diff --git a/.github/workflows/manual-release.yaml b/.github/workflows/manual-release.yaml new file mode 100644 index 00000000..5dd825f2 --- /dev/null +++ b/.github/workflows/manual-release.yaml @@ -0,0 +1,72 @@ +name: Manual Release + +on: + workflow_dispatch: + inputs: + tag: + description: 'Tag to build (leave empty to build latest)' + required: false + default: '' + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build-and-push-image: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Log in to the Container registry + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + # set latest tag for default branch + type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=tag + type=ref,event=branch + + - name: Build and push Docker image + uses: docker/build-push-action@v3 + with: + context: . + platforms: linux/amd64,linux/arm64 + file: Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: VERSION=${{ steps.meta.outputs.version }} + + - name: Run Trivy vulnerability scanner + run: | + for i in {1..3}; do + if docker run --rm aquasec/trivy:latest image --exit-code 0 --severity CRITICAL,HIGH --ignore-unfixed ${{ fromJSON(steps.meta.outputs.json).tags[0] }}; then + break + elif [ $i -lt 3 ]; then + echo "Retrying in 60 seconds..." + sleep 60 + else + exit 1 + fi + done \ No newline at end of file