docker.yml

name: Docker CI

on:
  schedule:
    - cron: '0 10 * * *'
  push:
    branches:
      - master
    paths-ignore:
      - '.github/**'
      - 'test/**'
      - '!.github/workflows/docker.yml'
    tags:
      - '*.*.*'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '.github/**'
      - 'test/**'
      - '!.github/workflows/docker.yml'
  workflow_dispatch:

jobs:
  docker:
    if: github.event_name != 'push' || !contains(github.event.head_commit.message, '[ci skip]')
    name: Build Docker image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true

      - name: Prepare
        id: prep
        run: |
          DOCKER_IMAGE=myrotvorets/psb-api-identigraf-decoder
          VERSION=noop
          if [ "${{ github.event_name }}" = "schedule" ]; then
            VERSION=nightly
          elif [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          elif [[ $GITHUB_REF == refs/heads/* ]]; then
            VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
            if [ "${{ github.event.repository.default_branch }}" = "$VERSION" ]; then
              VERSION=edge
            fi
          elif [[ $GITHUB_REF == refs/pull/* ]]; then
            VERSION=pr-${{ github.event.number }}
          fi
          TAGS="${DOCKER_IMAGE}:${VERSION}"
          if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
            MINOR=${VERSION%.*}
            MAJOR=${MINOR%.*}
            TAGS="$TAGS,${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:latest"
          elif [ "${{ github.event_name }}" = "push" ]; then
            TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
          fi
          echo ::set-output name=image::${DOCKER_IMAGE}
          echo ::set-output name=primaryTag::${DOCKER_IMAGE}:${VERSION}
          echo ::set-output name=version::${VERSION}
          echo ::set-output name=tags::${TAGS}
          echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
          if \
            [ "${{ github.event_name }}" != "pull_request" ] || \
            ([ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.event.pull_request.base.repo.full_name }}" ] && [ "${{ github.event.sender.login }}" != "dependabot[bot]" ]) \
          then
            echo ::set-output name=secrets::yes
          else
            echo ::set-output name=secrets::
          fi

      - name: Update .npmrc
        run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > .npmrc.local

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

      - name: Build and push
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
        with:
          load: true
          pull: true
          push: false
          tags: ${{ steps.prep.outputs.tags }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          file: ./Dockerfile
          labels: |
            org.opencontainers.image.title=${{ github.event.repository.name }}
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.url=${{ github.event.repository.html_url }}
            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
            org.opencontainers.image.version=${{ steps.prep.outputs.version }}
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}

      - name: Determine security scan parameters
        id: scanparams
        run: |
          if [ "${{ steps.prep.outputs.secrets }}" == "yes" ]; then
            echo ::set-output name=format::template
            echo ::set-output name=template::@/contrib/sarif.tpl
            echo ::set-output name=output::trivy-results.sarif
          else
            echo ::set-output name=format::table
            echo ::set-output name=template::
            echo ::set-output name=output::
          fi

      - name: Security Scan
        uses: aquasecurity/trivy-action@master
        id: scan
        with:
          image-ref: ${{ steps.prep.outputs.primaryTag }}
          format: ${{ steps.scanparams.outputs.format }}
          template: ${{ steps.scanparams.outputs.template }}
          output: ${{ steps.scanparams.outputs.output }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
        with:
          sarif_file: trivy-results.sarif
        if: steps.scanparams.outputs.output != ''

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKER_LOGIN }}
          password: ${{ secrets.DOCKER_PASSWORD }}
        if: github.event_name != 'pull_request'

      - name: Push the image
        run: docker push --all-tags "${{ steps.prep.outputs.image }}"
        if: github.event_name != 'pull_request'