.github/workflows/pipeline.yml

name: pipeline

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout    
        uses: actions/checkout@v3
      
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to Docker Hub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      
      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            "${{ vars.REGISTRY }}/${{ vars.IMAGE }}:${{ github.sha}}"
            "${{ vars.REGISTRY }}/${{ vars.IMAGE }}:latest"
            
  scan-vuln-with-trivy:
    runs-on: ubuntu-latest
    needs: ["build-and-push"]
    steps:
      - name: Scan vulnerabilities with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ vars.REGISTRY }}/${{ vars.IMAGE }}:${{ github.sha }}'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          template: '@/contrib/html.tpl'
          exit-code: '1'
          format: 'template'
          output: report.html
        env:
          TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
      
      - name: Upload Trivy Report
        uses: actions/upload-artifact@v2
        with:
          name: trivy-report
          path: report.html