docker-image-ci.yml

name: Docker Image CI

on:
  push:
    branches:
      - master
    paths:
      - "kubernetes/**"
      - "!kubernetes/bin/**"
      - "!kubernetes/**/*.md"
      - ".github/workflows/docker-image-ci.yml"
  pull_request:
    paths:
      - "kubernetes/**"
      - "!kubernetes/bin/**"
      - "!kubernetes/**/*.md"
      - ".github/workflows/docker-image-ci.yml"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4.1.7

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2.10.0

      - name: Cache Docker layers
        uses: actions/cache@v4.0.2
        with:
          path: /tmp/.buildx-cache
          key: ${{ github.ref }}-${{ github.sha }}
          restore-keys: |
            ${{ github.ref }}-${{ github.sha }}
            ${{ github.ref }}
            refs/head/main

      - name: setup docker args
        env:
          TZ: "Asia/Tokyo"
        run: |
          echo "BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_ENV
          echo "VCS_REF=$(echo ${GITHUB_SHA} | cut -c1-8)" >> $GITHUB_ENV

      - name: setup docker push actions
        run: |
          if [[ github.event_name == 'push' ]]; then
            echo "PUSH=true" >> $GITHUB_ENV
          else
            echo "PUSH=false" >> $GITHUB_ENV
          fi

      - name: docker login
        if: github.event_name == 'push'
        env:
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
          DOCKERHUB_PASS: ${{ secrets.DOCKERHUB_PASS }}
        run: docker login -u $DOCKERHUB_USER -p $DOCKERHUB_PASS

      - name: Build and push - nginx
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/nginx
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/nginx:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - nginx
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/nginx
          args: --severity-threshold=critical --file=kubernetes/nginx/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif nginx.sarif

      - name: Build and push - mysql
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/mysql
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/mysql:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - mysql
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/mysql
          args: --severity-threshold=critical --file=kubernetes/mysql/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif mysql.sarif

      - name: Build and push - postgres
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/postgres
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/postgres:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - postgres
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/postgres
          args: --severity-threshold=critical --file=kubernetes/postgres/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif postgres.sarif

      - name: Build and push - mongodb
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/mongodb
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/mongodb:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - mongodb
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/mongodb
          args: --severity-threshold=critical --file=kubernetes/mongodb/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif mongodb.sarif

      - name: Build and push - cassandra
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/cassandra
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/cassandra:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - cassandra
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/cassandra
          args: --severity-threshold=critical --file=kubernetes/cassandra/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif cassandra.sarif

      - name: Build and push - rabbitmq
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/rabbitmq
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/rabbitmq:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - rabbitmq
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/rabbitmq
          args: --severity-threshold=critical --file=kubernetes/rabbitmq/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif rabbitmq.sarif

      - name: Build and push - jenkins
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/monitoring/jenkins
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/jenkins:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Build and push - ab
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/monitoring/test/ab
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/ab:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - ab
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/ab
          args: --severity-threshold=critical --file=kubernetes/monitoring/test/ab/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif ab.sarif

      - name: Build and push - postmannewman-quarkus
        uses: docker/build-push-action@v4.2.1
        with:
          context: ./kubernetes/monitoring/test/postmannewman/quarkus
          push: ${{ env.PUSH }}
          tags: ${{ secrets.DOCKERHUB_USER }}/postmannewman-quarkus:latest
          build-args: |
            VCS_REF=${VCS_REF}
            BUILD_DATE=${BUILD_DATE}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run Snyk to check Docker image for vulnerabilities - postmannewman-quarkus
        continue-on-error: true
        uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ secrets.DOCKERHUB_USER }}/postmannewman-quarkus
          args: --severity-threshold=critical --file=kubernetes/monitoring/test/postmannewman/quarkus/Dockerfile
      - name: rename sarif file
        run: mv snyk.sarif postmannewman-quarkus.sarif

      - name: Upload result to GitHub Code Scanning - postmannewman-quarkus
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ./