Skip to content
This repository was archived by the owner on Aug 22, 2025. It is now read-only.

First pass at a build Docker image gh action #22

Merged
merged 1 commit into from
Mar 14, 2023
Merged

First pass at a build Docker image gh action #22

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions .github/workflows/build-and-sign-image.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
# This workflow will build and push a signed Docker image

name: Build and sign image

on:
# THIS BLOCK IS FOR TESTING
branch_protection_rule:
types:
- created

# THIS BLOCK IS THE ACTUAL DESIRED EVENT TRIGGER
# pull_request:
# branches:
# - "*" # Run on all branches
# types:
# - closed ## This needs to be uncommented after testing

env:
REGISTRY: hub.docker.com
IMAGE_NAME: "ciroque/nginx-k8s-loadbalancer" # ${{ github.repository }}

jobs:
build_and_sign_image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
with:
cosign-release: 'v1.13.1'

- name: Docker Buildx
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

- name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }}
uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}

- name: Build Docker Image
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
continue-on-error: true
with:
image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results-${{ inputs.image }}.sarif'
ignore-unfixed: 'true'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6
continue-on-error: true
with:
sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
2 changes: 1 addition & 1 deletion .github/workflows/go.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ name: Go

on:
push:
branches: [ "main" ]
branches: [ "main", "*" ]
pull_request:
branches: [ "main" ]

Expand Down