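# Builds the repository's container image with Buildx/bake, pushes it to GHCR
# under a timestamp tag, then scans the pushed tag with Trivy and fails the run
# on CRITICAL/HIGH findings that have a fix available.
name: Docker

on:
  push:
    branches:
      - main
    # Skip pushes that only touch .github/, except changes to this workflow.
    paths-ignore:
      - '.github/**'
      - '!.github/workflows/docker.yml'
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  docker-action:
    name: Docker Action container
    runs-on: ubuntu-latest
    # NOTE(review): no step in this job uses OIDC (id-token), opens issues or
    # comments on pull requests, and semantic-release runs with dry_run: true;
    # confirm each write scope is actually required before keeping it.
    permissions:
      contents: write
      packages: write
      issues: write
      pull-requests: write
      id-token: write
    steps:
      # NOTE(review): checkout, setup-buildx, setup-qemu and login-action are
      # pinned to mutable major tags while every other action below is pinned
      # to a commit SHA; pin these to SHAs as well for a consistent supply-chain
      # posture.
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Get Date Tag
        # TIMESTAMP_TAG is reused by the metadata, bake and Trivy steps.
        # $GITHUB_ENV is quoted so the redirect target is never word-split.
        run: echo "TIMESTAMP_TAG=$(date '+%Y%m%d%H%M')" >> "$GITHUB_ENV"

      - name: Semantic Release
        id: semantic_release
        uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # v4.1.1
        with:
          # Dry run only: computes the next version without publishing.
          dry_run: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker metadata
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        id: metadata
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # The only tag produced is the timestamp computed above.
          tags: |
            type=raw,value=${{ env.TIMESTAMP_TAG }}

      - name: Build for development
        uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0
        env:
          REGISTRY: ${{ env.REGISTRY }}
          IMAGE_NAME: ${{ env.IMAGE_NAME }}
          TIMESTAMP_TAG: ${{ env.TIMESTAMP_TAG }}
        with:
          # The bake definition plus the tag/label file emitted by metadata-action.
          files: |
            ./docker-bake.hcl
            ${{ steps.metadata.outputs.bake-file }}
          push: true
          load: false
          no-cache: true
          targets: build
          provenance: false

      - name: Run Trivy to check Docker images for vulnerabilities
        # NOTE(review): this scan runs after the image has already been pushed
        # with the timestamp tag, so a failing scan marks the run red but does
        # not keep the vulnerable tag out of the registry.
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        env:
          # Pull the vulnerability databases from the ECR mirror instead of GHCR.
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
        with:
          image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TIMESTAMP_TAG }}"
          format: 'table'
          # Fail the job when findings matching the filters below are present.
          exit-code: '1'
          # Only report findings that have a fix available.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'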