1.6.0 #78
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Docker Image | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: | |
| contents: read # checkout only; Docker Hub auth uses secrets, not GITHUB_TOKEN | |
| jobs: | |
| scan_image: | |
| name: Scan Docker image for vulnerabilities | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # checkout only | |
| security-events: write # for Trivy SARIF upload to GitHub Security tab | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 | |
| with: | |
| images: isokoliuk/mcp-searxng | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=raw,value=latest | |
| - name: Extract base image digest from Dockerfile | |
| id: base | |
| run: | | |
| DIGEST=$(grep -m1 -oE 'sha256:[a-f0-9]{64}' Dockerfile) | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Build image for vulnerability scan | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| with: | |
| context: . | |
| load: true | |
| tags: isokoliuk/mcp-searxng:release-scan | |
| labels: | | |
| ${{ steps.meta.outputs.labels }} | |
| org.opencontainers.image.base.name=docker.io/library/node:lts-alpine | |
| org.opencontainers.image.base.digest=${{ steps.base.outputs.digest }} | |
| - name: Scan Docker image for vulnerabilities | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| image-ref: 'isokoliuk/mcp-searxng:release-scan' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| ignore-unfixed: true | |
| exit-code: '1' | |
| - name: Upload Trivy scan results to Security tab | |
| uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| push_to_registry: | |
| name: Push Docker image to Docker Hub | |
| needs: scan_image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # checkout only; Docker Hub auth uses secrets, not GITHUB_TOKEN | |
| id-token: write # for Cosign keyless signing | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 | |
| with: | |
| images: isokoliuk/mcp-searxng | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=raw,value=latest | |
| - name: Extract base image digest from Dockerfile | |
| id: base | |
| run: | | |
| DIGEST=$(grep -m1 -oE 'sha256:[a-f0-9]{64}' Dockerfile) | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - name: Build and push multi-arch image | |
| id: publish | |
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: | | |
| ${{ steps.meta.outputs.labels }} | |
| org.opencontainers.image.base.name=docker.io/library/node:lts-alpine | |
| org.opencontainers.image.base.digest=${{ steps.base.outputs.digest }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| with: | |
| cosign-release: 'v3.1.1' | |
| - name: Sign image (keyless OIDC) | |
| env: | |
| DIGEST: ${{ steps.publish.outputs.digest }} | |
| run: cosign sign --yes "docker.io/isokoliuk/mcp-searxng@${DIGEST}" |