docker-image-release.yaml

name: Release Container Image
on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'

jobs:
  build-and-push:
    name: Build and push image
    runs-on: ubuntu-latest
    env:
      IMG_BASE: ${{ github.repository }}
      TAG: ${{ github.ref_name }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          submodules: 'true'

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Quay.io
        uses: docker/login-action@v2
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}

      - name: Build and push image on Dockerhub
        run: make docker-buildx IMG=${{ env.IMG_BASE }}:${{ env.TAG }} VERSION=${{ env.TAG }}

      - name: Build and push image on Quay
        run: make docker-buildx-openshift IMG=quay.io/${{ env.IMG_BASE }}:${{ env.TAG }} VERSION=${{ env.TAG }}

      - name: Run Snyk image security scan
        uses: snyk/actions/docker@master
        continue-on-error: true
        id: docker-image-scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.IMG_BASE }}:${{ env.TAG }}
          args: --file=Dockerfile --severity-threshold=high --fail-on=all # fail on vulnerabilities with fix available

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

      - name: Check docker image scan status
        if: ${{ steps.docker-image-scan.outcome == 'failure' }}
        run: exit 1