Skip to content

Docker Publish (Security Updates) #4

Docker Publish (Security Updates)

Docker Publish (Security Updates) #4

name: Docker Publish (Security Updates)
on:
workflow_dispatch:
inputs:
force_build:
description: 'Force build even if no vulnerabilities found'
type: boolean
default: false
skip_scan:
description: 'Skip vulnerability scanning (for testing)'
type: boolean
default: false
schedule:
- cron: '0 0 * * *' # Daily at midnight UTC
jobs:
scan-vulnerabilities:
runs-on: ubuntu-24.04
outputs:
has_vulnerabilities: ${{ steps.scan.outputs.has_vulnerabilities || inputs.force_build }}
steps:
- id: scan
if: inputs.skip_scan != true
uses: aquasecurity/[email protected]
with:
image-ref: 'ghcr.io/serversideup/docker-ssh'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
scanners: 'vuln'
hide-progress: true
# Set default output if scanning is skipped
- if: inputs.skip_scan
run: echo "has_vulnerabilities=true" >> $GITHUB_OUTPUT
get-latest-release:
runs-on: ubuntu-24.04
outputs:
release_version: ${{ steps.get-version.outputs.release_version }}
steps:
- name: Get Latest Release
id: get-version
run: |
LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
build-security-updates:
needs: [scan-vulnerabilities, get-latest-release]
if: needs.scan-vulnerabilities.outputs.has_vulnerabilities == 'true'
uses: ./.github/workflows/service_docker-build-and-publish.yml
secrets: inherit
with:
release_type: 'security'
ref_type: 'tag'
version: "${{ needs.get-latest-release.outputs.release_version }}"
notify:
needs: [build-security-updates]
runs-on: ubuntu-24.04
if: always()
steps:
- name: Notify on success
if: needs.build-security-updates.result == 'success'
uses: actions/github-script@v7
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.name,
title: '🔒 Security updates applied',
body: 'Security updates were automatically applied to the latest images.'
})