build-no-cache.yml

name: Rebuild master docker image
on:
  workflow_dispatch:

  schedule:
    - cron: '0 12 * * 0'

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: fetch-secrets
        with:
          inlineScript: |
            SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$SECRET_VALUE"
            echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT
            SECRET_VALUE=$(az keyvault secret show --name "SNYK-TOKEN" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv)
            echo "::add-mask::$SECRET_VALUE"
            echo "SNYK-TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@master

      - name: Get Short SHA
        id: vars
        run: echo "sha_short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT

      - name: Login to GitHub Container Repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build docker image
        uses: docker/build-push-action@v6
        with:
          tags: ${{ env.DOCKER_REPOSITORY }}:master
          load: true
          push: false
          build-args: GIT_COMMIT_SHA=${{ steps.vars.outputs.sha_short }}

      - name: Run Snyk to check Docker image for vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ steps.fetch-secrets.outputs.SNYK-TOKEN }}
        with:
          image: ${{ env.DOCKER_REPOSITORY }}:master
          args: --severity-threshold=high --file=Dockerfile

      - name: Push image to registry
        if: success()
        run: docker image push --all-tags ${{ env.DOCKER_REPOSITORY }}

      - name: Slack Notification
        if: failure() && github.ref == 'refs/heads/master'
        uses: rtCamp/action-slack-notify@master
        env:
           SLACK_COLOR: ${{ env.SLACK_ERROR }}
           SLACK_MESSAGE: 'There has been a failure building the application'
           SLACK_TITLE: 'Failure Building Application'
           SLACK_WEBHOOK: ${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }}