.github/workflows/pipeline.yml

name: Container release pipeline


on:
  push:
  workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
  pull_request:
    types:
      - opened
  schedule:
    - cron: "0 0 * * 0" # weekly at sunday night


# Avoid running this workflow multiple times at the same branch
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true


env:
  IMAGE_NAME: rouhim/sons-of-the-forest-server
  IMAGE_TAG: latest


jobs:


  check-containerfile:
    name: Check container file
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'


  build-test-push-image:
    needs: check-containerfile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Build container image
        uses: docker/build-push-action@v6
        with:
          tags: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          platforms: linux/amd64
          context: container-data
          file: container-data/Containerfile
          load: true
          push: false

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'

      - name: Test the built image
        run: |
          mkdir -p config/ data/
          chmod 777 config/ data/
          timeout 10m bash .github/workflows/test-image.sh

      - name: Build and push container image
        if: github.ref == 'refs/heads/main'
        uses: docker/build-push-action@v6
        with:
          tags: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          platforms: linux/amd64
          context: container-data
          file: container-data/Containerfile
          load: false
          push: true

      - name: Update docker hub description
        if: github.ref == 'refs/heads/main'
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: ${{ env.IMAGE_NAME }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'