1+ name : Manual Release
2+
3+ on :
4+ workflow_dispatch :
5+ inputs :
6+ tag :
7+ description : ' Tag to build (leave empty to build latest)'
8+ required : false
9+ default : ' '
10+
11+ env :
12+ REGISTRY : ghcr.io
13+ IMAGE_NAME : ${{ github.repository }}
14+
15+ jobs :
16+ build-and-push-image :
17+ runs-on : ubuntu-latest
18+ permissions :
19+ contents : read
20+ packages : write
21+
22+ steps :
23+ - name : Checkout repository
24+ uses : actions/checkout@v3
25+
26+ - name : Set up QEMU
27+ uses : docker/setup-qemu-action@v2
28+
29+ - name : Set up Docker Buildx
30+ uses : docker/setup-buildx-action@v2
31+
32+ - name : Log in to the Container registry
33+ uses : docker/login-action@v2
34+ with :
35+ registry : ${{ env.REGISTRY }}
36+ username : ${{ github.actor }}
37+ password : ${{ secrets.GITHUB_TOKEN }}
38+
39+ - name : Extract metadata (tags, labels) for Docker
40+ id : meta
41+ uses : docker/metadata-action@v4
42+ with :
43+ images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
44+ tags : |
45+ # set latest tag for default branch
46+ type=raw,value=latest,enable={{is_default_branch}}
47+ type=ref,event=tag
48+ type=ref,event=branch
49+
50+ - name : Build and push Docker image
51+ uses : docker/build-push-action@v3
52+ with :
53+ context : .
54+ platforms : linux/amd64,linux/arm64
55+ file : Dockerfile
56+ push : true
57+ tags : ${{ steps.meta.outputs.tags }}
58+ labels : ${{ steps.meta.outputs.labels }}
59+ build-args : VERSION=${{ steps.meta.outputs.version }}
60+
61+ - name : Run Trivy vulnerability scanner
62+ run : |
63+ for i in {1..3}; do
64+ if docker run --rm aquasec/trivy:latest image --exit-code 0 --severity CRITICAL,HIGH --ignore-unfixed ${{ fromJSON(steps.meta.outputs.json).tags[0] }}; then
65+ break
66+ elif [ $i -lt 3 ]; then
67+ echo "Retrying in 60 seconds..."
68+ sleep 60
69+ else
70+ exit 1
71+ fi
72+ done
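Review bot: The Trivy step cannot block a vulnerable image: it runs after `push: true` has already published every tag, and `--exit-code 0` makes the scan succeed regardless of CRITICAL/HIGH findings, so the retry loop only covers failures of the scanner itself (e.g. a DB download) and the final `exit 1` is reached only when Trivy errors three times. If the scan is meant to gate the release, build with `push: false` first, scan that image, and push in a later step; at minimum change the flag to `--exit-code 1` so findings make the run red, or add `# informational only: the image is already published at this point` above the step if the current behaviour is intended. The `tag` input on line 6 is never consumed — the checkout step has no `ref:`, so the build always uses the ref the dispatch was started on and `type=ref,event=tag` only applies when that ref is itself a tag; something like `ref: ${{ inputs.tag || github.ref }}` together with `default: ''` on line 9 (the current default is a single space, a non-empty string) would make the description on line 7 true. All actions and `aquasec/trivy:latest` are referenced by mutable tags; pinning them to commit SHAs / an image digest is the usual supply-chain hardening for a workflow that holds `packages: write`.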