Arne Baeumler
ef33c6b82d
Some checks failed
Build, Scan and Publish Docker Image / build-and-push (push) Failing after 1m27s
65 lines
1.9 KiB
YAML
65 lines
1.9 KiB
YAML
---
|
|
name: Build, Scan and Publish Docker Image
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
tags:
|
|
- 'v*'
|
|
|
|
jobs:
|
|
build-and-push:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to Gitea Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: git.br0tkasten.de
|
|
username: ${{ secrets.PACKAGE_USER }}
|
|
password: ${{ secrets.PACKAGE_TOKEN }}
|
|
|
|
- name: Extract metadata (tags, labels) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: git.br0tkasten.de/${{ gitea.repository }}
|
|
flavor: |
|
|
latest=true
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=semver,pattern={{version}}
|
|
type=sha
|
|
|
|
# Step 1: Build the image locally (do not push yet)
|
|
- name: Build Docker image locally
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
load: true # This loads the image into the local docker daemon for Trivy to find
|
|
tags: local_scan_target:${{ github.sha }}
|
|
|
|
# Step 2: Scan the local image with Trivy
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: 'local_scan_target:${{ github.sha }}'
|
|
format: 'table'
|
|
exit-code: '1' # This will fail the pipeline if vulnerabilities are found
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
severity: 'CRITICAL,HIGH'
|
|
env:
|
|
- TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }}
|
|
- TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
|
|
|
|
# Step 3: If scan passes, Build and Push to Registry
|
|
- name: Build and push Docker image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }} |