99permissions :
1010 contents : read
1111 packages : write
12+ security-events : write # Required if you want to upload scan results to GitHub Security tab
1213
1314jobs :
1415 build-test :
5556 BRANCH_NAME=${GITHUB_REF#refs/heads/}
5657 echo "name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
5758
59+ # --- NEW STEP: Required for advanced Docker caching and building ---
60+ - name : Set up Docker Buildx
61+ uses : docker/setup-buildx-action@v3
62+
5863 - name : Docker meta
5964 id : meta
6065 uses : docker/metadata-action@v5
@@ -64,13 +69,33 @@ jobs:
6469 type=raw,value=${{ steps.branch.outputs.name }}-{{sha}},enable=true
6570 type=raw,value=latest,enable={{is_default_branch}}
6671
72+ # --- NEW STEP: Build locally for scanning (Don't push yet) ---
73+ - name : Build and export to Docker
74+ uses : docker/build-push-action@v5
75+ with :
76+ context : .
77+ load : true # This loads the image into the local Docker daemon
78+ tags : local-image-scan:latest # A temporary tag just for scanning
79+
80+ # --- NEW STEP: Run the Security Scan ---
81+ - name : Run Trivy vulnerability scanner
82+ uses : aquasecurity/trivy-action@0.20.0
83+ with :
84+ image-ref : ' local-image-scan:latest'
85+ format : ' table'
86+ exit-code : ' 0' # Fail the build if vulnerabilities are found
87+ ignore-unfixed : true # Don't fail on bugs that have no patch yet
88+ vuln-type : ' os,library'
89+ severity : ' CRITICAL,HIGH' # Only fail on Critical and High issues
90+
6791 - name : Log in to GHCR
6892 uses : docker/login-action@v3
6993 with :
7094 registry : ghcr.io
7195 username : ${{ github.actor }}
7296 password : ${{ secrets.GITHUB_TOKEN }}
7397
98+ # Actual Push Step (Uses cache from previous build step)
7499 - name : Build and push Docker image
75100 uses : docker/build-push-action@v5
76101 with :
85110 echo "**Tags pushed:**" >> $GITHUB_STEP_SUMMARY
86111 echo '```' >> $GITHUB_STEP_SUMMARY
87112 echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
88- echo '```' >> $GITHUB_STEP_SUMMARY
113+ echo '```' >> $GITHUB_STEP_SUMMARY
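Review bot: `exit-code: '0'` on the Trivy step means the scan can never fail the job, which contradicts the inline comments "Fail the build if vulnerabilities are found" and "Only fail on Critical and High issues"; set `exit-code: '1'` so CRITICAL/HIGH findings actually block the push step that follows, or reword the comments to say the scan is informational only. The hunk at the top also grants `security-events: write`, but with `format: 'table'` and no upload step nothing ever writes to the Security tab, so either drop that permission or switch to `format: 'sarif'` with an `output:` file and add a `github/codeql-action/upload-sarif` step — a write scope should not be held speculatively. The scanned image is a separate `load: true` build while the push step rebuilds afterwards; whether the pushed image is the same as the scanned one depends on the push step's `with:` block, which is outside this hunk and worth confirming uses the same context and build args.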