name: Build and Publish Docker Image on: push: branches: [main] tags: ["v*"] pull_request: branches: [main] env: REGISTRY: ${{ forgejo.server_url }} IMAGE_NAME: ${{ forgejo.repository }} jobs: test: runs-on: docker container: image: rust:1.88 steps: - name: Checkout repository uses: https://code.forgejo.org/actions/checkout@v4 - name: Install components run: rustup component add rustfmt clippy - name: Cache cargo registry uses: https://code.forgejo.org/actions/cache@v4 with: path: | ~/.cargo/registry ~/.cargo/git target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - name: Run tests run: cargo test --verbose - name: Run clippy run: cargo clippy -- -D warnings - name: Check formatting run: cargo fmt -- --check build-and-push: needs: test runs-on: docker steps: - name: Checkout repository uses: https://code.forgejo.org/actions/checkout@v4 - name: Build and publish image uses: http://forgejo:3000/andras/ci-actions/docker-publish@main with: context: . push: ${{ github.event_name != 'pull_request' }} token: ${{ secrets.FORGEJO_TOKEN }} security-scan: needs: build-and-push runs-on: docker if: github.event_name != 'pull_request' steps: - name: Resolve registry host id: registry run: | host="$(echo '${{ github.server_url }}' | sed -E 's|https?://||; s|/$||')" [ "$host" = "forgejo:3000" ] && host="127.0.0.1:13000" echo "image=${host}/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - name: Run Trivy vulnerability scanner # Pinned to the commit behind trivy-action v0.36.0 for a reproducible, # supply-chain-safe reference instead of the moving @master branch. uses: https://github.com/aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 with: image-ref: ${{ steps.registry.outputs.image }}:latest format: "table" exit-code: "1" severity: "CRITICAL,HIGH"