From 28602e0f0c08bca8d18e8f689bc0e96c5f30a74a Mon Sep 17 00:00:00 2001
From: mjanez <96422458+mjanez@users.noreply.github.com>
Date: Thu, 21 Mar 2024 16:59:24 +0100
Subject: [PATCH] Add Docker workflow for building and pushing ckan-docker image from master push
---
 .github/workflows/docker-master.yml | 76 +++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 .github/workflows/docker-master.yml
diff --git a/.github/workflows/docker-master.yml b/.github/workflows/docker-master.yml
new file mode 100644
index 00000000..b113aacb
--- /dev/null
+++ b/.github/workflows/docker-master.yml
@@ -0,0 +1,76 @@ +name: Build and push ckan-docker image from master push + +on: + push: + branches: + - master + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + CONTEXT: . + DOCKERFILE_PATH: /ckan + DOCKERFILE: Dockerfile + +jobs: + docker: + name: runner/build-docker-push:master + runs-on: ubuntu-latest + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Check out code + uses: actions/checkout@v4 + + - name: Get highest ckan branch excluding -dev + id: getbranch + run: echo "::set-output name=VERSION::$(git branch | grep '^ckan-[0-9]*\.[0-9]*\.[0-9]*[^-dev]$' | sort -V | tail -n 1)" + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/master/README.md + org.opencontainers.image.version=${{ steps.getbranch.outputs.VERSION }} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.getbranch.outputs.VERSION }} + labels: ${{ steps.meta.outputs.labels }} + context: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Linting Dockerfile with hadolint in GH Actions + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + no-fail: true + + - name: Run Trivy container image vulnerability scanner + uses: aquasecurity/trivy-action@0.18.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.getbranch.outputs.VERSION }} + format: sarif + output: 
trivy-results.sarif + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: trivy-results.sarif \ No newline at end of file
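Review bot: The workflow declares no `permissions:` block, so the `docker/login-action` push to ghcr.io and the `upload-sarif` step depend on the repository's default `GITHUB_TOKEN` scope — under a read-only default those steps fail, and under a write-all default every step (including the third-party actions) runs with far more than it needs; an explicit least-privilege block next to `on:` (`contents: read`, `packages: write`, `security-events: write`) fixes both. The `getbranch` step still uses `::set-output`, which GitHub deprecated in favour of writing to `$GITHUB_OUTPUT`, and its `git branch | grep '^ckan-…[^-dev]$'` is unlikely to ever match: `git branch` prefixes names with two spaces or `* `, the default shallow `actions/checkout@v4` only has the pushed ref locally (listing remote branches needs `fetch-depth: 0` and `-r`), and `[^-dev]` is a character class rather than a `-dev` exclusion — so `VERSION` would presumably come back empty and the image tag would end in a bare `:`. Separately, the image is pushed before hadolint (`no-fail: true`) and Trivy run, so a failing scan never blocks publication; building with `push: false` and `load: true`, scanning, and only then pushing would close that gap, and pinning the third-party actions to a commit SHA instead of a mutable version tag is worth considering for supply-chain hygiene.
```yaml
on:
  push:
    branches:
      - master

permissions:
  contents: read
  packages: write
  security-events: write

# … unchanged: env, job header, QEMU / Buildx steps …

      - name: Check out code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get highest ckan branch excluding -dev
        id: getbranch
        run: |
          VERSION=$(git branch -r --format='%(refname:short)' | sed 's#^origin/##' | grep -E '^ckan-[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n 1)
          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"

# … unchanged: login, metadata, build/push, hadolint, Trivy, upload steps …
```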