add Docker metadata extraction and final build step in CI workflow #15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| # Publish semver tags as releases. | |
| tags: [ 'v*.*.*' ] | |
| pull_request: | |
| branches: [ "main" ] | |
| env: | |
| REGISTRY: docker.io | |
| DOCKER_USERNAME: argentinaluiz | |
| IMAGE_NAME: argentinaluiz/docker-prod-test | |
| SHA: ${{ github.event.pull_request.head.sha || github.event.after }} | |
| jobs: | |
| ci: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # Ler o conteúdo do repositório | |
| packages: write # Permitir publicar pacotes no GitHub Packages | |
| pull-requests: write # Permitir criar e atualizar pull requests | |
| security-events: write # Enviar eventos de segurança para o Github Security | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: Build for CI | |
| id: build-ci | |
| uses: docker/[email protected] | |
| with: | |
| context: ./src/ci/nestjs-project | |
| file: ./src/ci/nestjs-project/Dockerfile.prod | |
| push: false | |
| load: true # driver docker-container | |
| target: ci | |
| tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| secrets: | | |
| github_token=${{ secrets.MY_GITHUB_TOKEN }} | |
| - name: Up containers | |
| run: docker compose -f ./src/ci/nestjs-project/compose.ci.yaml up -d --wait-timeout 10 | |
| - name: Run tests | |
| run: echo "Running tests..." | |
| - name: Build for analysis | |
| id: build-for-analysis | |
| uses: docker/[email protected] | |
| with: | |
| context: ./src/ci/nestjs-project | |
| file: ./src/ci/nestjs-project/Dockerfile.prod | |
| push: false | |
| load: true | |
| tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| secrets: | | |
| github_token=${{ secrets.MY_GITHUB_TOKEN }} | |
| - name: Analyze for critical and high CVEs | |
| id: docker-scout-cves | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }} | |
| only-severities: critical,high | |
| only-fixed: true | |
| summary: true # publicar github actions e pull request | |
| exit-code: true | |
| - name: Analyze for all CVEs | |
| id: docker-scout-all-cves | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }} | |
| summary: true | |
| sarif-file: sarif.output.json | |
| - name: Upload SARIF result | |
| id: upload-sarif | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: sarif.output.json | |
| - name: Extract Docker metadata | |
| id: meta | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/[email protected] | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.revision=${{ env.SHA }} | |
| tags: | | |
| type=edge,branch=$repo.default_branch | |
| type=semver,pattern=v{{version}} | |
| type=sha,prefix=,suffix=,format=short | |
| - name: Build final | |
| id: build-final | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/[email protected] | |
| with: | |
| context: ./src/ci/nestjs-project | |
| file: ./src/ci/nestjs-project/Dockerfile.prod | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: mode=max | |
| sbom: true | |
| secrets: | | |
| github_token=${{ secrets.MY_GITHUB_TOKEN }} |