docker-ckan/.github/workflows/docker-build.yml

name: Build and push ckan-docker image from PR Merge

on:
  pull_request:
    types:
        - closed
    branches:
        - master
        - 'ckan-*.*.*'
        - '!dev/ckan-*.*.*'
        - '!feature/*'
        - '!fix/*'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
  CONTEXT: .
  BRANCH: ${{ github.head_ref }}
  DOCKERFILE_PATH: /ckan
  DOCKERFILE: Dockerfile

jobs:
  docker:
    name: runner/build-docker-push:${{ github.head_ref }}
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true

    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Check out code
        uses: actions/checkout@v4

      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
            org.opencontainers.image.version=${{ env.BRANCH }}            

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ env.TAG }}
          labels: ${{ steps.meta.outputs.labels }}
          context: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
          file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}

      - name: Linting Dockerfile with hadolint in GH Actions
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
          no-fail: true

      - name: Run Trivy container image vulnerability scanner
        uses: aquasecurity/trivy-action@0.18.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
          format: sarif
          output: trivy-results.sarif
  
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: trivy-results.sarif