name: Test & build Docker image on: push: branches: [ master ] tags: ['*'] pull_request: env: IMAGE_NAME: trafex/php-nginx jobs: deploy: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Build image run: |- docker build -t $IMAGE_NAME . docker tag $IMAGE_NAME:latest $IMAGE_NAME:${{ github.sha }} - name: Smoke test image run: |- docker-compose -f docker-compose.test.yml up -d app sleep 2 docker-compose -f docker-compose.test.yml run sut - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: sarif_file: 'trivy-results.sarif' - name: Login to Docker Hub uses: docker/login-action@v1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Push latest image if: github.ref == 'refs/heads/master' && github.event_name == 'push' run: |- docker push $IMAGE_NAME:latest - name: Set tag in environment if: contains(github.ref, 'refs/tags/') run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - name: Push tagged image if: contains(github.ref, 'refs/tags/') run: |- docker tag $IMAGE_NAME:${{ github.sha }} $IMAGE_NAME:$RELEASE_VERSION docker push $IMAGE_NAME:$RELEASE_VERSION