diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..c96c5ff --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,92 @@ +name: Docker Image CI + +on: + workflow_dispatch: + push: + branches: + - '*' + tags: + - '[0-9]+.[0-9]+.[0-9]+' + pull_request: + branches: + - '*' + + +jobs: + + lint: + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@master + - name: lint + uses: luke142367/Docker-Lint-Action@v1.0.0 + with: + target: Dockerfile + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + build: + + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + piccio/shell-tools + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Build and push + id: docker_build + uses: docker/build-push-action@v5 + with: + context: ./ + file: ./Dockerfile + push: true + tags: piccio/cn-exercise:${{ github.ref_name }} + if: github.event_name != 'pull_request' + + security: + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + piccio/cn-exercise + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: piccio/cn-exercise:${{ github.ref_name }} + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + scan-ref: . + if: github.event_name != 'pull_request' + +