name: Build and release image manually on: workflow_dispatch env: REGISTRY: ghcr.io IMAGE_NAME: ckan-spatial TAG: ghcr.io/ckan-spatial:${{ github.ref_name }} CONTEXT: . BRANCH: ${{ github.ref_name }} DOCKERFILE_PATH: /ckan DOCKERFILE: Dockerfile jobs: docker: name: manual/build-docker-push:${{ github.ref_name }} runs-on: ubuntu-latest steps: - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Check out code uses: actions/checkout@v4 - name: Login to registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract Docker metadata id: meta uses: docker/metadata-action@v4 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} labels: | org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md org.opencontainers.image.version=${{ env.BRANCH }} - name: Build and push uses: docker/build-push-action@v5 with: push: true tags: ${{ env.TAG }} labels: ${{ steps.meta.outputs.labels }} context: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }} file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} - name: Linting Dockerfile with hadolint in GH Actions uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} failure-threshold: ignore - name: Run Trivy container image vulnerability scanner uses: aquasecurity/trivy-action@0.12.0 with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} format: sarif output: trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 if: always() with: sarif_file: trivy-results.sarif