Skip to content

Build and push image📦 #38

Build and push image📦

Build and push image📦 #38

Workflow file for this run

name: Build and push image📦
on:
workflow_dispatch:
# schedule:
# - cron: "00 12 1 * *"
# push:
# branches: ["main"]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
if: github.actor == 'ammnt'
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
security-events: write
attestations: write
steps:
- name: Checkout repository🧱
uses: actions/[email protected]
- name: Install cosign🔒
uses: sigstore/[email protected]
- name: Setup Docker buildx🛠️
uses: docker/[email protected]
- name: Log into GHCR🔑
uses: docker/[email protected]
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log into Docker Hub🔑
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract Docker metadata🔬
id: meta
uses: docker/[email protected]
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build the Docker image⛓️
id: build
uses: docker/[email protected]
with:
provenance: false
context: .
platforms: linux/amd64
load: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Analyze image with Docker Scout💊
uses: docker/[email protected]
with:
command: cves,sbom
image: ghcr.io/ammnt/freenginx:main
sarif-file: sarif.output.json
summary: false
- name: Upload Docker Scout report📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json
- name: Analyze image with Trivy💊
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/ammnt/freenginx:main
scan-type: image
format: "github"
output: "dependency-results.sbom.json"
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
github-pat: ${{ secrets.GH_TOKEN }}
- name: Upload Trivy report📊
uses: actions/[email protected]
with:
name: trivy-sbom-report
path: "${{ github.workspace }}/dependency-results.sbom.json"
retention-days: 20
- name: Analyze image with Grype💊
id: anchore
uses: anchore/[email protected]
with:
image: ghcr.io/ammnt/freenginx:main
fail-build: false
severity-cutoff: critical
- name: Upload Grype report📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.anchore.outputs.sarif }}
- name: Analyze image with Syft💊
uses: anchore/[email protected]
with:
syft-version: v1.11.1
image: ghcr.io/ammnt/freenginx:main
artifact-name: image.spdx.json
dependency-snapshot: false
- name: Analyze image with Snyk💊
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/ammnt/freenginx:main
args: --file=Dockerfile
- name: Upload Snyk report📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Analyze image with Clair💊
run: |
docker run -d --name db arminc/clair-db
sleep 15
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
sleep 1
DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
./clair-scanner --ip="$DOCKER_GATEWAY" ghcr.io/ammnt/freenginx:main || exit 0
- name: Slim the Docker image🚀
uses: kitabisa/[email protected]
env:
DSLIM_HTTP_PROBE: false
with:
target: ghcr.io/ammnt/freenginx:main
tag: ghcr.io/ammnt/freenginx:main
overwrite: true
- name: Explore the Docker image with Dive🔍
timeout-minutes: 2
env:
CI: true
run: |
wget -q https://github.com/wagoodman/dive/releases/download/v0.12.0/dive_0.12.0_linux_amd64.tar.gz
tar xvzf dive_0.12.0_linux_amd64.tar.gz -C /usr/local/bin
dive --ci-config "${{ github.workspace }}/.dive-ci/" ghcr.io/ammnt/freenginx:main
- name: Test the Docker image🧪
run: |
docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/freenginx:main
curl -v http://127.0.0.1:8080 || exit 1
- name: Push the Docker images to registries💾
run: |
docker push ghcr.io/ammnt/freenginx:main
docker tag ghcr.io/ammnt/freenginx:main ammnt/freenginx:main
DIGEST=$(docker images --no-trunc --quiet ghcr.io/ammnt/freenginx:main)
docker push ammnt/freenginx:main
echo "DIGEST=$DIGEST" >> $GITHUB_ENV
- name: Attestation the Docker image📍
uses: actions/[email protected]
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ env.DIGEST }}
push-to-registry: false
- name: Sign the published Docker image🔐
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}
cosign sign docker.io/${{ env.IMAGE_NAME }}@${{ env.DIGEST }}