Runs aquasecurity/trivy-action after the build step and fails the workflow if any CRITICAL or HIGH severity vulnerabilities are found, blocking the push to Docker Hub.
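name: Docker Image CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege for the job's GITHUB_TOKEN: nothing here writes back to the
# repository. Registry and ntfy credentials come from secrets/vars, not the token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    # Supply-chain note: the `uses:` references below are mutable tags; pinning
    # each to a full commit SHA (with the tag kept in a trailing comment) makes
    # the workflow reproducible and resistant to tag re-pointing.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # No later step pushes to the repository, so do not leave the token
          # in .git/config where the build or another step could read it.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build the Docker image
        id: build-image
        run: |
          IMAGE_TAG=my-image-name:${{ github.sha }}
          docker build . --file Dockerfile --tag "$IMAGE_TAG"
          echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"

      # Gate: any CRITICAL/HIGH finding fails the job (exit-code 1) before the
      # registry login and push below. Runs on pull requests as well, so
      # findings surface before merge.
      - name: Scan image for vulnerabilities
        uses: aquasecurity/trivy-action@0.30.0
        with:
          image-ref: ${{ env.IMAGE_TAG }}
          format: table
          exit-code: '1'
          severity: CRITICAL,HIGH

      # Registry credentials are only needed for the push, so log in only after
      # the build and scan have succeeded rather than before the build.
      - name: Log in to DockerHub
        if: github.event_name == 'push'
        uses: docker/login-action@v4
        with:
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Pushes only the mutable `latest` tag; consumers wanting an immutable
      # reference would need the sha-based tag pushed as well.
      - name: Push the Docker image
        if: github.event_name == 'push'
        run: |
          docker tag "$IMAGE_TAG" snachodog/kiosk-guestbook:latest
          docker push snachodog/kiosk-guestbook:latest

      - name: Notify via ntfy
        if: github.event_name == 'push'
        env:
          NTFY_URL: ${{ secrets.NTFY_URL }}
          NTFY_TOKEN: ${{ secrets.NTFY_TOKEN }}
          # Event data goes through the environment: expanding
          # github.event.head_commit.message directly inside `run:` splices the
          # commit message into the shell script text before it executes.
          COMMIT_SHA: ${{ github.sha }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          curl -s -o /dev/null \
            -H "Title: kiosk-guestbook image pushed to Docker Hub" \
            -H "Tags: white_check_mark" \
            -H "Authorization: Bearer $NTFY_TOKEN" \
            -d "The kiosk-guestbook container has been pushed to Docker Hub and is ready to pull. Commit: $COMMIT_SHA — $COMMIT_MESSAGE" \
            "$NTFY_URL"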