improved README.md #210
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, test, scan and push images | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| tags: | |
| - v*.*.* | |
| pull_request: | |
| branches: | |
| - develop | |
| - main | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| NAMESPACE: austriandatalab | |
| SUB_NAMESPACE: indiegamestream | |
| jobs: | |
| build-push-image: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| # Add your images here (name of the component + directory that contains Dockerfile) | |
| - name: frontend | |
| directory: frontend | |
| - name: api | |
| directory: api | |
| - name: operator | |
| directory: operator | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| name: ${{ matrix.image.name }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check if test stage exists | |
| run: | | |
| if grep -q -i -E '^\s*FROM\s+[^\s]+\s+AS\s+test\s*$' ${{ matrix.image.directory }}/Dockerfile ; then | |
| echo "Test stage exists, continuing with tests." | |
| echo "test_stage_exists=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "Test stage does not exist, skipping tests." | |
| echo "test_stage_exists=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| id: check_test_stage | |
| - name: Build Docker image to test stage | |
| if: steps.check_test_stage.outputs.test_stage_exists == 'true' | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ${{ matrix.image.directory }} | |
| file: ${{ matrix.image.directory }}/Dockerfile | |
| push: false | |
| tags: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.SUB_NAMESPACE }}/${{ matrix.image.name }}-test:${{ github.sha }} | |
| target: test | |
| - name: Run test stage | |
| if: steps.check_test_stage.outputs.test_stage_exists == 'true' | |
| run: | | |
| docker run --rm ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.SUB_NAMESPACE }}/${{ matrix.image.name }}-test:${{ github.sha }} | |
| - name: Login to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.SUB_NAMESPACE }}/${{ matrix.image.name }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=sha,format=long | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ${{ matrix.image.directory }} | |
| file: ${{ matrix.image.directory }}/Dockerfile | |
| push: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: '${{ fromJSON(steps.meta.outputs.json).tags[0] }}' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| limit-severities-for-sarif: true | |
| exit-code: '1' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ${{ matrix.image.directory }} | |
| file: ${{ matrix.image.directory }}/Dockerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| category: ${{ matrix.image.name }} |