
bump updates

bump updates #167


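# Builds the base, backend and frontend images, pushes them to GHCR, scans the
# pushed backend/frontend images with Trivy and uploads SARIF to Code Scanning.
#
# Job flow: build-base -> {build-backend, build-frontend} -> {scan-backend,
# scan-frontend} -> summary.
#
# Dependent jobs address images by the digest that docker/build-push-action
# emitted for *this* run, never by the mutable `latest` tag. The previous
# tag-based wiring built the backend/frontend against, and scanned, whatever
# `latest` happened to be — which is not the image just built on a `v*` tag
# push (no `latest` is published there) or under concurrent runs.
#
# NOTE(review): every `uses:` below is pinned to a floating major tag (@v6,
# @v3, ...). Pinning third-party actions to a full commit SHA (tag kept in a
# trailing comment) is the usual supply-chain hardening; the SHAs are not on
# this page, so the refs are left as they were.
name: Docker Build, Scan & Publish

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]
  workflow_dispatch:

env:
  REGISTRY: ghcr.io

jobs:
  build-base:
    name: Build Base
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      # `sha256:...` digest of the base image pushed by this run; consumers
      # reference `base@<digest>` so they never pick up a stale `latest`.
      image-digest: ${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v6

      # GHCR paths must be lowercase; `${VAR,,}` lowercases in bash.
      - name: Set lowercase image prefix
        run: echo "IMAGE_PREFIX=${GITHUB_REPOSITORY_OWNER,,}/integr8scode" >> "$GITHUB_ENV"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # NOTE: on pull_request runs from forks GITHUB_TOKEN is read-only, so the
      # login succeeds but the push further down fails. Images built from PR
      # content are only ever tagged `pr-<n>` (and `sha-*`), never `latest`.
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/base
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix=sha-
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: ./backend
          file: ./backend/Dockerfile.base
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=base
          cache-to: type=gha,mode=max,scope=base

  build-backend:
    name: Build Backend
    needs: build-base
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      # Full `registry/prefix/backend@sha256:...` reference for the scan job.
      image-ref: ${{ steps.image-ref.outputs.ref }}
    steps:
      - uses: actions/checkout@v6

      - name: Set lowercase image prefix
        run: echo "IMAGE_PREFIX=${GITHUB_REPOSITORY_OWNER,,}/integr8scode" >> "$GITHUB_ENV"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/backend
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix=sha-
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: ./backend
          file: ./backend/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=backend
          cache-to: type=gha,mode=max,scope=backend
          # Named context `base` resolves to the exact base image this run
          # pushed (by digest), regardless of event type or concurrent runs.
          build-contexts: |
            base=docker-image://${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/base@${{ needs.build-base.outputs.image-digest }}

      # Runs after the build so the digest is known; the value is passed
      # through `env` rather than interpolated into the script body.
      - name: Set image reference for scan
        id: image-ref
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: echo "ref=${REGISTRY}/${IMAGE_PREFIX}/backend@${DIGEST}" >> "$GITHUB_OUTPUT"

  build-frontend:
    name: Build Frontend
    needs: build-base
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      # Full `registry/prefix/frontend@sha256:...` reference for the scan job.
      image-ref: ${{ steps.image-ref.outputs.ref }}
    steps:
      - uses: actions/checkout@v6

      - name: Set lowercase image prefix
        run: echo "IMAGE_PREFIX=${GITHUB_REPOSITORY_OWNER,,}/integr8scode" >> "$GITHUB_ENV"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix=sha-
            type=raw,value=latest,enable={{is_default_branch}}

      # The frontend Dockerfile does not use the `base` context in the
      # original workflow; `needs: build-base` only sequences the jobs.
      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: ./frontend
          file: ./frontend/Dockerfile.prod
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=frontend
          cache-to: type=gha,mode=max,scope=frontend

      - name: Set image reference for scan
        id: image-ref
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: echo "ref=${REGISTRY}/${IMAGE_PREFIX}/frontend@${DIGEST}" >> "$GITHUB_OUTPUT"

  scan-backend:
    name: Scan Backend
    needs: build-backend
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      # Checkout is needed here for `backend/.trivyignore`.
      - uses: actions/checkout@v6

      - name: Run Trivy vulnerability scanner
        # NOTE(review): the action ref on the source page is garbled by the
        # page renderer ("[email protected]"); replace the placeholder with
        # the real pinned ref (ideally a full commit SHA).
        uses: aquasecurity/trivy-action@TRIVY_ACTION_REF_PLACEHOLDER
        with:
          image-ref: ${{ needs.build-backend.outputs.image-ref }}
          format: 'sarif'
          output: 'trivy-backend-results.sarif'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          # The action's default exit-code is 0, which never fails the job;
          # with 1 a remaining CRITICAL/HIGH finding fails the scan, so the
          # summary job (which needs this job) only reports "Passed" when
          # that is true. SARIF is still uploaded via `if: always()`.
          exit-code: '1'
          timeout: '5m0s'
          trivyignores: 'backend/.trivyignore'
          version: 'v0.68.2'

      - name: Upload Trivy scan results
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-backend-results.sarif'
          category: 'trivy-backend'

  scan-frontend:
    name: Scan Frontend
    needs: build-frontend
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Run Trivy vulnerability scanner
        # NOTE(review): same garbled ref as in scan-backend — replace with
        # the real pinned ref.
        uses: aquasecurity/trivy-action@TRIVY_ACTION_REF_PLACEHOLDER
        with:
          image-ref: ${{ needs.build-frontend.outputs.image-ref }}
          format: 'sarif'
          output: 'trivy-frontend-results.sarif'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          # Gate on findings; see scan-backend for the rationale.
          exit-code: '1'
          timeout: '5m0s'
          version: 'v0.68.2'

      - name: Upload Trivy scan results
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-frontend-results.sarif'
          category: 'trivy-frontend'

  summary:
    name: Summary
    # Skipped on PRs. An `if` without an explicit status function still
    # implies success(), so this also only runs when every job in `needs`
    # succeeded — i.e. both scans passed.
    if: github.event_name != 'pull_request'
    needs: [build-base, build-backend, build-frontend, scan-backend, scan-frontend]
    runs-on: ubuntu-latest
    # Only writes the step summary; no token permissions are needed, so do not
    # inherit the repository default.
    permissions: {}
    steps:
      - name: Set lowercase image prefix
        run: echo "IMAGE_PREFIX=${GITHUB_REPOSITORY_OWNER,,}/integr8scode" >> "$GITHUB_ENV"

      # Pull commands use the digests actually published and scanned by this
      # run; `:latest` would be wrong on tag pushes, where it is not refreshed.
      - name: Generate summary
        env:
          BASE_DIGEST: ${{ needs.build-base.outputs.image-digest }}
          BACKEND_REF: ${{ needs.build-backend.outputs.image-ref }}
          FRONTEND_REF: ${{ needs.build-frontend.outputs.image-ref }}
        run: |
          {
            echo "## Docker Images Published"
            echo ""
            echo "| Image | Pull Command |"
            echo "|-------|--------------|"
            echo "| Base | \`docker pull ${REGISTRY}/${IMAGE_PREFIX}/base@${BASE_DIGEST}\` |"
            echo "| Backend | \`docker pull ${BACKEND_REF}\` |"
            echo "| Frontend | \`docker pull ${FRONTEND_REF}\` |"
            echo ""
            echo "### Scan Results"
            echo "- Backend scan: ✅ Passed"
            echo "- Frontend scan: ✅ Passed"
          } >> "$GITHUB_STEP_SUMMARY"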