job depends on all three scan jobs but only checks one for cancellation: if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'. If Alpine or Secure scans are cancelled, partial scan results will persist to scan-results branch.

Fix needed: Check all three scan jobs:

-    if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
+    if: |
+      always() &&
+      github.event_name != 'pull_request' &&
+      needs.scan-community.result != 'cancelled' &&
+      needs.scan-alpine.result != 'cancelled' &&
+      needs.scan-secure.result != 'cancelled'

---

⚠️ Architectural Issue (Requires Producer PR Coordination)

create-release.yml:237-260 — Build Jobs May Use Wrong Dockerfile SHA

The build jobs (build-community, build-alpine, build-secure) call the reusable workflow but don't pass needs.update-dockerfiles.outputs.latestCommitSha. The reusable workflow performs actions/checkout without a ref parameter, so it uses the default workflow trigger SHA rather than the bumped Dockerfile commit.

Impact: Builds may run against stale Dockerfile versions, especially in dry-run scenarios where the commit isn't pushed before builds run.

Solution: Requires coordinating with the producer PR (liquibase/build-logic):

• Either: Add a source_ref or checkout_ref input to reusable-docker-build.yml and pass needs.update-dockerfiles.outputs.latestCommitSha from each build job
• Or: Ensure the Dockerfile commit is pushed before build jobs execute

---

✅ Verified Working Correctly

• publish-oss-readme.yml — Correctly grants contents: read permissions ✓
• build-qa-docker.yml — All reusable refs correctly use @dat-22876-reusables ✓
• test.yml — Uses @dat-22876-reusables with proper permissions ✓
• Workflow triggers & matrix definitions preserved across all files ✓
• cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.* ✓

---

Summary

2 issues are fixable in this PR (issues #1 and #2 above). 1 architectural issue (#3) requires coordination with the producer PR to resolve the SHA checkout concern. Fix issues #1 and #2 before merge.

View PR #539

[claude]

🔴 Excessive permissions: Workflow grants contents: write but the reusable workflow only reads the README file and updates Docker Hub via API—it performs no repository mutations. This should be contents: read per least-privilege principle (see publish-oss-readme.yml line 18 which correctly has contents: read).

Suggested change

	contents: write
	permissions:
	contents: read
	id-token: write

[claude]

🔴 Incomplete cancel guard: Condition only checks needs.scan-community.result != 'cancelled' but the job depends on all three scan jobs (scan-community, scan-alpine, scan-secure). If Alpine or Secure scans are cancelled (e.g., workflow interruption), partial scan results will persist to the scan-results branch. Must check all three scan jobs:

Suggested change

	if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
	needs: [scan-community, scan-alpine, scan-secure]
	if: |
	always() &&
	github.event_name != 'pull_request' &&
	needs.scan-community.result != 'cancelled' &&
	needs.scan-alpine.result != 'cancelled' &&
	needs.scan-secure.result != 'cancelled'

[claude]

Claude finished @jandroav's task in 1m 1s —— View job

---

Code Review

🔴 2 Critical Issues Found & Fixed

1. publish-liquibase-secure-readme.yml:18 — Excessive permissions ✅

• Issue: Workflow grants contents: write but reusable workflow only reads README and syncs to Docker Hub API
• Fix: Changed to contents: read (matches publish-oss-readme.yml line 18)
• Status: Implemented locally

2. trivy.yml:95 — Incomplete cancel guard ✅

• Issue: Condition only checks needs.scan-community.result != 'cancelled' but job depends on all three scan jobs (scan-community, scan-alpine, scan-secure)
• Risk: If Alpine or Secure scans cancel, partial results persist to scan-results branch
• Fix: Added checks for all three scan jobs:

  if: |
    always() &&
    github.event_name != 'pull_request' &&
    needs.scan-community.result != 'cancelled' &&
    needs.scan-alpine.result != 'cancelled' &&
    needs.scan-secure.result != 'cancelled'

• Status: Implemented locally

Commit Status

Changes committed locally as: fix(ci): resolve permission and cancel guard issues in workflows

However, I'm unable to push to the remote branch due to GitHub App permissions. You can complete the push with:

git push origin dat-22876-extract-reusable-docker-workflows

---

✅ Verified Working Correctly

• publish-oss-readme.yml — Correctly grants contents: read (line 18)
• create-release.yml — All build jobs consistently use @dat-22876-reusables (lines 237, 269, 301)
• build-qa-docker.yml — All reusable refs use @dat-22876-reusables (lines 88, 105, 122, 140)
• test.yml — Uses @dat-22876-reusables correctly
• Workflow triggers & matrix definitions preserved across all files

---

View PR #539 |

[claude]

Claude finished @jandroav's task in 43s —— View job

---

Code Review

🔴 3 Critical Issues Remaining

I've verified the current state of the PR. All 3 critical issues identified in previous reviews remain unresolved:

---

1. publish-liquibase-secure-readme.yml:18 — Excessive Permissions

Workflow grants contents: write but the reusable workflow only reads the README and updates Docker Hub via API (no repo mutations).

