Merge pull request #42 from thewriterben/copilot/integrate-wildcam-es… #8
| name: Docker Build and Push | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| build-and-push: | |
| name: Build and Push Docker Images | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| matrix: | |
| target: [production, development] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| flavor: | | |
| suffix=-${{ matrix.target }},onlatest=true | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./deployment/docker/Dockerfile | |
| target: ${{ matrix.target }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| platforms: linux/amd64,linux/arm64 | |
| - name: Test Docker image | |
| if: matrix.target == 'production' | |
| run: | | |
| docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-production accelerapp --version || true | |
| docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-production accelerapp info | |
| build-compose: | |
| name: Test Docker Compose | |
| runs-on: ubuntu-latest | |
| needs: build-and-push | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker Compose services | |
| run: | | |
| cd deployment/docker | |
| docker-compose build --no-cache | |
| - name: Test Docker Compose services | |
| run: | | |
| cd deployment/docker | |
| docker-compose up -d accelerapp | |
| sleep 10 | |
| docker-compose ps | |
| docker-compose logs accelerapp | |
| docker-compose down | |
| - name: Clean up | |
| if: always() | |
| run: | | |
| cd deployment/docker | |
| docker-compose down -v | |
| scan-security: | |
| name: Security Scan Docker Images | |
| runs-on: ubuntu-latest | |
| needs: build-and-push | |
| if: github.event_name != 'pull_request' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-production | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Run Trivy vulnerability scanner (table format) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-production | |
| format: 'table' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| publish-manifest: | |
| name: Create Multi-arch Manifest | |
| runs-on: ubuntu-latest | |
| needs: build-and-push | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| steps: | |
| - name: Log in to Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push manifest | |
| run: | | |
| VERSION=${GITHUB_REF#refs/tags/v} | |
| docker manifest create \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION} \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}-production | |
| docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION} | |
| docker manifest create \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \ | |
| ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-production | |
| docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest |
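Review bot: The `Test Docker image` step and both `Run Trivy vulnerability scanner` steps pull `…:${{ github.sha }}-production`, but `docker/metadata-action` with `type=sha` emits a short, `sha-`-prefixed tag (`sha-<7 chars>-production` with this flavor), so the referenced tag is never published and the security scan does not inspect the image that was actually pushed. Produce a predictable tag with `type=sha,format=long` and reference it in all three places as `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}-production`. The test step also runs on pull_request builds, where `push:` evaluates to false and nothing is loaded locally, so gate it with `if: matrix.target == 'production' && github.event_name != 'pull_request'`. Separately, `aquasecurity/trivy-action@master` is a mutable branch ref, so the scanner code can change without any workflow change; pin it to a release tag or commit SHA. The `scan-security` job declares no `permissions:`, and `upload-sarif` presumably needs `security-events: write` unless the repository's default token permission is already write-all — confirm against the repo settings.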