Docker CI #55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # This workflow will build a Docker image | |
| name: Docker CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - "**.md" | |
| schedule: | |
| - cron: 0 6 * * 3 | |
| pull_request: | |
| branches: [main] | |
| paths-ignore: | |
| - "**.md" | |
| env: | |
| REPO: ${{ github.event.repository.name }} | |
| OWNER: ${{ github.event.repository.owner.login }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| HEAD_OWNER: ${{ github.event.pull_request.head.repo.owner.login }} | |
| jobs: | |
| build-template: | |
| name: Build Docker | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
| - uses: actions/checkout@v3 | |
| # Runs a single command using the runners shell | |
| - name: Install Node.Js | |
| uses: actions/setup-node@v3.6.0 | |
| with: | |
| node-version: 18 | |
| - name: Install npm package | |
| run: npm install -g markdown-toc@latest secretlint@latest | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| logout: true | |
| - name: Login to Github Packages | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| #password: ${{ secrets.GHCR_PAT }} # ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push debug | |
| run: echo "docker push ${{ env.OWNER }}/pgclient:latest,${{ github.repository }}:${{ github.sha }}" | |
| - name: Build and push | |
| id: docker_build | |
| uses: docker/build-push-action@v3 | |
| with: | |
| #context: . | |
| #tags: ${{ github.event.repository.name }}/pgclient:latest,${{ env.OWNER }}/pgclient:latest | |
| tags: | | |
| ${{ env.OWNER }}/pgclient:latest | |
| ghcr.io/${{ env.OWNER }}/pgclient:latest | |
| build-args: | | |
| PG_MAJOR=14 | |
| BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') | |
| GIT_SHA=${GITHUB_SHA::8} | |
| # build on feature branches, push only on main branch | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| - name: Image digest | |
| run: echo ${{ steps.docker_build.outputs.digest }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.OWNER }}/pgclient:latest | |
| format: "template" | |
| template: "@/contrib/sarif.tpl" | |
| output: "trivy-results.sarif" | |
| # format: 'table' | |
| # exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Print the GitHub context | |
| env: | |
| GITHUB_CONTEXT: ${{ toJson(github) }} | |
| run: echo "$GITHUB_CONTEXT" |