.github/workflows/docker-image-push.yml

name: Build and update app

permissions:
  contents: write
  pull-requests: write

env:
  #docker env
  DOCKER_IMAGE_REPOSITORY: mintproject
  DOCKER_IMAGE_NAME: model-catalog-endpoint-wifire
  DOCKER_FILE: "Dockerfile"
  #security level
  VULNERABILITY_SCAN_LEVEL: "CRITICAL"

on:
  push:
    branches:
      - "*"
    tags:
      - v*
  pull_request:

jobs:
  # This job build the app and the image. Then, push it
  build:
    runs-on: ubuntu-latest
    name: "Build and push the Docker Image"

    steps:
      - uses: actions/checkout@v2
        with:
          lfs: true

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Create value as an environment variable
        run: |
          echo "DOCKER_TAG=${GITHUB_SHA}" >> $GITHUB_ENV

      - name: Expose value
        id: exposeValue
        run: |
          echo "::set-output name=docker_tag::${{ env.DOCKER_TAG }}"

      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v3.0.0
        with:
          push: true
          context: .
          tags: mintproject/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_TAG }}

    outputs:
      docker_tag: ${{ steps.exposeValue.outputs.docker_tag }}

  security:
    permissions:
      contents: read
      security-events: write
      packages: write
    name: "Scan vulnerabilities in the image"
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
        with:
          image-ref: ${{ env.DOCKER_IMAGE_REPOSITORY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.docker_tag }}
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
          severity: ${{ env.VULNERABILITY_SCAN_LEVEL }}
          exit-code: "0"
          ignore-unfixed: "true"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        if: always()
        with:
          sarif_file: "trivy-results.sarif"