name: Build and Publish Docker Image on: push: branches: [main] tags: ["v*"] pull_request: branches: [main] env: CARGO_TERM_COLOR: always RUSTFLAGS: '-Dwarnings' REGISTRY: ${{ forgejo.server_url }} IMAGE_NAME: ${{ forgejo.repository }} jobs: test: runs-on: docker steps: - uses: actions/checkout@v4 - name: Cache Rust dependencies uses: actions/cache@v4 with: path: | ~/.cargo/bin/ ~/.cargo/registry/index/ ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} restore-keys: | ${{ runner.os }}-cargo- - name: Install Rust toolchain run: | curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \ | sh -s -- -y --default-toolchain stable --profile default echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" - name: Run tests run: cargo test --verbose - name: Run clippy run: cargo clippy -- -D warnings - name: Check formatting run: cargo fmt -- --check build-and-push: needs: test runs-on: docker steps: - uses: actions/checkout@v4 - name: Build and publish image uses: http://forgejo:3000/andras/ci-actions/docker-publish@main with: context: . push: ${{ github.event_name != 'pull_request' }} token: ${{ secrets.FORGEJO_PACKAGE_TOKEN }} security-scan: needs: build-and-push runs-on: docker if: github.event_name != 'pull_request' steps: - name: Resolve registry host id: registry run: | host="$(echo '${{ github.server_url }}' | sed -E 's|https?://||; s|/$||')" [ "$host" = "forgejo:3000" ] && host="127.0.0.1:13000" echo "image=${host}/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - name: Run Trivy vulnerability scanner # Pinned to the commit behind trivy-action v0.36.0 for a reproducible, # supply-chain-safe reference instead of the moving @master branch. uses: https://github.com/aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 with: image-ref: ${{ steps.registry.outputs.image }}:latest format: "table" exit-code: "1" severity: "CRITICAL,HIGH"