iExecBlockchainComputing · TartanLeGrand · Mar 5, 2025 · Mar 5, 2025 · Mar 5, 2025
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -1,4 +1,4 @@
-name: Build and Push Docker Image
+name: Build, Test and Push Docker Image
 
 on:
   workflow_call:
@@ -18,67 +18,75 @@ on:
         required: true
 
 jobs:
-  build-and-push:
+  build-test:
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
-    env:
-      IS_TAG_TRIGGER: ${{ startsWith(github.ref, 'refs/tags/v') }}
     steps:
-      - name: Get branch names
-        id: branch-names
-        uses: tj-actions/branch-names@v8
+      - name: Checkout Repository
+        uses: actions/checkout@v4
 
-      # Verify tag is on main or release branch
-      - name: Verify tag is on main or release branch
-        if: env.IS_TAG_TRIGGER == 'true'
-        run: |
-          if [[ "${{ steps.branch-names.outputs.base_ref_branch }}" == "main" || "${{ steps.branch-names.outputs.base_ref_branch }}" =~ ^release/ ]]; then
-            echo "✅ Tag ${{ steps.branch-names.outputs.tag }} is on an allowed branch: ${{ steps.branch-names.outputs.base_ref_branch }}"
-          else
-            echo "Current base branch: ${{ steps.branch-names.outputs.base_ref_branch }}"
-            echo "Tags must be created on main or release/* branches."
-            exit 1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Verify npm package version matches tag
-        if: env.IS_TAG_TRIGGER == 'true'
-        uses: nick-y-ito/gha-npm-version-match@v1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
-      - name: Checkout Repository
-        uses: actions/checkout@v4
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ inputs.dockerfile }}
+          platforms: linux/amd64,linux/arm64
+          push: false
+          tags: ${{ inputs.image-name }}:${{ github.sha }}
 
-      # Determine Docker Image Tags
-      - name: Determine Docker Image Tags
-        run: |
-          IMAGE_NAME="${{ inputs.image-name }}"
-          # Initialize IMAGE_TAG variable
-          IMAGE_TAG=""
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.29.0
+        with:
+          image-ref: ${{ inputs.image-name }}:${{ github.sha }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          hide-progress: true
+          output: trivy.txt
 
-          if [[ "$IS_TAG_TRIGGER" == "true" ]]; then
-            TAG_VERSION=${GITHUB_REF#refs/tags/v}
-            IMAGE_TAG="$IMAGE_NAME:$TAG_VERSION"
-          else
-            SHORT_COMMIT=$(git rev-parse --short HEAD)
-            IMAGE_TAG="$IMAGE_NAME:dev-$SHORT_COMMIT"
+      - name: Publish Trivy Output to Summary
+        run: |
+          if [[ -s trivy.txt ]]; then
+            {
+              echo "### Security Output"
+              echo "<details><summary>Click to expand</summary>"
+              echo ""
+              echo '```terraform'
+              cat trivy.txt
+              echo '```'
+              echo "</details>"
+            } >> $GITHUB_STEP_SUMMARY
           fi
 
-          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
-          echo "✅ Resolved IMAGE_TAG: $IMAGE_TAG"
+  build-push:
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
 
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.dockerhub-username }}
           password: ${{ secrets.dockerhub-pat }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build and Push Docker Image
+      - name: Push Docker Image
         uses: docker/build-push-action@v6
         with:
+          context: .
           file: ${{ inputs.dockerfile }}
-          push: true
           platforms: linux/amd64,linux/arm64
-          tags: ${{ env.IMAGE_TAG }}
+          push: true
+          tags: ${{ inputs.image-name }}:${{ github.ref_name }}