BuildContainerForProduction #688
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: BuildContainerForProduction | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- master | |
schedule: | |
- cron: 00 4 * * * | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
name: Build Docker image | |
strategy: | |
matrix: | |
php: | |
- php7 | |
- php8 | |
steps: | |
- name: GitHub Environment Variables Action | |
uses: FranzDiebold/github-env-vars-action@v2 | |
- name: Shallow clone code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Login to Container Registry ghcr.io | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ env.CI_REPOSITORY_OWNER_SLUG }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build the container image | |
run: docker build . --tag php-docker-base:trivytemp --file Dockerfile.${{ matrix.php }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: php-docker-base:trivytemp | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
- name: Retag new image with latest tag so we can push the scanned version | |
run: docker image tag php-docker-base:trivytemp ghcr.io/${{ env.CI_REPOSITORY_OWNER_SLUG }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }} | |
- name: Push with commit ${{ matrix.php }} tag | |
run: docker push ghcr.io/${{ env.CI_REPOSITORY_OWNER_SLUG }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }} | |
#review containers | |
- name: Build the review container image | |
run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }}-review --file Dockerfile.${{ matrix.php }}-review | |
- name: Push with commit *-review tag | |
run: docker push ghcr.io/${{ env.CI_REPOSITORY_OWNER_SLUG }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }}-review | |
cleanup: | |
needs: [build] | |
runs-on: ubuntu-latest | |
steps: | |
- name: GitHub Environment Variables Action | |
uses: FranzDiebold/github-env-vars-action@v2 | |
- name: Login to Container Registry ghcr.io | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ env.CI_REPOSITORY_OWNER_SLUG }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Delete old versions of the package, keeping a few of the newest | |
uses: actions/delete-package-versions@v5 | |
with: | |
package-name: ${{ env.CI_REPOSITORY_NAME }} | |
package-type: container | |
min-versions-to-keep: 8 |