MyShaarli/.github/workflows/docker-latest.yml
nodiscc 3b5923b7e1
tools/CI: scan repository with trivy security scanner (yarn.lock, composer.lock)
- run scan on each push/pull request update
- can be run locally using make test_trivy_repo
- exit with error code 0/success when vulnerabilities are found,  as not to make the workflow fail, a separate periodic run that exits with code 1 should be added in parallel
- update trivy to v0.43.0
- https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
- also consider TRIVY_EXIT_CODE when running trivy on the latest docker image
- ref. https://github.com/shaarli/Shaarli/issues/1531
2023-06-30 23:56:09 +02:00

45 lines
1.4 KiB
YAML

name: Build/push Docker image (master/latest)
on:
push:
branches: [ master ]
jobs:
docker-build:
runs-on: ubuntu-latest
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
uses: actions/checkout@v3
- name: Set shaarli version to the latest commit hash
run: sed -i "s/dev/$(git rev-parse --short HEAD)/" shaarli_version.php
- name: Build and push
id: docker_build
uses: docker/build-push-action@v4
with:
context: .
push: true
platforms: linux/amd64,linux/arm64,linux/arm/v7
tags: |
${{ secrets.DOCKER_IMAGE }}:latest
ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
- name: Run trivy scanner on latest docker image
run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest