vault-agent.yml

---

name: vault-agent
run-name: Build vault-agent container

on:
  pull_request:
    paths:
      - pipelines/dockerfiles/vault-agent/**
      - '!pipelines/dockerfiles/vault-agent/Jenkinsfile'
      - '!pipelines/dockerfiles/vault-agent/config.yml'
      - '!pipelines/dockerfiles/vault-agent/Makefile'
      - .github/workflows/vault-agent.yml
    branches: [ master ]

  push:
    paths:
      - pipelines/dockerfiles/vault-agent/**
      - '!pipelines/dockerfiles/vault-agent/Jenkinsfile'
      - '!pipelines/dockerfiles/vault-agent/config.yml'
      - '!pipelines/dockerfiles/vault-agent/Makefile'
      - .github/workflows/vault-agent.yml
    branches: [ master ]

  workflow_dispatch:

env:
  REPOSITORY: constantin07/vault-agent

jobs:
  build:
    runs-on: ubuntu-22.04
    permissions:
      security-events: write
    defaults:
      run:
        working-directory: pipelines/dockerfiles/vault-agent
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3.5.0
        with:
          driver-opts: image=moby/buildkit:master

      - name: Login to Docker Hub
        uses: docker/login-action@v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Get version
        run: |
          VAULT_VERSION=$(grep -E "^VAULT_VERSION" Makefile | awk '{print $3}')
          echo "VAULT_VERSION=$VAULT_VERSION" >> $GITHUB_ENV
          echo $VAULT_VERSION

      - name: Build image and export to docker
        uses: docker/build-push-action@v6.5.0
        with:
          context: pipelines/dockerfiles/vault
          platforms: linux/amd64,linux/arm64
          push: false
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: VAULT_VERSION=${{ env.VAULT_VERSION }}
          tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}
          provenance: true
          load: false

      - name: Load amd64 platform image
        run: |
          docker buildx build --load --platform 'linux/amd64' \
          --build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \
          -t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} .

      - name: Load arm64 platform image
        run: |
          docker buildx build --load --platform 'linux/arm64' \
          --build-arg VAULT_VERSION=${{ env.VAULT_VERSION }} \
          -t ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}-arm64 .

      - name: Run trivy scan
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}
          format: sarif
          output: trivy-results.sarif

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      - name: Test image
        run: docker run --rm -t --cap-add IPC_LOCK ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }} vault --version

      - name: Push amd64 & arm64 platform images
        uses: docker/build-push-action@v6.5.0
        with:
          context: pipelines/dockerfiles/vault
          platforms: linux/amd64,linux/arm64
          push: true
          build-args: VAULT_VERSION=${{ env.VAULT_VERSION }}
          tags: ${{ env.REPOSITORY }}:${{ env.VAULT_VERSION }}