name: Test & build Docker image on: push: branches: [ master-no ] tags: ['*'] pull_request: env: IMAGE_NAME: trafex/php-nginx IMAGE_TAG: ${{ github.sha }} jobs: build: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v1 - name: Build image run: |- docker build -t $IMAGE_NAME:$IMAGE_TAG . - name: Smoke test image run: |- docker-compose -f docker-compose.test.yml up -d app sleep 2 docker-compose -f docker-compose.test.yml run sut - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: sarif_file: 'trivy-results.sarif' - name: Login to Docker Hub uses: docker/login-action@v1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build multi-arch image and push latest tag if: github.ref == 'refs/heads/master' && github.event_name == 'push' run: |- docker buildx build \ --cache-from=$IMAGE_NAME:latest \ --push \ -t $IMAGE_NAME:latest \ --platform linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 \ . - name: Set tag in environment if: contains(github.ref, 'refs/tags/') run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - name: Build multi-arch image and push release tag if: contains(github.ref, 'refs/tags/') run: |- docker buildx build \ --cache-from=$IMAGE_NAME:latest \ --push \ -t $IMAGE_NAME:$RELEASE_VERSION \ --platform linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 \ .