Container release pipeline #77
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Container release pipeline | |
on: | |
push: | |
workflow_dispatch: # Allows you to run this workflow manually from the Actions tab | |
pull_request: | |
types: | |
- opened | |
schedule: | |
- cron: "0 0 * * 0" # weekly at sunday night | |
# Avoid running this workflow multiple times at the same branch | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true | |
env: | |
IMAGE_NAME: rouhim/sons-of-the-forest-server | |
IMAGE_TAG: latest | |
jobs: | |
check-containerfile: | |
name: Check container file | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'config' | |
hide-progress: false | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
build-test-push-image: | |
needs: check-containerfile | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Build container image | |
uses: docker/build-push-action@v5 | |
with: | |
tags: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
platforms: linux/amd64 | |
context: container-data | |
file: container-data/Containerfile | |
load: true | |
push: false | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: image | |
image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
- name: Test the built image | |
run: | | |
mkdir -p config/ data/ | |
chmod 777 config/ data/ | |
timeout 10m bash .github/workflows/test-image.sh | |
- name: Build and push container image | |
if: github.ref == 'refs/heads/main' | |
uses: docker/build-push-action@v5 | |
with: | |
tags: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
platforms: linux/amd64 | |
context: container-data | |
file: container-data/Containerfile | |
load: false | |
push: true | |
- name: Update docker hub description | |
if: github.ref == 'refs/heads/main' | |
uses: peter-evans/dockerhub-description@v4 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
repository: ${{ env.IMAGE_NAME }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: image | |
image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' |