Docker CI/CD Skill
Integrate Docker with CI/CD pipelines for automated image builds, security scanning, and deployments.
Purpose
Set up automated Docker workflows with GitHub Actions, GitLab CI, and other CI/CD platforms.
Parameters
| Parameter | Type | Required | Default | Description | |-----------|------|----------|---------|-------------| | platform | enum | No | github | github/gitlab/jenkins | | registry | string | No | ghcr.io | Container registry | | scan | boolean | No | true | Include security scan |
GitHub Actions
Complete Workflow
name: Docker Build and Deploy
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha
type=ref,event=branch
type=semver,pattern={{version}}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Scan for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
exit-code: '1'
severity: 'CRITICAL,HIGH'
Multi-Arch Build
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Build multi-arch
uses: docker/build-push-action@v5
with:
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
GitLab CI
# .gitlab-ci.yml
stages:
- build
- scan
- deploy
variables:
DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
build:
stage: build
image: docker:24
services:
- docker:24-dind
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker build -t $DOCKER_IMAGE .
- docker push $DOCKER_IMAGE
scan:
stage: scan
image:
name: aquasec/trivy
entrypoint: [""]
script:
- trivy image --exit-code 1 --severity CRITICAL $DOCKER_IMAGE
deploy:
stage: deploy
script:
- ssh deploy@server "docker pull $DOCKER_IMAGE && docker compose up -d"
only:
- main
Best Practices
Caching
# GitHub Actions BuildKit cache
cache-from: type=gha
cache-to: type=gha,mode=max
# GitLab cache
cache:
key: docker-$CI_COMMIT_REF_SLUG
paths:
- .docker-cache
Security
# Scan before push
- name: Scan
run: trivy image --exit-code 1 --severity CRITICAL $IMAGE
# Sign images (cosign)
- name: Sign
run: cosign sign $IMAGE
Error Handling
Common Errors
| Error | Cause | Solution |
|-------|-------|----------|
| unauthorized | Bad credentials | Check registry login |
| rate limit | Docker Hub limits | Use authenticated pulls |
| cache miss | First build | Cache will populate |
Fallback Strategy
- Build without cache if cache corrupted
- Use fallback registry if primary down
- Deploy previous version on failure
Troubleshooting
Debug Checklist
- [ ] Registry credentials valid?
- [ ] Docker daemon running?
- [ ] Build context correct?
- [ ] Dockerfile present?
Usage
Skill("docker-ci-cd")
Assets
assets/github-actions-docker.yaml- GitHub Actions templatescripts/build-and-push.sh- Build script
Related Skills
- docker-production
- docker-security