update: minor change to trigger cicd #43

Workflow file for this run

.github/workflows/build_and_push.yml at 6a3bd28


	# Source: https://github.com/Josep-Andreu/segur_cloud/blob/main/build-and-push.yaml

	name: Build and Push to Quay

	on:
	push:
	paths:
	- 'docker/**'

	jobs:
	build-scan-push:
	runs-on: ubuntu-latest
	strategy:
	matrix:
	image:
	- name: jboss_lab
	dockerfile: docker/jboss/Dockerfile_jboss_lab
	full_image: quay.io/mguzman98/jboss_lab:v1.0.0
	- name: shiftleft_basic
	dockerfile: docker/Dockerfilebasic
	full_image: quay.io/mguzman98/shiftleft:v1.0.0
	- name: shiftleft_vuln
	dockerfile: docker/Dockerfilevulnerable
	full_image: quay.io/mguzman98/shiftleft:v1.0.0
	steps:
	- name: 🧩 Checkout code
	uses: actions/checkout@v4

	- name: Conditional Build Trigger
	if: contains(github.event.head_commit.modified, matrix.image.dockerfile) \|\| contains(github.event.head_commit.added, matrix.image.dockerfile)
	run: echo "Triggered build for ${{ matrix.image.dockerfile }}"

	- name: 🔧 Build container image
	run: \|
	docker build -t ${{ matrix.image.full_image }} .

	- name: 🔍 Scan image with Trivy
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ matrix.image.full_image }}
	severity: HIGH,CRITICAL
	ignore-unfixed: true
	exit-code: 1


	# 🧾 Generate SBOM with Syft (syft-json format)
	- name: 🧾 Generate SBOM (Syft)
	run: \|
	docker run --rm \
	-v /var/run/docker.sock:/var/run/docker.sock \
	-v "$PWD":/work \
	anchore/syft:v1.38.0 "${{ matrix.image.full_image }}" -o syft-json > sbom.syft.json
	test -s sbom.syft.json && echo "SBOM created: sbom.syft.json"

	- name: 📤 Upload SBOM artifact
	uses: actions/upload-artifact@v4
	with:
	name: sbom-syft-json
	path: sbom.syft.json
	if-no-files-found: error
	retention-days: 14
	# 🛡 Evaluate SBOM with Grype (fail build on HIGH or CRITICAL vulns)
	- name: 🛡 Vulnerability scan (Grype on SBOM)
	run: \|
	docker run --rm \
	-v "$PWD":/work \
	anchore/grype:v0.104.1 /work/sbom.syft.json \
	--fail-on high \
	--only-fixed=true \
	--add-cpes-if-none \| grep -E "High\|Critical"

	- name: 🔑 Login to Quay.io
	run: \|
	docker login quay.io -u "${{ secrets.QUAY_USER }}" -p "${{ secrets.QUAY_PASSWORD }}"

	- name: 🚀 Push image to Quay.io
	run: \|
	docker push ${{ matrix.image.full_image }}

	- name: Install cosign
	run: \|
	curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
	chmod +x cosign-linux-amd64
	sudo mv cosign-linux-amd64 /usr/local/bin/cosign

	- name: Sign the image
	env:
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	run: \|
	printf '%s' "$COSIGN_PRIVATE_KEY" > cosign.key
	cosign sign --key cosign.key $FULL_IMAGE
	shred -u cosign.key \|\| rm -f cosign.key

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

update: minor change to trigger cicd #43

Workflow file

update: minor change to trigger cicd #43

Uh oh!

Workflow file for this run