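---
# Forgejo/Gitea Actions workflow for this repository.
# Pipeline order: check-docker -> scan -> build-and-push.
#   check-docker    waits for the docker-in-docker service to come up
#   scan            builds proxy/ and claude/ locally, emits CycloneDX SBOMs and
#                   fails on HIGH/CRITICAL fixable findings (Trivy)
#   build-and-push  rebuilds both images multi-arch with Buildx and pushes them
# TODO(review): third-party actions below are referenced by major-version tag
# (actions/checkout@v4, docker/login-action@v3, docker/setup-buildx-action@v3,
# docker/build-push-action@v6, actions/upload-artifact@v4). For supply-chain
# integrity pin each to a full commit SHA, e.g.
# `uses: actions/checkout@<COMMIT-SHA-PLACEHOLDER>  # v4`, and keep the tag
# as a trailing comment so updates stay reviewable.
name: Build images

on:
  push:
    branches:
      - main

env:
  # Set this to the public IP or hostname of your registry,
  # whichever you use to reach it from your desktop/laptop.
  # NOTE(review): no step in this file reads FORGEJO_HOST; the registry steps
  # use vars.REGISTRY_URL instead. Confirm what consumes it before relying on it.
  FORGEJO_HOST: code.zeidler.dev
  # Quoted so the value is a string, not a YAML integer. Nothing in this file
  # invokes helm, so this looks like a leftover — confirm before removing.
  HELM_EXPERIMENTAL_OCI: "1"
  # Scanner image, pinned by tag. A tag can be re-pointed by the publisher;
  # pin by digest as well for a reproducible scanner:
  # aquasec/trivy:0.69.3@sha256:<DIGEST-PLACEHOLDER>
  TRIVY_IMAGE: aquasec/trivy:0.69.3
  # Prefix of the published version tag (<prefix>.<run number>).
  # Quoted: an unquoted 0.1 would be parsed as a float.
  IMAGE_VERSION_PREFIX: "0.1"

jobs:
  # Sanity job: blocks until the nested Docker daemon answers `docker info`.
  # NOTE(review): services are job-scoped, so this wait only covers this job;
  # the scan and build-and-push jobs repeat it against their own service
  # container. The job is kept so `needs:` chains and any branch-protection
  # rule that names it keep working.
  check-docker:
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        # --privileged is required for docker-in-docker, but it also gives the
        # service container root-equivalent access to the runner host. Keep
        # this runner label isolated from runners that execute untrusted code.
        options: --privileged
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      - name: Wait for Docker daemon
        run: |
          timeout=300  # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ "$timeout" -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done

  scan:
    needs: check-docker
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      - name: Wait for Docker daemon
        # Same guard as check-docker; this job has its own service container.
        run: |
          timeout=300  # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ "$timeout" -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done
      - name: Checkout the repo
        uses: actions/checkout@v4
      # NOTE(review): the images scanned here are single-arch local builds;
      # build-and-push rebuilds them separately with Buildx. The pushed bits are
      # therefore not byte-identical to the scanned bits, and a base image can
      # move between the two jobs. If that gap matters, scan the pushed
      # digest (or the Buildx-exported image) instead of a fresh `docker build`.
      - name: Build proxy image for scanning
        run: docker build -t scan/proxy:latest ./proxy
      # The Docker socket is mounted so Trivy can read the local image store;
      # this hands the scanner container control of the host daemon. A
      # lower-privilege alternative is `docker save` to a tarball and
      # `trivy image --input <tar>` with no socket mount.
      # `--vuln-type` is the older spelling of this flag; newer Trivy releases
      # document `--pkg-types` — confirm against the pinned version.
      - name: Generate proxy SBOM
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$PWD":/output \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 0 --vuln-type os,library \
            --format cyclonedx --output /output/sbom-proxy.cdx.json \
            scan/proxy:latest
      # Fails the job on HIGH/CRITICAL findings that have a fix available.
      # `--ignore-unfixed` deliberately suppresses unfixable findings; they are
      # still recorded in the SBOM-based scan above and the uploaded artifact.
      - name: Scan proxy image
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 1 --severity HIGH,CRITICAL \
            --ignore-unfixed --vuln-type os,library \
            --format table \
            scan/proxy:latest
      - name: Build claude image for scanning
        run: docker build -t scan/claude:latest ./claude
      - name: Generate claude SBOM
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$PWD":/output \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 0 --vuln-type os,library \
            --format cyclonedx --output /output/sbom-claude.cdx.json \
            scan/claude:latest
      - name: Scan claude image
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 1 --severity HIGH,CRITICAL \
            --ignore-unfixed --vuln-type os,library \
            --format table \
            scan/claude:latest
      # always(): keep the SBOMs even when a scan step fails, so the failing
      # findings can be reviewed from the artifact.
      # NOTE(review): env.GITHUB_RUN_NUMBER resolves on act-based runners; on
      # upstream GitHub the portable form is github.run_number — confirm if
      # this workflow is ever mirrored there.
      - name: Upload SBOMs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sboms-${{ env.GITHUB_RUN_NUMBER }}
          path: |
            sbom-proxy.cdx.json
            sbom-claude.cdx.json
          retention-days: 90

  build-and-push:
    needs: scan
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    # The registry credential is scoped to the `deploy` environment so it is
    # only exposed to this job, after the scan job has passed.
    environment: deploy
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      - name: Wait for Docker daemon
        # Same guard as check-docker; this job has its own service container.
        run: |
          timeout=300  # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ "$timeout" -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done
      - name: Checkout the repo
        uses: actions/checkout@v4
      - name: Login to the registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.REGISTRY_URL }}
          username: ${{ vars.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container
      # sbom/provenance attach BuildKit attestations to the pushed manifest;
      # consumers can verify them against the registry.
      # NOTE(review): `latest` is mutable; downstream deployments should pin the
      # versioned tag or the pushed digest.
      - name: Docker publish proxy
        uses: docker/build-push-action@v6
        with:
          context: proxy
          push: true
          sbom: true
          provenance: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:${{ env.IMAGE_VERSION_PREFIX }}.${{ env.GITHUB_RUN_NUMBER }}
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:latest
      - name: Docker publish claude
        uses: docker/build-push-action@v6
        with:
          context: claude
          push: true
          sbom: true
          provenance: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:${{ env.IMAGE_VERSION_PREFIX }}.${{ env.GITHUB_RUN_NUMBER }}
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:latest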