name: build

on:
  workflow_dispatch:
  push:
    branches: [ master ]
  schedule:
    # Build the image regularly (each Friday)
    - cron: '13 22 * * 5'

jobs:
  build:
    name: Build, scan & push
    runs-on: "ubuntu-20.04"
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Build an image from Dockerfile
        run: |
          docker build \
              -t ghcr.io/wonderfall/mastodon \
              -t ghcr.io/wonderfall/mastodon:$(grep -oP '(?<=MASTODON_VERSION=).*' Dockerfile | head -c8) \
              -t ghcr.io/wonderfall/mastodon:$(grep -oP '(?<=MASTODON_VERSION=).*' Dockerfile | head -c3) \
              .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/wonderfall/mastodon'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          vuln-type: "os"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Docker login
        run: >-
          echo "${{ secrets.GHCR_TOKEN }}"
          | docker login -u "${{ github.actor }}" --password-stdin ghcr.io
          
      - name: Push image to GitHub
        run: |
          docker push ghcr.io/wonderfall/mastodon
          docker push ghcr.io/wonderfall/mastodon:$(grep -oP '(?<=MASTODON_VERSION=).*' Dockerfile | head -c8)
          docker push ghcr.io/wonderfall/mastodon:$(grep -oP '(?<=MASTODON_VERSION=).*' Dockerfile | head -c3)