Hotfix: Apply Assignment Assistant data (#301) #429
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and publish container image | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| tags: | |
| - '*' | |
| pull_request: | |
| branches: | |
| - 'main' | |
| jobs: | |
| build: | |
| name: Build and publish container images | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up bun | |
| uses: oven-sh/setup-bun@v2 | |
| - name: Install dependencies | |
| run: bun i --frozen-lockfile | |
| - name: Run Trivy scanner on fs | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| exit-code: 1 | |
| format: 'table' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| trivyignores: .trivyignore | |
| # don't scan for secrets in PRs | |
| scanners: ${{ github.event_name == 'pull_request' && 'vuln,license' || 'vuln,secret,misconfig,license'}} | |
| # TODO: enable if we also plan on building for ARM natively | |
| # - name: Set up QEMU | |
| # uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository }} | |
| deutschemodelunitednations/delegator | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| id: build | |
| with: | |
| load: true | |
| push: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| VERSION=${{ github.ref_name }} | |
| SHA=${{ github.sha }} | |
| - name: Get first built image ref | |
| id: split-tags | |
| run: echo "fragment=$(echo "${DOCKER_METADATA_OUTPUT_TAGS}" | head -n 1)" >> $GITHUB_OUTPUT | |
| - name: Run Trivy vulnerability scanner on the built image | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: ${{ steps.split-tags.outputs.fragment }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| skip-setup-trivy: true | |
| trivyignores: .trivyignore | |
| scanners: ${{ github.event_name == 'pull_request' && 'vuln' || 'vuln,secret,misconfig'}} | |
| - name: Publish docker image | |
| if: github.event_name != 'pull_request' | |
| uses: docker/build-push-action@v5 | |
| with: | |
| push: true | |
| # TODO: enable if we also plan on building for ARM natively | |
| # platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| build-args: | | |
| VERSION=${{ github.ref_name }} | |
| SHA=${{ github.sha }} | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| if: github.ref_type == 'tag' | |
| with: | |
| generate_release_notes: true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |