Update push.yml

hpi-schul-cloud · Jul 12, 2023 · ce7a3f4 · ce7a3f4
1 parent 2040948
commit ce7a3f4
Showing 1 changed file with 71 additions and 11 deletions.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -1,24 +1,58 @@
-name: Push
+---
+name: Build and push Docker Image
 
 on:
   push:
-    branches:
-      - master
+    branches-ignore:
+      - dependabot/**
+  pull_request:
+      types: [labeled]
 
 permissions:
   contents: read
 
 jobs:
-  deploy:
+  build_and_push:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       matrix:
-        node-version: [18.x]
+        tenants: [default, brb, nbc]
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
+
+      - name: Docker meta Service Name
+        id: docker_meta_img
+        uses: docker/metadata-action@v4
         with:
-          node-version: ${{ matrix.node-version }}
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch,enable=false,priority=600
+            type=sha,enable=true,priority=600,prefix=
+      - name: Log into registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: test image exists
+        run: |
+         mkdir -p ~/.docker
+         echo '{"experimental": "enabled"}' >> ~/.docker/config.json
+         echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
+
+      - name: Build and push ${{ github.repository }}
+        if: ${{ env.IMAGE_EXISTS == 0 }}
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+          labels: ${{ steps.docker_meta_img.outputs.labels }}
 
   branch_name:
     runs-on: ubuntu-latest
@@ -30,8 +64,9 @@ jobs:
         run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
         id: extract_branch
 
-  deploy_app:
+  deploy:
     needs:
+      - build_and_push
       - branch_name
     uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main
     with:
@@ -41,9 +76,34 @@ jobs:
       DEV_VAULT: ${{ secrets.DEV_VAULT }}
       DEV_KUBE_CONFIG: ${{ secrets.DEV_KUBE_CONFIG }}
 
-  deploy_successful:
+  deploy-successful:
     needs:
-      - deploy_app
+      - deploy
     runs-on: ubuntu-latest
     steps:
       - run: echo "deploy was successful"
+
+  trivy-vulnerability-scanning:
+    needs:
+      - build_and_push
+      - branch_name
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: run trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        with:
+          image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: 1
+          ignore-unfixed: true
+      - name: upload trivy results
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'