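---
# Daily check for a new upstream proton-bridge release: builds and pushes an
# image only when that tag is not yet in GHCR, then scans the pushed image.
name: Check for new upstream release

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 6 * * *'

# Least privilege: only the scopes the steps below need.
permissions:
  contents: read           # actions/checkout
  packages: write          # docker/login-action + push to ghcr.io
  security-events: write   # codeql-action/upload-sarif

env:
  IMAGE: ghcr.io/${{ github.repository_owner }}/protonmail-bridge

jobs:
  check:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.check.outputs.version }}
      needed: ${{ steps.check.outputs.needed }}
    steps:
      - name: Compare upstream to registry
        id: check
        env:
          # Pass context values through the environment rather than
          # interpolating them into the script text.
          OWNER: ${{ github.repository_owner }}
          # Authenticated API calls avoid the anonymous rate limit shared by
          # hosted runners (an unauthenticated 403 would otherwise make jq
          # emit "null" as the version).
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # -f: fail on HTTP errors instead of handing jq an error body.
          version=$(curl -fsS -H "Authorization: Bearer $GH_TOKEN" \
            https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest | jq -r '.tag_name')
          # The tag becomes a URL path segment and an image tag, so reject a
          # null/empty result and anything outside the image-tag character set.
          if [ -z "$version" ] || [ "$version" = "null" ] \
             || ! printf '%s' "$version" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
            echo "unexpected upstream tag_name: '$version'" >&2
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"
          token=$(curl -fsS "https://ghcr.io/token?scope=repository:${OWNER}/protonmail-bridge:pull" | jq -r '.token')
          exists=$(curl -s -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer $token" \
            "https://ghcr.io/v2/${OWNER}/protonmail-bridge/manifests/$version")
          if [ "$exists" = "200" ]; then
            echo "needed=false" >> "$GITHUB_OUTPUT"
            echo "$version already exists in registry"
          else
            # Any non-200 (including a transient registry error) triggers a
            # rebuild; the push overwrites the same tag, so this errs on the
            # side of building rather than silently skipping a release.
            echo "needed=true" >> "$GITHUB_OUTPUT"
            echo "New version $version — building"
          fi

  build:
    needs: check
    if: needs.check.outputs.needed == 'true'
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: third-party actions are pinned to mutable tags;
      # pinning each `uses:` to a full commit SHA is the stricter option.
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: ./build
          push: true
          tags: |
            ${{ env.IMAGE }}:latest
            ${{ env.IMAGE }}:${{ needs.check.outputs.version }}
          build-args: |
            version=${{ needs.check.outputs.version }}
      # The image is already published by the time it is scanned; the scan
      # reports findings to code scanning but does not gate the push.
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.30.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ needs.check.outputs.version }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        if: always()  # upload the report even if the scan step itself fails
        with:
          sarif_file: trivy-results.sarif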