.github/workflows/bats.yml

---
name: Build bats docker image
run-name: ${{ github.actor }} is building bats

on:
  push:
    branches: ["main"]
    paths:
      - "bats/**"
  pull_request:
    branches: ["main"]
    paths:
      - "bats/**"

env:
  REGISTRY: ghcr.io
  IMAGE_TAG: ${{ github.repository }}/bats:v1.10.0-curl

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: bats
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_TAG }}

  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    needs: build
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_TAG }}
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4.1.7
      - uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Dockerfile linting
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: bats/Dockerfile
          ignore: DL3018