Skip to content

Build images, scan, push to GHCR #21

Build images, scan, push to GHCR

Build images, scan, push to GHCR #21

---
name: Build images, scan, push to GHCR
on:
workflow_dispatch:
schedule:
- cron: '0 5 * * 0'
jobs:
build-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
env:
GH_REPO: gsa-tts/cg-supabase
strategy:
fail-fast: false
matrix:
image:
# - name: ghcr.io/supabase/postgres-meta:v0.83.2
# short-name: meta
# - name: postgrest/postgrest:latest
# short-name: rest
# - name: ghcr.io/supabase/storage-api:v1.7.0
# short-name: storage
- name: ghcr.io/supabase/studio:v1.24.05
short-name: studio
name: Publish ${{ matrix.image.short-name }}
steps:
- name: Build and load Docker image
id: build
uses: docker/build-push-action@v6
with:
context: '{{defaultContext}}'
file: .docker/${{ matrix.image.short-name }}.Dockerfile
load: true
tags: ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
# - name: Scan Image
# uses: aquasecurity/[email protected]
# with:
# scan-type: 'image'
# image-ref: ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
# format: 'sarif'
# output: 'trivy-results.sarif'
# severity: 'CRITICAL,HIGH'
# exit-code: 1
# scanners: 'vuln'
# # Upload results to GH Code Scanning even if the scan exited with 1 due to CRITICAL/HIGH findings
# # Just don't carry on and push the image to GHCR!
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# if: ${{ !cancelled() }}
# with:
# sarif_file: 'trivy-results.sarif'
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set current date as env variable
run: echo "DATESTAMP=$(date +'%Y%m%d')" >> $GITHUB_ENV
- name: Push Image
uses: docker/build-push-action@v6
with:
context: '{{defaultContext}}'
file: .docker/${{ matrix.image.short-name }}.Dockerfile
push: true
tags: >
ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest ,
ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:scanned ,
ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:${{ env.DATESTAMP }}