From d3dde05440c331deff841a20f8ea964016252e9e Mon Sep 17 00:00:00 2001 From: Andreas Beuge Date: Fri, 2 Jan 2026 12:39:14 +0100 Subject: [PATCH 1/8] feat: add optional login for base image registry --- .github/workflows/container.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index dde7d48..80e9c8b 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -6,6 +6,11 @@ on: required: true description: The container image name type: string + baseImageRegistry: + required: false + description: The registry to pull base images + default: dhi.io + type: string contextPath: required: false description: The container context to build the image @@ -42,6 +47,12 @@ on: AWS_ROLE_TO_ASSUME: required: true description: AWS OIDC role for GitHub to assume + baseImageRegistryUsername: + required: false + description: The username for the base image registry + baseImageRegistryPassword: + required: false + description: The password for the base image registry jobs: build-ecr-single: @@ -52,6 +63,12 @@ jobs: steps: - name: Checkout current git repository uses: actions/checkout@v4 + - name: Login to base image registry + uses: docker/login-action@v3 + with: + registry: ${{ inputs.baseImageRegistry }} + username: ${{ secrets.baseImageRegistryUsername }} + password: ${{ secrets.baseImageRegistryPassword }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Configure AWS credentials From a68cfdfd38e1bea7b38034e1a6fc7c9af54fce47 Mon Sep 17 00:00:00 2001 From: Andreas Beuge Date: Fri, 2 Jan 2026 12:42:16 +0100 Subject: [PATCH 2/8] feat: make login conditionally if baseImageRegistry is set --- .github/workflows/container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 80e9c8b..0ceeb2c 100644 --- a/.github/workflows/container.yaml 
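Review bot: The new secrets `baseImageRegistryUsername` and `baseImageRegistryPassword` in the second hunk are camelCase, while the existing secret in the same block is `AWS_ROLE_TO_ASSUME`. Secret names are documented as case-insensitive, but callers of this reusable workflow will copy whichever spelling the `secrets:` block declares, so one convention should be used file-wide. `BASE_IMAGE_REGISTRY_USERNAME` and `BASE_IMAGE_REGISTRY_PASSWORD` would match the existing style, with the same rename applied to the `with:` block of the login step in the third hunk.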
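Review bot: The login step in the third hunk pins `docker/login-action@v3` to a mutable major tag, so the action that receives the registry credentials can change underneath the workflow without a review; the surrounding steps use the same tag style, so this is consistent with the file, but for a reusable workflow shared across repositories the usual hardening is a full-length commit SHA with the tag kept as a comment, `uses: docker/login-action@<full-commit-sha> # v3`, ideally applied to the existing `actions/checkout` and `docker/setup-buildx-action` steps in the same change. The step also runs unconditionally in this commit although both secrets are declared `required: false`; later commits in this series gate it on `inputs.baseImageRegistry`, so that needs no separate fix here.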
+++ b/.github/workflows/container.yaml @@ -9,7 +9,6 @@ on: baseImageRegistry: required: false description: The registry to pull base images - default: dhi.io type: string contextPath: required: false @@ -64,6 +63,7 @@ jobs: - name: Checkout current git repository uses: actions/checkout@v4 - name: Login to base image registry + if: ${{ !contains(inputs.baseImageRegistry, '') }} uses: docker/login-action@v3 with: registry: ${{ inputs.baseImageRegistry }} From 9bb8d41e7fc91621566ea8b47d8663e4bbc33dc2 Mon Sep 17 00:00:00 2001 From: Andreas Beuge Date: Fri, 2 Jan 2026 12:50:55 +0100 Subject: [PATCH 3/8] feat: fix condition --- .github/workflows/container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 0ceeb2c..71bc146 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -63,7 +63,7 @@ jobs: - name: Checkout current git repository uses: actions/checkout@v4 - name: Login to base image registry - if: ${{ !contains(inputs.baseImageRegistry, '') }} + if: ${{ inputs.baseImageRegistry && inputs.baseImageRegistry != '' }} uses: docker/login-action@v3 with: registry: ${{ inputs.baseImageRegistry }} From 0fdd75c34943d1641577bce7f9af0610540db86d Mon Sep 17 00:00:00 2001 From: Andreas Beuge Date: Fri, 2 Jan 2026 12:59:33 +0100 Subject: [PATCH 4/8] feat: add missing env for scan --- .github/workflows/container.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 71bc146..6a228d7 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -53,6 +53,12 @@ on: required: false description: The password for the base image registry +env: + IMAGE_SCAN_SEVERITY: LOW + IMAGE_SCAN_SEVERITY_THRESHOLD: CRITICAL + IMAGE_SCAN_ANNOTATIONS: true + IMAGE_SCAN_TRIVY_TIMEOUT: 10m + jobs: build-ecr-single: permissions: 
From ec6ba47c42a82bab251ec2defee02d7abc34a505 Mon Sep 17 00:00:00 2001 From: andibeuge <97287249+andibeuge@users.noreply.github.com> Date: Fri, 2 Jan 2026 14:56:39 +0100 Subject: [PATCH 5/8] Update .github/workflows/container.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 6a228d7..f55e972 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -8,7 +8,7 @@ on: type: string baseImageRegistry: required: false - description: The registry to pull base images + description: The registry to pull base images from type: string contextPath: required: false From 18269ff927e1f56baec31a2f3cae0cd394301083 Mon Sep 17 00:00:00 2001 From: andibeuge <97287249+andibeuge@users.noreply.github.com> Date: Fri, 2 Jan 2026 14:57:28 +0100 Subject: [PATCH 6/8] Update .github/workflows/container.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index f55e972..a2fc45a 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -69,7 +69,7 @@ jobs: - name: Checkout current git repository uses: actions/checkout@v4 - name: Login to base image registry - if: ${{ inputs.baseImageRegistry && inputs.baseImageRegistry != '' }} + if: ${{ inputs.baseImageRegistry }} uses: docker/login-action@v3 with: registry: ${{ inputs.baseImageRegistry }} From 28b70e92525c9eb823751e685d4888bdb4d6b189 Mon Sep 17 00:00:00 2001 From: Andreas Beuge Date: Fri, 2 Jan 2026 15:07:14 +0100 Subject: [PATCH 7/8] chore: move env vars to inputs --- .github/workflows/container.yaml | 34 ++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index a2fc45a..622b080 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -30,6 +30,26 @@ on: description: The file path for the Container image default: Containerfile type: string + imageScanSeverity: + required: false + description: The base severity for the image scan + default: LOW + type: string + imageScanSeverityThreshold: + required: false + description: The severity threshold to fail the pipeline on findings + default: CRITICAL + type: string + imageScanTimeout: + required: false + description: Timeout for the trivy scan + default: 10m + type: string + imageScanAnnotations: + required: false + description: Boolean flag to scan annotations + default: true + type: boolean runner: required: false description: Runner type @@ -53,12 +73,6 @@ on: required: false description: The password for the base image registry -env: - IMAGE_SCAN_SEVERITY: LOW - IMAGE_SCAN_SEVERITY_THRESHOLD: CRITICAL - IMAGE_SCAN_ANNOTATIONS: true - IMAGE_SCAN_TRIVY_TIMEOUT: 10m - jobs: build-ecr-single: permissions: @@ -115,11 +129,11 @@ jobs: with: image: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:latest dockerfile: Containerfile - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} + severity: ${{ inputs.imageScanSeverity }} + severity_threshold: ${{ inputs.imageScanSeverityThreshold }} + annotations: ${{ inputs.imageScanAnnotations }} env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} + TRIVY_TIMEOUT: ${{ inputs.imageScanTimeout }} - name: Push image to ECR run: | docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }} From 6fde328682662d14ccacde956f1026639470309b Mon Sep 17 00:00:00 2001 
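Review bot: `imageScanSeverityThreshold` and `imageScanSeverity` in the first hunk are free-form `type: string` inputs that the scan step in the third hunk passes straight through as `severity_threshold:` and `severity:`, so any repository calling this reusable workflow can now set the failure threshold to an arbitrary value and, depending on how the scan action treats a severity name it does not know, relax or disable the gate that the removed workflow-level `env:` block fixed centrally. If the threshold is meant to be an organisation-wide policy, keep it fixed in the workflow; otherwise add a step before the scan that rejects values outside the severity names the scanner accepts (only `LOW` and `CRITICAL` are visible here, so the allowed list should come from the scanner's documentation). The description `Boolean flag to scan annotations` does not say what is annotated; if the action's `annotations:` option publishes findings as GitHub annotations, `Whether to publish scan findings as GitHub annotations` would be clearer, but that should be confirmed against the scan action.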
From: Andreas Beuge Date: Fri, 2 Jan 2026 15:14:03 +0100 Subject: [PATCH 8/8] feat: added scan parameter validation --- .github/workflows/container.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 622b080..861a122 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -82,6 +82,13 @@ jobs: steps: - name: Checkout current git repository uses: actions/checkout@v4 + - name: Validate base image registry secrets + if: ${{ inputs.baseImageRegistry }} + run: | + if [ -z "${{ secrets.baseImageRegistryUsername }}" ] || [ -z "${{ secrets.baseImageRegistryPassword }}" ]; then + echo "baseImageRegistry is set but baseImageRegistryUsername or baseImageRegistryPassword secrets are missing." + exit 1 + fi - name: Login to base image registry if: ${{ inputs.baseImageRegistry }} uses: docker/login-action@v3
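Review bot: The validation step interpolates `${{ secrets.baseImageRegistryUsername }}` and `${{ secrets.baseImageRegistryPassword }}` directly into the `run:` script, so the secret values are substituted into the shell text before it executes; a value containing a double quote, `$` or a backtick alters the script instead of being tested, and GitHub's guidance is to pass expression values through `env:` and read them as shell variables. The presence check itself, gated on the same `inputs.baseImageRegistry` condition as the login step, is sound. The commit subject says `scan parameter validation`, but the hunk validates only the registry secrets; the `imageScan*` inputs added in the previous commit remain unchecked, so the subject or the step should be brought in line.
```yaml
      - name: Validate base image registry secrets
        if: ${{ inputs.baseImageRegistry }}
        env:
          REGISTRY_USERNAME: ${{ secrets.baseImageRegistryUsername }}
          REGISTRY_PASSWORD: ${{ secrets.baseImageRegistryPassword }}
        run: |
          if [ -z "$REGISTRY_USERNAME" ] || [ -z "$REGISTRY_PASSWORD" ]; then
            # … unchanged: echo of the missing-secrets message and exit 1 …
          fi
```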