ci: refactor build workflows

.github/actions/build-docker-image/action.yml

@@ -0,0 +1,102 @@
+name: Build Docker image
+description: Builds a Docker image
+inputs:
+  context:
+    description: The directory containing the Dockerfile
+    required: true
+  file:
+    description: The Dockerfile to use
+    required: false
+  platforms:
+    description: The platforms to build for
+    required: false
+    default: linux/amd64,linux/arm64
+  push:
+    description: Whether to push the image to the registry
+    required: true
+  primaryTag:
+    description: The primary tag to use for the image
+    required: true
+  tags:
+    description: The tags to use for the image
+    required: false
+  args:
+    description: List of build-time variables
+    required: false
+  cache-from:
+    description: List of external cache sources for buildx
+    required: false
+  cache-to:
+    description: List of cache export destinations for buildx
+    required: false
+  no-cache:
+    description: Do not use cache when building the image
+    required: false
+    default: 'false'
+  registry:
+    description: The registry to use
+    required: false
+    default: https://ghcr.io
+  username:
+    description: The username to use for the registry
+    required: false
+  password:
+    description: The password to use for the registry
+    required: false
+    default: ${{ github.token }}
+runs:
+  using: composite
+  steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Docker Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+      if: ${{ inputs.push }}
+
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        load: true
+        push: false
+        context: ${{ inputs.context }}
+        file: ${{ inputs.file }}
+        tags: |
+          ${{ inputs.primaryTag }}
+          ${{ inputs.tags }}
+        build-args: ${{ inputs.args }}
+        cache-from: ${{ inputs.cache-from }}
+        no-cache: ${{ inputs.no-cache }}
+
+    - name: Push container image
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ inputs.context }}
+        file: ${{ inputs.file }}
+        platforms: ${{ inputs.platforms }}
+        push: ${{ inputs.push }}
+        tags: |
+          ${{ inputs.primaryTag }}
+          ${{ inputs.tags }}
+        build-args: ${{ inputs.args }}
+        cache-from: ${{ inputs.cache-from }}
+        cache-to: ${{ inputs.cache-to }}
+        no-cache: ${{ inputs.no-cache }}
+      if: ${{ inputs.push }}
+
+    - name: Security Scan
+      uses: aquasecurity/trivy-action@master
+      id: scan
+      with:
+        image-ref: ${{ inputs.primaryTag }}
+        format: template
+        template: "@.github/actions/build-docker-image/markdown.tpl"
+        output: trivy.md
+

.github/actions/build-docker-image/markdown.tpl

@@ -0,0 +1,33 @@
+## Trivy Scan Report
+{{- if . }}
+{{- range . }}
+## {{ .Target }}
+### Vulnerabilities
+{{- if (eq (len .Vulnerabilities) 0) }}
+No vulnerabilities found.
+{{- else }}
+| Package | Vulnerability ID | Severity | Installed Version | Fixed Version | Links |
+| ------- | ---------------- | :------: | ----------------- | ------------- | ----- |
+{{- range .Vulnerabilities }}
+| {{ .PkgName }} | {{ .VulnerabilityID }} | {{ .Vulnerability.Severity }} | {{ .InstalledVersion }} | {{ .FixedVersion }} | {{ .PrimaryURL }} |
+{{- end }}
+
+{{- end }} <!-- Vulnerabilities -->
+
+### Misconfigurations
+{{- if (eq (len .Misconfigurations ) 0) }}
+No misconfigurations found.
+{{- else }}
+| Type | Misconfiguration ID | Check | Severity | Message |
+| ---- | ------------------- | ----- | -------- | ------- |
+{{- range .Misconfigurations }}
+| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}<br>{{ .PrimaryURL }} |
+{{- end }}
+
+{{- end }} <!-- Misconfigurations -->
+
+{{- end }} <!-- Targets -->
+
+{{- else }}
+Trivy Returned Empty Report
+{{- end }}

.github/workflows/alpine.yml

@@ -30,31 +30,19 @@ jobs:
       - name: Check out the repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
-        with:
-          registry: https://ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Get image version
         id: getversion
         run: echo "version=$(head -n 1 alpine/Dockerfile | sed -e 's/FROM alpine:\(.*\)/\1/')" >> $GITHUB_OUTPUT
 
-      - name: Build container image
-        uses: docker/build-push-action@v5
+      - name: Build and push image
+        uses: ./.github/actions/build-docker-image
         with:
-          file: alpine/Dockerfile
-          platforms: linux/amd64,linux/arm64
+          context: alpine
           push: ${{ github.base_ref == null }}
           cache-from: type=gha,scope=alpine
           cache-to: type=gha,mode=max,scope=alpine
-          tags: |
-            ghcr.io/automattic/vip-container-images/alpine:latest
-            ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }}
+          primaryTag: ${{ steps.getversion.outputs.version }}
+          tags: ghcr.io/automattic/vip-container-images/alpine:latest
+          registry: https://ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}