diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 8ad932b..56e9b9c 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -5,8 +5,8 @@ on: types: [published] jobs: - prepare: - name: 🔧 Prepare Environment + build: + name: 🏗️ Build and Push runs-on: ubuntu-latest steps: - name: Checkout Code 
@@ -17,99 +17,64 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - with: - driver-opts: | - image=moby/buildkit:master - network=host - outputs: - date: ${{ steps.date.outputs.date }} - auth: - name: 🔐 Authentication - needs: prepare - runs-on: ubuntu-latest - steps: - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - metadata: - name: 📋 Extract Metadata - needs: auth - runs-on: ubuntu-latest - steps: - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: vndmtrx/dokuwiki - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=raw,value=latest - outputs: - tags: ${{ steps.meta.outputs.tags }} - - build: - name: 🏗️ Build and Push - needs: [auth, metadata] - runs-on: ubuntu-latest - steps: - name: Build and Push Image - id: build uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64 push: true - tags: ${{ needs.metadata.outputs.tags }} - cache-from: type=registry,ref=vndmtrx/dokuwiki:buildcache - cache-to: type=registry,ref=vndmtrx/dokuwiki:buildcache,mode=max - outputs: - image: vndmtrx/dokuwiki:latest + tags: | + vndmtrx/dokuwiki:latest + vndmtrx/dokuwiki:${{ github.ref_name }} - security-scan: - name: 🔒 Trivy Security Scan + scan: + name: 🔒 Security Scan needs: build runs-on: ubuntu-latest steps: - - name: Run Trivy vulnerability scanner + - name: Run Trivy Scanner uses: aquasecurity/trivy-action@master with: - image-ref: ${{ needs.build.outputs.image }} + image-ref: vndmtrx/dokuwiki:latest format: 'table' exit-code: '1' ignore-unfixed: true severity: 'CRITICAL,HIGH' - - - name: Generate Trivy SARIF report + + - name: Generate Security Report uses: aquasecurity/trivy-action@master with: - image-ref: ${{ needs.build.outputs.image }} + image-ref: vndmtrx/dokuwiki:latest format: 'sarif' output: 'trivy-results.sarif' severity: 
'CRITICAL,HIGH,MEDIUM' - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Security Report uses: github/codeql-action/upload-sarif@v2 if: always() with: sarif_file: 'trivy-results.sarif' notify: - name: 📢 Notify - needs: [build, security-scan] + name: 📢 Status Notification + needs: [build, scan] runs-on: ubuntu-latest if: always() steps: - - name: Check Status - if: needs.build.result == 'success' && needs.security-scan.result == 'success' - run: echo "Build, publish and security scan completed successfully!" - - - name: Notify Failure - if: needs.build.result != 'success' || needs.security-scan.result != 'success' + - name: Check Pipeline Status run: | - echo "There was a failure in the build, publish or security scanning process" - exit 1 \ No newline at end of file + if [[ "${{ needs.build.result }}" == "success" && "${{ needs.scan.result }}" == "success" ]]; then + echo "✅ Pipeline completed successfully" + else + echo "❌ Pipeline failed" + echo "Build Status: ${{ needs.build.result }}" + echo "Scan Status: ${{ needs.scan.result }}" + exit 1 + fi \ No newline at end of file
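Review bot: The scan job now re-pulls `vndmtrx/dokuwiki:latest` from Docker Hub by mutable tag rather than the image the build job just produced, so a concurrent release run (or anyone else who can push to that repository) can repoint `latest` between the push and the scan and the gate ends up judging a different image; the commit dropped the `id: build` and job `outputs:` that made the built artifact addressable. Capture `steps.build.outputs.digest` as a job output and scan by digest, as sketched below, so both Trivy steps examine exactly the bytes that were pushed. Note that the image is already public when Trivy runs (`push: true` precedes the scan, as it did before this change), so a failing scan only fails the job; if this is meant as a gate, push under a staging tag and promote to `latest` only after the scan passes. Separately, both Trivy steps still track `aquasecurity/trivy-action@master`, a mutable branch; pinning to a full commit SHA is the usual supply-chain control for a third-party action that feeds the Security tab.
```yaml
  build:
    # … unchanged: name, runs-on …
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      # … unchanged: checkout, buildx, login steps …
      - name: Build and Push Image
        id: build
        uses: docker/build-push-action@v5
        # … unchanged: context, platforms, push, tags …

  scan:
    # … unchanged: name, needs, runs-on …
    steps:
      - name: Run Trivy Scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: vndmtrx/dokuwiki@${{ needs.build.outputs.digest }}
          # … unchanged: format, exit-code, ignore-unfixed, severity …
      - name: Generate Security Report
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: vndmtrx/dokuwiki@${{ needs.build.outputs.digest }}
          # … unchanged: format, output, severity …
```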