Change message when project is busy #1169
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # GHCR: | |
| # GitHub Container Repository | |
| # Images from ghcr are used when deploying prod and dev. | |
| # | |
| # Trivy | |
| # Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for | |
| # security issues, and targets where it can find those issues. | |
| # | |
| # This action publishes a docker image and then runs the trivy security scan on that image. | |
| # Potential security issues will be uploaded to the security tab in the repository. | |
| # | |
| # https://github.com/aquasecurity/trivy | |
| # --------------------------------------- | |
| # Publish Docker Image to GHCR and run Trivy Security Scan | |
| name: Publish to GHCR (+ Trivy scan) | |
| on: | |
| workflow_dispatch: | |
| branches: [dev] | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| - dev | |
| release: | |
| types: [published] | |
| jobs: | |
| push_to_registry: | |
| if: github.repository == 'ScilifelabDataCentre/dds_web' | |
| name: Push image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| concurrency: | |
| group: ${{ github.ref }}-docker-trivy | |
| cancel-in-progress: true | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v3 | |
| - name: Log in to Github Container Repository | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: | | |
| ghcr.io/scilifelabdatacentre/dds-backend | |
| - name: Ensure lowercase name | |
| run: echo IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV | |
| - name: Build for scan | |
| uses: docker/build-push-action@v3 | |
| with: | |
| file: Dockerfiles/backend.Dockerfile | |
| context: . | |
| push: false | |
| tags: ghcr.io/${{ env.IMAGE_REPOSITORY }}:sha-${{ github.sha }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: "ghcr.io/${{ env.IMAGE_REPOSITORY }}:sha-${{ github.sha }}" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| severity: "CRITICAL,HIGH" | |
| - name: Upload Trivy scan results to Github Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: trivy-build | |
| - name: Publish image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| file: Dockerfiles/backend.Dockerfile | |
| context: . | |
| push: true | |
| build-args: version=${{ github.ref_name }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} |