.workflow-example.yaml

name: build
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  checkout:
    name: Checkout
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          security-checks: 'vuln,config,secret'
          hide-progress: false
          format: 'table'
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          TRIVY_RUN_AS_PLUGIN: 'aqua'
          TRIGGERED_BY: 'PUSH'
          GITHUB_TOKEN: ${{ github.token }}
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: saargondocker/graphql-vuln:latest
          
      - name: Manifest Generation
        run: |
          docker image ls
          curl -L ${{ secrets.BILLY_URL }}/v1/api/download/sh | sh
          billy generate \
              --access-token "${{ secrets.GITHUB_TOKEN }}" \
             --aqua-key "${{ secrets.AQUA_KEY }}" \
             --aqua-secret "${{ secrets.AQUA_SECRET }}" \
             --artifact-path "saargondocker/graphql-vuln:latest"