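---
name: Build and Push Flutter SDK Image

# `published` fires for both releases and pre-releases; listing `prereleased`
# alongside it made every pre-release start two concurrent runs that raced to
# push the same tags, so only `published` is kept.
on:  # yamllint disable-line rule:truthy
  release:
    types: [published]

# The workflow only reads the repository; the registry push uses Docker Hub
# credentials rather than GITHUB_TOKEN, so no write scope is needed.
permissions:
  contents: read

# One run per release tag: a re-run for the same tag cancels the earlier one
# instead of racing it on the registry.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.release.tag_name }}
  cancel-in-progress: true

env:
  IMAGE_NAME: gpb-flutter-sdk-web

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin every third-party action below to a full commit SHA
      # instead of a mutable major-version tag.
      - name: Checkout code
        uses: actions/checkout@v3

      # Pre-releases are tagged `dev`, full releases `latest`. The event value is
      # passed through an env var rather than interpolated into the script, and
      # $GITHUB_OUTPUT is quoted so the path cannot be word-split.
      - name: Determine Tag Type
        id: tag_type
        env:
          PRERELEASE: ${{ github.event.release.prerelease }}
        run: |
          set -euo pipefail
          if [[ "$PRERELEASE" == "true" ]]; then
            echo "tag=dev" >> "$GITHUB_OUTPUT"
          else
            echo "tag=latest" >> "$GITHUB_OUTPUT"
          fi

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_SVRNTY_USERNAME }}
          password: ${{ secrets.DOCKERHUB_SVRNTY_ACCESS_TOKEN }}

      # First build is loaded into the local daemon only (push: false) so it can
      # be scanned before anything reaches the registry.
      - name: Build image for Scout analysis
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          push: false
          load: true
          build-args: |
            FLUTTER_VERSION=${{ github.event.release.tag_name }}
          tags: ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}

      # The maintained action replaces the previous `curl | sh` of an unpinned
      # installer fetched from the scout-cli `main` branch. `exit-code: true`
      # makes the step fail on findings; without it the scan was report-only and
      # a vulnerable image was still pushed below.
      - name: Docker Scout CVE Scan
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
          only-severities: critical,high
          exit-code: true

      # Second build reuses the Buildx cache and pushes the scanned image with
      # an SBOM and max-mode provenance attestation. Note that mode=max records
      # build arguments in the attestation, so never pass secrets via build-args.
      - name: Build and push with attestations
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          push: true
          sbom: true
          provenance: mode=max
          build-args: |
            FLUTTER_VERSION=${{ github.event.release.tag_name }}
          tags: |
            ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
            ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag_type.outputs.tag }}
          labels: |
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.description=Minimal Flutter SDK for Web/WASM CI builds
            org.opencontainers.image.version=${{ github.event.release.tag_name }}
            org.opencontainers.image.revision=${{ github.sha }}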