From b7f75dd7bc5bf61a65894a99b7b7374ffed695f2 Mon Sep 17 00:00:00 2001
From: Jose Carlos
Date: Sun, 22 Feb 2026 09:31:53 +0100
Subject: [PATCH] feat: push to GHCR as secondary registry + Trivy CVE scanning in PR checks
release.yaml:
- Add 'Login to GHCR' step (docker/login-action@v3, GITHUB_TOKEN)
- After Docker Hub push, mirror all tags to ghcr.io/jorge07/alpine-php via 'docker buildx imagetools create' (zero-rebuild, copies the manifest)
- Add packages: write permission for GITHUB_TOKEN
pr.yaml:
- Add Trivy vulnerability scan step after image build
- Uses aquasecurity/trivy-action@0.29.0
- Scans jorge07/alpine-php:${VERSION} (main image, not dev)
- Fails CI on CRITICAL severity with a fix available (ignore-unfixed: true)
- Scans os and library vuln types
Dependabot (already configured) will keep trivy-action pinned up to date.
Closes #103 (GHCR + Trivy items)
---
 .github/workflows/pr.yaml | 9 +++++++++
 .github/workflows/release.yaml | 19 ++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index b573e9a..0cdf0a9 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -31,6 +31,15 @@ jobs:
 password: ${{ secrets.REGISTRY_PASSWORD }}
 - name: Build
 run: ARCHS="linux/amd64" make build
+ - name: Trivy vulnerability scan (main image)
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: jorge07/alpine-php:${{ matrix.version }}
+ format: table
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: os,library
+ severity: CRITICAL
 - name: Test Main
 run: make test-main
 - name: Test Dev
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 99e0bb3..02a1451 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
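Review bot: The new `uses: aquasecurity/trivy-action@0.29.0` line pins a mutable tag, so the scanner that gates this PR check can be swapped out by anyone who can move that tag upstream; pin the full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.29.0` (Dependabot updates SHA pins with the comment as well). The same applies to the new `docker/login-action@v3` step in the release.yaml hunk below. The `with:` inputs are also quoted inconsistently — `exit-code: "1"` but `ignore-unfixed: true` — and since action inputs are all strings, quoting both (`ignore-unfixed: "true"`) keeps the intent explicit. If the image is not loaded into the local daemon by `make build`, the scan would fall back to pulling `jorge07/alpine-php:<version>` from Docker Hub and silently scan the previously published image rather than the PR's build; that cannot be confirmed from the hunk, so worth checking against the Makefile.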
@@ -23,6 +23,9 @@ jobs:
 REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
 name: release-${{ matrix.version }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v6
 - name: Set up QEMU
@@ -38,9 +41,23 @@ jobs:
 with:
 username: ${{ secrets.REGISTRY_USERNAME }}
 password: ${{ secrets.REGISTRY_PASSWORD }}
- - name: Build and push
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and push (Docker Hub)
 if: env.REGISTRY_USERNAME != ''
 run: make release
 - name: Build only (no push credentials)
 if: env.REGISTRY_USERNAME == ''
 run: make build
+ - name: Push to GHCR
+ if: env.REGISTRY_USERNAME != ''
+ run: |
+ SEMVER=$(docker run --rm -v $(pwd):/app jorge07/alpine-php:${VERSION} php -r "echo phpversion();")
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${VERSION} jorge07/alpine-php:${VERSION}
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${VERSION}-dev jorge07/alpine-php:${VERSION}-dev
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${SEMVER} jorge07/alpine-php:${SEMVER}
+ docker buildx imagetools create --tag ghcr.io/jorge07/alpine-php:${SEMVER}-dev jorge07/alpine-php:${SEMVER}-dev
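Review bot: In the new `Push to GHCR` step, `SEMVER` is taken verbatim from a container's stdout and used unvalidated as an image tag in the four `imagetools create` lines; an empty or unexpected value (the default `bash -e` only catches a non-zero exit, not empty output) would produce a malformed `ghcr.io/jorge07/alpine-php:` reference or mirror the wrong tag. Guard it right after the assignment: `[[ "$SEMVER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected PHP version: '$SEMVER'" >&2; exit 1; }`. The `-v $(pwd):/app` mount is not needed to run `php -r "echo phpversion();"` and the unquoted `$(pwd)` breaks on paths with spaces, so `docker run --rm jorge07/alpine-php:${VERSION} php -r "echo phpversion();"` is enough. The mirror also copies whatever Docker Hub currently serves for each tag rather than the digest just pushed, and it presumes `make release` has already pushed the `${SEMVER}` and `${SEMVER}-dev` tags — neither can be confirmed from this hunk, so a comment stating those two assumptions above the step would help the next maintainer.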