name: build from source on: push: branches: [master] paths: - .github/workflows/build.yaml - build/* - VERSION pull_request: paths: - .github/workflows/build.yaml - build/* workflow_dispatch: env: GHCR_REPO: ghcr.io/${{ github.repository_owner }}/protonmail-bridge jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write security-events: write steps: - name: Checkout uses: actions/checkout@v4 - name: Set version run: echo "version=$(cat VERSION)" >> $GITHUB_ENV - name: Login to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Docker meta id: meta uses: docker/metadata-action@v5 with: images: ${{ env.GHCR_REPO }} tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} type=raw,value=${{ env.version }} - name: Build and push uses: docker/build-push-action@v6 with: context: ./build file: ./build/Dockerfile push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | version=${{ env.version }} cache-from: type=gha cache-to: type=gha,mode=max - name: Run Trivy vulnerability scan if: github.event_name != 'pull_request' uses: aquasecurity/trivy-action@0.30.0 with: image-ref: "${{ env.GHCR_REPO }}:${{ env.version }}" format: sarif exit-code: 0 severity: CRITICAL,HIGH output: trivy-results.sarif - name: Upload Trivy scan SARIF report if: github.event_name != 'pull_request' uses: github/codeql-action/upload-sarif@v3 with: sarif_file: trivy-results.sarif