Docker Image Build and Release #13

Workflow file for this run

.github/workflows/docker-publish.yml at 9963a5e

	name: Docker Image Build and Release

	on:
	push:
	branches: [master]
	pull_request:
	branches: [master]
	create:
	tags:
	release:
	types: [published, edited]

	concurrency: ci-${{ github.ref }}

	env:
	# Use docker.io for Docker Hub if empty
	REGISTRY: ghcr.io
	# github.repository as <account>/<repo>
	IMAGE_NAME: ${{ github.repository }}
	IMAGE_NAME_GHCR: ghcr.io/${{ github.repository }}
	IMAGE_NAME_DOCKER: securecompliance/openvas

	permissions:
	contents: read
	packages: write

	jobs:
	build_test_trivy:
	name: Build and Test - Trivy
	# ...but only when a `release` is `published` (combined with `on`)
	if: github.event_name == 'release'
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2

	- name: PrepareReg Names
	run: \|
	echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" \| tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
	echo IMAGE_TAG=$(echo ${{ github.ref }} \| tr '[:upper:]' '[:lower:]' \| awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV

	- name: Set tag var
	id: vars
	run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} \| cut -d'/' -f3)-${GITHUB_SHA}


	- name: Build the Docker image
	run: docker build . --file Dockerfile --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}

	- uses: actions/[email protected]
	with:
	path: .trivy
	key: ${{ runner.os }}-trivy-${{ github.run_id }}
	restore-keys: \|
	${{ runner.os }}-trivy-

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	cache-dir: .trivy

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	if: always()
	with:
	image-ref: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
	format: "template"
	template: "@/contrib/sarif.tpl"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"
	cache-dir: .trivy

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v1
	if: always()
	with:
	sarif_file: "trivy-results.sarif"

	- name: Correct Trivy cache permissions
	if: always()
	run: sudo chown -R $USER:$GROUP .trivy

	build_test_anchore:
	name: Build and Test - Anchore
	# ...but only when a `release` is `published` (combined with `on`)
	if: github.event_name == 'release'
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2

	- name: PrepareReg Names
	run: \|
	echo IMAGE_REPOSITORY_GHCR=$(echo "ghcr.io/${{ github.repository }}" \| tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
	echo IMAGE_TAG=$(echo ${{ github.ref }} \| tr '[:upper:]' '[:lower:]' \| awk '{split($0,a,"/"); print a[3]}') >> $GITHUB_ENV

	- name: Set tag var
	id: vars
	run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} \| cut -d'/' -f3)-${GITHUB_SHA}

	- name: Build the Docker image
	run: docker build . --file Dockerfile --tag ${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}

	- uses: anchore/scan-action@v2
	if: always()
	id: scan
	with:
	image: "${{ env.IMAGE_REPOSITORY_GHCR }}:${{ github.sha }}"
	acs-report-enable: true

	- name: upload Anchore scan SARIF report
	if: always()
	uses: github/codeql-action/upload-sarif@v1
	with:
	sarif_file: ${{ steps.scan.outputs.sarif }}

	build_release:
	name: Build and Release
	runs-on: ubuntu-latest

	outputs:
	labels: ${{ steps.meta.outputs.labels }}
	tags: ${{ steps.meta.outputs.tags }}

	steps:
	- name: Checkout repository
	uses: actions/checkout@v2
	with:
	submodules: recursive

	- uses: docker/setup-buildx-action@v1
	id: buildx
	with:
	install: true

	# Login against a Docker registry except on PR
	# https://github.com/docker/login-action
	- name: Login to GitHub Container Registry ${{ env.REGISTRY }}
	uses: docker/login-action@v1
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Login to DockerHub
	if: github.event_name != 'pull_request'
	uses: docker/login-action@v1
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Relase Prepare for latest Tag
	id: releasePreareLatestTag
	shell: bash
	run: \|
	if [[ "$GITHUB_EVENT_NAME" == "create" ]] && [[ "$GITHUB_REF" =~ ^refs/tags/v.* ]]; then
	echo -n "::set-output name=latest::true"
	else
	echo -n "::set-output name=latest::false"
	fi

	- name: Relase Prepare
	id: releasePreare
	run: \|
	echo -n "::set-output name=images::"
	if [ "${GITHUB_EVENT_NAME}" != "pull_request" ]; then
	echo -n "${IMAGE_NAME_DOCKER}"
	echo -n ","
	fi
	echo -n "${IMAGE_NAME_GHCR}"


	# Extract metadata (tags, labels) for Docker
	# https://github.com/docker/metadata-action
	- name: Extract Docker metadata
	id: meta2
	uses: docker/metadata-action@v3
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	images: ${{ steps.releasePreare.outputs.images }}
	flavor: \|
	latest=${{ steps.releasePreareLatestTag.outputs.latest}}
	prefix=
	suffix=
	tags: \|
	type=ref,event=branch
	type=ref,event=pr
	type=semver,pattern={{version}}
	type=semver,pattern={{raw}}
	type=semver,pattern={{major}}.{{minor}}

	# Build and push Docker image with Buildx (don't push on PR)
	# https://github.com/docker/build-push-action
	- name: Build and push Docker image
	uses: docker/build-push-action@v2
	with:
	context: .
	push: true
	tags: ${{ steps.meta2.outputs.tags }}
	labels: ${{ steps.meta2.outputs.labels }}
	build-args: \|
	SETUP=0

	- name: Update changelog
	uses: thomaseizinger/[email protected]
	with:
	version: ${{ github.event.inputs.version }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker Image Build and Release #13

Workflow file

Docker Image Build and Release #13

Jobs

Run details

Workflow file for this run