Docker Image Build #162

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/docker-image-build.yaml at 98dad3e

	name: Docker Image Build

	on:
	schedule:
	- cron: '45 0 * * *'
	push:
	branches: [ "develop", "main" ]
	pull_request:
	branches: [ "main" ]

	env:
	# Use docker.io for Docker Hub if empty
	REGISTRY: ghcr.io
	# github.repository as <account>/<repo>
	IMAGE_NAME: ${{ github.repository }}

	jobs:
	build:

	runs-on: ubuntu-latest

	permissions:
	contents: read
	packages: write
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	# Login against a Docker registry
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Get commit hash short
	- name: Get Commit Hash
	id: commit
	uses: prompt/actions-commit-hash@v3

	# Extract metadata (tags, labels) for Docker
	# https://github.com/docker/metadata-action
	- name: Extract Docker metadata
	id: image-metadata
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	tags: \|
	type=raw,value=latest,enable={{is_default_branch}}
	type=raw,value=${{ steps.commit.outputs.short }}

	# Install QEMU static binaries.
	- name: Set up QEMU
	id: qemu
	uses: docker/setup-qemu-action@v3

	# Build image for scanning local
	- name: Build Docker container
	id: image-build-security-scan
	uses: docker/build-push-action@v6
	with:
	tags: security-scan
	labels: ${{ steps.image-metadata.outputs.labels }}
	#platforms: linux/amd64,linux/arm64
	push: false
	load: true

	# Local scan image for vulnerabilities
	- name: Scan image for Vulnerabilities
	id: image-security-scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: 'security-scan'
	exit-code: '1'
	ignore-unfixed: false
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	format: 'sarif'
	output: 'trivy-results.sarif'

	# Upload scan results
	- name: Upload scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: 'trivy-results.sarif'

	# Build image and push
	- name: Build Docker and push container
	uses: docker/build-push-action@v6
	with:
	tags: ${{ steps.image-metadata.outputs.tags }}
	labels: ${{ steps.image-metadata.outputs.labels }}
	#platforms: linux/amd64,linux/arm64
	push: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker Image Build #162

Workflow file

Docker Image Build #162

Jobs

Run details

Workflow file for this run