docker-flutter-sdk/.gitea/workflows/publish.yaml

name: Build and Push Flutter SDK Image

on:
  release:
    types: [published, prereleased]

permissions:
  contents: read

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - dockerfile: Dockerfile
            image_name: gpb-flutter-sdk-web
            description: Minimal Flutter SDK for Web/WASM CI builds
          - dockerfile: Dockerfile.android
            image_name: gpb-flutter-sdk-android
            description: Flutter SDK for Android CI builds
          - dockerfile: Dockerfile.linux
            image_name: gpb-flutter-sdk-linux
            description: Flutter SDK for Linux desktop CI builds
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Determine Tag Type
        id: tag_type
        run: |
          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
            echo "tag=dev" >> $GITHUB_OUTPUT
          else
            echo "tag=latest" >> $GITHUB_OUTPUT
          fi          

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      - name: Build image for Scout analysis
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64
          push: false
          load: true
          build-args: |
            FLUTTER_VERSION=${{ github.event.release.tag_name }}            
          tags: ${{ vars.REGISTRY }}/${{ matrix.image_name }}:${{ github.event.release.tag_name }}

      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh          

      - name: Docker Scout CVE Scan
        run: |
          docker scout cves ${{ vars.REGISTRY }}/${{ matrix.image_name }}:${{ github.event.release.tag_name }} --only-severity critical,high          

      - name: Build and push with attestations
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64
          push: true
          sbom: true
          provenance: mode=max
          build-args: |
            FLUTTER_VERSION=${{ github.event.release.tag_name }}            
          tags: |
            ${{ vars.REGISTRY }}/${{ matrix.image_name }}:${{ github.event.release.tag_name }}
            ${{ vars.REGISTRY }}/${{ matrix.image_name }}:${{ steps.tag_type.outputs.tag }}            
          labels: |
            org.opencontainers.image.title=${{ matrix.image_name }}
            org.opencontainers.image.description=${{ matrix.description }}
            org.opencontainers.image.version=${{ github.event.release.tag_name }}
            org.opencontainers.image.revision=${{ github.sha }}