.github/workflows/api-build-and-push-ghcr.yml

name: api-build-and-push-ghcr

on:
  push:
    branches:
      - main
      - development
    paths:
      - 'api/**'
      - 'Dockerfiles/api.Dockerfile'
      - 'shared/bin/*'
      - '!shared/bin/agg-init.sh'
      - '!shared/bin/common-init.sh'
      - '!shared/bin/sensor-init.sh'
      - '!shared/bin/preseed_late_user_config.sh'
      - '!shared/bin/configure-interfaces.py'
      - '!shared/bin/configure-capture.py'
      - '!shared/bin/zeek*'
      - '.trigger_workflow_build'
  workflow_dispatch:
  repository_dispatch:

jobs:
  docker:
    runs-on: ubuntu-22.04
    permissions:
      actions: write
      packages: write
      contents: read
      security-events: write
    steps:
      -
        name: Cancel previous run in progress
        uses: styfle/cancel-workflow-action@0.11.0
        with:
          ignore_sha: true
          all_but_latest: true
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Extract branch name
        shell: bash
        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
        id: extract_branch
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          driver-opts: |
            image=moby/buildkit:master
      -
        name: Log in to registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: .
          file: ./Dockerfiles/api.Dockerfile
          push: true
          tags: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }}
      -
        name: Run Trivy vulnerability scanner
        id: trivy-scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          scanners: 'vuln'
          image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'
          hide-progress: true
          ignore-unfixed: true
          exit-code: '0'
      -
        name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'