.github/workflows/docker.yaml

# This workflow will build a Java project with Gradle
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle

name: Docker

on:
  push:
    branches:
      - 'master'
  pull_request:
    branches:
      - master

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 17
        uses: actions/setup-java@v2
        with:
          java-version: '17'
          distribution: 'adopt'
      - name: Validate Gradle wrapper
        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b

      - name: Build with Gradle
        uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021
        with:
#          arguments: build -x test
          arguments: build

      - name: Read version from service.properties
        id: observer_properties
        uses: christian-draeger/read-properties@1.0.1
        with:
          path: './src/main/resources/service.properties'
          property: 'version'

      - name: Setup Custom Contexts
        shell: bash
        run: |
          echo "##[set-output name=branch;]$(echo ${GITHUB_REF##*/})"
          echo "##[set-output name=snapshot_tag;]$(echo ${{ github.head_ref }} | sed 's/[][*]\|[[:space:]]//g')"
        id: job_context

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push SNAPSHOT
        id: docker_build_snapshot
        if: steps.job_context.outputs.branch != 'master'
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: observertc/observer:${{ steps.observer_properties.outputs.value }}-SNAPSHOT.${{ steps.job_context.outputs.snapshot_tag }}

      - name: Build and push RELEASE
        id: docker_build_release
        if: steps.job_context.outputs.branch == 'master'
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: observertc/observer:latest,observertc/observer:${{ steps.observer_properties.outputs.value }}
      
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: steps.job_context.outputs.branch == 'master'
        with:
          image-ref: 'observertc/observer:${{ steps.observer_properties.outputs.value }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
#          severity: 'CRITICAL,HIGH'
          severity: 'CRITICAL'