name: pack from deb on: push: branches: - master - dev paths: - .github/workflows/deb.yaml - deb/* pull_request: paths: - .github/workflows/deb.yaml - deb/* env: DOCKER_REPO: shenxn/protonmail-bridge DOCKER_REPO_DEV: shenxn/protonmail-bridge-dev jobs: deb: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@master - name: Set version id: version run: echo "::set-output name=version::`cat deb/VERSION`" - name: Set repo id: repo run: if [[ $GITHUB_REF == "refs/heads/master" ]]; then echo "::set-output name=repo::${DOCKER_REPO}"; else echo "::set-output name=repo::${DOCKER_REPO_DEV}"; fi - name: Docker meta id: docker_meta uses: crazy-max/ghaction-docker-meta@v1 with: images: ${{ steps.repo.outputs.repo }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 - name: Build image without push uses: docker/build-push-action@v2 with: context: ./deb file: ./deb/Dockerfile load: true tags: protonmail-bridge:latest - name: Scan image id: scan uses: anchore/scan-action@v2 with: image: protonmail-bridge:latest fail-build: true severity-cutoff: critical acs-report-enable: true - name: Upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Login to DockerHub uses: docker/login-action@v1 if: ${{ github.event_name != 'pull_request' }} with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Push image uses: docker/build-push-action@v2 with: context: ./deb file: ./deb/Dockerfile tags: | ${{ steps.repo.outputs.repo }}:latest ${{ steps.repo.outputs.repo }}:${{ steps.version.outputs.version }} labels: ${{ steps.docker_meta.outputs.labels }} push: ${{ github.event_name != 'pull_request' }}