Skip to content

docker build and push #203

docker build and push

docker build and push #203

Workflow file for this run

name: docker build and push
on:
push:
branches:
- main
schedule:
- cron: '15 3 * * *' # every day at 03:15 (just wanted to avoid midnight)
jobs:
push_to_registries:
name: Build Push & Scan image (ghcr.io)
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
steps:
- name: Check out the repo
uses: actions/checkout@v3
- name: Log in to the Container registry
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: |
ghcr.io/${{ github.repository }}
- name: Build and push Docker images for
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: .
file: Dockerfile
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
labels: ${{ steps.meta.outputs.labels }}
- name: wolfi-act grype scan
uses: wolfi-dev/wolfi-act@main
with:
packages: grype
debug: 'true'
command: |
set -x
grype -v -f critical -o table ghcr.io/${{ github.repository }}:${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'