.github/workflows/build.yml

name: Build and push image📦

on:
  workflow_dispatch:
  # schedule:
  # - cron: "00 12 1 * *"
  # push:
  #   branches: ["main"]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  APP_VERSION: 1.8.2

jobs:
  build:
    if: github.actor == 'ammnt'
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      packages: write
      id-token: write
      security-events: write
      attestations: write

    steps:
      - name: Checkout repository🧱
        uses: actions/checkout@v4.2.2

      - name: Install cosign🔒
        uses: sigstore/cosign-installer@v3.8.0
        with:
          cosign-release: "v2.4.2"

      - name: Setup Docker buildx🛠️
        uses: docker/setup-buildx-action@v3.9.0
        with:
          version: v0.20.1
          driver-opts: image=moby/buildkit:v0.19.0

      - name: Log into GHCR🔑
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log into Docker Hub🔑
        uses: docker/login-action@v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Extract Docker metadata🔬
        id: meta
        uses: docker/metadata-action@v5.6.1
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            description="Distroless Angie built with QUIC and HTTP/3 support🚀"
            maintainer="ammnt <admin@msftcnsi.com>"
            org.opencontainers.image.description="Distroless Angie built with QUIC and HTTP/3 support🚀"
            org.opencontainers.image.authors="ammnt, admin@msftcnsi.com"
            org.opencontainers.image.title="Distroless Angie built with QUIC and HTTP/3 support🚀"
            org.opencontainers.image.source="https://github.com/ammnt/angie/"

      - name: Build the Docker image⛓️
        id: build
        uses: docker/build-push-action@v6.13.0
        with:
          provenance: false
          context: .
          platforms: linux/amd64
          load: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Analyze image with Docker Scout💊
        uses: docker/scout-action@v1.16.3
        with:
          command: cves,sbom
          image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          sarif-file: scout.report.json
          summary: false

      - name: Upload Docker Scout report📊
        uses: actions/upload-artifact@v4.6.0
        with:
          name: Scout Report
          path: "${{ github.workspace }}/scout.report.json"

      - name: Analyze image with Trivy💊
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          scan-type: image
          format: "github"
          output: "trivy.report.json"
          severity: "MEDIUM,HIGH,CRITICAL"
          scanners: "vuln"
          github-pat: ${{ secrets.GH_TOKEN }}

      - name: Upload Trivy report📊
        uses: actions/upload-artifact@v4.6.0
        with:
          name: Trivy Report
          path: "${{ github.workspace }}/trivy.report.json"

      - name: Analyze image with Grype💊
        id: anchore
        uses: anchore/scan-action@v6.1.0
        with:
          image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          fail-build: false
          severity-cutoff: critical
          grype-version: v0.87.0
          output-file: "${{ github.workspace }}/grype.report.json"

      - name: Upload Grype report📊
        uses: actions/upload-artifact@v4.6.0
        with:
          name: Grype Report
          path: "${{ github.workspace }}/grype.report.json"

      - name: Analyze image with Snyk💊
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          args: --file=Dockerfile

      - name: Upload Snyk report📊
        uses: actions/upload-artifact@v4.6.0
        with:
          name: Snyk Report
          path: "${{ github.workspace }}/snyk.sarif"

      - name: Analyze image with Clair💊
        run: |
          docker run -d --name db arminc/clair-db
          sleep 15
          docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
          sleep 1
          DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
          wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
          ./clair-scanner --ip="$DOCKER_GATEWAY" ghcr.io/ammnt/angie:${{ env.APP_VERSION }} || exit 0

      - name: Analyze image with Dockle💊
        uses: goodwithtech/dockle-action@main
        with:
          image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          format: "json"
          output: "dockle.report.json"
          exit-code: "1"
          exit-level: "warn"
          ignore: "CIS-DI-0010"

      - name: Upload Dockle report📊
        uses: actions/upload-artifact@v4.6.0
        if: always()
        with:
          name: Dockle Report
          path: "${{ github.workspace }}/dockle.report.json"

      - name: Slim the Docker image🚀
        id: slim
        uses: kitabisa/docker-slim-action@v1.2.0
        env:
          DSLIM_HTTP_PROBE: false
        with:
          target: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          tag: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          overwrite: true
          version: 1.40.11

