name: Docker on: push: branches: [main] tags: ["v*"] pull_request: jobs: container-scan: name: Container Scan runs-on: ubuntu-latest permissions: contents: read security-events: write steps: - uses: actions/checkout@v6 - name: Build image run: docker build -t myapp:ci . - name: Run Trivy uses: aquasecurity/trivy-action@v0.35.0 with: image-ref: myapp:ci format: sarif output: trivy-results.sarif severity: CRITICAL,HIGH exit-code: '1' - name: Upload Trivy results if: always() uses: github/codeql-action/upload-sarif@v4 with: sarif_file: trivy-results.sarif docker: name: Build & Push runs-on: ubuntu-latest needs: container-scan permissions: contents: read packages: write attestations: write id-token: write steps: - uses: actions/checkout@v6 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to Docker Hub if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: | ghcr.io/${{ github.repository }} docker.io/${{ github.repository }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=ref,event=branch type=sha - name: Build and push id: build uses: docker/build-push-action@v6 with: context: . provenance: mode=max sbom: true push: ${{ github.event_name != 'pull_request' }} platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}