.github/workflows/docker-build-push-read2burn.yml

name: docker build publish read2burn
concurrency:
  group: "read2burn"
  cancel-in-progress: true

env:
  BUILD_CONTEXT: .
  IMAGE_AUTHORS: Jürrens, Eike Hinderk <e.h.juerrens@52north.org>
  IMAGE_DESCRIPTION: transport passwords more secure by email
  IMAGE_LICENSES: Apache-2.0
  IMAGE_TAG: 52north/read2burn
  IMAGE_TITLE: read2burn by wemove forked by 52n
  IMAGE_VENDOR: 52°North Spatial Information Research GmbH
  IMAGE_URL: https://github.com/52north/read2burn
  METADATA_TAG_PATTERN: v(.*)

on:
  workflow_dispatch:
    inputs:
      tags:
        description: "Please provide a git tag value, e.g. v1.0b3. It should be the same version as the read2burn app with added build id."
        required: true
        type: string
        default: "v1.0b3"
  push:
    tags:
      - "v*"

jobs:
  build_and_publish:
    name: docker build publish image
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ 'javascript' ]
    steps:
    -
      name: Declare some variables
      id: vars
      shell: bash
      run: |
        echo "build_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT
        echo "build_id=$(echo ${{ github.event.inputs.tags }} | awk -F 'b' '{print $(NF)}')" >> $GITHUB_OUTPUT
    -
      name: Checkout Repository
      uses: actions/checkout@v4
    -
      name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
    -
      name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
    -
      name: Set up Docker Buildkit env
      uses: docker/setup-buildx-action@v3
    -
      name: Extract metadata (tags, labels) for tagging Docker Image
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: "${{ env.IMAGE_TAG }}"
        labels: |
          "org.opencontainers.image.authors=${{ env.IMAGE_AUTHORS }}"
          "org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}"
          "org.opencontainers.image.licenses=${{ env.IMAGE_LICENSES }}"
          "org.opencontainers.image.title=${{ env.IMAGE_TITLE }}"
          "org.opencontainers.image.url=${{ env.IMAGE_URL }}"
          "org.opencontainers.image.vendor=${{ env.IMAGE_VENDOR }}"
        tags: |
          type=match,pattern=${{ env.METADATA_TAG_PATTERN }},group=1,value=${{ github.event.inputs.tags }}
    -
      name: Log in to Docker Hub
      if: github.event_name != 'pull_request'
      uses: docker/login-action@v3
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_TOKEN }}
    -
      name: Build and push Docker image
      uses: docker/build-push-action@v6
      with:
        context: "${{ env.BUILD_CONTEXT }}"
        cache-from: type=gha
        cache-to: type=gha
        push: ${{ github.event_name != 'pull_request' }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        build-args: |
          GIT_COMMIT=${{ github.sha }}
          BUILD_DATE=${{ steps.vars.outputs.build_date }}
          BUILD_ID=${{ steps.vars.outputs.build_id }}
    -
      name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      env:
        #
        # Using AWS repository to circumvent TOOMANYREQUEST error from github repository
        #
        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
        #
        # Original GitHub repository
        #
        # TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2
        # TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1
        #
        #
        # Disable VEX notice
        #
        TRIVY_DISABLE_VEX_NOTICE: disable_vex_notice
      with:
        image-ref: "${{ env.IMAGE_TAG }}"
        format: 'table'
        output: 'trivy-results.txt'
        exit-code: '0'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'