Skip to content

Publish Docker Image #11

Publish Docker Image

Publish Docker Image #11

name: Publish Docker Image
on:
workflow_call:
inputs:
environment:
type: string
required: false
description: 'The environment to publish the Docker image to.'
tags:
type: string
required: true
description: 'The tags to apply to the Docker image.'
images:
type: string
required: true
description: 'The images to publish'
trigger_internal_ci:
description: 'Trigger the internal CI'
required: false
type: boolean
default: false
workflow_dispatch:
inputs:
trigger_internal_ci:
description: 'Trigger the internal CI'
required: true
type: boolean
default: false
jobs:
build-and-push-image:
name: Build and Push Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
environment: ${{ inputs.environment }}
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Set up QEMU
if: ${{ github.event_name != 'pull_request' }}
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
if: ${{ github.event_name != 'pull_request' }}
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
# Only log in to Docker Hub if the event is a release
if: ${{ inputs.environment == 'docker-publish' && github.event_name != 'pull_request' }}
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Log in to the Container registry
uses: docker/login-action@v3
if: ${{ github.event_name != 'pull_request' }}
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
# default to ghcr.io for workflow_dispatch
images: ${{ inputs.images || format('ghcr.io/{0}', github.repository) }}
# use the branch + sha if workflow_dispatch
tags: ${{ inputs.tags || format('type=raw,value={0}-{1}', github.ref_name, github.sha) }}
- name: Push to Registry(s)
uses: docker/build-push-action@v6
with:
context: .
platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
push: ${{ github.event_name != 'pull_request' }}
load: ${{ github.event_name == 'pull_request' }}
provenance: false
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Scan for vulnerabilities
uses: crazy-max/ghaction-container-scan@v3
if: ${{ github.event_name == 'pull_request' || github.ref_name == 'master' }}
with:
image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
annotations: true
severity: LOW
dockerfile: ./Dockerfile
env:
# See https://github.com/aquasecurity/trivy/discussions/7538
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
- name: Internal CI
uses: peter-evans/repository-dispatch@v3
if: ${{ inputs.trigger_internal_ci }}
continue-on-error: true
with:
token: ${{ secrets.INTERNAL_CI_TOKEN }}
repository: vechain/thor-internal-ci
event-type: internal-thor-ci
client-payload: '{"thor_image": "${{ fromJSON(steps.build-and-push-image.outputs.meta.json).tags[0] }}"}'