.github/workflows/docker-build-test.yaml

#This action test builds EMHASS Docker images, in each architecture.
name: "Test Building Docker Image"

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:

permissions:
  actions: read
  security-events: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        platform:
          [
            { target_arch: amd64, os_version: debian },
            { target_arch: armv7, os_version: debian },
            { target_arch: armhf, os_version: raspbian },
            { target_arch: aarch64, os_version: debian },
          ]
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: ${{ matrix.platform.buildx }}
          build-args: |
            TARGETARCH=${{ matrix.platform.target_arch }}
            os_version=${{ matrix.platform.os_version }}
          load: true
      - name: Test Image #Assume Docker fail with FileNotFound secrets_emhass.yaml error
        run: docker run --rm -it ${{ steps.build.outputs.imageid }} | grep -q secrets_emhass.yaml && echo 0 || echo 1
      # Google OSV-Scanner
      # Extract Debian and Python packadge list stored in Image
      - name: Export Debian package list
        run: mkdir OSV && docker run --rm --entrypoint '/bin/cat' ${{ steps.build.outputs.imageid }} /var/lib/dpkg/status >> ./OSV/${{ matrix.platform.target_arch }}.status
      - name: Export Python package list
        run: docker run --rm --entrypoint '/usr/bin/pip3' ${{ steps.build.outputs.imageid }} freeze >> ./OSV/${{ matrix.platform.target_arch }}-requirements.txt
      - name: Upload package list as digest
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.platform.target_arch }}-packages
          path: ./OSV/*
          if-no-files-found: error
          retention-days: 1

  osv-scan:
    needs:
      - build
    strategy:
      fail-fast: false
      matrix:
        platform:
          [
            { target_arch: amd64 },
            { target_arch: armv7 },
            { target_arch: armhf },
            { target_arch: aarch64 }
          ]
    # Check Docker image debian and python packages list for known vulnerabilities
    uses: "geoderp/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v0.0.1"
    with:
      download-artifact: "${{ matrix.platform.target_arch }}-packages"
      matrix-property: "${{ matrix.platform.target_arch }}-"
      scan-args: |-
        --lockfile=dpkg-status:./${{ matrix.platform.target_arch }}.status
        --lockfile=requirements.txt:./${{matrix.platform.target_arch }}-requirements.txt
        --fail-on-vuln: false
    permissions:
      security-events: write
      contents: read
      actions: read