MeshChatX/.gitea/workflows/docker.yml

name: Build and Publish Docker Image

on:
    workflow_dispatch:
    push:
        tags:
            - "*"
    pull_request:

env:
    REGISTRY: git.quad4.io
    IMAGE_NAME: rns-things/meshchatx
    DEV_IMAGE_NAME: rns-things/meshchatx-dev

jobs:
    build:
        if: github.event_name != 'pull_request'
        runs-on: ubuntu-latest
        permissions:
            contents: read
            packages: write
        outputs:
            image_digest: ${{ steps.build.outputs.digest }}
            image_tags: ${{ steps.meta.outputs.tags }}

        steps:
            - name: Checkout repository
              uses: https://git.quad4.io/actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
              with:
                  fetch-depth: 0

            - name: Set up QEMU
              uses: https://git.quad4.io/actions/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
              with:
                  platforms: amd64,arm64

            - name: Set up Docker Buildx
              uses: https://git.quad4.io/actions/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

            - name: Log in to the Container registry
              uses: https://git.quad4.io/actions/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
              with:
                  registry: ${{ env.REGISTRY }}
                  username: ${{ secrets.REGISTRY_USERNAME }}
                  password: ${{ secrets.REGISTRY_PASSWORD }}

            - name: Extract metadata (tags, labels) for Docker
              id: meta
              uses: https://git.quad4.io/actions/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
              with:
                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                  tags: |
                      type=raw,value=latest,enable={{is_default_branch}}
                      type=ref,event=branch,prefix=,suffix=,enable={{is_default_branch}}
                      type=semver,pattern={{version}}
                      type=semver,pattern={{major}}.{{minor}}
                      type=sha,format=short

            - name: Build and push Docker image
              id: build
              uses: https://git.quad4.io/actions/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
              with:
                  context: .
                  file: ./Dockerfile
                  platforms: linux/amd64,linux/arm64
                  push: true
                  tags: ${{ steps.meta.outputs.tags }}
                  labels: ${{ steps.meta.outputs.labels }}

            - name: Download Trivy
              run: |
                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Extra/assets/raw/commit/90fdcea1bb71d91df2de6ff2e3897f278413f300/bin/trivy_0.68.2_Linux-64bit.deb
                  sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y

            - name: Scan Docker image
              run: |
                  # Extract the first tag from the multi-line tags output
                  IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
                  trivy image --exit-code 1 "$IMAGE_TAG"

    build-dev:
        if: github.event_name == 'pull_request'
        runs-on: ubuntu-latest
        permissions:
            contents: read
            packages: write

        steps:
            - name: Checkout repository
              uses: https://git.quad4.io/actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
              with:
                  fetch-depth: 0

            - name: Set up QEMU
              uses: https://git.quad4.io/actions/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
              with:
                  platforms: amd64,arm64

            - name: Set up Docker Buildx
              uses: https://git.quad4.io/actions/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

            - name: Log in to the Container registry
              uses: https://git.quad4.io/actions/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
              with:
                  registry: ${{ env.REGISTRY }}
                  username: ${{ secrets.REGISTRY_USERNAME }}
                  password: ${{ secrets.REGISTRY_PASSWORD }}

            - name: Extract DEV metadata (tags, labels) for Docker
              id: meta-dev
              uses: https://git.quad4.io/actions/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
              with:
                  images: ${{ env.REGISTRY }}/${{ env.DEV_IMAGE_NAME }}
                  tags: |
                      type=raw,value=dev
                      type=sha,format=short

            - name: Build and push dev Docker image
              id: build-dev
              uses: https://git.quad4.io/actions/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
              with:
                  context: .
                  file: ./Dockerfile
                  platforms: linux/amd64,linux/arm64
                  push: true
                  tags: ${{ steps.meta-dev.outputs.tags }}
                  labels: ${{ steps.meta-dev.outputs.labels }}

            - name: Download Trivy
              run: |
                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Extra/assets/raw/commit/90fdcea1bb71d91df2de6ff2e3897f278413f300/bin/trivy_0.68.2_Linux-64bit.deb
                  sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y

            - name: Scan Docker image (dev)
              run: |
                  # Extract the first tag from the multi-line tags output
                  IMAGE_TAG=$(echo "${{ steps.meta-dev.outputs.tags }}" | head -n 1)
                  trivy image --exit-code 1 "$IMAGE_TAG"