Skip to content

Merge pull request #19 from ba-st/update_3.7.1.1 #156

Merge pull request #19 from ba-st/update_3.7.1.1

Merge pull request #19 from ba-st/update_3.7.1.1 #156

Workflow file for this run

name: Build and Publish Docker Images
on:
workflow_dispatch:
push:
branches:
- '**'
tags:
- 'v*.*.*'
pull_request:
jobs:
build_and_publish:
name: Build and Publish Docker images
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
strategy:
matrix:
version:
- '3.7.1.1'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
# GS64 server image
- name: Gather docker meta data for server image
id: docker_meta_runtime
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/gs64
- name: Docker build and push server image
uses: docker/build-push-action@v6
with:
context: ./source
file: ./source/Dockerfile
build-args: GS_VERSION=${{ matrix.version }}
target: docker-gs64-server
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.docker_meta_runtime.outputs.tags }}
labels: ${{ steps.docker_meta_runtime.outputs.labels }}
secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
# GS64 server image + rowan extent
- name: Gather docker meta data for rowan image
id: docker_meta_runtime_rowan
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/gs64-rowan
- name: Docker build and push rowan image
uses: docker/build-push-action@v6
with:
context: ./source
file: ./source/Dockerfile
build-args: GS_VERSION=${{ matrix.version }}
target: docker-gs64-rowan
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.docker_meta_runtime_rowan.outputs.tags }}
labels: ${{ steps.docker_meta_runtime_rowan.outputs.labels }}
secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
# GS64 server image + base extent0.dbf
- name: Gather docker meta data for base image
id: docker_meta_runtime_base
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/gs64-base
- name: Docker build and push base image
uses: docker/build-push-action@v6
with:
context: ./source
file: ./source/Dockerfile
build-args: GS_VERSION=${{ matrix.version }}
target: docker-gs64-base
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.docker_meta_runtime_base.outputs.tags }}
labels: ${{ steps.docker_meta_runtime_base.outputs.labels }}
secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
# GS64 gem image
- name: Gather docker meta data for gem image
id: docker_meta_runtime_gem
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/gs64-gem
- name: Docker build and push gem image
uses: docker/build-push-action@v6
with:
context: ./source
file: ./source/Dockerfile
build-args: GS_VERSION=${{ matrix.version }}
target: docker-gs64-gem
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.docker_meta_runtime_gem.outputs.tags }}
labels: ${{ steps.docker_meta_runtime_gem.outputs.labels }}
secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
# Scan for vulnerabilities
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
if: ${{ github.event_name != 'pull_request' }}
with:
image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.ref_name }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
ignore-unfixed: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ github.event_name != 'pull_request' }}
with:
sarif_file: 'trivy-results.sarif'