.github/workflows/delivery.yml

name: Delivery

on: 
  pull_request:
    types: [synchronize, opened, reopened]
  push:
    branches: [ master ]
  release:
    # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
    types: [ published ]

permissions:
  contents: write
  packages: write

jobs:
  publish-docker-image:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{major}}.{{minor}}.{{patch}}
            type=raw,value=edge

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}      
      
      - name: Build container and export to local Docker
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: local/yivitube:scan
      
      - name: Scan Image
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: local/yivitube:scan
          fail-build: true
          output-format: sarif
  
      - name: Upload Anchore Scan SARIF Report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
      
      - name: Push image to GitHub Container Registry
        uses: docker/build-push-action@v5
        with:
          push: github.event_name != 'pull_request'
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}