Skip to content

Testing workflow

Testing workflow #5

Workflow file for this run

name: Build and push image to registry
on:
pull_request:
types:
- opened
- reopened
- synchronize
push:
tags:
- '*'
permissions:
contents: read
jobs:
hadolint:
uses: ./.github/workflows/docker-lint.yml
tests:
uses: ./.github/workflows/docker-tests.yml
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
pull-requests: write
name: Build and push
runs-on: ubuntu-22.04
needs:
- hadolint
- tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
registry: ${{ vars.REGISTRY_URI }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_TOKEN }}
- uses: rlespinasse/[email protected]
- name: Calculate tag
id: tag
run: |
if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
TAG="pr-${{ github.event.number }}"
else
TAG=${{ github.ref_name }}
fi
echo "IMAGE=${{ vars.REGISTRY_URI }}/${{ vars.REGISTRY_ORGANIZATION }}/bbb-webhooks:$TAG" >> $GITHUB_OUTPUT
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ steps.tag.outputs.IMAGE }}
- name: Build and push image
uses: docker/build-push-action@v5
with:
push: true
tags: ${{ steps.tag.outputs.IMAGE }}
context: .
platforms: linux/amd64
cache-from: type=registry,ref=${{ steps.tag.outputs.IMAGE }}
cache-to: type=registry,ref=${{ steps.tag.outputs.IMAGE }},image-manifest=true,oci-mediatypes=true,mode=max
labels: |
${{ steps.meta.outputs.labels }}
- name: Add comment to pr
if: ${{ github.event_name == 'pull_request' }}
uses: actions/github-script@v7
with:
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: "Updated Docker image pushed to `${{ steps.tag.outputs.IMAGE }}`"
})
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.tag.outputs.IMAGE }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
env:
TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
TRIVY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'