Summary
Create one generic reusable image-publish workflow and convert the existing API/synthesis publish workflows into thin manual wrappers.
Files to create/modify
Create .github/workflows/reusable-publish-image.yml
Modify .github/workflows/api-image-publish.yml
Modify .github/workflows/synthesis-image-publish.yml
Implementation notes
Reusable workflow should accept inputs such as image_name, dockerfile, image_repository, and tag.
Keep the operator approval gate (SYNTHESIS_IMAGE_PUBLISH_APPROVED) and the registry var validation.
Keep Trivy image scanning before push even though CI already scans images.
Keep environment: prod on the publish job so OIDC vars are available when called from other workflows (issue #145, "Fix OIDC credential resolution in ACR image publish workflows").
Emit image_ref and image_tag outputs for downstream promotion.
The API and synthesis wrappers should remain independently dispatchable and simply pass their specific Dockerfile/repository values.
Acceptance criteria
Dependencies