Separated tasks (again) and separate builds (#8)

.github/workflows/docker-build.yml

@@ -0,0 +1,86 @@
+name: Docker Build and Push
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      trigger-build:
+        description: 'Trigger a manual build and push'
+        required: true
+        default: 'true'
+
+env:
+  DOCKER_HUB_PREFIX: docker.io
+  GHCR_PREFIX: ghcr.io
+  DOCKER_IMAGE: donaldzou/wgdashboard
+
+jobs:
+  docker_build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.DOCKER_HUB_PREFIX }}
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.GHCR_PREFIX }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_HUB_PREFIX }}/${{ env.DOCKER_IMAGE }}
+            ${{ env.GHCR_PREFIX }}/${{ env.DOCKER_IMAGE }}
+
+      - name: Build and export (multi-arch)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+
+      - name: Docker Scout CVEs
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ steps.meta.outputs.tags }}
+          only-severities: critical,high
+          only-fixed: true
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exit-code: true
+
+      - name: Docker Scout Compare
+        uses: docker/scout-action@v1
+        with:
+          command: compare
+          image: ${{ env.DOCKER_HUB_PREFIX }}/${{ env.DOCKER_IMAGE }}:nightly
+          to: ${{ env.DOCKER_HUB_PREFIX }}/${{ env.DOCKER_IMAGE }}:latest
+          only-severities: critical,high
+          ignore-unchanged: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/docker-scan.yml

@@ -0,0 +1,37 @@
+name: Docker Scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      trigger-scan:
+        description: 'Trigger a manual scan'
+        required: true
+        default: 'true'
+
+env:
+  DOCKER_IMAGE: donaldzou/wgdashboard
+
+jobs:
+  docker_scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Docker Scout CVEs
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ env.DOCKER_IMAGE }}:nightly
+          only-severities: critical,high
+          only-fixed: true
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          exit-code: true

.github/workflows/docker.yaml

@@ -1,56 +0,0 @@
-name: Docker Scan and Build
-
-on:
-  push:
-    branches: [ main ]
-  schedule:
-    - cron: "0 0 * * *"  # Daily at midnight UTC
-  workflow_dispatch:
-    inputs:
-      trigger-build:
-        description: 'Trigger a manual build and push'
-        default: 'true'
-
-env:
-  DOCKER_IMAGE: donaldzou/wgdashboard
-
-jobs:
-  docker_build_analyze:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and export (multi-arch)
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./docker/Dockerfile
-          push: true
-          tags: ${{ env.DOCKER_IMAGE }}:latest
-          platforms: linux/amd64,linux/arm64,linux/arm/v7 #ARM v6 no longer support by go image.
-
-      - name: Docker Scout
-        id: docker-scout
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          image: ${{ env.DOCKER_IMAGE }}:latest
-          only-severities: critical,high,medium,low,unspecified
-          github-token: ${{ secrets.GITHUB_TOKEN }}