name: Docker Build & Publish on: push: branches: - main - development tags: - 'v*.*.*' pull_request: branches: - main - development workflow_call: # Allow this workflow to be called by other workflows env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository_owner }}/${{ github.event.repository.name }} jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: read packages: write security-events: write steps: - name: Checkout repository uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Normalize image name run: | raw="${{ github.repository_owner }}/${{ github.event.repository.name }}" echo "IMAGE_NAME=$(echo "$raw" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV - name: Determine skip condition id: skip run: | should_skip=false actor='${{ github.actor }}' event='${{ github.event_name }}' head_msg='${{ github.event.head_commit.message }}' pr_title="" if [ "$event" = "pull_request" ]; then pr_title=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH" 2>/dev/null || echo '') fi if [ "$actor" = "renovate[bot]" ]; then should_skip=true; fi if echo "$head_msg" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi if echo "$head_msg" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi if echo "$pr_title" | grep -Ei '^chore\(deps' >/dev/null 2>&1; then should_skip=true; fi if echo "$pr_title" | grep -Ei '^chore:' >/dev/null 2>&1; then should_skip=true; fi echo "skip_build=$should_skip" >> $GITHUB_OUTPUT if [ "$should_skip" = true ]; then echo "Skipping heavy docker publish for actor=$actor event=$event (message/title matched)" else echo "Proceeding with docker publish" fi - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Resolve Caddy base digest id: caddy run: | docker pull caddy:2-alpine DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' caddy:2-alpine) echo "image=$DIGEST" >> $GITHUB_OUTPUT - name: Log in to Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) if: steps.skip.outputs.skip_build != 'true' id: meta uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | # Tag 'latest' for main branch type=raw,value=latest,enable={{is_default_branch}} # Tag 'dev' for development branch type=raw,value=dev,enable=${{ github.ref == 'refs/heads/development' }} # Semver tags for version releases (v1.0.0 -> 1.0.0, 1.0, 1) type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - name: Build and push Docker image if: steps.skip.outputs.skip_build != 'true' id: build-and-push uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max build-args: | VERSION=${{ steps.meta.outputs.version }} BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} VCS_REF=${{ github.sha }} CADDY_IMAGE=${{ steps.caddy.outputs.image }} - name: Image digest if: steps.skip.outputs.skip_build != 'true' run: echo ${{ steps.build-and-push.outputs.digest }} - name: Run Trivy scan (table output first for visibility) if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' id: trivy_table continue-on-error: true uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} format: 'table' severity: 'CRITICAL,HIGH' exit-code: '0' - name: Run Trivy vulnerability scanner if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' id: trivy continue-on-error: true uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} format: 'sarif' output: 'trivy-results.sarif' exit-code: '0' severity: 'CRITICAL,HIGH' - name: Upload Trivy results to GitHub Security if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && (steps.trivy.outcome == 'success' || steps.trivy.outcome == 'failure') uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' - name: Check for vulnerabilities if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy_table.outcome == 'failure' run: | echo "::error::CRITICAL or HIGH vulnerabilities found in image" exit 1 - name: Skip summary if: steps.skip.outputs.skip_build == 'true' run: | echo "## 🚫 Docker Publish Skipped" >> $GITHUB_STEP_SUMMARY echo "Reason: renovate bot or chore(deps)/chore commit/PR title." >> $GITHUB_STEP_SUMMARY echo "Actor: ${{ github.actor }}" >> $GITHUB_STEP_SUMMARY echo "Event: ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY