1- name : Build and Push Docker Image
1+ name : Build, Test and Push Docker Image
22
33on :
44 workflow_call :
1818 required : true
1919
2020jobs :
21- build-and-push :
21+ build-test :
22+ if : github.event_name == 'pull_request'
2223 runs-on : ubuntu-latest
23- env :
24- IS_TAG_TRIGGER : ${{ startsWith(github.ref, 'refs/tags/v') }}
2524 steps :
26- - name : Get branch names
27- id : branch-names
28- uses : tj-actions/branch-names@v8
25+ - name : Checkout Repository
26+ uses : actions/checkout@v4
2927
30- # Verify tag is on main or release branch
31- - name : Verify tag is on main or release branch
32- if : env.IS_TAG_TRIGGER == 'true'
33- run : |
34- if [[ "${{ steps.branch-names.outputs.base_ref_branch }}" == "main" || "${{ steps.branch-names.outputs.base_ref_branch }}" =~ ^release/ ]]; then
35- echo "✅ Tag ${{ steps.branch-names.outputs.tag }} is on an allowed branch: ${{ steps.branch-names.outputs.base_ref_branch }}"
36- else
37- echo "Current base branch: ${{ steps.branch-names.outputs.base_ref_branch }}"
38- echo "Tags must be created on main or release/* branches."
39- exit 1
28+ - name : Set up Docker Buildx
29+ uses : docker/setup-buildx-action@v3
4030
41- - name : Verify npm package version matches tag
42- if : env.IS_TAG_TRIGGER == 'true'
43- uses : nick-y-ito/gha-npm-version-match@v1
31+ - name : Set up QEMU
32+ uses : docker/setup-qemu-action@v3
4433
45- - name : Checkout Repository
46- uses : actions/checkout@v4
34+ - name : Build Docker Image
35+ uses : docker/build-push-action@v6
36+ with :
37+ context : .
38+ file : ${{ inputs.dockerfile }}
39+ platforms : linux/amd64,linux/arm64
40+ push : false
41+ tags : ${{ inputs.image-name }}:${{ github.sha }}
4742
48- # Determine Docker Image Tags
49- - name : Determine Docker Image Tags
50- run : |
51- IMAGE_NAME="${{ inputs.image-name }}"
52- # Initialize IMAGE_TAG variable
53- IMAGE_TAG=""
43+ - name : Run Trivy vulnerability scanner
44+ uses :
aquasecurity/[email protected] 45+ with :
46+ image-ref : ${{ inputs.image-name }}:${{ github.sha }}
47+ format : ' table'
48+ exit-code : ' 1'
49+ ignore-unfixed : true
50+ vuln-type : ' os,library'
51+ severity : ' CRITICAL,HIGH'
52+ hide-progress : true
53+ output : trivy.txt
5454
55- if [[ "$IS_TAG_TRIGGER" == "true" ]]; then
56- TAG_VERSION=${GITHUB_REF#refs/tags/v}
57- IMAGE_TAG="$IMAGE_NAME:$TAG_VERSION"
58- else
59- SHORT_COMMIT=$(git rev-parse --short HEAD)
60- IMAGE_TAG="$IMAGE_NAME:dev-$SHORT_COMMIT"
55+ - name : Publish Trivy Output to Summary
56+ run : |
57+ if [[ -s trivy.txt ]]; then
58+ {
59+ echo "### Security Output"
60+ echo "<details><summary>Click to expand</summary>"
61+ echo ""
62+ echo '```terraform'
63+ cat trivy.txt
64+ echo '```'
65+ echo "</details>"
66+ } >> $GITHUB_STEP_SUMMARY
6167 fi
6268
63- echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
64- echo "✅ Resolved IMAGE_TAG: $IMAGE_TAG"
69+ build-push :
70+ if : github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
71+ runs-on : ubuntu-latest
72+ steps :
73+ - name : Checkout Repository
74+ uses : actions/checkout@v4
6575
6676 - name : Login to Docker Hub
6777 uses : docker/login-action@v3
6878 with :
6979 username : ${{ secrets.dockerhub-username }}
7080 password : ${{ secrets.dockerhub-pat }}
7181
72- - name : Set up QEMU
73- uses : docker/setup-qemu-action@v3
74-
7582 - name : Set up Docker Buildx
7683 uses : docker/setup-buildx-action@v3
7784
78- - name : Build and Push Docker Image
85+ - name : Push Docker Image
7986 uses : docker/build-push-action@v6
8087 with :
88+ context : .
8189 file : ${{ inputs.dockerfile }}
82- push : true
8390 platforms : linux/amd64,linux/arm64
84- tags : ${{ env.IMAGE_TAG }}
91+ push : true
92+ tags : ${{ inputs.image-name }}:${{ github.ref_name }}
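Review bot: The new `build-push` job (the `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')` job) pushes to Docker Hub without any Trivy step, and the commit also drops the old "tag is on main or release branch" and npm-version-match guards, so an image for any tag under `refs/tags/` (no longer only `refs/tags/v*`) is now published unscanned and unverified; the PR-only scan is not a gate for tags that never went through a PR. I would either restore a branch/tag-format check in this job or, at minimum, build with `push: false`, scan, and only then push, so the same CRITICAL/HIGH policy applies to what actually ships. In the `build-test` job the scan also looks fragile: with `platforms: linux/amd64,linux/arm64` and `push: false`, buildx does not load the result into the local Docker daemon, so `image-ref: ${{ inputs.image-name }}:${{ github.sha }}` will most likely not resolve locally (Trivy would try to pull it and fail); export the build instead with `outputs: type=oci,dest=/tmp/image.tar` and scan it with `input: /tmp/image.tar`, or build a single platform with `load: true` for the scan. The Trivy action reference is obscured in this rendering, so I cannot confirm it is pinned to a specific version or SHA — worth checking since it gates merges.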