
env mode deferred

env mode deferred #124


name: Dev Build

# Triggers: any push to a dev_* branch, or a manual run. Edits that touch only
# the workflow files, README or LICENSE do not start a build.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - 'dev_*'
    paths-ignore:
      - '.github/**'
      - 'README.md'
      - 'LICENSE'
  workflow_dispatch:
# One dev build per ref at a time; a newer push cancels the run already in flight.
concurrency:
  group: dev-${{ github.ref }}
  cancel-in-progress: true
# GITHUB_TOKEN scope for every job in this workflow: read-only on the repo,
# write only to code scanning (SARIF upload).
permissions:
  contents: read
  actions: read  # NOTE(review): presumably needed by upload-sarif -- confirm
  security-events: write
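jobs:
  build-dev:
    name: Build & Push dev_latest
    runs-on: ubuntu-latest
    # Only the Docker Hub username is job-wide (it is needed in `with:` inputs of
    # several steps). The token is scoped to the two steps that use it, so the
    # scanners and other third-party actions never see it in their environment.
    env:
      DOCKER_USER: ${{ secrets.DOCKER_USER }}
    # NOTE(review): the actions below are pinned by tag; pinning to a commit SHA
    # would make the action supply chain immutable.
    steps:
      - name: Log workflow context
        run: |
          set -euo pipefail
          echo "::notice::INFO: workflow=dev repo=${GITHUB_REPOSITORY} ref=${GITHUB_REF_NAME} actor=${GITHUB_ACTOR}"

      - name: Validate Docker secrets
        # Fail fast, before checkout or login, when either secret is unset.
        env:
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: |
          set -euo pipefail
          if [ -z "${DOCKER_USER:-}" ]; then
            echo "::error::FATAL: DOCKER_USER secret is missing."
            exit 1
          fi
          if [ -z "${DOCKER_TOKEN:-}" ]; then
            echo "::error::FATAL: DOCKER_TOKEN secret is missing."
            exit 1
          fi
          echo "::notice::SUCCESS: Docker secrets are present."

      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker Hub login
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Derive branch slug
        id: vars
        # Output `branch_slug`: GITHUB_REF_NAME made safe for use as a Docker tag
        # ([A-Za-z0-9_][A-Za-z0-9_.-]{0,127}). Fails the job if nothing usable
        # remains, e.g. for a ref made only of '.' and '-'.
        run: |
          set -euo pipefail
          slug=${GITHUB_REF_NAME//\//-}
          # Any character outside the tag alphabet becomes '-'.
          slug=$(printf '%s' "$slug" | tr -c 'A-Za-z0-9_.-' '-')
          # A tag may not start with '.' or '-'.
          slug=${slug#"${slug%%[!.-]*}"}
          slug=${slug:0:128}
          if [ -z "$slug" ]; then
            echo "::error::FATAL: cannot derive a valid image tag from ref '${GITHUB_REF_NAME}'."
            exit 1
          fi
          echo "branch_slug=$slug" >> "$GITHUB_OUTPUT"
          echo "::notice::INFO: branch_slug=$slug"

      - name: Prepare build context
        # Copy only the Dockerfile and server_manager into a fresh directory so
        # the build context contains nothing else from the checkout.
        run: |
          set -euo pipefail
          echo "::notice::INFO: Preparing Docker build context."
          rm -rf ./image_context
          mkdir -p ./image_context
          cp -a Dockerfile ./image_context/Dockerfile
          cp -a server_manager ./image_context/
          echo "::notice::SUCCESS: Build context prepared."

      - name: Build and load dev image (scan first)
        uses: docker/build-push-action@v6
        with:
          context: ./image_context
          file: ./image_context/Dockerfile
          platforms: linux/amd64
          # Load into the local daemon for scanning; the push happens in the
          # last step, after the scanners have run.
          push: false
          load: true
          provenance: false
          sbom: false
          tags: |
            ${{ env.DOCKER_USER }}/enshrouded_server_docker:dev_latest
            ${{ env.DOCKER_USER }}/enshrouded_server_docker:${{ steps.vars.outputs.branch_slug }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Docker Scout run (CRITICAL/HIGH, non-blocking)
        uses: docker/scout-action@v1
        with:
          command: quickview,cves
          image: ${{ env.DOCKER_USER }}/enshrouded_server_docker:dev_latest
          write-comment: false
          summary: true
          only-severities: critical,high
          exit-code: false

      - name: Docker Scout SARIF (all severities)
        # Despite the step name, only critical/high/medium findings are written.
        uses: docker/scout-action@v1
        with:
          command: quickview,cves
          image: ${{ env.DOCKER_USER }}/enshrouded_server_docker:dev_latest
          sarif-file: scout.sarif
          write-comment: false
          summary: true
          only-severities: critical,high,medium

      - name: Trim Scout SARIF (limit locations)
        # Cap each result at 1000 locations -- presumably to stay within the
        # code-scanning upload limits; confirm. Tolerates a null `results`.
        run: |
          set -euo pipefail
          jq '
            .runs[0].results |= (. // [] | map(
              if (.locations | length) > 1000
              then .locations = .locations[:1000]
              else .
              end
            ))
          ' scout.sarif > scout.limited.sarif

      - name: Upload Scout SARIF
        uses: github/codeql-action/upload-sarif@v4
        # The pull_request branch of this guard is unreachable with the push /
        # workflow_dispatch triggers above; it is kept for forward compatibility.
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        with:
          sarif_file: scout.limited.sarif
          category: docker-scout

      - name: Trivy scan (non-blocking)
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: ${{ env.DOCKER_USER }}/enshrouded_server_docker:dev_latest
          format: table
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          exit-code: 0

      - name: Trivy SARIF (all severities)
        # Despite the step name, only CRITICAL/HIGH/MEDIUM are written, and
        # ignore-unfixed drops findings with no available fix from code scanning.
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: ${{ env.DOCKER_USER }}/enshrouded_server_docker:dev_latest
          format: sarif
          output: trivy.sarif
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'
          exit-code: 0

      - name: Trim Trivy SARIF (limit locations)
        # Same trimming as for the Scout SARIF.
        run: |
          set -euo pipefail
          jq '
            .runs[0].results |= (. // [] | map(
              if (.locations | length) > 1000
              then .locations = .locations[:1000]
              else .
              end
            ))
          ' trivy.sarif > trivy.limited.sarif

      - name: Upload Trivy SARIF
        uses: github/codeql-action/upload-sarif@v4
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        with:
          sarif_file: trivy.limited.sarif
          category: trivy

      - name: Push dev tags (after successful scans)
        # Every scanner above runs with exit-code 0/false, so this step is gated
        # on the scans having completed, not on their findings.
        # The slug is passed through the environment rather than interpolated
        # with ${{ }} into the script, so ref-derived text is never re-parsed
        # by the shell.
        env:
          BRANCH_SLUG: ${{ steps.vars.outputs.branch_slug }}
        run: |
          set -euo pipefail
          echo "::notice::INFO: Pushing dev tags to Docker Hub."
          docker push "${DOCKER_USER}/enshrouded_server_docker:dev_latest"
          docker push "${DOCKER_USER}/enshrouded_server_docker:${BRANCH_SLUG}"
          echo "::notice::SUCCESS: Push complete."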