.github/workflows/docker-build-and-push.yml

name: ci-build

on:
  schedule:
    - cron: '0 7 * * 6'
  push:
    branches:
      - 'master'

jobs:
  base-debian:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          context: debian/bullseye
          tags: jammsen/base:debian-bullseye

  scan-base-debian:
    runs-on: ubuntu-latest
    needs: [ base-debian ]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Run Snyk to check Docker image for vulnerabilities
        uses: snyk/actions/docker@master
        continue-on-error: true
        with:
          image: jammsen/base:debian-bullseye
          args: --file=debian/bullseye/Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload Snyk report as sarif
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

  base-debian-wine:
    runs-on: ubuntu-latest
    needs: [ base-debian, scan-base-debian ]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          context: debian/bullseye/wine/
          tags: jammsen/base:wine-stable-debian-bullseye

  scan-base-debian-wine:
    runs-on: ubuntu-latest
    needs: [ base-debian-wine ]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Run Snyk to check Docker image for vulnerabilities
        uses: snyk/actions/docker@master
        continue-on-error: true
        with:
          image: jammsen/base:wine-stable-debian-bullseye
          args: --file=debian/bullseye/wine/Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload Snyk report as sarif
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif