docker-flutter-sdk/.gitea/workflows/publish.yaml
Mathias Beaulieu-Duncan 8d48dcc5fd Initial minimal Flutter SDK image for web/WASM CI builds
- Dockerfile based on debian:bookworm-slim with web-only Flutter SDK
- Release pipeline with Docker Scout CVE scan, SBOM, and provenance
- Scout PR pipeline with check-image gate
- Daily update-check pipeline that auto-creates releases for new
  Flutter stable versions via Gitea API

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 00:39:04 -05:00


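# Release pipeline: on a published or pre-released release, build the Flutter
# SDK image, scan it with Docker Scout, then rebuild and push it with SBOM and
# provenance attestations.
#
# Trust note: github.event.release.tag_name is whatever the release author
# typed. It is only expanded inside `with:` inputs or passed to shell steps
# through `env:`, never spliced into a `run:` script, so the shell sees it as
# data rather than as script text.
name: Build and Push Flutter SDK Image

on:
  release:
    types: [published, prereleased]

# Read-only repository token; pushing uses the registry credentials below.
permissions:
  contents: read

env:
  IMAGE_NAME: gpb-flutter-sdk-web

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` in this job references a mutable version
      # tag. Pinning each action to a full commit SHA stops a retagged action
      # from running with the registry credentials.
      - name: Checkout code
        uses: actions/checkout@v3

      # Pre-releases move the floating `dev` tag, full releases move `latest`.
      - name: Determine Tag Type
        id: tag_type
        env:
          IS_PRERELEASE: ${{ github.event.release.prerelease }}
        run: |
          if [[ "$IS_PRERELEASE" == "true" ]]; then
            echo "tag=dev" >> "$GITHUB_OUTPUT"
          else
            echo "tag=latest" >> "$GITHUB_OUTPUT"
          fi

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # No `registry:` input is given, so the action logs in to its default
      # registry. From here on the credentials are in the runner's Docker
      # config for every later step.
      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_SVRNTY_USERNAME }}
          password: ${{ secrets.DOCKERHUB_SVRNTY_ACCESS_TOKEN }}

      # Local-only build (push: false, load: true) so Scout can inspect the
      # image before anything reaches the registry.
      - name: Build image for Scout analysis
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          push: false
          load: true
          build-args: |
            FLUTTER_VERSION=${{ github.event.release.tag_name }}
          tags: ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}

      # NOTE(review): the installer is fetched from the moving `main` branch
      # and executed without an integrity check, while the registry login is
      # already active. Pin the URL to a reviewed commit and verify a checksum
      # before running it.
      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      # NOTE(review): as written this step only reports findings; it does not
      # stop the push. Add `--exit-code` (optionally with `--only-fixed`) if
      # critical/high CVEs should block the release.
      - name: Docker Scout CVE Scan
        env:
          SCAN_IMAGE: ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
        run: |
          docker scout cves "$SCAN_IMAGE" --only-severity critical,high

      # NOTE(review): this is a second build invocation, not a push of the
      # image scanned above; the two should match only as far as the build
      # cache and base image are unchanged between the steps - confirm.
      - name: Build and push with attestations
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64
          push: true
          sbom: true
          provenance: mode=max
          build-args: |
            FLUTTER_VERSION=${{ github.event.release.tag_name }}
          tags: |
            ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
            ${{ vars.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag_type.outputs.tag }}
          labels: |
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.description=Minimal Flutter SDK for Web/WASM CI builds
            org.opencontainers.image.version=${{ github.event.release.tag_name }}
            org.opencontainers.image.revision=${{ github.sha }}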