Docker #908

	name: Docker

	on:
	push:
	branches:
	- main
	tags:
	- "v..*"
	schedule:
	- cron: "0 21 * * 6"

	permissions:
	contents: read

	jobs:
	build:
	runs-on: ubuntu-latest

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: biow0lf/evemonk-pg-extras

	- name: Login to Docker Hub
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	username: ${{ secrets.DOCKER_HUB_USERNAME }}
	password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

	- name: Set up QEMU
	uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0

	- name: Build and push
	id: docker_build
	uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
	with:
	pull: true
	push: true
	no-cache: true
	# platforms: linux/amd64,linux/arm64
	platforms: linux/amd64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}

	- name: Image digest
	run: echo ${{ steps.docker_build.outputs.digest }}

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
	with:
	image-ref: "docker.io/biow0lf/evemonk-pg-extras:main"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"

Provide feedback