diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml
index f84cbde..a8d181e 100644
--- a/.github/workflows/docker-build-publish.yml
+++ b/.github/workflows/docker-build-publish.yml
@@ -56,6 +56,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+          trivy --version
+
       - name: Login to registry
         uses: docker/login-action@v3
         with:
@@ -79,12 +84,13 @@ jobs:
           CONTEXT=$(echo "$img" | jq -r '.context')
           DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
           TARGET=$(echo "$img" | jq -r '.target')
-          CACHE_REF=$(echo "$img" | jq -r '.cache_ref')
+          RAW_REF_NAME="${{ github.ref_name }}"
+          SAFE_REF_NAME=$(echo "$RAW_REF_NAME" | sed -E 's#[^A-Za-z0-9_.-]#-#g')
+
+          echo "==== Building $FULL_IMAGE ===="
-          echo "==== Building $NAME ===="
-          TAGS=()
-          TAGS+=("$FULL_IMAGE:${{ github.ref_name }}")
+          TAGS+=("$FULL_IMAGE:$SAFE_REF_NAME")
           TAGS+=("$FULL_IMAGE:${{ github.sha }}")
           if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
@@ -92,24 +98,28 @@ jobs:
           fi
           TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")
+          BUILD_ARG_FLAGS=""
+          if [ -n "$BUILD_ARGS" ]; then
+            BUILD_ARG_FLAGS=$(printf -- "--build-arg %s " $BUILD_ARGS)
+          fi
           docker buildx build \
             --file "$DOCKERFILE" \
             --target "$TARGET" \
-            --cache-from "type=registry,ref=$CACHE_REF"
-            --cache-to "type=registry,ref=$CACHE_REF,mode=max"
+            --cache-from "type=registry,ref=$CACHE_REF" \
+            --cache-to "type=registry,ref=$CACHE_REF,mode=max" \
             --load \
             $TAG_ARGS \
-            $(printf -- "--build-arg %s " $BUILD_ARGS) \
+            $BUILD_ARG_FLAGS \
             "$CONTEXT"
-          echo "==== Trivy scan for $NAME ===="
+          echo "==== Trivy scan for $FULL_IMAGE ===="
           trivy image \
             --severity "$TRIVY_SEVERITY" \
             --exit-code 1 \
             "${TAGS[0]}"
-          echo "==== Pushing $NAME ===="
+          echo "==== Pushing $FULL_IMAGE ===="
           for tag in "${TAGS[@]}"; do
             docker push "$tag"
           done
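Review bot: The Install Trivy step pipes an unpinned script fetched from the `main` branch of the trivy repository straight into `sudo sh`, so whatever that URL serves at run time executes as root on a runner that later holds registry credentials, and the job is not reproducible from one run to the next. Pin both the script and the binary to a release, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/vX.Y.Z/contrib/install.sh | sudo sh -s -- -b /usr/local/bin vX.Y.Z` (vX.Y.Z being the chosen release tag), or use the maintainers' GitHub action pinned by commit SHA the way the other `uses:` steps are versioned. The following `trivy --version` only confirms the binary runs; it does not verify what was downloaded, so a checksum check after download is worth adding if the script route is kept.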
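Review bot: Dropping `TAGS=()` leaves the array unreset before `TAGS+=(...)`; if this block runs once per image inside a loop, as the per-`$img` jq extraction suggests, every image after the first inherits the previous image's tags, so the later `trivy image "${TAGS[0]}"` scans the wrong image and `docker push` pushes the wrong tags. Keep the reset by placing `TAGS=()` immediately before `TAGS+=("$FULL_IMAGE:$SAFE_REF_NAME")`. Separately, `RAW_REF_NAME="${{ github.ref_name }}"` substitutes the ref into the script text before bash parses it, so the sed sanitisation runs too late to protect the shell; pass it through the step's `env:` block (`env: RAW_REF_NAME: ${{ github.ref_name }}`) and read `"$RAW_REF_NAME"` in the script. The sed class also still permits a tag beginning with `.` or `-`, which Docker rejects. The enclosing run step starts and ends outside this hunk.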
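Review bot: The corrected `--cache-from "type=registry,ref=$CACHE_REF" \` and `--cache-to` lines still read `CACHE_REF`, but the only assignment visible, `CACHE_REF=$(echo "$img" | jq -r '.cache_ref')`, is deleted in the previous hunk; unless it is now set earlier in the step outside these hunks, the variable expands to empty and buildx is handed `ref=`. Either restore that assignment or derive the ref from the image, for example `CACHE_REF="$FULL_IMAGE:buildcache"` (constructed example). The new `BUILD_ARG_FLAGS` still depends on unquoted `$BUILD_ARGS` word-splitting, so a build arg whose value contains whitespace is split into separate flags, which is worth a comment on the `if [ -n "$BUILD_ARGS" ]` line if that format is intentional. The run step continues outside this hunk.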