sh steps into a proper GitHub Actions step.

- Source: Jenkins pipeline builds and pushes a Docker image, then scans it with Trivy.
- Goal: Convert the
docker buildcommand embedded inshinto a native GitHub Actions step and replace hard-coded values with repository/workflow variables.
- The
docker buildwas inside anshstep and was not converted into a proper GitHub Actionsrunstep. - The
withDockerRegistryblock had no matching transformer, so it was left commented out in the generated workflow.
sh steps contain Docker commands
- We ran a dry-run with a helper transformer that prints each
shidentifier to locate the embedded Docker command.
sh identifier JSON for the Docker build:
docker build command appears in the sh identifier and is transformable.
Custom sh transformer: extract and convert the docker build
- We added a transformer that targets
shnodes and only transforms steps that match the specificdocker buildinvocation for this repository/image. - The transformer substitutes hard-coded values with GitHub Actions variables, e.g.
siddharth67→vars.DOCKERHUB_USERNAME,solar-system→vars.IMAGE_NAME, and$GIT_COMMIT→github.sha.
ss-pipeline-transformer.rb):
- Uses
digto safely navigate nested JSON and extract the script string. - Matches only the intended
docker buildfor this repository to avoid false positives. - Substitutions convert Jenkins-specific/ hard-coded values to GitHub Actions expressions: use
vars.DOCKERHUB_USERNAME,vars.IMAGE_NAME, andgithub.sha. - The transformer returns a hash that becomes a GitHub Actions step with
name,run, andshell.
docker build command converted and variables substituted (no hard-coded credentials or commit tags remain).
Best-practice mapping (quick reference)
| Jenkins construct | GitHub Actions equivalent | Notes / Example |
|---|---|---|
sh 'docker build -t owner/repo:$GIT_COMMIT .' | run: docker build -t ${{ vars.DOCKERHUB_USERNAME }}/${{ vars.IMAGE_NAME }}:${{ github.sha }} . | Replace owner, repo, and Jenkins variables with vars / github.sha. |
withDockerRegistry(credentialsId: 'docker-hub-credentials') | uses: docker/login-action@v2 or `run: echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login ...` | Requires mapping Jenkins credentials to GitHub Secrets. |
publishHTML([...]) | Upload artifact or use a GH Action that publishes HTML reports | Use actions/upload-artifact or a static-site publish workflow. |
Define the repository or organization variables used by the transformer (for example,
vars.DOCKERHUB_USERNAME and vars.IMAGE_NAME) in your GitHub repository or organization settings so the workflow can access them at runtime. For more, see Using variables in GitHub Actions.Do not store credentials directly in workflows. Map Jenkins
credentialsId to GitHub Secrets (e.g. secrets.DOCKERHUB_USERNAME and secrets.DOCKERHUB_TOKEN) or use docker/login-action with secure inputs. You will need a separate transformer for withDockerRegistry to perform this mapping correctly.- Transform
withDockerRegistryblocks:- Create a transformer that recognizes
withDockerRegistryand emits a GitHub Actions step to authenticate to the container registry (for example,docker/login-action), mapping Jenkins credentials tosecrets.*.
- Create a transformer that recognizes
- Ensure Trivy/report publishing:
- If Trivy steps are in
sh, they can be transformed similarly. Add steps to upload artifacts or publish HTML reports (e.g.,actions/upload-artifact).
- If Trivy steps are in
- Validate end-to-end:
- Run the importer in dry-run first, then with real output, and test the generated workflow in a branch.
- Jenkinsfile syntax: https://www.jenkins.io/doc/book/pipeline/jenkinsfile/
- GitHub Actions expressions and variables: https://docs.github.com/en/actions/learn-github-actions/expressions
- docker/login-action: https://github.com/docker/login-action
- Trivy: https://aquasecurity.github.io/trivy/latest/
docker build in sh into a proper GitHub Actions run step and replaced hard-coded values with workflow variables. Next step: implement a transformer to convert withDockerRegistry into secure GitHub Actions authentication and finalize the push flow.