name: Build and Push Docker Images on: push: tags: - "v*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false jobs: build-frontend: name: Build Frontend runs-on: ubuntu-latest environment: production permissions: contents: read packages: write security-events: write steps: - name: Checkout repository uses: actions/checkout@v6 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: | ${{ github.repository_owner }}/flowsint-app ghcr.io/${{ github.repository_owner }}/flowsint-app tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest - name: Build and push uses: docker/build-push-action@v6 with: context: ./flowsint-app file: ./flowsint-app/Dockerfile platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max provenance: true sbom: true - name: Run Trivy vulnerability scanner id: trivy uses: aquasecurity/trivy-action@v0.35.0 with: image-ref: ghcr.io/${{ github.repository_owner }}/flowsint-app:${{ steps.meta.outputs.version }} format: "sarif" output: "trivy-frontend.sarif" severity: "CRITICAL,HIGH" - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v4 if: always() && steps.trivy.outcome == 'success' with: sarif_file: "trivy-frontend.sarif" build-backend: name: Build Backend runs-on: ubuntu-latest environment: production permissions: contents: read packages: write security-events: write steps: - name: Checkout repository uses: actions/checkout@v6 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: | ${{ github.repository_owner }}/flowsint-api ghcr.io/${{ github.repository_owner }}/flowsint-api tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest - name: Build and push uses: docker/build-push-action@v6 with: context: . file: ./flowsint-api/Dockerfile target: production platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max provenance: true sbom: true - name: Run Trivy vulnerability scanner id: trivy uses: aquasecurity/trivy-action@v0.35.0 with: image-ref: ghcr.io/${{ github.repository_owner }}/flowsint-api:${{ steps.meta.outputs.version }} format: "sarif" output: "trivy-backend.sarif" severity: "CRITICAL,HIGH" - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v4 if: always() && steps.trivy.outcome == 'success' with: sarif_file: "trivy-backend.sarif" security-summary: name: Security Summary runs-on: ubuntu-latest needs: [build-frontend, build-backend] if: always() steps: - name: Summary run: | echo "## Build Summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "| Image | Status |" >> $GITHUB_STEP_SUMMARY echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY echo "| Frontend | ${{ needs.build-frontend.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Backend | ${{ needs.build-backend.result }} |" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "Security scans uploaded to GitHub Security tab." >> $GITHUB_STEP_SUMMARY