Update package.json #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Push Zadanie2 Docker Image | |
| on: | |
| push: | |
| paths: | |
| - 'zadanie2/**' | |
| workflow_dispatch: | |
| jobs: | |
| build-and-push: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write # for GHCR | |
| id-token: write # for registry logins if using OIDC | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU for multi‑arch emulation | |
| uses: docker/setup-qemu-action@v2 | |
| with: | |
| platforms: linux/amd64, linux/arm64 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| buildkitd-flags: --debug | |
| - name: Log in to Docker Hub (for cache) | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: docker.io | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ vars.GH_USERNAME }} | |
| password: ${{ secrets.GH_TOKEN }} | |
| - name: Build image with cache | |
| id: build | |
| uses: docker/build-push-action@v4 | |
| with: | |
| context: ./zadanie2 | |
| file: ./zadanie2/dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: false | |
| tags: ghcr.io/${{ github.repository_owner }}/zadanie2:${{ github.sha }} | |
| cache-from: | | |
| type=registry,ref=${{ vars.DOCKERHUB_USERNAME }}/zadanie2-cache:cache | |
| cache-to: | | |
| type=registry,mode=max,ref=${{ vars.DOCKERHUB_USERNAME }}/zadanie2-cache:cache | |
| - name: Scan for vulnerabilities (Docker Scout) | |
| uses: docker/scout-action@v1 # lub najnowsza stabilna wersja | |
| with: | |
| command: cves # obowiązkowy parametr „command” :contentReference[oaicite:0]{index=0} | |
| # image: ghcr.io/${{ github.repository_owner }}/zadanie2:${{ github.sha }} | |
| only-severities: critical,high # filtr na CVE o statusie critical lub high :contentReference[oaicite:1]{index=1} | |
| exit-code: true # w razie wykrycia CVE o wysokim statusie akcja zwróci kod błędu | |
| github-token: ${{ secrets.GH_TOKEN }} # zamiast „token” należy użyć „github-token” :contentReference[oaicite:2]{index=2} | |
| format: json | |
| output: scout-report.json | |
| - name: Check scan results | |
| id: scout-check | |
| run: | | |
| high=$(jq '[.vulnerabilities[] | select(.severity=="high" or .severity=="critical")] | length' scout-report.json) | |
| echo "count=$high" >> $GITHUB_OUTPUT | |
| - name: Push image if secure | |
| if: steps.scout-check.outputs.count == '0' | |
| uses: docker/build-push-action@v4 | |
| with: | |
| context: ./zadanie2 | |
| file: ./zadanie2/dockerfile | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: | | |
| ghcr.io/${{ github.repository_owner }}/zadanie2:latest | |
| ghcr.io/${{ github.repository_owner }}/zadanie2:${{ github.sha }} |