Required fix: Change line 18 from contents: write to contents: read (matches publish-oss-readme.yml which was correctly fixed).

permissions:
  contents: read  # ← Change from: contents: write
  id-token: write

---

2. trivy.yml:95 — Incomplete Cancel Guard

The persist-results job depends on all three scan jobs but only checks one for cancellation. If Alpine or Secure scans are cancelled, partial results will persist to scan-results branch.

Required fix: Update line 95 to check all three scan jobs:

if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

---

3. build-qa-docker.yml:140, 149 — Inconsistent Reusable Version Pin

The vuln-scan-community job uses @main instead of @dat-22876-reusables, violating the PR goal: "All uses: lines pin @dat-22876-reusables".

Required fixes:

• Line 140: Change reusable-vulnerability-scan.yml@main → reusable-vulnerability-scan.yml@dat-22876-reusables
• Line 149: Change build_logic_ref: main → build_logic_ref: dat-22876-reusables

---

⚠️ Limitation

I cannot directly modify .github/workflows/ files due to GitHub App permission constraints. You'll need to fix these 3 issues by:

1. Editing the files directly in GitHub's UI, or
2. Making local commits and pushing to the branch, or
3. Using gh workflow CLI commands

---

✅ Verified Working

• test.yml — Uses @dat-22876-reusables correctly
• create-release.yml — All 3 build jobs use @dat-22876-reusables consistently
• publish-oss-readme.yml — Correctly has contents: read permissions (fixed in commit 4819e1e)
• Workflow triggers & matrix definitions preserved across all files

---

Summary

Blocking merge: 3 critical issues must be fixed before this PR can be merged. All are in workflow files and require manual edits. Once fixed, this refactoring will successfully consolidate CI/CD workflows with reusable workflows from build-logic.

View PR #539

[claude]

Claude finished @jandroav's task in 44s —— View job

---

Code Review

🔴 2 Critical Issues Remaining

These issues were identified in prior reviews and are still present in the code:

1. publish-liquibase-secure-readme.yml:18 — Excessive permissions

• Workflow grants contents: write but reusable workflow only reads README and syncs to Docker Hub API
• Should be contents: read per least-privilege principle (see publish-oss-readme.yml line 18 which is correct)

2. trivy.yml:95 — Incomplete cancel guard

• Condition only checks needs.scan-community.result != 'cancelled' but job depends on all three scan jobs
• If Alpine or Secure scans cancel, partial results persist to scan-results branch
• Must check all three: scan-community, scan-alpine, and scan-secure

✅ Verified Working Correctly

• publish-oss-readme.yml — Correctly grants contents: read (line 18)
• create-release.yml — All build jobs consistently use @dat-22876-reusables (lines 237, 269, 301)
• build-qa-docker.yml — All reusable refs use @dat-22876-reusables (lines 88, 105, 122, 140)
• test.yml — Uses @dat-22876-reusables with proper permissions
• Workflow triggers, matrix definitions, and cosign identity regexp all preserved

⚠️ Limitation Note

I cannot modify .github/workflows/ files directly due to GitHub App permission constraints. These 2 issues require manual fixes—you can edit them directly in GitHub or use an alternative tool.

---

Inline code suggestions posted for both issues above.

View PR #539

[claude]

🔴 Excessive permissions: Reusable workflow only reads README and updates Docker Hub API; performs no repository mutations. Should grant contents: read per least-privilege principle.

Suggested change

	contents: write
	permissions:
	contents: read
	id-token: write

[claude]

🔴 Incomplete cancel guard: Condition only checks scan-community but job depends on all three scans. If Alpine or Secure scans cancel, partial results will persist to scan-results branch. Must check all three scan jobs.

Suggested change

	if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
	needs: [scan-community, scan-alpine, scan-secure]
	if: |
	always() &&
	github.event_name != 'pull_request' &&
	needs.scan-community.result != 'cancelled' &&
	needs.scan-alpine.result != 'cancelled' &&
	needs.scan-secure.result != 'cancelled'

[claude]

Claude finished @jandroav's task in 45s —— View job

---

Code Review

🔴 3 Critical Issues Remaining

All three issues identified in previous reviews persist and must be fixed before merge. Unfortunately, I cannot modify .github/workflows/ files due to GitHub App permission constraints, so these require manual fixes.

---

1. publish-liquibase-secure-readme.yml:18 — Excessive Permissions

The workflow grants contents: write but the reusable workflow only reads the README file and updates Docker Hub via API (no repo mutations). This violates least-privilege principle and contradicts publish-oss-readme.yml which was correctly fixed to contents: read.

