action.yml

name: docker-build-plus
description: Build, push and scan Docker images
branding:
  icon: upload-cloud
  color: purple

inputs:
  build-args:
    default: ""
    description: Build arguments
    required: false
  context:
    default: .
    description: Context of the Dockerfile
    required: false
  cosign:
    default: "false"
    description: Whether or not to sign the image with Cosign
    required: false
  dockerhub-password:
    default: ""
    description: Docker Hub password
    required: false
  dockerhub-username:
    default: ""
    description: Docker Hub username
    required: false
  github-token:
    default: ${{ github.token }}
    description: GitHub token
    required: true
  image-extra-tags:
    default: ""
    description: Image tags
    required: false
  image-name:
    description: Image name
    required: true
  image-target:
    default: ""
    description: Target stage of the Dockerfile
    required: false
  kubescape:
    default: "false"
    description: Whether or not to run Kubescape
    required: false
  kubescape-upload-sarif:
    default: "false"
    description: Whether or not to upload Kubescape SARIF results
    required: false
  kubescape-version:
    default: v3.0.18
    description: Kubescape version
    required: false
  platforms:
    default: linux/amd64,linux/arm64
    description: Platforms to build for
    required: false
  pre-build-commands:
    default: ''
    description: A set of bash commands to run before building the docker image
    required: false
  push:
    default: "true"
    description: Whether or not to push image to registry
    required: false
  ref:
    default: ${{ github.ref }}
    description: Ref to checkout
    required: false
  registry-password:
    default: ""
    description: The password to use when scanning the image with Kubescape
    required: false
  registry-username:
    default: ""
    description: The username to use when scanning the image with Kubescape
    required: false
  runner:
    default: ubuntu-latest
    description: Runner to use
    required: false
  scout-comment-pr:
    default: "false"
    description: Whether or not to comment on PR
    required: false
  scout-compare:
    default: "false"
    description: Whether or not to run scout compare
    required: false
  scout-cves:
    default: "false"
    description: Whether or not to run scout CVEs
    required: false

outputs:
  digest:
    description: Image digest
    value: ${{ steps.build-push.outputs.digest }}
  imageid:
    description: Image ID
    value: ${{ steps.build-push.outputs.image-id }}
  metadata:
    description: Build result metadata
    value: ${{ steps.build-push.outputs.metadata }}

runs:
  using: "composite"
  steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        ref: ${{ inputs.ref }}

    - if: inputs.cosign == 'true'
      name: Setup Cosign CLI
      uses: sigstore/cosign-installer@v3

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
        password: ${{ inputs.github-token }}
        registry: ghcr.io
        username: ${{ github.actor }}

    - if: |
        inputs.dockerhub-username != '' &&
        inputs.dockerhub-password != ''
      name: Login to Docker hub
      uses: docker/login-action@v3
      with:
        password: ${{ inputs.dockerhub-password }}
        username: ${{ inputs.dockerhub-username }}

    - name: Docker metadata
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: |
          ${{ inputs.image-name }}

    - name: Run pre-build commands
      if: inputs.pre-build-commands != ''
      run: ${{ inputs.pre-build-commands }}
      shell: bash

    - name: Build and push
      id: build-push
      uses: docker/build-push-action@v6
      with:
        build-args: ${{ inputs.build-args }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
        context: ${{ inputs.context }}
        labels: ${{ steps.meta.outputs.labels }}
        platforms: ${{ inputs.platforms }}
        push: ${{ inputs.push }}
        tags: |
          ${{ steps.meta.outputs.tags }}
          ${{ inputs.image-extra-tags }}
        target: ${{ inputs.image-target }}

    - name: Docker Scout - compare
      if: inputs.scout-compare == 'true'
      uses: docker/scout-action@v1
      with:
        command: compare
        github-token: ${{ inputs.github-token }}
        ignore-unchanged: true
        image: ${{ steps.meta.outputs.tags }}
        only-severities: critical,high,medium
        to: ${{ inputs.image-name }}:latest
        write-comment: ${{ inputs.scout-comment-pr }}

    - name: Docker Scout - cves
      if: inputs.scout-cves == 'true'
      uses: docker/scout-action@v1
      with:
        command: cves
        ignore-unchanged: true
        image: ${{ steps.meta.outputs.tags }}
        only-fixed: true
        only-severities: medium,high,critical
        sarif-file: sarif.output.json
        summary: true

    - id: job-id
      if: inputs.scout-cves == 'true'
      name: Create unique job identifier
      shell: bash
      run: |
        four_character_timestamp=$(date +%s | sha256sum | base64 | head -c 4)
        run_id=$(echo ${{ github.run_id }} | sha256sum | base64 | head -c 4)
        job_id="${four_character_timestamp}${run_id}"
        echo "job-id=$job_id" >> $GITHUB_OUTPUT

    - name: Pick the first image name if multiple are provided
      id: image-name
      shell: bash
      run: |
        image_name=$(echo "${{ inputs.image-name }}" | awk 'NR==1 {gsub(/^ +| +$/, ""); print}')
        echo "image-name=$image_name" >> $GITHUB_OUTPUT

    - name: Upload artifact
      if: inputs.scout-cves == 'true'
      uses: actions/upload-artifact@v4
      with:
        if-no-files-found: warn
        name: scout-results-${{ steps.job-id.outputs.job-id }}
        path: sarif.output.json

    - continue-on-error: true
      if: inputs.kubescape == 'true'
      uses: kubescape/github-action@main
      with:
        format: sarif
        image: ${{ steps.image-name.outputs.image-name }}@${{ steps.build-push.outputs.digest }}
        outputFile: results.sarif
        severityThreshold: Medium
        registryUsername: ${{ inputs.registry-username }}
        registryPassword: ${{ inputs.registry-password }}

    - continue-on-error: true
      if: inputs.kubescape-upload-sarif == 'true'
      name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif

    - if: inputs.cosign == 'true'
      name: Sign image with cosign
      run: |
        cosign sign --yes ${{ steps.image-name.outputs.image-name }}@${{ steps.build-push.outputs.digest }}
      shell: bash