.github/workflows/build-and-publish-ansible.yaml

name: Build and publish docker image for Ansible

on:
  push:
    branches:
      - "*"
  schedule:
    - cron: "0 2 1 * *"

jobs:
  build:
    name: Build & push docker image
    runs-on: ubuntu-latest
    permissions:
      packages: write
      security-events: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Log in to GitHub packages
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/xima-media/debian-ansible

      - name: Build and publish docker image for testing
        uses: docker/build-push-action@v5
        with:
          context: ./debian-ansible
          push: true
          tags: ghcr.io/xima-media/debian-ansible:test
          labels: ${{ steps.meta.outputs.labels }}

      - name: Test and get Ansible version
        run: |
          echo "ANSIBLE_VERSION=$(docker run --rm ghcr.io/xima-media/debian-ansible:test ansible-community --version | cut -d' ' -f4-)" >> $GITHUB_ENV
        id: test

      - name: Build and publish docker image
        uses: docker/build-push-action@v5
        with:
          context: ./debian-ansible
          push: true
          tags: ghcr.io/xima-media/debian-ansible:${{ steps.test.outputs.ANSIBLE_VERSION }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/xima-media/debian-ansible:${{ steps.test.outputs.ANSIBLE_VERSION }}
          format: 'sarif'
          output: 'debian-ansible.sarif'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          skip-files: '/root/.ansible/collections/ansible_collections/community/general/plugins/modules/java_keystore.py'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'debian-ansible.sarif'