d48e06f438
- run trivy from makefile so that it can be run both locally and through github actions - usage: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=regist.ry/user/image:tag - tested by downgrading the base image to alpine 3.15.7 and verifying that vulnerabilities are reported (https://github.com/nodiscc/Shaarli/actions/runs/4860040980/jobs/8663400103) - TEMP/TESTING only push image to ghcr.io, run trivy on trivy branch/docker tag as well as master - ref. https://github.com/shaarli/Shaarli/issues/1531
45 lines
1.4 KiB
YAML
45 lines
1.4 KiB
YAML
name: Build/push Docker image (master/latest)
|
|
on:
|
|
push:
|
|
branches: [ master, trivy ]
|
|
jobs:
|
|
docker-build:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v2
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
|
|
# - name: Login to DockerHub
|
|
# uses: docker/login-action@v2
|
|
# with:
|
|
# username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
# password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@v2
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Set shaarli version to the latest commit hash
|
|
run: sed -i "s/dev/$(git rev-parse --short HEAD)/" shaarli_version.php
|
|
|
|
- name: Build and push
|
|
id: docker_build
|
|
uses: docker/build-push-action@v4
|
|
with:
|
|
context: .
|
|
push: true
|
|
# tags: |
|
|
# ${{ secrets.DOCKER_IMAGE }}:trivy
|
|
# ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
|
|
tags: ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
|
|
- name: Image digest
|
|
run: echo ${{ steps.docker_build.outputs.digest }}
|
|
- name: Run trivy image scanner
|
|
run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
|