name: Build and Publish Docker Image
on:
push:
branches:
- main
tags:
- 'v*'
pull_request:
branches:
- main
env:
GHCR_REGISTRY: ghcr.io
DOCKERHUB_REGISTRY: docker.io
GHCR_IMAGE_NAME: deployment-team/unimus-mcp
DOCKERHUB_IMAGE_NAME: controlaltautomate/unimus-mcp
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Log in to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.DOCKERHUB_REGISTRY }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract metadata for GitHub Container Registry
id: meta-ghcr
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Extract metadata for Docker Hub
id: meta-dockerhub
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKERHUB_IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image to both registries
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: |
${{ steps.meta-ghcr.outputs.tags }}
${{ steps.meta-dockerhub.outputs.tags }}
labels: |
${{ steps.meta-ghcr.outputs.labels }}
${{ steps.meta-dockerhub.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Test container health check
if: github.event_name != 'pull_request'
run: |
docker run -d --name test-container \
--env-file <(echo "UNIMUS_URL=http://invalid-host" && echo "UNIMUS_TOKEN=invalid-token") \
-p 8080:8080 \
${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest
echo "Waiting for container to start and liveness probe to respond..."
ATTEMPTS=0
MAX_ATTEMPTS=6 # 60 seconden wachten is ruim voldoende
until curl -sf http://localhost:8080/healthz > /dev/null || [ $ATTEMPTS -eq $MAX_ATTEMPTS ]; do
ATTEMPTS=$((ATTEMPTS+1))
echo "Attempt $ATTEMPTS/$MAX_ATTEMPTS: Waiting for liveness probe..."
sleep 10
done
echo "Final check on the liveness probe:"
if curl -sf http://localhost:8080/healthz; then
echo "✅ Liveness probe (/healthz) is responding with 200 OK."
echo "Container has started successfully."
else
echo "❌ Liveness probe failed to respond correctly."
echo "--- Container Logs ---"
docker logs test-container
echo "----------------------"
exit 1
fi
# Cleanup
docker stop test-container
docker rm test-container
security-scan:
runs-on: ubuntu-latest
if: github.event_name != 'pull_request'
needs: build-and-push
permissions:
contents: read
security-events: write
packages: read
steps:
- name: Log in to GitHub Container Registry for scanning
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
