docker-base-distro/.gitea/workflows/publish.yaml

name: Build and Push Base Distro Images

on:
  release:
    types: [published, prereleased]
  workflow_dispatch:

permissions:
  contents: read

env:
  IMAGE_NAME: base-distro

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - config: apko/base.yaml
            variant: base
          - config: apko/build.yaml
            variant: build
          - config: apko/dotnet-runtime.yaml
            variant: dotnet-runtime
          - config: apko/dotnet-sdk.yaml
            variant: dotnet-sdk
          - config: apko/flutter.yaml
            variant: flutter
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Determine tag
        id: tag
        run: |
          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
            echo "suffix=dev" >> $GITHUB_OUTPUT
          else
            echo "suffix=latest" >> $GITHUB_OUTPUT
          fi          

      - name: Install apko
        run: |
          curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_$(uname -s)_$(uname -m).tar.gz" | tar xz -C /usr/local/bin apko          

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Build and push image
        run: |
          apko publish ${{ matrix.config }} \
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}          

      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh          

      - name: Docker Scout CVE Scan
        run: |
          docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }} --only-severity critical,high