feat: improve docker build

jbern0rd · jbern0rd · commit e66c34ec303f · 2026-01-08T11:38:16.000+01:00
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -80,23 +80,10 @@ jobs:
           build-args: ${{ inputs.build-args }}
           context: ${{ inputs.context }}
           file: ${{ inputs.dockerfile }}
-          platforms: ${{ inputs.platforms }}
-          push: ${{ inputs.push }}
+          platforms: linux/amd64  # Build single platform for security scanning
+          push: false  # Don't push yet, wait for security checks
           tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-
-      - name: Build Docker Image as Tarball
-        if: ${{ inputs.security-scan }}
-        run: |
-          BUILD_ARGS=""
-          if [ -n "${{ inputs.build-args }}" ]; then
-            while IFS= read -r line; do
-              if [ -n "$line" ]; then
-                BUILD_ARGS="$BUILD_ARGS --build-arg $line"
-              fi
-            done <<< "${{ inputs.build-args }}"
-          fi
-          docker build $BUILD_ARGS -t ${{ inputs.image-name }}:${{ inputs.image-tag }} -f ${{ inputs.dockerfile }} ${{ inputs.context }}
-          docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
+          outputs: type=docker,dest=vuln-image.tar  # Export as tarball for security scanning
 
       - name: Run Trivy vulnerability scanner
         id: trivy
@@ -196,3 +183,35 @@ jobs:
             ${{ steps.read_hadolint.outputs.report }}
             ```
             </details>
+
+      - name: Fail build on High/Critical Vulnerabilities
+        id: security_check
+        if: ${{ inputs.security-scan }}
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          input: vuln-image.tar
+          format: ${{ (inputs.security-report == 'sarif' && 'sarif') || 'table' }}
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          hide-progress: true
+          skip-setup-trivy: true
+          exit-code: 1
+
+      - name: Build and Push Multi-Platform Image
+        if: ${{ inputs.push }}
+        uses: docker/build-push-action@v6
+        with:
+          build-args: ${{ inputs.build-args }}
+          context: ${{ inputs.context }}
+          file: ${{ inputs.dockerfile }}
+          platforms: ${{ inputs.platforms }}
+          push: true
+          tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+
+    - name: Cleanup
+      id: cleanup
+      if: always()
+      run: |
+        rm -f trivy.txt trivy-results.sarif vuln-image.tar
+        docker image rm -f ${{ inputs.image-name }}:${{ inputs.image-tag }}
