Skip to content
Docker Build and Push

fix(ci): resolve Docker workflow SBOM and Trivy upload failures #164

Sign in to view logs

fix(ci): resolve Docker workflow SBOM and Trivy upload failures

fix(ci): resolve Docker workflow SBOM and Trivy upload failures #164

Workflow file for this run

.github/workflows/docker.yaml at bd8b55e
name: Docker Build and Push
on:
push:
branches:
- main
tags:
- 'v*'
pull_request:
branches:
- main
workflow_dispatch:
inputs:
push:
description: 'Push image to registry'
required: false
default: false
type: boolean
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
docker:
name: Build Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
attestations: write
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha,prefix=sha-
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
push: ${{ github.event_name != 'pull_request' || github.event.inputs.push == 'true' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
outputs: ${{ github.event_name == 'pull_request' && 'type=docker' || '' }}
build-args: |
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VCS_REF=${{ github.sha }}
- name: Get first tag
id: first-tag
run: |
FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
echo "tag=${FIRST_TAG}" >> $GITHUB_OUTPUT
- name: Generate SBOM
if: github.event_name != 'pull_request' && steps.build.outcome == 'success'
uses: anchore/sbom-action@v0
with:
image: ${{ steps.first-tag.outputs.tag }}
format: spdx-json
output-file: sbom.spdx.json
- name: Scan image with Trivy
if: github.event_name != 'pull_request' && steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.first-tag.outputs.tag }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v4
if: github.event_name != 'pull_request' && steps.build.outcome == 'success'
with:
sarif_file: 'trivy-results.sarif'
- name: Test Docker image
if: github.event_name != 'pull_request' && steps.build.outcome == 'success'
run: |
docker run --rm -d \
--name echo-app-test \
-p 8080:8080 \
-p 3000:3000 \
${{ steps.first-tag.outputs.tag }}
# Wait for startup
sleep 5
# Test HTTP endpoint
curl -f http://localhost:8080/ || exit 1
# Test health check
curl -f http://localhost:3000/health || exit 1
# Test metrics
curl -f http://localhost:3000/metrics | grep -q echo_app_requests_total || exit 1
# Stop container
docker stop echo-app-test
- name: Upload SBOM
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@v6
with:
name: sbom
path: sbom.spdx.json
retention-days: 30