Skip to content

ci: add PR checks, CodeQL, Trivy, Renovate, changesets release, and c… #128

ci: add PR checks, CodeQL, Trivy, Renovate, changesets release, and c…

ci: add PR checks, CodeQL, Trivy, Renovate, changesets release, and c… #128

Workflow file for this run

name: Build & Push Docker Images
on:
push:
branches: [main]
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_PREFIX: ghcr.io/medformatik/openmapx
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
strategy:
fail-fast: false
matrix:
include:
- app: api
context: .
dockerfile: apps/api/Dockerfile
- app: web
context: .
dockerfile: apps/web/Dockerfile
- app: data-manager
context: .
dockerfile: services/data-manager/Dockerfile
- app: transitous-tools
context: services/motis/tools/transitous
dockerfile: services/motis/tools/transitous/Dockerfile
steps:
- uses: actions/checkout@v6
- uses: docker/setup-qemu-action@v4
- uses: docker/setup-buildx-action@v4
- uses: docker/login-action@v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/metadata-action@v6
id: meta
with:
images: ${{ env.IMAGE_PREFIX }}-${{ matrix.app }}
tags: |
type=sha,prefix=
type=raw,value=latest
- uses: docker/build-push-action@v7
id: build
with:
context: ${{ matrix.context }}
file: ${{ matrix.dockerfile }}
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: mode=max
sbom: true
- name: Scan image with Trivy
uses: aquasecurity/trivy-action@0.36.0
with:
image-ref: ${{ env.IMAGE_PREFIX }}-${{ matrix.app }}@${{ steps.build.outputs.digest }}
format: sarif
output: trivy-${{ matrix.app }}.sarif
severity: CRITICAL,HIGH
ignore-unfixed: true
exit-code: "0"
- name: Upload Trivy results
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-${{ matrix.app }}.sarif
category: trivy-${{ matrix.app }}