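# Builds the website container image on every push to master, pushes it to
# the private registry at cs-git.ddnss.de, then scans the pushed image with
# Trivy.
#
# SECURITY: registry credentials must never be committed in this file. The
# login and scan steps read them from the Actions secret store. The names
# REGISTRY_USERNAME and REGISTRY_PASSWORD are chosen here and must be created
# in the repository or organisation secret settings. The password that was
# previously hard-coded in this workflow remains in the git history, so
# treat it as compromised and rotate it.
name: Build container image

on:
  push:
    branches:
      - master

jobs:
  Build-and-release-image:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      # Credentials are scoped to the steps that need them instead of a
      # workflow-wide env block, so unrelated actions never see them.
      - name: Log into registry
        uses: docker/login-action@v3
        with:
          registry: https://cs-git.ddnss.de
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # NOTE(review): the outputs of this step (steps.meta.outputs.*) are
      # not consumed below; the build step uses a fixed tag.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: cs-git.ddnss.de/arbeitsschutz-ulm/website

      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        env:
          # NOTE(review): presumably blanked as a workaround for the
          # self-hosted runner. Confirm it is still required.
          ACTIONS_RUNTIME_TOKEN: ''
        with:
          tags: cs-git.ddnss.de/arbeitsschutz-ulm/website:master
          push: true

      # NOTE(review): the image is already published when this scan runs,
      # so a failing scan marks the job red but does not keep a vulnerable
      # image out of the registry.
      # NOTE(review): `@master` is a mutable ref. Pin this action to a
      # release tag or a full commit SHA so upstream changes cannot alter
      # a job that handles registry credentials.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          # An image reference carries no URL scheme; it must match the
          # tag pushed by the build step.
          image-ref: 'cs-git.ddnss.de/arbeitsschutz-ulm/website:master'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          output: 'image-scan.txt'
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          TRIVY_BRANCH: 'master'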