docker-compose-updater/.forgejo/workflows/docker-publish.yml
Andras Schmelczer d4d0657555
Some checks failed
Build and Publish Docker Image / test (push) Successful in 40s
Build and Publish Docker Image / build-and-push (push) Successful in 19s
Build and Publish Docker Image / security-scan (push) Failing after 33s
Fix token
2026-06-06 20:42:49 +01:00

83 lines
2.4 KiB
YAML

name: Build and Publish Docker Image
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
branches: [main]
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: '-Dwarnings'
REGISTRY: ${{ forgejo.server_url }}
IMAGE_NAME: ${{ forgejo.repository }}
jobs:
test:
runs-on: docker
steps:
- uses: actions/checkout@v4
- name: Cache Rust dependencies
uses: actions/cache@v4
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Install Rust toolchain
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
| sh -s -- -y --default-toolchain stable --profile default
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Run tests
run: cargo test --verbose
- name: Run clippy
run: cargo clippy -- -D warnings
- name: Check formatting
run: cargo fmt -- --check
build-and-push:
needs: test
runs-on: docker
steps:
- uses: actions/checkout@v4
- name: Build and publish image
uses: http://forgejo:3000/andras/ci-actions/docker-publish@main
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
token: ${{ secrets.FORGEJO_PACKAGE_TOKEN }}
security-scan:
needs: build-and-push
runs-on: docker
if: github.event_name != 'pull_request'
steps:
- name: Resolve registry host
id: registry
run: |
host="$(echo '${{ github.server_url }}' | sed -E 's|https?://||; s|/$||')"
[ "$host" = "forgejo:3000" ] && host="127.0.0.1:13000"
echo "image=${host}/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
- name: Run Trivy vulnerability scanner
# Pinned to the commit behind trivy-action v0.36.0 for a reproducible,
# supply-chain-safe reference instead of the moving @master branch.
uses: https://github.com/aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
with:
image-ref: ${{ steps.registry.outputs.image }}:latest
format: "table"
exit-code: "1"
severity: "CRITICAL,HIGH"