Skip to content

chore(deps): bump opossum from 8.5.0 to 10.0.0 in /services/tts #450

chore(deps): bump opossum from 8.5.0 to 10.0.0 in /services/tts

chore(deps): bump opossum from 8.5.0 to 10.0.0 in /services/tts #450

Workflow file for this run

name: Docker Build and Push
on:
push:
branches: [main]
tags: ['v*']
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
name: Build and Push Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v6
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix={{branch}}-
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Push to GHCR on main branch
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
scan:
name: Scan Docker Image
runs-on: ubuntu-latest
needs: build
if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'sarif'
output: 'trivy-image-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-image-results.sarif'
category: 'trivy-image'
test-image:
name: Test Docker Image
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Build image for testing
uses: docker/build-push-action@v5
with:
context: .
load: true
tags: predictiq-api:test
cache-from: type=gha
- name: Test image startup
run: |
docker run --rm -d --name test-api -p 8080:8080 predictiq-api:test
sleep 5
if docker ps | grep -q test-api; then
echo "✅ Container started successfully"
docker stop test-api
else
echo "❌ Container failed to start"
exit 1
fi
- name: Assert CORS_DEV_MODE is not set in production image
run: |
ENV_VARS=$(docker inspect --format='{{range .Config.Env}}{{println .}}{{end}}' predictiq-api:test)
if echo "$ENV_VARS" | grep -q "^CORS_DEV_MODE=true"; then
echo "❌ CORS_DEV_MODE=true found in production Docker image environment!"
exit 1
fi
echo "✅ CORS_DEV_MODE=true is not baked into the production Docker image"