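name: Docker Image CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

env:
  DOCKER_REGISTRY: ${{ vars.docker_repo2_registry }}
  REPO: ${{ github.repository }}

# All third-party actions below are referenced by mutable major-version tags
# (@v3, @v4, @v6); pinning each to a full commit SHA is the usual supply-chain
# hardening and is left to the maintainers, since no SHA is recorded here.
jobs:
  image-vulnerability-scan:
    # Pinned rather than ubuntu-latest so runner upgrades are deliberate.
    runs-on: ubuntu-22.04
    # Least privilege: this job only checks out the repository and builds an
    # image locally, so the default GITHUB_TOKEN needs read access only.
    permissions:
      contents: read
    steps:
      - id: get-id
        name: Get a unique tag for this build
        # The short id is derived from the runner-provided GITHUB_SHA variable
        # instead of interpolating a ${{ }} expression into the shell script.
        run: |
          ID=${GITHUB_SHA:0:8}
          echo "ID=$ID" >> "$GITHUB_OUTPUT"
          echo "DOCKER_IMAGE=$DOCKER_REGISTRY/$REPO:temp-$ID" >> "$GITHUB_OUTPUT"

      - name: Print build id and image name
        env:
          ID: ${{ steps.get-id.outputs.ID }}
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          echo "$ID"
          echo "$DOCKER_IMAGE"

      - uses: actions/checkout@v4

      - name: Login to Docker Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.docker_repo2_registry }}
          username: ${{ vars.docker_repo2_username }}
          # NOTE(review): the registry password is read from a repository
          # *variable*, which is stored in plaintext and is not masked in logs.
          # It should be moved to a repository secret (`secrets.*`); the
          # reference is kept as-is here so the workflow keeps running until
          # that secret exists.
          password: ${{ vars.docker_repo2_password }}

      - name: Build the Docker image
        # The PUBLIC_BUILD_VERSION build-arg is intentionally omitted in the
        # scan job for speed; the push job below passes it.
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          docker build \
            --file fab/d/actions-build.Dockerfile \
            --tag "$DOCKER_IMAGE" \
            .

      - name: Scan Docker Image for vulnerabilities with Grype
        uses: anchore/scan-action@v6
        with:
          image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
          # Cache the Grype vulnerability DB between runs in the Actions cache.
          cache-db: true
          output-format: table
          only-fixed: true
          severity-cutoff: critical
          fail-build: true

  npm-push:
    runs-on: ubuntu-22.04
    if: ${{ github.event_name == 'push' }}
    permissions:
      # The default GITHUB_TOKEN needs write access to push the version-bump
      # commit and its tag back to the repository.
      contents: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          registry-url: ${{ vars.NPM_REGISTRY }}
          # NOTE(review): setup-node's `token` input is the GitHub token used
          # to download Node distributions, not an npm auth token, and nothing
          # in this job publishes to npm — confirm this input is still needed.
          token: ${{ secrets.NPM_TOKEN }}

      - name: Install NPM Dependencies
        run: |
          npm install -g pnpm
          pnpm install

      - name: Lint & Check
        run: |
          pnpm lint
          pnpm check

      - run: pnpm build

      - name: Increment package version and push
        # The bump commit carries "[CI SKIP]" so pushing it to main does not
        # re-trigger this workflow.
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          git config --global user.name 'bot-build'
          git config --global user.email 'techbots+build@gmetri.com'
          export N=$(node -p "require('./package.json').name") && echo "$N"
          pnpm version patch --message "v%s: $N [CI SKIP]"
          git push origin
          git push --tags origin

  docker-build-and-push:
    runs-on: ubuntu-22.04
    # Gate the push on the scan job. Without this the two jobs ran in
    # parallel, so a failed Grype scan did not stop the image from being
    # pushed to the registry.
    needs: [image-vulnerability-scan]
    # Least privilege: checkout only; the registry push uses its own login.
    permissions:
      contents: read
    steps:
      - id: get-id
        name: Get a unique tag for this build
        run: |
          ID=${GITHUB_SHA:0:8}
          echo "ID=$ID" >> "$GITHUB_OUTPUT"
          echo "DOCKER_IMAGE=$DOCKER_REGISTRY/$REPO:$ID" >> "$GITHUB_OUTPUT"

      - name: Print build id and image name
        env:
          ID: ${{ steps.get-id.outputs.ID }}
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          echo "$ID"
          echo "$DOCKER_IMAGE"

      - uses: actions/checkout@v4

      - name: Login to Docker Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.docker_repo2_registry }}
          username: ${{ vars.docker_repo2_username }}
          # NOTE(review): same as the scan job — this password lives in a
          # plaintext repository variable and should become a secret.
          password: ${{ vars.docker_repo2_password }}

      - name: Build the Docker image
        # NOTE(review): this is a second, independent build; the image pushed
        # below is not byte-identical to the `temp-` tag the scan job checked.
        # Building once and scanning that exact image before pushing would
        # close that gap.
        env:
          ID: ${{ steps.get-id.outputs.ID }}
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          docker build \
            --build-arg PUBLIC_BUILD_VERSION="$ID" \
            --file fab/d/actions-build.Dockerfile \
            --tag "$DOCKER_IMAGE" \
            .
          IMAGE_SIZE=$(docker inspect -f "{{ .Size }}" "$DOCKER_IMAGE" | numfmt --to=si)
          echo "Image size $IMAGE_SIZE"

      - name: Push the Docker image
        if: ${{ github.event_name == 'push' }}
        env:
          DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        run: |
          docker push "$DOCKER_IMAGE"
          IMAGE_SIZE=$(docker inspect -f "{{ .Size }}" "$DOCKER_IMAGE" | numfmt --to=si)
          echo "Pushed $IMAGE_SIZE image $DOCKER_IMAGE"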