fix(ci): use repo reusable workflow

.github/workflows/build-docker.yml

@@ -0,0 +1,160 @@
+name: build-docker
+
+on:
+  workflow_call:
+    inputs:
+      build-args:
+        default: null
+        description: Build arguments
+        type: string
+      context:
+        default: "."
+        description: Context of the Dockerfile
+        type: string
+      image-name:
+        description: Image name
+        required: true
+        type: string
+      image-extra-tags:
+        default: ""
+        description: Image tags
+        type: string
+      image-target:
+        default: null
+        description: Target stage of the Dockerfile
+        type: string
+      platforms:
+        default: linux/amd64
+        description: Platforms to build for
+        type: string
+      push:
+        default: true
+        description: Whether or not to push image to registry
+        type: boolean
+      ref:
+        default: ${{ github.ref }}
+        description: Ref to checkout
+        type: string
+      runner:
+        default: ubuntu-latest
+        description: Runner to use
+        type: string
+      scout-cves:
+        default: true
+        description: Whether or not to run scout CVEs
+        type: boolean
+      scout-compare:
+        default: false
+        description: Whether or not to run scout compare
+        type: boolean
+      scout-comment-pr:
+        default: false
+        description: Whether or not to comment on PR
+        type: boolean
+    outputs:
+      digest:
+        description: Image digest
+        value: ${{ jobs.build.outputs.digest }}
+      imageid:
+        description: Image ID
+        value: ${{ jobs.build.outputs.imageid }}
+      metadata:
+        description: Build result metadata
+        value: ${{ jobs.build.outputs.metadata }}
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: true
+        description: Used to push the image to the Docker Hub registry and/or scan the image with scout
+      DOCKERHUB_PASSWORD:
+        required: true
+        description: Used to push the image to the Docker Hub registry and/or scan the image with scout
+
+jobs:
+  build:
+    outputs:
+      digest: ${{ steps.build-push.outputs.digest }}
+      imageid: ${{ steps.build-push.outputs.image-id }}
+      metadata: ${{ steps.build-push.outputs.metadata }}
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - name: Github Security Monitor
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+      - if: secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_PASSWORD
+        name: Login to Docker hub
+        uses: docker/login-action@v3
+        with:
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+      - id: meta
+        name: Docker metadata
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ inputs.image-name }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+      - id: build-push
+        name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          build-args: ${{ inputs.build-args }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          context: ${{ inputs.context }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: ${{ inputs.platforms }}
+          push: ${{ inputs.push }}
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+            ${{ inputs.image-extra-tags }}
+          target: ${{ inputs.image-target }}
+      - if: inputs.scout-compare
+        name: Docker Scout - compare
+        uses: docker/scout-action@v1
+        with:
+          command: compare
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          ignore-unchanged: true
+          image: ${{ steps.meta.outputs.tags }}
+          only-severities: critical,high,medium
+          to: ${{ inputs.image-name }}:latest
+          write-comment: ${{ inputs.scout-comment-pr }}
+      - if: inputs.scout-cves
+        name: Docker Scout - cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          ignore-unchanged: true
+          image: ${{ steps.meta.outputs.tags }}
+          only-fixed: true
+          only-severities: medium,high,critical
+          sarif-file: sarif.output.json
+          summary: true
+      - name: Create unique job identifier
+        id: job-id
+        run: |
+          four_character_timestamp=$(date +%s | sha256sum | base64 | head -c 4)
+          run_id=$(echo ${{ github.run_id }} | sha256sum | base64 | head -c 4)
+          job_id="${four_character_timestamp}${run_id}"
+          echo "job-id=$job_id" >> $GITHUB_OUTPUT
+      - if: inputs.scout-cves
+        name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          if-no-files-found: warn
+          name: scout-results-${{ steps.job-id.outputs.job-id }}
+          path: sarif.output.json

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    uses: licenseware/infrastructure/.github/workflows/build-docker.yml@v2
+    uses: ./.github/workflows/build-docker.yml
     with:
       context: .
       image-name: ghcr.io/${{ github.repository }}
@@ -44,7 +44,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    uses: licenseware/infrastructure/.github/workflows/build-docker.yml@v2
+    uses: ./.github/workflows/build-docker.yml
     with:
       context: .
       image-name: ghcr.io/${{ github.repository }}