diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 64590cf..4b53c16 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -38,6 +38,23 @@ jobs:
       uses: docker/setup-qemu-action@v1
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
+    - uses: docker/build-push-action@v2
+      with:
+        context: ./build
+        file: ./build/Dockerfile
+        platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
+        load: true
+        labels: protonmail-bridge:latest
+    - name: Scan image
+      uses: anchore/scan-action@v2
+      with:
+        image: protonmail-bridge:latest
+        fail-build: true
+        severity-cutoff: critical
+    - name: Upload Anchore scan SARIF report
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}
     - name: Login to DockerHub
       uses: docker/login-action@v1
       if: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/deb.yaml b/.github/workflows/deb.yaml
index 89c2014..5410e8e 100644
--- a/.github/workflows/deb.yaml
+++ b/.github/workflows/deb.yaml
@@ -36,12 +36,6 @@ jobs:
         images: ${{ steps.repo.outputs.repo }}
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v1
-    - name: Login to DockerHub
-      uses: docker/login-action@v1
-      if: ${{ github.event_name != 'pull_request' }}
-      with:
-        username: ${{ secrets.REGISTRY_USERNAME }}
-        password: ${{ secrets.REGISTRY_PASSWORD }}
     - name: Build image without push
       uses: docker/build-push-action@v2
       with:
@@ -59,6 +53,12 @@ jobs:
       uses: github/codeql-action/upload-sarif@v1
       with:
         sarif_file: ${{ steps.scan.outputs.sarif }}
+    - name: Login to DockerHub
+      uses: docker/login-action@v1
+      if: ${{ github.event_name != 'pull_request' }}
+      with:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
     - name: Push image
       uses: docker/build-push-action@v2
       with:
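Review bot: The SARIF upload at the end of the build.yaml hunk reads `${{ steps.scan.outputs.sarif }}`, but the new `Scan image` step has no `id: scan`, so the expression resolves to an empty string and the upload fails; deb.yaml already consumes the same output, so its scan step presumably carries that id and this one should match. Two more problems sit in the new build step: `labels: protonmail-bridge:latest` sets an OCI label rather than naming the image, so the `image: protonmail-bridge:latest` the scanner looks for is never created (`tags:` is the input that names a loaded image), and `load: true` cannot export the three-platform result because buildx refuses `--load` for a multi-platform manifest list, so the scan build should target one platform and leave the multi-platform build to the push step. Because `fail-build: true` stops the job on a finding, the upload step also needs `if: always()`, otherwise the report is skipped in exactly the run where it matters; and with `severity-cutoff: critical`, high-severity findings pass without failing the build, which is worth a deliberate choice rather than a default. The steps list and the enclosing job start outside the hunk.
```yaml
    - uses: docker/build-push-action@v2
      with:
        # … unchanged: context, file …
        platforms: linux/amd64  # buildx cannot --load a multi-platform manifest list
        load: true
        tags: protonmail-bridge:latest  # tags name the loaded image; labels only add metadata
    - name: Scan image
      id: scan  # referenced by the SARIF upload below
      uses: anchore/scan-action@v2
      # … unchanged: with block …
    - name: Upload Anchore scan SARIF report
      if: always()  # upload the report even when fail-build stops the job
      # … unchanged: uses / with …
```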
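Review bot: The re-inserted `Login to DockerHub` step in the second deb.yaml hunk carries no comment explaining why it now follows the scan and SARIF upload instead of preceding the build, so a later tidy-up could move it back and again write `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` into the runner's Docker config for an image that may still fail the scan. A one-line comment above the step would pin the intent: `# Log in only after the scan has passed, so registry credentials are provisioned solely for the push.` The `Push image` step that consumes this login starts outside the hunk; confirm it carries the same `if: ${{ github.event_name != 'pull_request' }}` guard so it is skipped on pull requests together with the login.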