.github/workflows/ci.yml

name: CI

on:
  push:
    branches:
      - main
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+*"
  pull_request:
    branches:
      - main

env:
  platforms: linux/amd64,linux/arm64

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

      - name: Get Alpine version
        id: alpine
        run: echo "version=$(grep -m1 'FROM alpine' <Dockerfile | awk -F'[:]' '{print $2}')" >> $GITHUB_OUTPUT

      - name: Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Setup QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
        with:
          platforms: arm64
        if: github.event_name != 'pull_request'

      - name: Login to GitHub Container Registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ github.event_name != 'pull_request' }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: |
            name=ghcr.io/nginxinc/alpine-fips
          tags: |
            type=edge
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{version}},suffix=-alpine${{ steps.alpine.outputs.version }}

      - name: Build Docker image
        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
        id: build-push
        with:
          file: Dockerfile
          context: "."
          cache-from: type=gha,scope=alpine
          cache-to: type=gha,scope=alpine,mode=max
          tags: ${{ steps.meta.outputs.tags }}
          load: ${{ github.event_name == 'pull_request' }}
          push: ${{ github.event_name != 'pull_request' }}
          platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }}
          pull: true
          sbom: ${{ github.event_name != 'pull_request' }}
          provenance: ${{ github.event_name != 'pull_request' }}

      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6
        continue-on-error: true
        id: scan
        with:
          image: ghcr.io/nginxinc/alpine-fips:${{ steps.meta.outputs.version }}
          only-fixed: true
          add-cpes-if-none: true

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Create/Update Draft
        uses: lucacome/draft-release@3ed3808cb75e4398e021a19a171ce62f4943f2f7 # v1.0.0
        with:
          minor-label: "enhancement"
          major-label: "change"
          publish: ${{ startsWith(github.ref, 'refs/tags/') }}
          collapse-after: 20
        if: ${{ github.event_name != 'pull_request' }}