build.yml

name: Build fresh image

on:
    push:
    schedule:
      - cron: "42 03 * * *"

jobs:
    buildandpush:
        runs-on: ubuntu-latest
        permissions:
            packages: write
        name: Build images and push to registry
        steps:
            - name: Checkout repo
              uses: actions/checkout@v4

            # https://github.com/marketplace/actions/docker-setup-buildx
            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3

            # https://github.com/docker/login-action#docker-hub
            - name: Login to registry
              uses: docker/login-action@v3
              with:
                registry: ghcr.io
                username: ${{github.actor}}
                password: ${{ secrets.GITHUB_TOKEN }}

            - name: Build latest and push to registry
              uses: docker/build-push-action@v5
              with:
                context: .
                cache-from: type=gha
                cache-to: type=gha,mode=max
                platforms: linux/amd64
                push: true
                tags: ghcr.io/deltablot/php-prod:8.3, ghcr.io/deltablot/php-prod:latest, ghcr.io/deltablot/php-prod:8

            # VULN SCAN
            - name: Run Trivy vulnerability scanner
              uses: aquasecurity/trivy-action@master
              with:
                image-ref: deltablot/php-prod:latest
                format: 'table'
                # uncomment to ignore: exit-code: '0'
                ignore-unfixed: true
                vuln-type: 'os,library'
                severity: 'CRITICAL'