pull-containers-and-push-to-ghcr.yml

---
name: Pull Third Party Containers, Scan, and Publish to GHCR
on:
  workflow_dispatch:
  schedule:
    - cron: '0 5 * * 0'

jobs:
  pull-and-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    env:
      GH_REPO: gsa-tts/fac
    strategy:
      fail-fast: false
      matrix:
        image:
          - name: postgrest/postgrest:latest
            short-name: postgrest
          - name: ghcr.io/gsa-tts/clamav-rest/clamav:latest
            short-name: clamav

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Pull Docker Image
        run: docker pull ${{ matrix.image.name }}

      - name: Scan Image
        run: docker run aquasec/trivy:latest  image --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH  ${{ matrix.image.name }}

      - name: Tag Image
        run: |
          date=$(date +%Y%m%d)
          docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
          docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:$date

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Image
        run: docker push --all-tags ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}