monkeyplug-build-push-ghcr.yml

---
name: monkeyplug-build-push-ghcr

on:
  push:
    branches:
      - 'main'
  pull_request:
  workflow_dispatch:
  repository_dispatch:
  schedule:
    - cron: '0 12 15 * *'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/monkeyplug
  IMAGE_ARCH: amd64
  REPO_CONTEXT: .
  REPO_CONTAINERFILE: ./docker/Dockerfile

jobs:
  buildah:
    runs-on: ubuntu-latest
    permissions:
      actions: write
      packages: write
      contents: read
      security-events: write
    steps:
      -
        name: Cancel previous run in progress
        id: cancel-previous-runs
        uses: styfle/cancel-workflow-action@0.11.0
        with:
          ignore_sha: true
          all_but_latest: true
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Checkout
        id: repo-checkout
        uses: actions/checkout@v3
      -
        name: Set up QEMU
        id: setup-qemu
        uses: docker/setup-qemu-action@v2
      -
        name: Log in to registry
        id: registry-login
        uses: redhat-actions/podman-login@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build Small
        id: build-small-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ env.IMAGE_NAME }}
          tags: small
          context: ${{ env.REPO_CONTEXT }}
          containerfiles: ${{ env.REPO_CONTAINERFILE }}
          archs: ${{ env.IMAGE_ARCH }}
      -
        name: Build Large
        id: build-large-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: ${{ env.IMAGE_NAME }}
          tags: large
          context: ${{ env.REPO_CONTEXT }}
          containerfiles: ${{ env.REPO_CONTAINERFILE }}
          archs: ${{ env.IMAGE_ARCH }}
          build-args: |
            VOSK_MODEL_URL=http://alphacephei.com/vosk/models/vosk-model-en-us-0.22.zip
      -
        name: Run Trivy vulnerability scanner
        id: trivy-scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          image-ref: ${{ env.IMAGE_NAME }}:small
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'
          hide-progress: true
          ignore-unfixed: true
          exit-code: '0'
      -
        name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
      -
        name: Push Small
        id: push-small-to-ghcr
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-small-image.outputs.image }}
          tags: ${{ steps.build-small-image.outputs.tags }}
          registry: ${{ env.REGISTRY }}
      -
        name: Push Large
        id: push-large-to-ghcr
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ${{ steps.build-large-image.outputs.image }}
          tags: ${{ steps.build-large-image.outputs.tags }}
          registry: ${{ env.REGISTRY }}