name: ci-build run-name: Building ${{ github.ref_name }} env: version: 1.12.0 permissions: contents: read packages: write on: push: branches: - "**" pull_request: jobs: lint: runs-on: ubuntu-24.04 name: Run Hadolint steps: - uses: actions/checkout@v4 - uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: Dockerfile docker: runs-on: ubuntu-24.04 name: Build, Scan, and Push Docker Image needs: - lint steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) id: meta uses: docker/metadata-action@v5 with: images: ghcr.io/${{ github.repository }} tags: | type=raw,value=latest,enable={{is_default_branch}} type=raw,value=${{ env.version }} type=sha labels: | org.opencontainers.image.title=${{ github.repository }} org.opencontainers.image.version=${{ env.version }} org.opencontainers.image.source=${{ github.repositoryUrl }} org.opencontainers.image.created=${{ github.event.head_commit.timestamp }} - name: Build Docker image (no push) uses: docker/build-push-action@v5 with: context: . push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | MEDIAMTX_VERSION=${{ env.version }} load: true # for Trivy cache-from: type=gha cache-to: type=gha,mode=max - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.28.0 with: image-ref: ghcr.io/${{ github.repository }}:${{ env.version }} format: table exit-code: '1' severity: CRITICAL,HIGH - name: Push Docker image (if scan passed) if: success() uses: docker/build-push-action@v5 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} provenance: true cache-from: type=gha cache-to: type=gha,mode=max