docker-publish.yml

name: Build and Publish CLI Docker Image

# on push to main or manual trigger
on:
  push:
    branches:
      - main
    paths:
      - 'Dockerfile'
      - '.dockerignore'
      - '.github/workflows/docker-publish.yml'
      - 'packages/**/src/**'
      - 'packages/**/package.json'
      - 'packages/**/tsconfig.json'
      - 'package.json'
      - 'bun.build.js'
      - 'bun.lock'
    
  workflow_dispatch:
 
permissions:
  contents: read
  packages: write

env:
  VERSION: "0.0.0"

jobs:
  publish:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Get CLI version
        run: |
          echo "VERSION=$(jq -r .version package.json)" >> $GITHUB_ENV

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and push image
        uses: docker/build-push-action@v6
        id: publish
        with:
          context: .
          file: Dockerfile
          push: true
          tags: |
            ghcr.io/${{ github.repository_owner }}/cryptit-cli:latest
            ghcr.io/${{ github.repository_owner }}/cryptit-cli:${{ env.VERSION }}


      - name: Confirm pushed image
        run: echo "ghcr.io/${{ github.repository_owner }}/cryptit-cli@sha256:${{ steps.publish.outputs.digest }}"

      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.3
        with:
          version: 'latest'
          cache: true
          
      - name: Scan Docker image with Trivy
        run: |
          trivy image \
            --exit-code 1 \
            --severity HIGH,CRITICAL \
            --ignore-unfixed \
            ghcr.io/${{ github.repository_owner }}/cryptit-cli:latest