name: Build on: workflow_dispatch: push: branches: - main # Ignore Markdown files paths-ignore: - '**.md' schedule: # Build the image daily - cron: '0 0 * * *' env: REGISTRY: ghcr.io IMAGE_NAME: tommytran732/synapse jobs: build: name: Build & push new image runs-on: "ubuntu-24.04" permissions: contents: read packages: write id-token: write steps: - name: Checkout code uses: actions/checkout@v4 - name: Extract version for tags run: | echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV - name: Install cosign if: github.event_name != 'pull_request' uses: sigstore/cosign-installer@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to registry if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set Docker metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | latest ${{ env.FULL_VERSION }} ${{ env.MAJOR_VERSION }} - name: Build and push Docker image id: build-and-push uses: docker/build-push-action@v6 with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Sign the published Docker image if: ${{ github.event_name != 'pull_request' }} run: cosign sign ${TAGS} -y env: TAGS: ${{ steps.meta.outputs.tags }} trivy: name: Scan current image with Trivy needs: build permissions: security-events: write runs-on: "ubuntu-24.04" steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'ghcr.io/tommytran732/synapse' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' vuln-type: "os,library" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' category: 'trivy' grype: name: Scan current image with Grype needs: build permissions: security-events: write runs-on: "uubuntu-24.04" steps: - name: Run Grype vulnerability scanner uses: anchore/scan-action@v4 id: grype with: image: "ghcr.io/tommytran732/synapse" fail-build: false - name: Upload Grype scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} category: grype