name: Test & build Docker image

on:
  push:
    branches: [ master ]
    tags: ['*']
  pull_request:

env:
  IMAGE_NAME: trafex/php-nginx

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Build image
        run: |-
          docker build -t $IMAGE_NAME .
          docker tag $IMAGE_NAME:latest $IMAGE_NAME:${{ github.sha }}

      - name: Smoke test image
        run: |-
          docker-compose -f docker-compose.test.yml up -d app
          sleep 2
          docker-compose -f docker-compose.test.yml run sut

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Push latest image
        if: github.ref == 'refs/heads/master' && github.event_name == 'push'
        run: |-
          docker push $IMAGE_NAME:latest

      - name: Set tag in environment
        if: contains(github.ref, 'refs/tags/')
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Push tagged image
        if: contains(github.ref, 'refs/tags/')
        run: |-
          docker tag $IMAGE_NAME:${{ github.sha }} $IMAGE_NAME:$RELEASE_VERSION
          docker push $IMAGE_NAME:$RELEASE_VERSION