Publish Docker image to GitHub Package Registry #113

	name: Publish Docker image to GitHub Package Registry

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main
	workflow_dispatch: {}
	schedule:
	- cron: '30 22 * * 3'

	env:
	REGISTRY: ghcr.io

	jobs:
	build-and-push-image:

	runs-on: ubuntu-latest

	permissions:
	contents: read
	packages: write
	security-events: write

	steps:

	- name: "actions: Checkout repository"
	id: checkout
	uses: actions/checkout@v2

	- name: "docker: Login to Container Registry"
	id: docker-login
	uses: docker/login-action@v1
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: "docker: Extract metadata"
	id: docker-meta
	uses: docker/metadata-action@v3
	with:
	images: \|
	${{ env.REGISTRY }}/${{ github.repository }}

	- name: "docker: Build image"
	id: docker-build
	uses: docker/build-push-action@v2
	with:
	context: .
	push: false
	tags: ${{ steps.docker-meta.outputs.tags }}
	labels: ${{ steps.docker-meta.outputs.labels }}

	- name: "anchore: Scan the Docker Image"
	id: anchore-scan
	uses: anchore/scan-action@v3
	with:
	image: ${{ steps.docker-build.outputs.digest }}
	fail-build: false
	acs-report-enable: true
	severity-cutoff: "critical"

	- name: "anchore: Upload SARIF report"
	id: anchore-upload
	uses: github/codeql-action/upload-sarif@v1
	with:
	sarif_file: results.sarif

	- name: "docker: Push Docker image [main branch]"
	id: docker-publish
	if: github.ref_name == 'main'
	uses: docker/build-push-action@v2
	with:
	context: .
	push: true
	tags: ${{ steps.docker-meta.outputs.tags }}
	labels: ${{ steps.docker-meta.outputs.labels }}

Provide feedback