-
Notifications
You must be signed in to change notification settings - Fork 0
87 lines (74 loc) · 2 KB
/
ci-cd.yaml
File metadata and controls
87 lines (74 loc) · 2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
name: Docker Bake Build
on:
push:
tags: ["v*"]
pull_request:
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: nimendra/fastapi-demo
jobs:
lint:
name: Lint with Ruff
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: astral-sh/ruff-action@v3
docker:
name: Build and Push Docker Image
runs-on: ubuntu-latest
needs: lint
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker Meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/nmdra/fastapi-demo
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha
- name: Docker Bake (build and push)
uses: docker/bake-action@v6
with:
push: true
files: |
./docker-bake.hcl
cwd://${{ steps.meta.outputs.bake-file }}
targets: prod
set: |
*.cache-from=type=gha
*.cache-to=type=gha,mode=max
trivy:
name: Scan Docker Image with Trivy
runs-on: ubuntu-latest
needs: docker
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.24.0
with:
image-ref: ghcr.io/nmdra/fastapi-demo:latest
format: table
exit-code: 1
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'