@@ -2,13 +2,13 @@ name: Delivery
22
33on :
44 push :
5- branches : [main]
5+ branches : [ main ]
66 release :
77 # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
8- types : [published]
8+ types : [ published ]
99 schedule :
1010 # Run every monday on 9:00 in the morning (UTC).
11- - cron : ' 0 9 * * 0'
11+ - cron : ' 0 9 * * 0'
1212 workflow_dispatch :
1313
1414permissions :
@@ -20,67 +20,97 @@ jobs:
2020 publish-docker-image :
2121 runs-on : ubuntu-latest
2222 steps :
23- - name : Checkout
24- uses : actions/checkout@v4
23+ - name : Checkout
24+ uses : actions/checkout@v4
2525
26- - name : Check whether this event is the HEAD of main
27- continue-on-error : true
28- id : is-head-main
29- run : git rev-parse HEAD | grep -x ${{ github.sha }}
30- shell : bash
26+ - name : Check whether this event is the HEAD of main
27+ continue-on-error : true
28+ id : is-head-main
29+ run : git rev-parse HEAD | grep -x ${{ github.sha }}
30+ shell : bash
3131
32- - name : Docker meta
33- id : meta
34- uses : docker/metadata-action@v5
35- with :
36- images : ghcr.io/${{ github.repository }}
37- tags : |
38- type=semver,pattern={{major}}.{{minor}}.{{patch}}
39- type=edge,enable=${{ steps.is-head-main.outcome == 'success' }}
40- type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}
32+ - name : Docker meta
33+ id : meta
34+ uses : docker/metadata-action@v5
35+ with :
36+ images : ghcr.io/${{ github.repository }}
37+ tags : |
38+ type=semver,pattern={{major}}.{{minor}}.{{patch}}
39+ type=edge,enable=${{ steps.is-head-main.outcome == 'success' }}
40+ type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}
4141
42- - name : Set up Docker Buildx
43- uses : docker/setup-buildx-action@v3
42+ - name : Set up Docker Buildx
43+ uses : docker/setup-buildx-action@v3
4444
45- - name : Login to GitHub Container Registry
46- uses : docker/login-action@v3
47- with :
48- registry : ghcr.io
49- username : ${{ github.actor }}
50- password : ${{ secrets.GITHUB_TOKEN }}
45+ - name : Login to GitHub Container Registry
46+ uses : docker/login-action@v3
47+ with :
48+ registry : ghcr.io
49+ username : ${{ github.actor }}
50+ password : ${{ secrets.GITHUB_TOKEN }}
5151
52- - name : Build container and export to local Docker
53- uses : docker/build-push-action@v5
54- with :
55- context : .
56- file : backend.Dockerfile
57- load : true
58- tags : local/postguard-backend:scan
59- cache-from : type=gha
60- cache-to : type=gha,mode=max
52+ - name : Build Backend container and export to local Docker
53+ uses : docker/build-push-action@v5
54+ with :
55+ context : .
56+ file : backend.Dockerfile
57+ load : true
58+ tags : local/postguard-backend:scan
59+ cache-from : type=gha
60+ cache-to : type=gha,mode=max
6161
62- - name : Scan Image
63- uses : anchore/scan- action@v4
64- id : scan
65- with :
66- image : local/postguard-backend:scan
67- only-fixed : true
68- fail-build : true
69- severity-cutoff : critical
70- output-format : sarif
62+ - name : Build Frontend container and export to local Docker
63+ uses : docker/build-push- action@v5
64+ with :
65+ context : .
66+ file : frontend.Dockerfile
67+ load : true
68+ tags : local/postguard-frontend:scan
69+ cache-from : type=gha
70+ cache-to : type=gha,mode=max
7171
72- - name : Upload Anchore scan SARIF report
73- uses : github/codeql-action/upload-sarif@v4
74- if : ${{ !cancelled() }}
75- with :
76- sarif_file : ${{ steps.scan.outputs.sarif }}
72+ - name : Scan Backend Image
73+ uses : anchore/scan-action@v4
74+ id : scan
75+ with :
76+ image : local/postguard-backend:scan
77+ only-fixed : true
78+ fail-build : true
79+ severity-cutoff : critical
80+ output-format : sarif
7781
78- - name : Push image to GitHub Container Registry
79- uses : docker/build-push-action@v5
80- if : ${{ github.event_name == 'release' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
81- with :
82- context : .
83- file : backend.Dockerfile
84- push : true
85- tags : ${{ steps.meta.outputs.tags || 'edge' }}
86- labels : ${{ steps.meta.outputs.labels }}
82+ - name : Scan Frontend Image
83+ uses : anchore/scan-action@v4
84+ id : scan
85+ with :
86+ image : local/postguard-frontend:scan
87+ only-fixed : true
88+ fail-build : true
89+ severity-cutoff : critical
90+ output-format : sarif
91+
92+ - name : Upload Anchore scan SARIF report
93+ uses : github/codeql-action/upload-sarif@v4
94+ if : ${{ !cancelled() }}
95+ with :
96+ sarif_file : ${{ steps.scan.outputs.sarif }}
97+
98+ - name : Push backend image to GitHub Container Registry
99+ uses : docker/build-push-action@v5
100+ if : ${{ github.event_name == 'release' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
101+ with :
102+ context : .
103+ file : backend.Dockerfile
104+ push : true
105+ tags : ${{ steps.meta.outputs.tags || 'edge' }}
106+ labels : ${{ steps.meta.outputs.labels }}-backend
107+
108+ - name : Push frontend image to GitHub Container Registry
109+ uses : docker/build-push-action@v5
110+ if : ${{ github.event_name == 'release' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
111+ with :
112+ context : .
113+ file : frontend.Dockerfile
114+ push : true
115+ tags : ${{ steps.meta.outputs.tags || 'edge' }}
116+ labels : ${{ steps.meta.outputs.labels }}-frontend
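Review bot: The `Scan Backend Image` and `Scan Frontend Image` steps both declare `id: scan`, so one step id is reused inside the job and the single upload step's `${{ steps.scan.outputs.sarif }}` can refer to only one report — the backend findings never reach code scanning, and the workflow parser is expected to reject a duplicated step id in the same scope. The two push steps also share one `Docker meta` output built from `images: ghcr.io/${{ github.repository }}`, so the frontend push writes the same image name and tags the backend push just wrote and overwrites it, while `labels: ${{ steps.meta.outputs.labels }}-backend` only appends `-backend` to the last line of the multi-line labels output instead of distinguishing the image. Give each scan its own id and upload each SARIF under its own `category`, and run one metadata step per image so backend and frontend are published under distinct names with the matching tags and labels. The first hunk only changes bracket spacing and needs nothing.
```yaml
      - name: Docker meta (backend)
        id: meta-backend
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}-backend
          # … unchanged: tags rules …

      - name: Docker meta (frontend)
        id: meta-frontend
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}-frontend
          # … unchanged: tags rules …

      # … unchanged: Buildx setup, registry login, both local builds …

      - name: Scan Backend Image
        uses: anchore/scan-action@v4
        id: scan-backend
        # … unchanged: with … 

      - name: Scan Frontend Image
        uses: anchore/scan-action@v4
        id: scan-frontend
        # … unchanged: with …

      - name: Upload backend scan SARIF report
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: ${{ steps.scan-backend.outputs.sarif }}
          category: backend

      - name: Upload frontend scan SARIF report
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: ${{ steps.scan-frontend.outputs.sarif }}
          category: frontend

      - name: Push backend image to GitHub Container Registry
        # … unchanged: uses, if, context, file, push …
        with:
          tags: ${{ steps.meta-backend.outputs.tags || 'edge' }}
          labels: ${{ steps.meta-backend.outputs.labels }}

      - name: Push frontend image to GitHub Container Registry
        # … unchanged: uses, if, context, file, push …
        with:
          tags: ${{ steps.meta-frontend.outputs.tags || 'edge' }}
          labels: ${{ steps.meta-frontend.outputs.labels }}
```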