optimized pipeline to only build the docker image once

.gitea/workflows/security.yaml

@@ -23,6 +23,21 @@ jobs:
         run: |
           mkdir -p security-results
 
+      - name: Compute image tag
+        id: tag
+        run: |
+          BRANCH="${{ gitea.ref_name }}"
+
+          if [ "$BRANCH" = "main" ]; then
+            TAG="latest"
+          elif [[ "$BRANCH" == v* ]]; then
+            TAG="$BRANCH"
+          else
+            TAG="test"
+          fi
+
+          echo "tag=$TAG" >> "$GITEA_OUTPUT"
+
       ###########################################################
       # GITLEAKS
       ###########################################################
@@ -97,7 +112,10 @@ jobs:
       - name: Build Image for scan
         run: |
           set +e
-          docker build -t app:${{ gitea.sha }} .
+          docker build \
+            -t app:${{ gitea.sha }} \
+            -t blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }} \
+            .
           echo "$?" > security-results/docker-build.exit
 
       ###########################################################
@@ -343,67 +361,40 @@ jobs:
             }" \
             ${{ secrets.APPRISE_URL }}
 
-  build:
-    needs: security
-    if: ${{ gitea.event_name == 'push' }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        id: docker-login
-        with:
+        if: ${{ gitea.event_name == 'push' }}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Compute image tag
-        id: tag
         run: |
-          BRANCH="${{ gitea.ref_name }}"
+          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login \
+            --username "${{ secrets.DOCKER_USERNAME }}" \
+            --password-stdin
 
-          if [ "$BRANCH" = "main" ]; then
+      - name: Push scanned image
-            TAG="latest"
+        id: push
-          elif [[ "$BRANCH" == v* ]]; then
+        if: ${{ gitea.event_name == 'push' }}
-            TAG="$BRANCH"
+        run: |
-          else
+          docker push blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }}
-            TAG="test"
-          fi
-
-          echo "tag=$TAG" >> "$GITEA_OUTPUT"
-          echo "branch=$BRANCH" >> "$GITEA_OUTPUT"
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }}
 
       - name: Notify Apprise (success)
-        if: success()
+        if: ${{ success() && gitea.event_name == 'push' }}
         run: |
           curl -X POST \
             -H "Content-Type: application/json" \
             -d "{
               \"tags\": \"all\",
               \"title\": \"Gitea Build Succeeded\",
-              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ steps.tag.outputs.branch }}\\nImage tag built successfully\"
+              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ gitea.ref_name }}\\nImage tag ${{ steps.tag.outputs.tag }} pushed successfully\"
             }" \
             ${{ secrets.APPRISE_URL }}
 
       - name: Notify Apprise (failure)
-        if: failure()
+        if: ${{ failure() && (steps.docker-login.outcome == 'failure' || steps.push.outcome == 'failure') }}
         run: |
           curl -X POST \
             -H "Content-Type: application/json" \
             -d "{
               \"tags\": \"all\",
               \"title\": \"Gitea Build Failed\",
-              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ steps.tag.outputs.branch }}\\nCheck logs in Gitea\"
+              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ gitea.ref_name }}\\nCheck logs in Gitea\"
             }" \
             ${{ secrets.APPRISE_URL }}