      - name: Dump the Slim report📊
        run: |
          echo "${REPORT}" > slim.report.json
          ls -lash
        env:
          REPORT: ${{ steps.slim.outputs.report }}

      - name: Upload the Slim report📊
        uses: actions/upload-artifact@v4.6.0
        with:
          name: Slim Report
          path: "${{ github.workspace }}/slim.report.json"

      - name: Explore the Docker image with Dive🔍
        timeout-minutes: 2
        env:
          CI: true
        run: |
          wget -q https://github.com/wagoodman/dive/releases/download/v0.12.0/dive_0.12.0_linux_amd64.tar.gz
          tar xvzf dive_0.12.0_linux_amd64.tar.gz -C /usr/local/bin
          dive --ci-config "${{ github.workspace }}/.dive-ci/" ghcr.io/ammnt/angie:${{ env.APP_VERSION }}

      - name: Test the Docker image🧪
        run: |
          docker run -d --name angie --rm -p 127.0.0.1:8080:8080/tcp ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          docker logs angie
          curl -v http://127.0.0.1:8080 || exit 1

      - name: Analyze image with Syft💊
        uses: anchore/sbom-action@v0.18.0
        with:
          syft-version: v1.19.0
          image: ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
          format: spdx-json
          output-file: syft.report.json
          upload-artifact: false

      - name: Upload the Syft report (SBOM)📊
        uses: actions/upload-artifact@v4.6.0
        with:
          name: Syft Report (SBOM)
          path: syft.report.json

      # - name: Push the Docker images to registries💾
      #   run: |
      #     docker tag ghcr.io/ammnt/angie:${{ env.APP_VERSION }} ghcr.io/ammnt/angie:latest
      #     docker tag ghcr.io/ammnt/angie:${{ env.APP_VERSION }} ammnt/angie:${{ env.APP_VERSION }}
      #     docker tag ghcr.io/ammnt/angie:${{ env.APP_VERSION }} ammnt/angie:latest
      #     docker push ghcr.io/ammnt/angie --all-tags
      #     docker push ammnt/angie --all-tags
      #     DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/ammnt/angie:${{ env.APP_VERSION }} | sed -e "s|ghcr.io/ammnt/angie@||g" | sed -e "s|ammnt/angie@||g")
      #     echo "DIGEST=$DIGEST" >> $GITHUB_ENV

      # - name: Attestation the Docker image📍
      #   uses: actions/attest-build-provenance@v2.2.0
      #   with:
      #     subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      #     subject-digest: ${{ env.DIGEST }}
      #     push-to-registry: true
      #     show-summary: true
      #     github-token: ${{ secrets.GITHUB_TOKEN }}

      # - name: Sign the published Docker image🔐
      #   env:
      #     COSIGN_EXPERIMENTAL: "true"
      #     COSIGN_KEY: ${{secrets.COSIGN_KEY}}
      #     COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
      #   run: |
      #     cosign sign -y --recursive --key env://COSIGN_KEY ghcr.io/ammnt/angie@${{ env.DIGEST }}
      #     cosign sign -y --recursive --key env://COSIGN_KEY ammnt/angie@${{ env.DIGEST }}
      #   shell: bash

      # - name: Check the published Docker image👌
      #   run: |
      #     docker buildx imagetools inspect ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
      #     docker buildx imagetools inspect ammnt/angie:${{ env.APP_VERSION }}
      #     docker pull ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
      #     docker pull ammnt/angie:${{ env.APP_VERSION }}
      #     cosign verify --key cosign.pub ghcr.io/ammnt/angie:${{ env.APP_VERSION }}
      #     cosign verify --key cosign.pub ammnt/angie:${{ env.APP_VERSION }}

      # - name: Run deploy update on the server✅
      #   uses: appleboy/ssh-action@v1.2.0
      #   with:
      #     host: ${{ secrets.SERVER_HOST }}
      #     username: ${{ secrets.SERVER_USERNAME }}
      #     key: ${{ secrets.SERVER_KEY }}
      #     port: ${{ secrets.SERVER_PORT }}
      #     script: |
      #       cd /home/${{ secrets.SERVER_USERNAME }}/agh
      #       /home/${{ secrets.SERVER_USERNAME }}/bin/docker compose pull web dns
      #       /home/${{ secrets.SERVER_USERNAME }}/bin/docker compose up -d web dns