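---
name: Docker Build & Push

on:
  push:
    branches: [main, develop]
    tags:
      - 'v*.*.*'
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      push_image:
        description: 'Push image to registry'
        required: false
        default: false   # a boolean input takes a real boolean, not the string 'false'
        type: boolean

env:
  # --- Configure your registry and image name ---
  REGISTRY: ghcr.io                                     # or docker.io, 123456789.dkr.ecr.us-east-1.amazonaws.com, etc.
  IMAGE_NAME: ${{ github.repository }}                  # e.g. org/my-app
  PLATFORMS: linux/amd64,linux/arm64
  # Single place that decides whether this run publishes an image:
  #   push to a branch/tag  -> yes
  #   workflow_dispatch     -> only when the push_image input is set
  #   pull_request          -> never (fork PRs also only receive a read-only GITHUB_TOKEN)
  # Previously a workflow_dispatch always pushed because the input was only consulted
  # on pull_request events, where it is always empty.
  # The value is the string 'true'/'false'; compare it as a string in step `if:`.
  SHOULD_PUSH: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.push_image == true) }}

# Least privilege: the workflow default is read-only; each job below grants only
# the write scopes it actually uses (a workflow-wide id-token/packages/security-events
# write would otherwise be handed to every job, including ones that never need it).
permissions:
  contents: read

jobs:
  build-and-push:
    name: Build & Push — ${{ matrix.dockerfile }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # push to GHCR
      id-token: write   # only needed for OIDC registry auth (AWS ECR, GCP AR); remove if you stay on GHCR
    strategy:
      fail-fast: false
      matrix:
        include:
          - dockerfile: Dockerfile
            image_suffix: ''
          # Add more Dockerfiles here, e.g.:
          # - dockerfile: Dockerfile.worker
          #   image_suffix: -worker
    # Consumed by the scan job. NOTE: job outputs are not matrix-aware (the last
    # matrix entry to finish wins), so with more than one Dockerfile either scan
    # inside this job or key the outputs by image_suffix.
    outputs:
      digest: ${{ steps.build.outputs.digest }}
      pushed: ${{ env.SHOULD_PUSH }}

    # Third-party actions are pinned by major tag here; for stronger supply-chain
    # guarantees pin each `uses:` to a full commit SHA and let Dependabot/Renovate
    # bump them.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing below needs git credentials. Without this the token is written to
          # .git/config, which sits inside the build context ('.') and could be copied
          # into the image or the layer cache by a broad COPY.
          persist-credentials: false

      - name: Set up QEMU (multi-platform builds)
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to registry
        if: env.SHOULD_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          # For Docker Hub:
          # username: ${{ secrets.DOCKERHUB_USERNAME }}
          # password: ${{ secrets.DOCKERHUB_TOKEN }}
          # For AWS ECR (use OIDC instead of long-lived keys):
          # See aws-actions/amazon-ecr-login step below

      # --- AWS ECR (uncomment to use) ---
      # - name: Configure AWS credentials (OIDC)
      #   uses: aws-actions/configure-aws-credentials@v4
      #   with:
      #     role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
      #     aws-region: us-east-1
      #
      # - name: Log in to Amazon ECR
      #   id: ecr-login
      #   uses: aws-actions/amazon-ecr-login@v2

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.image_suffix }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha,prefix=sha-,format=short
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: ${{ env.PLATFORMS }}
          push: ${{ env.SHOULD_PUSH }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true    # SLSA build-provenance attestation (distinct from the SBOM below)
          sbom: true          # SBOM attestation

      - name: Image digest
        # Pass the value through an env var instead of interpolating ${{ }} into the
        # shell line, so this step cannot become a script-injection sink if its input
        # is ever swapped for something less trustworthy than a sha256 digest.
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: echo "Image digest: ${DIGEST}"

  scan:
    name: Trivy — image vulnerability scan
    runs-on: ubuntu-latest
    needs: build-and-push
    # Only meaningful when an image was actually published; this also covers
    # pull_request runs and a workflow_dispatch with push_image unset.
    if: needs.build-and-push.outputs.pushed == 'true'
    permissions:
      contents: read
      packages: read          # pull the image from GHCR
      security-events: write  # upload Trivy SARIF to code scanning
    steps:
      - name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Trivy on pushed image
        # Pinned to a release tag instead of the mutable `master` branch: a floating
        # ref lets anyone who can push to that branch run code with this job's token.
        # Pin to a full commit SHA for the strongest guarantee.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          # Scan exactly the artifact this run produced (by digest), not whatever
          # `:latest` currently points at — the two differ on develop and tag pushes,
          # where `latest` is not updated.
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.digest }}
          format: sarif
          output: trivy-image.sarif
          severity: HIGH,CRITICAL
          # '0' reports findings to code scanning without failing the workflow. Note the
          # image is already pushed by this point; to gate publication on the scan,
          # build with `load: true` and scan inside the build job before the push step.
          exit-code: '0'

      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image.sarif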
