Skip to content

1.6.0

1.6.0 #78

Workflow file for this run

name: Publish Docker Image
on:
push:
tags:
- 'v*'
permissions:
contents: read # checkout only; Docker Hub auth uses secrets, not GITHUB_TOKEN
jobs:
scan_image:
name: Scan Docker image for vulnerabilities
runs-on: ubuntu-latest
permissions:
contents: read # checkout only
security-events: write # for Trivy SARIF upload to GitHub Security tab
steps:
- name: Check out the repo
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: isokoliuk/mcp-searxng
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
- name: Extract base image digest from Dockerfile
id: base
run: |
DIGEST=$(grep -m1 -oE 'sha256:[a-f0-9]{64}' Dockerfile)
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Build image for vulnerability scan
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
load: true
tags: isokoliuk/mcp-searxng:release-scan
labels: |
${{ steps.meta.outputs.labels }}
org.opencontainers.image.base.name=docker.io/library/node:lts-alpine
org.opencontainers.image.base.digest=${{ steps.base.outputs.digest }}
- name: Scan Docker image for vulnerabilities
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: 'isokoliuk/mcp-searxng:release-scan'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
exit-code: '1'
- name: Upload Trivy scan results to Security tab
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
if: always()
with:
sarif_file: 'trivy-results.sarif'
push_to_registry:
name: Push Docker image to Docker Hub
needs: scan_image
runs-on: ubuntu-latest
permissions:
contents: read # checkout only; Docker Hub auth uses secrets, not GITHUB_TOKEN
id-token: write # for Cosign keyless signing
steps:
- name: Check out the repo
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Set up QEMU
uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: Log in to Docker Hub
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: isokoliuk/mcp-searxng
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
- name: Extract base image digest from Dockerfile
id: base
run: |
DIGEST=$(grep -m1 -oE 'sha256:[a-f0-9]{64}' Dockerfile)
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Build and push multi-arch image
id: publish
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: |
${{ steps.meta.outputs.labels }}
org.opencontainers.image.base.name=docker.io/library/node:lts-alpine
org.opencontainers.image.base.digest=${{ steps.base.outputs.digest }}
- name: Install Cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
with:
cosign-release: 'v3.1.1'
- name: Sign image (keyless OIDC)
env:
DIGEST: ${{ steps.publish.outputs.digest }}
run: cosign sign --yes "docker.io/isokoliuk/mcp-searxng@${DIGEST}"