Scan, Build and Push to Docker Hub #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Scan, Build and Push to Docker Hub" | |
| # Controls when the workflow will run | |
| on: | |
| push: | |
| branches: ['main'] | |
| tags: | |
| - 'v*.*.*' | |
| pull_request: | |
| branches: ['main'] | |
| schedule: | |
| - cron: '18 6 */2 * *' | |
| # Run builds at 06:18 on every 2nd day-of-month. | |
| env: | |
| TEST_TAG: ministryofjustice/wordpress-base-fpm:test | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| snyk: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build a Docker image | |
| run: docker build -t justice/wordpress-base-fpm . | |
| - name: Run Snyk to check Docker image for vulnerabilities | |
| uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| image: justice/wordpress-base-fpm | |
| args: --file=Dockerfile | |
| build: | |
| needs: snyk | |
| runs-on: ubuntu-latest | |
| steps: | |
| # First, checkout | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # QEMU; multi-arch stuff | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| # get buildx - build multi-arch stuff | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Access Docker Hub | |
| - name: Login to Docker Hub | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # Setup test build for PRs | |
| - name: Test - build and export to Docker | |
| if: github.event_name == 'pull_request' | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| load: true | |
| tags: ${{ env.TEST_TAG }} | |
| # Gather meta for the builds | |
| - name: Docker meta | |
| if: github.event_name != 'pull_request' | |
| id: wordpress-base-meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ministryofjustice/wordpress-base-fpm | |
| tags: | | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| flavor: | | |
| latest=true | |
| # perform the builds | |
| - name: Build and push | |
| if: github.event_name != 'pull_request' | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64/v8 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.wordpress-base-meta.outputs.tags }} | |
| labels: ${{ steps.wordpress-base-meta.outputs.labels }} |