.github/workflows/build.yml

name: Build and push image📦

on:
  workflow_dispatch:
  # schedule:
  # - cron: "00 12 1 * *"
  push:
    branches: ["main"]
  pull_request:
    branches-ignore: ["main"]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    if: github.actor == 'ammnt'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write
      security-events: write
      attestations: write

    steps:
      - name: Checkout repository🧱
        uses: actions/checkout@v4.1.6

      - name: Install cosign🔒
        uses: sigstore/cosign-installer@v3.5.0

      - name: Setup Docker buildx🛠️
        uses: docker/setup-buildx-action@v3.3.0

      - name: Log into GHCR🔑
        uses: docker/login-action@v3.2.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log into Docker Hub🔑
        uses: docker/login-action@v3.2.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract Docker metadata🔬
        id: meta
        uses: docker/metadata-action@v5.5.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build the Docker image⛓️
        id: build
        uses: docker/build-push-action@v5.3.0
        with:
          provenance: false
          context: .
          platforms: linux/amd64
          load: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Analyze image with Docker Scout💊
        uses: docker/scout-action@v1.9.3
        with:
          command: cves,sbom
          image: ghcr.io/ammnt/nginx:main
          sarif-file: sarif.output.json
          summary: false

      - name: Upload Docker Scout report📊
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif.output.json

      - name: Analyze image with Trivy💊
        uses: aquasecurity/trivy-action@0.22.0
        with:
          image-ref: ghcr.io/ammnt/nginx:main
          scan-type: image
          format: "github"
          output: "dependency-results.sbom.json"
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln"
          github-pat: ${{ secrets.GH_TOKEN }}

      - name: Upload Trivy report📊
        uses: actions/upload-artifact@v4.3.3
        with:
          name: trivy-sbom-report
          path: "${{ github.workspace }}/dependency-results.sbom.json"
          retention-days: 20

      - name: Analyze image with Anchore💊
        id: anchore
        uses: anchore/scan-action@v3.6.4
        with:
          image: ghcr.io/ammnt/nginx:main
          fail-build: false
          severity-cutoff: critical

      - name: Upload Anchore report📊
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.anchore.outputs.sarif }}

      - name: Analyze image with Syft💊
        uses: anchore/sbom-action@v0.16.0
        with:
          syft-version: v1.6.0
          image: ghcr.io/ammnt/nginx:main
          artifact-name: image.spdx.json
          dependency-snapshot: false

      - name: Analyze image with Snyk💊
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ghcr.io/ammnt/nginx:main
          args: --file=Dockerfile

      - name: Upload Snyk report📊
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

      - name: Analyze image with Clair💊
        run: |
          docker run -d --name db arminc/clair-db
          sleep 15
          docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
          sleep 1
          DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
          wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
          ./clair-scanner --ip="$DOCKER_GATEWAY" ghcr.io/ammnt/nginx:main || exit 0

      - name: Slim the Docker image🚀
        uses: kitabisa/docker-slim-action@v1.1.1
        env:
          DSLIM_HTTP_PROBE: false
        with:
          target: ghcr.io/ammnt/nginx:main
          tag: ghcr.io/ammnt/nginx:main
          overwrite: true

      - name: Explore the Docker image with Dive🔍
        timeout-minutes: 2
        env:
          CI: true
        run: |
          wget -q https://github.com/wagoodman/dive/releases/download/v0.12.0/dive_0.12.0_linux_amd64.tar.gz
          tar xvzf dive_0.12.0_linux_amd64.tar.gz -C /usr/local/bin
          dive --ci-config "${{ github.workspace }}/.dive-ci/" ghcr.io/ammnt/nginx:main

      - name: Test the Docker image🧪
        run: |
          docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/nginx:main
          curl -v http://127.0.0.1:8080 || exit 1

      - name: Push the Docker images to registries💾
        run: |
          docker push ghcr.io/ammnt/nginx:main
          docker tag ghcr.io/ammnt/nginx:main ammnt/nginx:main
          DIGEST=$(docker images --no-trunc --quiet ghcr.io/ammnt/nginx:main)
          docker push ammnt/nginx:main
          echo "DIGEST=$DIGEST" >> $GITHUB_ENV

      - name: Attestation the Docker image📍
        uses: actions/attest-build-provenance@v1.2.0
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ env.DIGEST }}
          push-to-registry: false

      - name: Sign the published Docker image🔐
        env:
          COSIGN_EXPERIMENTAL: "true"
        run: |
          cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
          cosign sign docker.io/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}