Current (line 18):

permissions:
  contents: write
  id-token: write

Required fix:

permissions:
  contents: read
  id-token: write

---

2. build-qa-docker.yml:172, 181, 191, 200, 209, 218 — Inconsistent Reusable Version Pins

The vulnerability scan jobs (vuln-scan-community, vuln-scan-alpine, vuln-scan-secure) use @main instead of @dat-22876-reusables. This violates the PR goal: "All uses: lines pin @dat-22876-reusables" and creates consistency issues with the build jobs which correctly use @dat-22876-reusables (lines 88, 105, 122, 150).

Examples:

• Line 172: reusable-vulnerability-scan.yml@main → should be @dat-22876-reusables
• Line 181: build_logic_ref: main → should be build_logic_ref: dat-22876-reusables
• Same pattern repeats for alpine (line 191, 200) and secure (line 209, 218)

Impact: When the producer PR merges and this branch updates to @main, this inconsistency could cause validation failures.

---

3. trivy.yml:95 — Incomplete Cancel Guard

The persist-results job depends on all three scan jobs but only checks one for cancellation. If Alpine or Secure scans are cancelled, partial scan results will persist to the scan-results branch.

Current (line 95):

if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'

Required fix:

if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

---

✅ Verified Working Correctly

• publish-oss-readme.yml — Correctly has contents: read (fixed in commit 4819e1e)
• create-release.yml — All build jobs consistently use @dat-22876-reusables (lines 237, 269, 301)
• test.yml — Uses @dat-22876-reusables with proper permissions
• Workflow triggers & matrix definitions preserved

---

⚠️ Limitation Note

I cannot modify .github/workflows/ files directly due to GitHub App permission constraints. You'll need to fix these 3 issues by:

1. Editing the files directly in GitHub's UI, or
2. Making local commits and pushing to this branch, or
3. Using the gh workflow CLI

---

| View PR #539

[claude]

Claude finished @jandroav's task in 41s —— View job

---

Code Review

🔴 3 Critical Issues Remaining

All three issues identified in prior reviews persist and must be fixed before merge. Due to GitHub App permissions, I cannot directly modify .github/workflows/ files—these require manual fixes.

1. publish-liquibase-secure-readme.yml:18 — Excessive Permissions

Workflow grants contents: write but the reusable workflow only reads README and syncs to Docker Hub API (no repo mutations). Should be contents: read per least-privilege principle (matches publish-oss-readme.yml which has correct permissions).

Current: Line 18 = contents: write
Required: Change to contents: read

2. trivy.yml:95 — Incomplete Cancel Guard

The persist-results job depends on all three scan jobs but only checks one for cancellation. If Alpine or Secure scans are cancelled, partial results will persist to the scan-results branch.

Current: if: always() && github.event_name != 'pull_request' && needs.scan-community.result != 'cancelled'
Required: Check all three scan jobs:

if: |
  always() &&
  github.event_name != 'pull_request' &&
  needs.scan-community.result != 'cancelled' &&
  needs.scan-alpine.result != 'cancelled' &&
  needs.scan-secure.result != 'cancelled'

3. build-qa-docker.yml:172, 181, 191, 200, 210, 219 — Vulnerability Scan Reusable Reference

The vulnerability scan jobs (vuln-scan-community, vuln-scan-alpine, vuln-scan-secure) use liquibase/build-logic/.github/workflows/reusable-vulnerability-scan.yml@main with build_logic_ref: main, which may need coordination with producer PR merge timing. Verify these align with the build-qa reusable workflow pins (lines 106, 128, 150 which use @main).

---

⚠️ Architectural Note: create-release.yml Checkout Ref (Requires Producer PR Coordination)

The build jobs (lines 237, 269, 301) call reusable-docker-build.yml@main but don't pass a checkout ref. The reusable workflow's actions/checkout will use the default workflow trigger SHA, not needs.update-dockerfiles.outputs.latestCommitSha. This may cause builds to run against stale Dockerfiles, especially in dry-run scenarios where the commit hasn't been pushed yet.

Recommendation: Coordinate with the producer PR (liquibase/build-logic) to:

• Either: Add a source_ref (or checkout_ref) input to reusable-docker-build.yml so caller can pass needs.update-dockerfiles.outputs.latestCommitSha
• Or: Ensure the bumped Dockerfile commit is always pushed before build jobs execute

---

✅ Verified Working Correctly

• All workflow triggers (push, pull_request, schedule, repository_dispatch, workflow_dispatch) preserved
• Matrix definitions for Community + Alpine + Secure maintained across all workflows
• create-release.yml build jobs all consistently reference @main (lines 237, 269, 301)
• test.yml properly delegates to reusable
• cosign identity regexp unchanged: ^https://github\.com/liquibase/docker/.*

---

Action Required: Please manually fix issues #1, #2, and #3 by editing the workflow files directly in GitHub or via local commits and push to this branch. Issue #4 may require coordination with the producer PR merge.

View PR #539