docker-image-build.yaml

name: Docker Image Build

on:
  schedule:
    - cron: '45 0 * * *'
  push:
    branches: [ "develop", "main" ]
  pull_request:
    branches: [ "main" ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:

    runs-on: ubuntu-latest

    permissions:
      actions: write
      contents: read
      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Login against a Docker registry
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      
      # Get commit hash short
      - name: Get Commit Hash
        id: commit
        uses: prompt/actions-commit-hash@v3

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: image-metadata
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=${{ steps.commit.outputs.short }}
      
      # Install QEMU static binaries.
      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@v3

      # Build image for scanning local
      - name: Build Docker container
        id: image-build-security-scan
        uses: docker/build-push-action@v6
        with:
          tags: security-scan
          labels: ${{ steps.image-metadata.outputs.labels }}
          #platforms: linux/amd64,linux/arm64
          push: false
          load: true
          
      # Local scan image for vulnerabilities 
      - name: Scan image for Vulnerabilities
        id: image-security-scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'security-scan'
          exit-code: '1'
          ignore-unfixed: false
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'

      # Upload scan results
      - name: Upload scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
        
      # Build image and push
      - name: Build Docker and push container
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.image-metadata.outputs.tags }}
          labels: ${{ steps.image-metadata.outputs.labels }}
          #platforms: linux/amd64,linux/arm64
          push: true