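---
# CI workflow: scan the repository with Trivy, build the container image and
# push it to Docker Hub under a tag derived from the branch name, then post a
# success/failure notification to an Apprise endpoint.
#
# Security notes for maintainers:
#   - Every push on every branch ("**") triggers a build AND a push, so any
#     non-main, non-v* branch overwrites the `test` tag on Docker Hub.
#   - Values from the `gitea.*` context are passed to shell steps through
#     `env:` rather than being interpolated into `run:` scripts. A `${{ }}`
#     expression is expanded before the shell starts, so a branch name that
#     contains shell metacharacters would otherwise run as code.
name: Build and Push Docker Image

on:
  push:
    branches:
      - "**"

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # Required to checkout and read repo files
      security-events: write  # Required to upload SARIF files to Security tab
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Filesystem scan of the checked-out repo. With the action's default
      # settings this step reports findings (SARIF) but does not fail the job,
      # so it is informational and does not gate the push below.
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      # NOTE(review): upload-sarif targets GitHub's code-scanning API; the rest
      # of this workflow uses the `gitea.*` context, so confirm this step is
      # actually supported on the runner/forge in use.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Tag selection: main -> latest, v* branches -> branch name, else test.
      # The branch name is read from $BRANCH (set via env:), never interpolated
      # into the script text.
      - name: Compute image tag
        id: tag
        env:
          BRANCH: ${{ gitea.ref_name }}
        shell: bash  # `[[ ... ]]` and `${var//pat/rep}` below are bash-specific
        run: |
          if [ "$BRANCH" = "main" ]; then
            TAG="latest"
          elif [[ "$BRANCH" == v* ]]; then
            # Image tags only allow [A-Za-z0-9_.-]; a branch such as v1/fix
            # would otherwise produce an invalid tag and fail the push step.
            TAG="${BRANCH//[^A-Za-z0-9_.-]/-}"
          else
            TAG="test"
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: blinkfink182/qbt-gluetun-portmgr:${{ steps.tag.outputs.tag }}

      # Notification steps. Repo/branch names come in through env vars so they
      # cannot inject shell commands; they are still placed inside a JSON
      # string literal by hand, so a name containing `"` would only produce a
      # malformed notification, not code execution.
      # NOTE(review): the notify URL embeds a long key in plain text in VCS;
      # consider moving it to a repository secret.
      - name: Notify Apprise (success)
        if: success()
        env:
          REPO: ${{ gitea.repository }}
          BRANCH: ${{ gitea.ref_name }}
          APPRISE_URL: http://10.47.0.213:4444/notify/926263506803e21d72e382edd0caf3fb510a9629d860601dfb79506b5758c133
        run: |
          # --max-time keeps an unreachable endpoint from hanging the job.
          curl -sS --max-time 30 -X POST \
            -H "Content-Type: application/json" \
            -d "{ \"tags\": \"all\", \"title\": \"Gitea Build Succeeded\", \"body\": \"Repo: ${REPO}\\nBranch: ${BRANCH}\\nImage tag built successfully\" }" \
            "$APPRISE_URL"

      - name: Notify Apprise (failure)
        if: failure()
        env:
          REPO: ${{ gitea.repository }}
          BRANCH: ${{ gitea.ref_name }}
          APPRISE_URL: http://10.47.0.213:4444/notify/926263506803e21d72e382edd0caf3fb510a9629d860601dfb79506b5758c133
        run: |
          # --max-time keeps an unreachable endpoint from hanging the job.
          curl -sS --max-time 30 -X POST \
            -H "Content-Type: application/json" \
            -d "{ \"tags\": \"all\", \"title\": \"Gitea Build Failed\", \"body\": \"Repo: ${REPO}\\nBranch: ${BRANCH}\\nCheck logs in Gitea\" }" \
            "$APPRISE_URL"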