99permissions :
1010 contents : read
1111 packages : write
12+ security-events : write # Required if you want to upload scan results to GitHub Security tab
1213
1314jobs :
1415 build-test :
5253 BRANCH_NAME=${GITHUB_REF#refs/heads/}
5354 echo "name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
5455
56+ # --- NEW STEP: Required for advanced Docker caching and building ---
57+ - name : Set up Docker Buildx
58+ uses : docker/setup-buildx-action@v3
59+
5560 - name : Docker meta
5661 id : meta
5762 uses : docker/metadata-action@v5
@@ -61,13 +66,33 @@ jobs:
6166 type=raw,value=${{ steps.branch.outputs.name }}-{{sha}},enable=true
6267 type=raw,value=latest,enable={{is_default_branch}}
6368
69+ # --- NEW STEP: Build locally for scanning (Don't push yet) ---
70+ - name : Build and export to Docker
71+ uses : docker/build-push-action@v5
72+ with :
73+ context : .
74+ load : true # This loads the image into the local Docker daemon
75+ tags : local-image-scan:latest # A temporary tag just for scanning
76+
77+ # --- NEW STEP: Run the Security Scan ---
78+ - name : Run Trivy vulnerability scanner
79+ uses : aquasecurity/trivy-action@0.20.0
80+ with :
81+ image-ref : ' local-image-scan:latest'
82+ format : ' table'
83+ exit-code : ' 1' # Fail the build if vulnerabilities are found
84+ ignore-unfixed : true # Don't fail on bugs that have no patch yet
85+ vuln-type : ' os,library'
86+ severity : ' CRITICAL,HIGH' # Only fail on Critical and High issues
87+
6488 - name : Log in to GHCR
6589 uses : docker/login-action@v3
6690 with :
6791 registry : ghcr.io
6892 username : ${{ github.actor }}
6993 password : ${{ secrets.GITHUB_TOKEN }}
7094
95+ # Actual Push Step (Uses cache from previous build step)
7196 - name : Build and push Docker image
7297 uses : docker/build-push-action@v5
7398 with :
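Review bot: The Trivy step (new lines 78–86) writes `format: 'table'` and no step uploads a SARIF report, so the `security-events: write` permission added in the earlier hunk of this file (new line 12) is granted but never exercised; either drop that line to keep the token at least privilege, or keep it and add a second Trivy run with `format: 'sarif'` plus an `output:` file followed by a `github/codeql-action/upload-sarif` step so the permission is actually used. The newly added third-party actions `aquasecurity/trivy-action@0.20.0` and `docker/setup-buildx-action@v3` are referenced by mutable tags; pinning them to a full-length commit SHA (tag kept in a trailing comment) removes the risk of a retagged release changing what runs with `packages: write` in hand, and should match whatever policy applies to the existing `docker/*` references. The quoted inputs render here as `' local-image-scan:latest'` and `' table'` with a space after the opening quote — presumably an artifact of this page, but if the space really is in the file the image reference handed to Trivy will not match the `local-image-scan:latest` tag built at new line 75, so confirm the file reads `image-ref: 'local-image-scan:latest'`. The `build-test` job these steps belong to begins before and continues after this hunk.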