12 | 12 | NODE_VERSION: '22' |
13 | 13 |
|
14 | 14 | jobs: |
15 | | - test-and-lint: |
| 15 | + lint-and-test: |
16 | 16 | runs-on: ubuntu-latest |
17 | 17 | steps: |
18 | 18 | - name: Checkout code |
|
42 | 42 | severity: 'CRITICAL,HIGH' |
43 | 43 |
|
44 | 44 | build-and-publish: |
45 | | - needs: test-and-lint |
| 45 | + needs: lint-and-test |
46 | 46 | if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' |
47 | 47 | runs-on: ubuntu-latest |
48 | 48 | permissions: |
@@ -84,44 +84,38 @@ jobs: |
84 | 84 | username: ${{ github.actor }} |
85 | 85 | password: ${{ secrets.GITHUB_TOKEN }} |
86 | 86 |
|
87 | | - # Build image locally without pushing |
88 | | - - name: Build multi-arch image locally |
| 87 | + # Build and push to a temporary tag for scanning |
| 88 | + - name: Build and push multi-arch image (temp) |
89 | 89 | uses: docker/build-push-action@v5 |
90 | 90 | with: |
91 | 91 | context: . |
92 | 92 | file: package/docker/Dockerfile |
93 | 93 | platforms: linux/amd64,linux/arm64 |
94 | | - push: false |
95 | | - load: true |
| 94 | + push: true |
96 | 95 | tags: | |
97 | | - ${{ env.IMAGE_NAME }}:local-scan |
| 96 | + ${{ env.IMAGE_NAME }}:scan-${{ github.sha }} |
98 | 97 | cache-from: type=gha |
99 | 98 | cache-to: type=gha,mode=max |
100 | 99 |
|
101 | | - # Scan the local image before pushing |
| 100 | + # Scan the pushed image |
102 | 101 | - name: Scan Docker image for vulnerabilities |
103 | 102 | uses: aquasecurity/trivy-action@0.30.0 |
104 | 103 | with: |
105 | | - image-ref: '${{ env.IMAGE_NAME }}:local-scan' |
| 104 | + image-ref: '${{ env.IMAGE_NAME }}:scan-${{ github.sha }}' |
106 | 105 | format: 'table' |
107 | 106 | exit-code: '1' |
108 | 107 | severity: 'CRITICAL,HIGH' |
109 | 108 |
|
110 | | - # Only push if security scan passes |
111 | | - - name: Push multi-arch image |
| 109 | + # If scan passes, tag the image with final tags |
| 110 | + - name: Tag image with final tags |
112 | 111 | if: success() |
113 | | - uses: docker/build-push-action@v5 |
114 | | - with: |
115 | | - context: . |
116 | | - file: package/docker/Dockerfile |
117 | | - platforms: linux/amd64,linux/arm64 |
118 | | - push: true |
119 | | - tags: | |
120 | | - ${{ env.IMAGE_NAME }}:latest |
121 | | - ${{ env.IMAGE_NAME }}:${{ github.sha }} |
122 | | - ${{ env.IMAGE_NAME }}:v${{ steps.package-version.outputs.version }} |
123 | | - cache-from: type=gha |
124 | | - cache-to: type=gha,mode=max |
| 112 | + run: | |
| 113 | + # Tag the scanned image with final tags |
| 114 | + docker buildx imagetools create \ |
| 115 | + --tag ${{ env.IMAGE_NAME }}:latest \ |
| 116 | + --tag ${{ env.IMAGE_NAME }}:${{ github.sha }} \ |
| 117 | + --tag ${{ env.IMAGE_NAME }}:v${{ steps.package-version.outputs.version }} \ |
| 118 | + ${{ env.IMAGE_NAME }}:scan-${{ github.sha }} |
125 | 119 | |
126 | 120 | # This step dispatches an event to the utils repo to trigger downstream deployments |
127 | 121 | - name: Repository Dispatch |
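Review bot: With `push: true` at new line 94, the image is now published to the registry before the Trivy step at new line 101 runs, so a build that fails the CRITICAL/HIGH gate is still pullable as `IMAGE_NAME:scan-<sha>` — the old "only push if security scan passes" guarantee no longer holds, and nothing deletes that tag on either the failure or the success path. If multi-arch is why `load: true` was dropped, the scan can still happen before any push by exporting to an OCI layout instead, e.g. replacing `push: true` with `outputs: type=oci,dest=/tmp/image.tar` and the scan's `image-ref:` with `input: /tmp/image.tar`, then pushing the final tags from cache as the previous step did; whether Trivy handles the multi-platform index in that tarball is worth checking. If pushing first is intentional, add an `if: failure()` cleanup step that removes the `scan-${{ github.sha }}` package version (note that `GITHUB_TOKEN` may lack delete rights on GHCR, so verify the permission), and document in the step comment that the temp tag is transiently public. Separately, `${{ steps.package-version.outputs.version }}` is interpolated directly into the `run:` shell at new line 117; passing it through an `env:` variable and quoting it avoids expression injection if that output is ever derived from repository content.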
|