95 lines (86 loc) · 3.43 KB
/
publish-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
on:
workflow_call:
inputs:
image-name:
required: true
type: string
secrets:
gh-token:
required: true
docker-username:
required: true
docker-password:
required: true
jobs:
build:
name: Build and push Docker image
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
# Extract metadata (tags, labels) for Docker
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
with:
images: ${{ inputs.image-name }}
tags: |
type=ref,event=tag
type=ref,event=pr
# set unstable tag for develop branch
type=raw,value=unstable,enable=${{ github.ref == format('refs/heads/{0}', 'develop') }}
# Build Docker image with Buildx
- name: Build Docker image
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
with:
context: .
push: false
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Scan Docker image (not for release builds since we will have multiple tags)
- name: Scan Docker image
if: github.event_name != 'release'
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'sarif'
output: 'trivy-results.sarif'
# Publish scan report to GitHub
- name: Publish scan report to GitHub
if: ${{ github.event_name != 'release' && always() }}
uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d # v2.2.8
with:
sarif_file: trivy-results.sarif
# Create Software Bill of Materials (SBOM) (not for release builds since we will have multiple tags)
- name: Create Software Bill of Materials (SBOM)
if: github.event_name == 'push'
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
with:
image-ref: ${{ steps.meta.outputs.tags }}
format: 'github'
output: 'dependency-results.sbom.json'
github-pat: ${{ secrets.gh-token }}
# Login to Docker registry if not PR build
- name: Log in to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
with:
username: ${{ secrets.docker-username }}
password: ${{ secrets.docker-password }}
# Publish Docker image for CI builds if not PR build
- name: Push container image
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
if: github.event_name != 'pull_request'
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Update Readme on Docker Hub
- name: Publish README to Docker Hub
if: github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@202973a37c8a723405c0c5f0a71b6d99db470dae # v3.3.0
with:
username: ${{ secrets.docker-username }}
password: ${{ secrets.docker-password }}
repository: ${{ inputs.image-name }}