name: Publish Docker Image on: pull_request: push: branches: - "main" jobs: DockerBuildAndRelease: runs-on: ubuntu-latest steps: - name: Checkout Repository uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Registry id: registry_push uses: docker/login-action@v3 with: registry: registry.dangerous.tech username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Build and Push id: docker_build uses: docker/build-push-action@v5 with: context: . push: true tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest - name: Generate SBOM uses: anchore/sbom-action@v0 id: sbom with: image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest registry-username: ${{ secrets.REGISTRY_USERNAME }} registry-password: ${{ secrets.REGISTRY_PASSWORD }} format: spdx-json output-file: ./sbom.spdx.json - name: Scan SBOM uses: anchore/scan-action@v3 id: scan with: sbom: sbom.spdx.json severity-cutoff: medium fail-build: false only-fixed: true by-cve: true - name: upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Changelog uses: TriPSs/conventional-changelog-action@v3 id: changelog if: ${{ github.event_name != 'pull_request' }} with: github-token: ${{ secrets.GITHUB_TOKEN }} git-message: "chore 🤖: Release {version}" output-file: "CHANGELOG.md" tag-prefix: "v" fallback-version: "1.0.0" release-count: 0 # preserve all versions in changelog skip-on-empty: false # otherwise we don't publish fixes - name: Create Release uses: softprops/action-gh-release@v1 id: release if: ${{ steps.changelog.outputs.skipped == 'false' }} env: GITHUB_TOKEN: ${{ secrets.github_token }} with: tag_name: ${{ steps.changelog.outputs.tag }} name: ${{ steps.changelog.outputs.tag }} body: ${{ steps.changelog.outputs.clean_changelog }} files: | sbom.spdx.json