name: Build and Push Docker Image
on:
push:
branches: [ master ]
tags: [ 'v*' ]
release:
types: [ published ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
attestations: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha,prefix=sha-
# Tag as 'latest' on master branch
type=raw,value=latest,enable={{is_default_branch}}
# Tag as 'dev' on master branch pushes (not releases)
type=raw,value=dev,enable=${{ github.ref == 'refs/heads/master' && github.event_name == 'push' }}
- name: Build and push Docker image
id: build-push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
subject-digest: ${{ steps.build-push.outputs.digest }}
push-to-registry: true
set-package-visibility:
runs-on: ubuntu-latest
needs: build-and-push
permissions:
packages: write
steps:
- name: Set package visibility to public
run: |
# Wait a moment for package to be available
sleep 10
# Try to set package visibility to public
response=$(curl -s -o /dev/null -w "%{http_code}" \
-X PATCH \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/user/packages/container/shioaji-mcp" \
-d '{"visibility":"public"}')
if [ "$response" = "200" ] || [ "$response" = "409" ]; then
echo "✅ Package visibility set to public or already public"
else
echo "⚠️ Could not set package visibility (HTTP $response)"
echo "Please manually set the package to public in GitHub UI"
echo "Go to: https://github.com/users/musingfox/packages/container/shioaji-mcp/settings"
fi
docker-security-scan:
runs-on: ubuntu-latest
needs: build-and-push
permissions:
security-events: write
steps:
- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
