From 9b912b9395adcf62b41273fc907327d8b6c68e0b Mon Sep 17 00:00:00 2001
From: Steve Wagner <ciroque@live.com>
Date: Tue, 14 Mar 2023 14:27:34 -0700
Subject: [PATCH] First pass at a build Docker image gh action

---
 .github/workflows/build-and-sign-image.yml | 71 ++++++++++++++++++++++
 .github/workflows/go.yml                   |  2 +-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/build-and-sign-image.yml

diff --git a/.github/workflows/build-and-sign-image.yml b/.github/workflows/build-and-sign-image.yml
new file mode 100644
index 0000000..938ab2d
--- /dev/null
+++ b/.github/workflows/build-and-sign-image.yml
@@ -0,0 +1,71 @@
+# This workflow will build and push a signed Docker image
+
+name: Build and sign image
+
+on:
+  # THIS BLOCK IS FOR TESTING
+  branch_protection_rule:
+    types:
+      - created
+
+# THIS BLOCK IS THE ACTUAL DESIRED EVENT TRIGGER
+#  pull_request:
+#    branches:
+#      - "*" # Run on all branches
+#    types:
+#      - closed   ## This needs to be uncommented after testing
+
+env:
+  REGISTRY: hub.docker.com
+  IMAGE_NAME: "ciroque/nginx-k8s-loadbalancer" # ${{ github.repository }}
+
+jobs:
+  build_and_sign_image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v3
+
+        - name: Install cosign
+          if: github.event_name != 'pull_request'
+          uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+          with:
+            cosign-release: 'v1.13.1'
+
+        - name: Docker Buildx
+          uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+
+        - name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }}
+          uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+          with:
+            registry: ${{ env.REGISTRY }}
+            username: ${{ github.actor }}
+            password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+        - name: Build Docker Image
+          uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+          with:
+            context: .
+            file: ./Dockerfile
+            push: true
+            tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+        - name: Run Trivy vulnerability scanner
+          uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2
+          continue-on-error: true
+          with:
+            image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }}
+            format: 'sarif'
+            output: 'trivy-results-${{ inputs.image }}.sarif'
+            ignore-unfixed: 'true'
+
+        - name: Upload Trivy scan results to GitHub Security tab
+          uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6
+          continue-on-error: true
+          with:
+            sarif_file: 'trivy-results-${{ inputs.image }}.sarif'
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 3e9a76d..f90d3a3 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -5,7 +5,7 @@ name: Go
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "*" ]
   pull_request:
     branches: [ "main" ]