Skip to content

Merge pull request #107 from QWED-AI/alert-autofix-263 #27

Merge pull request #107 from QWED-AI/alert-autofix-263

Merge pull request #107 from QWED-AI/alert-autofix-263 #27

name: Docker Publish
on:
push:
branches: [main]
paths:
- 'Dockerfile'
- 'requirements.txt'
- 'requirements.in'
- 'qwed_sdk/**'
- 'action_entrypoint.py'
- '.github/workflows/docker-publish.yml'
release:
types: [published]
workflow_dispatch:
inputs:
tag:
description: 'Docker image tag (leave empty for latest)'
required: false
default: ''
permissions:
contents: write
packages: write
env:
REGISTRY: docker.io
IMAGE_NAME: qwedai/qwed-verification
jobs:
build-and-push:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract metadata (tags, labels)
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.IMAGE_NAME }}
tags: |
# latest on main push
type=raw,value=latest,enable={{is_default_branch}}
# version tag on release (e.g., v3.0.1 -> 3.0.1)
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
# manual tag from workflow_dispatch
type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event.inputs.tag != '' }}
# SHA for traceability
type=sha,prefix=sha-
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64
- name: Generate SBOM
uses: anchore/sbom-action@v0.18.0
with:
image: ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
format: spdx-json
output-file: sbom.spdx.json
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.spdx.json
retention-days: 90
- name: Run Docker Scout vulnerability scan
uses: docker/scout-action@v1
if: github.event_name != 'pull_request'
with:
command: cves
image: ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
sarif-file: docker-scout-results.sarif
summary: true
continue-on-error: true
- name: Image digest
run: echo "Image pushed with digest ${{ steps.build.outputs.digest }}"