name: Build and Push GHCR Images on: push: branches: - main - develop tags: - 'v*.*.*' pull_request: branches: - main - develop workflow_dispatch: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} permissions: contents: read packages: write id-token: write jobs: build-and-push: name: Build and Push Docker Images runs-on: ubuntu-latest strategy: matrix: include: - image: nextjs-app context: . dockerfile: ./frontends/nextjs/Dockerfile platforms: linux/amd64,linux/arm64 - image: dbal-daemon context: ./dbal/production dockerfile: ./dbal/production/build-config/Dockerfile platforms: linux/amd64,linux/arm64 steps: - name: Checkout repository uses: actions/checkout@v6 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.image }} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha,prefix={{branch}}- type=raw,value=latest,enable={{is_default_branch}} - name: Build and push Docker image id: build uses: docker/build-push-action@v6 with: context: ${{ matrix.context }} file: ${{ matrix.dockerfile }} platforms: ${{ matrix.platforms }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max build-args: | BUILD_DATE=${{ github.event.head_commit.timestamp }} VCS_REF=${{ github.sha }} VERSION=${{ steps.meta.outputs.version }} - name: Generate artifact attestation if: github.event_name != 'pull_request' uses: actions/attest-build-provenance@v2 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.image }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true security-scan: name: Security Scan Images runs-on: ubuntu-latest needs: build-and-push if: github.event_name != 'pull_request' strategy: matrix: image: [nextjs-app, dbal-daemon] steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.image }}:${{ github.ref_name }} format: 'sarif' output: 'trivy-results-${{ matrix.image }}.sarif' - name: Upload Trivy results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results-${{ matrix.image }}.sarif' category: container-${{ matrix.image }} publish-manifest: name: Create Multi-Arch Manifest runs-on: ubuntu-latest needs: build-and-push if: github.event_name != 'pull_request' steps: - name: Log in to GitHub Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Create and push manifest for all images run: | for image in nextjs-app dbal-daemon; do docker manifest create \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/$image:${{ github.ref_name }} \ --amend ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/$image:${{ github.ref_name }}-amd64 \ --amend ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/$image:${{ github.ref_name }}-arm64 docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/$image:${{ github.ref_name }} done