.github/workflows/binwalk.yml

name: ReFirmLabs/binwalk

on:
  push:
    branches:
      - main  # Change to your default branch if not main
  pull_request:
    branches:
      - main  # Change to your default branch if not main

permissions:
  contents: read
  packages: write  # Required for GitHub Container Registry
  security-events: write

jobs:
  build-and-push:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]

    steps:
      - uses: actions/checkout@v3
      - uses: snyk/actions/setup@master

      - name: Set release version
        id: set_version
        run: echo "RELEASE_VERSION=v3.1.0" >> $GITHUB_ENV

      - name: Clone binwalk:${{ env.RELEASE_VERSION }}
        run: |
          git clone --branch ${{ env.RELEASE_VERSION }} https://github.com/ReFirmLabs/binwalk.git

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: ${{ github.workspace }}/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build and push Docker image to GitHub Container Registry
        run: |
          docker buildx build --push \
            --tag ghcr.io/${{ github.repository_owner }}/binwalk:${{ env.RELEASE_VERSION }} \
            --tag ghcr.io/${{ github.repository_owner }}/binwalk:latest \
            --platform linux/amd64,linux/arm64 ./binwalk

      - name: Logout from GitHub Container Registry
        run: docker logout ghcr.io

      - name: Check ghcr.io/${{ github.repository_owner }}/binwalk:${{ env.RELEASE_VERSION }} image
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ghcr.io/${{ github.repository_owner }}/binwalk:${{ env.RELEASE_VERSION }}
          args: --file=./binwalk/Dockerfile
          json: true
      - uses: garethr/snyk-to-sarif@master
      - uses: actions/upload-artifact@v4
        with:
          name: SARIF
          path: snyk.sarif
      
      - name: Upload SARIF Report to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif