name: Build and deploy on: push: branches: ['main', 'staging'] env: CONTEXT: Otchislator jobs: build-and-push-image: runs-on: ubuntu-latest name: Publish image container: catthehacker/ubuntu:act-latest permissions: contents: read packages: write steps: - name: Checkout repository uses: actions/checkout@v3 - name: Extract metadata (tags, labels) for Docker id: meta uses: https://github.com/docker/metadata-action@v4 with: images: ${{ vars.SERVER_DOMAIN }}/${{ gitea.repository }} - name: Build an image from Dockerfile run: | cd ${{ env.CONTEXT }} && docker build -t ${{ env.DOCKER_METADATA_OUTPUT_TAGS }} . # - name: Run Trivy vulnerability scanner # uses: aquasecurity/trivy-action@0.20.0 # with: # image-ref: '${{ env.DOCKER_METADATA_OUTPUT_TAGS }}' # format: 'table' # exit-code: '1' # ignore-unfixed: true # vuln-type: 'os,library' # severity: 'CRITICAL,HIGH' - name: Run dockle uses: goodwithtech/dockle-action@main with: image: '${{ env.DOCKER_METADATA_OUTPUT_TAGS }}' format: 'list' exit-code: '1' exit-level: 'warn' ignore: 'CIS-DI-0001,CIS-DI-0010,DKL-DI-0006' - name: Log in to the Container registry uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 with: registry: ${{ vars.SERVER_DOMAIN }} username: ${{ gitea.actor }} password: ${{ secrets.TOKEN }} - name: Push run: | docker push '${{ env.DOCKER_METADATA_OUTPUT_TAGS }}' # deploy: # needs: build-and-push-image # runs-on: ubuntu-latest # name: Deploy image # container: catthehacker/ubuntu:act-latest # steps: # - name: install ssh keys # # check this thread to understand why its needed: # # # run: | # install -m 600 -D /dev/null ~/.ssh/id_rsa # echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa # ssh-keyscan -H ${{ secrets.SSH_HOST }} > ~/.ssh/known_hosts # - name: connect and pull # run: ssh ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} "cd ${{ secrets.WORK_DIR }} && docker compose pull && docker compose up -d && docker image prune && exit" # - name: cleanup # run: rm -rf ~/.ssh