Publish Docker Image #11
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker Image | |
on: | |
workflow_call: | |
inputs: | |
environment: | |
type: string | |
required: false | |
description: 'The environment to publish the Docker image to.' | |
tags: | |
type: string | |
required: true | |
description: 'The tags to apply to the Docker image.' | |
images: | |
type: string | |
required: true | |
description: 'The images to publish' | |
trigger_internal_ci: | |
description: 'Trigger the internal CI' | |
required: false | |
type: boolean | |
default: false | |
workflow_dispatch: | |
inputs: | |
trigger_internal_ci: | |
description: 'Trigger the internal CI' | |
required: true | |
type: boolean | |
default: false | |
jobs: | |
build-and-push-image: | |
name: Build and Push Docker Image | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
environment: ${{ inputs.environment }} | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: docker/setup-buildx-action@v3 | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v3 | |
# Only log in to Docker Hub if the event is a release | |
if: ${{ inputs.environment == 'docker-publish' && github.event_name != 'pull_request' }} | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Log in to the Container registry | |
uses: docker/login-action@v3 | |
if: ${{ github.event_name != 'pull_request' }} | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
# default to ghcr.io for workflow_dispatch | |
images: ${{ inputs.images || format('ghcr.io/{0}', github.repository) }} | |
# use the branch + sha if workflow_dispatch | |
tags: ${{ inputs.tags || format('type=raw,value={0}-{1}', github.ref_name, github.sha) }} | |
- name: Push to Registry(s) | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }} | |
push: ${{ github.event_name != 'pull_request' }} | |
load: ${{ github.event_name == 'pull_request' }} | |
provenance: false | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Scan for vulnerabilities | |
uses: crazy-max/ghaction-container-scan@v3 | |
if: ${{ github.event_name == 'pull_request' || github.ref_name == 'master' }} | |
with: | |
image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
annotations: true | |
severity: LOW | |
dockerfile: ./Dockerfile | |
env: | |
# See https://github.com/aquasecurity/trivy/discussions/7538 | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
- name: Internal CI | |
uses: peter-evans/repository-dispatch@v3 | |
if: ${{ inputs.trigger_internal_ci }} | |
continue-on-error: true | |
with: | |
token: ${{ secrets.INTERNAL_CI_TOKEN }} | |
repository: vechain/thor-internal-ci | |
event-type: internal-thor-ci | |
client-payload: '{"thor_image": "${{ fromJSON(steps.build-and-push-image.outputs.meta.json).tags[0] }}"}' |