diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 0000000..d5d8c73 --- /dev/null +++ b/.github/workflows/docker-build.yml @@ -0,0 +1,86 @@ +name: Docker Build and Push + +on: + push: + branches: [main] + workflow_dispatch: + inputs: + trigger-build: + description: 'Trigger a manual build and push' + required: true + default: 'true' + +env: + DOCKER_HUB_PREFIX: docker.io + GHCR_PREFIX: ghcr.io + DOCKER_IMAGE: donaldzou/wgdashboard + +jobs: + docker_build: + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + registry: ${{ env.DOCKER_HUB_PREFIX }} + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.GHCR_PREFIX }} + username: ${{ github.actor }} + password: ${{ secrets.GHCR_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: linux/amd64,linux/arm64,linux/arm/v7 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.DOCKER_HUB_PREFIX }}/${{ env.DOCKER_IMAGE }} + ${{ env.GHCR_PREFIX }}/${{ env.DOCKER_IMAGE }} + + - name: Build and export (multi-arch) + uses: docker/build-push-action@v6 + with: + context: . + file: ./docker/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64,linux/arm/v7 + + - name: Docker Scout CVEs + uses: docker/scout-action@v1 + with: + command: cves + image: ${{ steps.meta.outputs.tags }} + only-severities: critical,high + only-fixed: true + write-comment: true + github-token: ${{ secrets.GITHUB_TOKEN }} + exit-code: true + + - name: Docker Scout Compare + uses: docker/scout-action@v1 + with: + command: compare + image: ${{ env.DOCKER_HUB_PREFIX }}/${{ env.DOCKER_IMAGE }}:nightly + to: ${{ env.DOCKER_HUB_PREFIX }}/${{ env.DOCKER_IMAGE }}:latest + only-severities: critical,high + ignore-unchanged: true + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml new file mode 100644 index 0000000..33a5ae3 --- /dev/null +++ b/.github/workflows/docker-scan.yml @@ -0,0 +1,37 @@ +name: Docker Scan + +on: + workflow_dispatch: + inputs: + trigger-scan: + description: 'Trigger a manual scan' + required: true + default: 'true' + +env: + DOCKER_IMAGE: donaldzou/wgdashboard + +jobs: + docker_scan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + - name: Docker Scout CVEs + uses: docker/scout-action@v1 + with: + command: cves + image: ${{ env.DOCKER_IMAGE }}:nightly + only-severities: critical,high + only-fixed: true + write-comment: true + github-token: ${{ secrets.GITHUB_TOKEN }} + exit-code: true