name: Build and push ckan-docker image from PR Merge on: pull_request: types: - closed branches: - master - 'ckan-*.*.*' - '!dev/ckan-*.*.*' - '!feature/*' - '!fix/*' env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }} CONTEXT: . BRANCH: ${{ github.head_ref }} DOCKERFILE_PATH: /ckan DOCKERFILE: Dockerfile jobs: docker: name: runner/build-docker-push:${{ github.head_ref }} runs-on: ubuntu-latest if: github.event.pull_request.merged == true steps: - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Check out code uses: actions/checkout@v4 - name: Login to registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} labels: | org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md org.opencontainers.image.version=${{ env.BRANCH }} - name: Build and push uses: docker/build-push-action@v5 with: push: true tags: ${{ env.TAG }} labels: ${{ steps.meta.outputs.labels }} context: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }} file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} - name: Linting Dockerfile with hadolint in GH Actions uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} no-fail: true - name: Run Trivy container image vulnerability scanner uses: aquasecurity/trivy-action@0.12.0 with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} format: sarif output: trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 if: always() with: sarif_file: trivy-results.sarif