docker-php-nginx/.github/workflows/build.yaml

name: Test & build Docker image

on:
  push:
    branches: [ master ]
    tags: ['*']
  pull_request:

env:
  IMAGE_NAME: trafex/php-nginx
  IMAGE_TAG: ${{ github.sha }}

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1

      - name: Build image
        run: |-
          docker build -t $IMAGE_NAME:$IMAGE_TAG .          

      - name: Smoke test image
        run: |-
          docker-compose -f docker-compose.test.yml up -d app
          sleep 2
          docker-compose -f docker-compose.test.yml run sut          

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build multi-arch image and push latest tag
        if: github.ref == 'refs/heads/master' && github.event_name == 'push'
        run: |-
          docker buildx build \
            --cache-from=$IMAGE_NAME:latest \
            --push \
            -t $IMAGE_NAME:latest \
            --platform linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 \
            .          

      - name: Set tag in environment
        if: contains(github.ref, 'refs/tags/')
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

      - name: Build multi-arch image and push release tag
        if: contains(github.ref, 'refs/tags/')
        run: |-
          docker buildx build \
            --cache-from=$IMAGE_NAME:latest \
            --push \
            -t $IMAGE_NAME:$RELEASE_VERSION \
            --platform linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 \
            .