cd.yml

name: CD

on:
  push:
    branches: [master]
  schedule:
    - cron: '30 3 * * *'
  workflow_dispatch:
    inputs:
      force_rebuild:
        description: 'Force container rebuild'
        required: true
        type: choice
        options: [yes, no]

permissions:
  packages: write
  contents: read

jobs:
  CentOS:
    name: CentOS
    runs-on: ubuntu-latest
    timeout-minutes: 10

    strategy:
      matrix:
        version: [ '7' ]

    steps:
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Check for rebuild
        id: update_check
        continue-on-error: true
        run : |
          # [update-check]

          echo -e "::group::\033[34mChecking for packages updates…\033[0m"

          if [[ "${{ github.event.inputs.force_rebuild }}" == "true" ]] ; then
            echo "::warning::Rebuild ${{matrix.version}} (reason: forced rebuild)"
            echo "build=true" >> $GITHUB_OUTPUT
            exit 0
          else
            if ! docker pull ${{github.repository}}:${{matrix.version}} ; then
              echo "::warning::Rebuild ${{matrix.version}} (reason: new image)"
              echo "build=true" >> $GITHUB_OUTPUT
              exit 0
            fi

            if ! docker run --rm ${{github.repository}}:${{ matrix.version }} yum check-update ; then
              echo "::warning::Rebuild ${{matrix.version}} (reason: packages update)"
              echo "build=true" >> $GITHUB_OUTPUT
              exit 0
            fi
          fi

          echo "::endgroup::"

          echo -e "::group::\033[34mChecking for rebuilt base image…\033[0m"

          docker pull centos:${{matrix.version}}

          orig_dig=$(docker inspect "centos:${{matrix.version}}" | jq -r '.[0].RootFS.Layers[0]')
          our_dig=$(docker inspect "${{github.repository}}:${{matrix.version}}" | jq -r '.[0].RootFS.Layers[0]')

          echo ""
          echo "Original: ${orig_dig}"
          echo "Our:      ${our_dig}"

          if [[ "$orig_dig" != "$our_dig" ]] ; then
            echo "::warning::Rebuild ${{matrix.version}} (reason: rebuilt base image)"
            echo "build=true" >> $GITHUB_OUTPUT
            exit 0
          fi

          echo "::endgroup::"

      - name: Checkout
        if: ${{ steps.update_check.outputs.build == 'true' }}
        uses: actions/checkout@v3

      - name: Set build context
        if: ${{ steps.update_check.outputs.build == 'true' }}
        id: build_context
        run: |
          echo "dockerfile=centos${{matrix.version}}.docker" >> $GITHUB_OUTPUT

      - name: Rebuild and push image
        if: ${{ steps.update_check.outputs.build == 'true' }}
        uses: docker/build-push-action@v3
        with:
          context: .
          file: ${{ steps.build_context.outputs.dockerfile }}
          push: true
          tags: |
            ghcr.io/${{github.repository}}:${{matrix.version}}
            ${{github.repository}}:${{matrix.version}}

      - name: Show info about images
        uses: essentialkaos/docker-info-action@v1
        with:
          image: ${{github.repository}}:${{matrix.version}}

      - name: Scan final image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/${{github.repository}}:${{matrix.version}}'
          format: 'table'
          ignore-unfixed: true
          severity: 'LOW,MEDIUM,HIGH,CRITICAL'
          scanners: 'vuln'