diff --git a/.github/workflows/dbca_build.yml b/.github/workflows/dbca_build.yml index aa2ebd31..d645d20d 100644 --- a/.github/workflows/dbca_build.yml +++ b/.github/workflows/dbca_build.yml @@ -7,15 +7,15 @@ on: - master - develop tags: - - '*' + - "*" # Trigger the workflow manually workflow_dispatch: env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} -jobs: +jobs: build-and-push-image: runs-on: ubuntu-latest permissions: @@ -23,84 +23,56 @@ jobs: packages: write security-events: write steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Log in to the Container registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout + uses: actions/checkout@v4 - - name: Extract metadata (tags, labels) for Docker nginx image - id: meta_nginx - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata (tags, labels) for Docker postgres image - id: meta_postgres - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-postgres + - name: Extract metadata (tags, labels) for Docker ckan image + id: meta_ckan + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ckan - - name: Extract metadata (tags, labels) for Docker ckan image - id: meta_ckan - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ckan + - name: Extract metadata (tags, labels) for Docker ckan worker image + id: meta_ckan_worker + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ckan-worker - - name: Extract metadata (tags, labels) for Docker ckan worker image - id: meta_ckan_worker - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ckan-worker + - name: CKAN Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: ./ckan + file: ./ckan/Dockerfile + push: true + tags: ${{ steps.meta_ckan.outputs.tags }} - - name: NGINX Build and push Docker image - uses: docker/build-push-action@v5 - with: - context: ./nginx - file: ./nginx/Dockerfile - push: true - tags: ${{ steps.meta_nginx.outputs.tags }} + - name: CKAN Worker Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: ./ckan + file: ./ckan/Dockerfile.worker + push: true + tags: ${{ steps.meta_ckan_worker.outputs.tags }} + build-args: CKAN_IMAGE=${{ steps.meta_ckan.outputs.tags }} - - name: PostgreSQL Build and push Docker image - uses: docker/build-push-action@v5 - with: - context: ./postgresql - file: ./postgresql/Dockerfile - push: true - tags: ${{ steps.meta_postgres.outputs.tags }} + - name: Run Trivy vuln scanner on CKAN image + uses: aquasecurity/trivy-action@0.26.0 + with: + scan-type: "image" + image-ref: ${{ steps.meta_ckan.outputs.tags }} + vuln-type: "os,library" + severity: "HIGH,CRITICAL" + format: "sarif" + output: "trivy-results.sarif" - - name: CKAN Build and push Docker image - uses: docker/build-push-action@v5 - with: - context: ./ckan - file: ./ckan/Dockerfile - push: true - tags: ${{ steps.meta_ckan.outputs.tags }} - - - name: CKAN Worker Build and push Docker image - uses: docker/build-push-action@v5 - with: - context: ./ckan - file: ./ckan/Dockerfile.worker - push: true - tags: ${{ steps.meta_ckan_worker.outputs.tags }} - build-args: CKAN_IMAGE=${{ steps.meta_ckan.outputs.tags }} - - - name: Run Trivy vuln scanner on CKAN image - uses: aquasecurity/trivy-action@0.26.0 - with: - scan-type: 'image' - image-ref: ${{ steps.meta_ckan.outputs.tags }} - vuln-type: 'os,library' - severity: 'HIGH,CRITICAL' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-results.sarif"