From 9ac25a553e6be5be3823c9b02a4d20c520eed3e1 Mon Sep 17 00:00:00 2001
From: Lucas Bedatty
Date: Wed, 1 Apr 2026 09:48:31 -0300
Subject: [PATCH] feat(security): add docker_build_args input to pr-security-scan workflow
---
 .github/workflows/pr-security-scan.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/pr-security-scan.yml b/.github/workflows/pr-security-scan.yml
index 445503a..3ead072 100644
--- a/.github/workflows/pr-security-scan.yml
+++ b/.github/workflows/pr-security-scan.yml
@@ -67,6 +67,11 @@ on:
 description: 'Enable Docker Hub Health Score compliance checks (non-root user, CVEs, licenses)'
 type: boolean
 default: true
+ docker_build_args:
+ description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.'
+ type: string
+ required: false
+ default: ''
 build_context_from_working_dir:
 description: 'Use the component working_dir as Docker build context instead of repo root. Useful for independent modules (e.g., tools with their own go.mod).'
 type: boolean
@@ -161,6 +166,7 @@ jobs:
 load: true
 push: false
 tags: ${{ env.DOCKERHUB_ORG }}/${{ env.APP_NAME }}:pr-scan-${{ github.sha }}
+ build-args: ${{ inputs.docker_build_args }}
 secrets: |
 ${{ secrets.MANAGE_TOKEN && format('github_token={0}', secrets.MANAGE_TOKEN) || '' }}
 ${{ secrets.NPMRC_TOKEN && format('npmrc=//npm.pkg.github.com/:_authToken={0}', secrets.NPMRC_TOKEN) || '' }}
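Review bot: The `docker_build_args` description in the first hunk does not warn callers that build arguments are not confidential: values passed as build args are recorded in the image metadata (visible through `docker history`) and may also appear in the build log. The second hunk forwards the input unchanged to `build-args:` directly above the existing `secrets:` mount, so the description should steer credentials there, for example by appending `Not for credentials: build args are stored in image history; tokens belong in the build secrets.` The `\n` in the example is also easy to get wrong, since it only becomes a real newline when the caller writes it in a double-quoted YAML scalar; an example using a `|` block scalar with one `KEY=value` per line would be safer to copy. Both hunks show only part of the `on:` and `jobs:` mappings, so whether other build steps need the same input cannot be checked from here.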