.github/workflows/image.yaml

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Create and publish a Docker image

on:
  push:
    tags:
    - '*'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read # for trivy scan upload
      packages: write
      id-token: write
      security-events: write

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Log in to the Container registry
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Extract metadata (tags, labels) for Docker
      id: meta
      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
      with:
        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}

    - name: Setup Go ${{ matrix.go-version }}
      uses: actions/setup-go@v5
      with:
        go-version: 1.22
    # You can test your matrix by printing the current Go version
    - name: Display Go version
      run: go version
    - name: Build it
      id: go_build
      run: make V=1

    - name: Build and push Docker image
      uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
      id: docker_build
      with:
        context: .
        push: true
        visibility: public
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}

    - name: Set up Cosign
      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

    - name: Sign image with GitHub OIDC Token
      run: |
        cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}@${{ steps.docker_build.outputs.digest }}

    - name: Attest
      uses: actions/attest-build-provenance@v2
      id: attest
      with:
        subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
        subject-digest: ${{ steps.docker_build.outputs.digest }}
        push-to-registry: true

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ env.RELEASE_VERSION }}'
        format: 'sarif'
        output: 'trivy-results.sarif'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'
      #env:
      #  GITHUB_TOKEN: ${{ secrets.TOKEN }}