pr-debian.yml

name: build and scan image (Debian version)

on:
  push:
    branches-ignore:
      - "master"

env:
  IMAGE_NAME: "simaofsilva/noip-renewer"
  PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440
  GECKODRIVER_VERSION: "0.33.0" # renovate: datasource=github-tags depName=mozilla/geckodriver

jobs:
  build_debian:
    runs-on: ubuntu-latest
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.0.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3.0.0

      - name: Checkout
        uses: actions/checkout@v4.1.1

      - name: Build image for tests
        uses: docker/build-push-action@v5.0.0
        with:
          context: .
          platforms: linux/amd64
          load: true
          tags: ${{ env.IMAGE_NAME }}:test-debian
          file: Dockerfile.debian
          build-args: |
            PIP_VERSION=${{ env.PIP_VERSION }}
            GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_NAME }}:test-debian
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "MEDIUM,CRITICAL,HIGH"

      # - name: Upload Trivy scan results to GitHub Security
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     # Path to SARIF file relative to the root of the repository
      #     sarif_file: trivy-debian-image-scan.sarif
      #     # Optional category for the results
      #     # Used to differentiate multiple results for one commit
      #     category: debian-image-scan