Add docker build workflow

rohit-dimagi · rohit-dimagi · commit fc0b2004fe3e · 2025-08-01T17:02:10.000+05:30
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
@@ -0,0 +1,90 @@
+name: Publish Python 🐍 distribution 📦 to PyPI
+
+on:
+  push:
+    tags:
+      - 'test'
+    branches:
+      - docker-build
+
+jobs:
+  docker-build:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract tag version
+        id: extract_tag
+        run: echo "IMAGE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      - name: Build docker image
+        uses: docker/build-push-action@v6
+        env:
+          DOCKER_BUILD_SUMMARY: false
+        with:
+          # Caching options
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          # The actual build arguments
+          context: .
+          file: ./Dockerfile
+          tags: |
+            veridise/audithub-client:${{ env.IMAGE_TAG }}
+          push: false
+          load: true
+
+      - name: Run Trivy vulnerability scanner on the image
+        env:
+          # if primary fails, this will use ghcr.io as the primary and public.ecr.aws then.
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: "veridise/audithub-client:${{ env.IMAGE_TAG }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          output: "trivy-scan.txt"
+
+      - name: Publish Trivy Output to Summary
+        if: failure() # run this step if previous step failed
+        run: |
+          if [[ -s trivy-scan.txt ]]; then
+            {
+              echo "### Security Output"
+              echo "<details><summary>Click to expand</summary>"
+              echo ""
+              echo '```terraform'
+              cat trivy-scan.txt
+              echo '```'
+              echo "</details>"
+            } >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push image
+        if: success()
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          tags: veridise/audithub-client:${{ github.sha }}, veridise/audithub-client:${{ env.IMAGE_TAG }}
+          # Caching options
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
