name: Create and publish a Docker image on: push: branches: ['main'] env: CONTEXT: HackathonPreparing/HackathonPreparing.ApiService jobs: build-and-push-image: runs-on: ubuntu-latest name: Publish image container: catthehacker/ubuntu:act-latest permissions: contents: read packages: write steps: - name: Checkout repository uses: https://gitea.com/ScMi1/checkout@v1 - name: Extract metadata (tags, labels) for Docker id: meta uses: https://github.com/docker/metadata-action@v4 with: images: ${{ env.GITHUB_SERVER_URL }}/${{ gitea.repository }} - name: Build an image from Dockerfile run: | cd ${{ env.CONTEXT }} && docker build -t ${{ env.DOCKER_METADATA_OUTPUT_TAGS }} . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.20.0 with: image-ref: '${{ env.DOCKER_METADATA_OUTPUT_TAGS }}' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - name: Log in to the Container registry uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 with: registry: ${{ env.GITHUB_SERVER_URL }} username: ${{ gitea.actor }} password: ${{ secrets.TOKEN }} - name: Push run: | docker push '${{ env.DOCKER_METADATA_OUTPUT_TAGS }}' deploy: needs: build-and-push-image runs-on: ubuntu-latest name: Deploy image container: catthehacker/ubuntu:act-latest steps: - name: install ssh keys # check this thread to understand why its needed: # run: | install -m 600 -D /dev/null ~/.ssh/id_rsa echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa ssh-keyscan -H ${{ secrets.SSH_HOST }} > ~/.ssh/known_hosts - name: connect and pull run: ssh ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} "cd ${{ secrets.WORK_DIR }} && docker compose pull && docker compose up -d && docker image prune && exit" - name: cleanup run: rm -rf ~/.ssh