Skip to content

test: reversion

test: reversion #55

name: "Build Docker image and run Trivy vulnerability scan"
on:
push:
tags:
- "3.*" # Trigger the action on any tag push for version 3 on
# branches: [main] # Causes the action to run on push
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
name: Build Docker image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
steps:
#----------------------------------------------
# Checkout repo
#----------------------------------------------
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
#----------------------------------------------
# Set up Docker BuildX environment
#----------------------------------------------
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
#----------------------------------------------
# Log Docker into the GitHub Container Repository
#----------------------------------------------
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GH_PAT }} # GitHub Personal Access Token
#----------------------------------------------
# Extract Docker image metadata from GitHub events
#----------------------------------------------
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: ${{ github.ref_name }} # Use the tag name
flavor: |
latest=true
#----------------------------------------------
# Build and push Docker image
#----------------------------------------------
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
scan:
name: Image vulnerability scan
runs-on: ubuntu-latest
needs: [build]
permissions:
actions: read
contents: read
packages: read
security-events: write
steps:
#----------------------------------------------
# Run vulnerability scan on built image
#----------------------------------------------
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: "image"
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
vuln-type: "os,library"
severity: "HIGH,CRITICAL"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
# cleanup:
# name: Cleanup old tags (keep latest 16)
# runs-on: ubuntu-latest
# needs: [build]
# steps:
# - name: Checkout repository
# uses: actions/checkout@v4
# with:
# fetch-depth: 0
# - name: Run tag cleanup script
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# run: |
# echo "Fetching list of tags..."
# tags=$(curl -H "Authorization: token $GITHUB_TOKEN" -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/tags | jq -r '.[] | .name + " " + (.commit.committer.date)')
# # Prepare a list to hold all tags
# tag_list=()
# while IFS= read -r line; do
# tag_list+=("$line")
# done <<< "$tags"
# # Sort tags by push date (latest first)
# IFS=$'\n' sorted_tags=($(sort -r -t ' ' -k 2 <<< "${tag_list[*]}"))
# # Keep the latest 16 tags
# keep_tags=("${sorted_tags[@]:0:16}")
# keep_tags_names=()
# for tag in "${keep_tags[@]}"; do
# tag_name=$(echo "$tag" | cut -d ' ' -f 1)
# keep_tags_names+=("$tag_name")
# done
# echo "Keeping latest 16 tags: ${keep_tags_names[*]}"
# # Loop through each tag and delete if not in keep list
# for line in "${sorted_tags[@]}"; do
# tag_name=$(echo "$line" | cut -d ' ' -f 1)
# if ! [[ " ${keep_tags_names[*]} " =~ " $tag_name " ]]; then
# echo "Deleting tag $tag_name..."
# curl -X DELETE -H "Authorization: token $GITHUB_TOKEN" \
# https://api.github.com/repos/${{ github.repository }}/git/refs/tags/$tag_name
# else
# echo "Keeping tag $tag_name"
# fi
# done