Update build workflow.

dbca-wa · Jan 11, 2024 · eb76098 · eb76098
1 parent 792c6ef
commit eb76098
Showing 1 changed file with 29 additions and 13 deletions.
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -3,11 +3,11 @@ name: "Build Docker image and run Trivy vulnerability scan"
 on:
   push:
     # Publish `master` as `latest` image.
-    branches: [ master ]
-    # Publish `1.*` tags as releases.
-    tags: [ '1.*' ]
+    branches: [master]
+    # Publish `1.*` and `2.*1 tags as releases.
+    tags: ['1.*', '2.*']
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 env:
   REGISTRY: ghcr.io
@@ -22,45 +22,61 @@ jobs:
       packages: write
       security-events: write
     steps:
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      #----------------------------------------------
+      # Checkout repo
+      #----------------------------------------------
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         id: checkout-repo
         with:
           fetch-depth: 0
+      #----------------------------------------------
+      # Set up Docker BuildX environment
+      #----------------------------------------------
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
+      #----------------------------------------------
+      # Log Docker into the GitHub Container Repository
+      #----------------------------------------------
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      #----------------------------------------------
+      # Extract Docker image metadata from GitHub events
+      #----------------------------------------------
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
             latest=true
+      #----------------------------------------------
+      # Build and push Docker image (not on PR)
+      #----------------------------------------------
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
   scan:
-    name: Trivy scan
+    name: Image vulnerability scan
     runs-on: ubuntu-latest
     needs: [build]
     permissions:
       contents: read
       packages: read
       security-events: write
     steps:
+      #----------------------------------------------
+      # Run vulnerability scan on built image
+      #----------------------------------------------
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
@@ -72,6 +88,6 @@ jobs:
           template: '@/contrib/sarif.tpl'
           output: trivy-results.sarif
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: trivy-results.sarif