feat: add CI workflow and Docker bake configuration for improved build and test processes

Author: argentinaluiz

.github/workflows/ci-bake.yaml renamed to .github/workflows/ci-bake.txt

@@ -122,11 +122,11 @@ jobs:
         env:
           github_token: ${{ secrets.GITHUB_TOKEN }}
         with:
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           provenance: mode=max
           sbom: true
           targets: prod
-          files: |
+          files: | 
             ./src/ci/docker-bake.hcl
             cwd://${{ steps.meta.outputs.bake-file }}
           set: |

.github/workflows/ci.yaml

@@ -0,0 +1,150 @@
+name: CI
+
+on:
+  push:
+    branches: [ "main" ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches: [ "main" ]
+
+env:
+  REGISTRY: docker.io
+  DOCKER_USERNAME: argentinaluiz
+  IMAGE_NAME: argentinaluiz/docker-prod-test
+  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
+  CLOUD_BUILDER_NAME: test-ci
+jobs:
+  ci:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # Ler o conteúdo do repositório
+      packages: write # Permitir publicar pacotes no GitHub Packages
+      pull-requests: write # Permitir criar e atualizar pull requests
+      security-events: write # Enviar eventos de segurança para o Github Security
+      id-token: write # Permitir emitir tokens OIDC para autenticação com provedores externos
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "${{ env.DOCKER_USERNAME }}/${{ env.CLOUD_BUILDER_NAME }}"
+          install: true
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      
+      - name: Build for CI
+        id: build-ci
+        uses: docker/[email protected]
+        with:
+          context: ./src/ci/nestjs-project
+          file: ./src/ci/nestjs-project/Dockerfile.prod
+          push: false
+          load: true # driver docker-container
+          target: ci
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          secrets: |
+            github_token=${{ secrets.MY_GITHUB_TOKEN }}
+    
+      - name: Up containers
+        run: docker compose -f ./src/ci/nestjs-project/compose.ci.yaml up -d --wait-timeout 10
+      
+      - name: Run tests
+        run: echo "Running tests..."
+      
+      - name: Build for analysis
+        id: build-for-analysis
+        uses: docker/[email protected]
+        with:
+          context: ./src/ci/nestjs-project
+          file: ./src/ci/nestjs-project/Dockerfile.prod
+          push: false
+          load: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          secrets: |
+            github_token=${{ secrets.MY_GITHUB_TOKEN }}
+      
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
+          only-severities: critical,high
+          only-fixed: true
+          summary: true # publicar github actions e pull request
+          exit-code: true
+      
+      - name: Analyze for all CVEs
+        id: docker-scout-all-cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
+          summary: true
+          sarif-file: sarif.output.json
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif.output.json
+      
+      - name: Extract Docker metadata
+        id: meta
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ env.SHA }}
+          tags: |
+            type=edge,branch=$repo.default_branch
+            type=semver,pattern=v{{version}}
+            type=sha,prefix=,suffix=,format=short
+      
+      - name: Build final
+        id: build-final
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          context: ./src/ci/nestjs-project
+          file: ./src/ci/nestjs-project/Dockerfile.prod
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
+          secrets: |
+            github_token=${{ secrets.MY_GITHUB_TOKEN }}
+      
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.4'
+      
+      - name: Sign the published Docker image
+        if: github.event_name != 'pull_request'
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-final.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+

src/ci/docker-bake.hcl

@@ -3,7 +3,8 @@ variable "IMAGE_NAME" {
   default = "argentinaluiz/docker-prod-test"
 }
 
-target "docker-metadata-action" {}
+target "docker-metadata-action" {
+}
 
 
 group "default" {
@@ -14,6 +15,7 @@ target "prod" {
     inherits = ["docker-metadata-action"]
     context = "./src/ci/nestjs-project"
     dockerfile = "./Dockerfile.prod"
+    tags = [ "${IMAGE_NAME}:latest" ]
     secret = [ 
     {
       type = "env"