Skip to content
Build and push image📦

updated: README.md and dependencies - release 1.27.0 #18

Sign in to view logs

updated: README.md and dependencies - release 1.27.0

updated: README.md and dependencies - release 1.27.0 #18

Workflow file for this run

.github/workflows/build.yml at fc795d4
name: Build and push image📦
on:
workflow_dispatch:
# schedule:
# - cron: "00 17 * * SAT"
push:
branches: ["main"]
# pull_request:
# branches: ["main"]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
if: github.actor == 'ammnt'
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
security-events: write
steps:
- name: Checkout repository🧱
uses: actions/[email protected]
- name: Install cosign🔒
uses: sigstore/[email protected]
- name: Setup Docker buildx🛠️
uses: docker/[email protected]
- name: Log into ${{ env.REGISTRY }}🔑
uses: docker/[email protected]
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log into Docker Hub🔑
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract Docker metadata🔬
id: meta
uses: docker/[email protected]
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build the Docker image⛓️
id: build
uses: docker/[email protected]
with:
provenance: false
context: .
platforms: linux/amd64
load: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Slim the Docker image🚀
uses: kitabisa/[email protected]
env:
DSLIM_HTTP_PROBE: false
with:
target: ghcr.io/ammnt/freenginx:main
tag: ghcr.io/ammnt/freenginx:main
overwrite: true
- name: Test the Docker image🧪
run: |
docker run -d --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/freenginx:main
curl -v http://127.0.0.1:8080 || exit 1
- name: Analyze for critical and high CVEs💊
uses: docker/[email protected]
with:
command: cves,sbom
image: ghcr.io/ammnt/freenginx:main
sarif-file: sarif.output.json
summary: true
- name: Upload SARIF result📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json
- name: Run Trivy vulnerability scanner💊
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/ammnt/freenginx:main
scan-type: image
format: "github"
output: "dependency-results.sbom.json"
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
- name: Upload Trivy report as a Github artifact📊
uses: actions/[email protected]
with:
name: trivy-sbom-report
path: "${{ github.workspace }}/dependency-results.sbom.json"
retention-days: 20
- name: Scan the image and upload dependency results🔍
uses: anchore/[email protected]
with:
syft-version: v1.3.0
image: ghcr.io/ammnt/angie:main
artifact-name: image.spdx.json
dependency-snapshot: false
- name: Run Snyk to check Docker image for vulnerabilities🔍
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ghcr.io/ammnt/angie:main
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning📊
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Push the Docker images to registries💾
run: |
docker push ghcr.io/ammnt/freenginx:main
docker tag ghcr.io/ammnt/freenginx:main ammnt/freenginx:main
docker push ammnt/freenginx:main
- name: Sign the published Docker image🔐
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
cosign sign docker.io/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}