From d4896a6dc36c79311311a78ba928aa176fc9abeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Malte=20Lauk=C3=B6tter?=
Date: Wed, 22 Nov 2023 15:05:16 +0100
Subject: [PATCH] Add deactivated build and push image job

---
 .github/workflows/pipeline.yml | 68 ++++++++++++++++++++++++++++++++++
 .talismanrc | 4 +-
 README.md | 2 +
 3 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 3196fbc..21eea8d 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -189,3 +189,71 @@ jobs:
 commit: true
 url: ${{ secrets.SLACK_WEBHOOK_URL }}
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ if: ${{ github.ref == 'refs/heads/main' && false }}
+ needs:
+ - build
+ - audit-licenses
+ - vulnerability-scan
+ permissions:
+ contents: read
+ id-token: write # This is used to complete the identity challenge with sigstore/fulcio..
+ packages: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: validate github workflow files to have pinned versions
+ uses: digitalservicebund/github-actions/github-actions-linter@5009471245d84903ea1af84104eb1908f8e2b2a2
+
+ - name: Build image from Dockerfile
+ run: |
+ docker build -t ${{ env.IMAGE_NAME }}:${{ github.sha }} . --build-arg COMMIT_SHA=${{ github.sha }}
+
+ - name: Generate cosign vulnerability scan record
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0
+ with:
+ image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+ format: "cosign-vuln"
+ output: "vulnerabilities.json"
+
+ - name: Upload cosign vulnerability scan record
+ uses: actions/upload-artifact@v3
+ with:
+ name: "vulnerabilities.json"
+ path: "vulnerabilities.json"
+ if-no-files-found: error
+
+ - name: Install cosign
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
+
+ - name: Login to container registry
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+ with:
+ registry: "ghcr.io"
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push image
+ run: |
+ docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
+ docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ docker push --all-tags ghcr.io/${{ env.IMAGE_NAME }}
+
+ - name: Sign the published Docker image
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: cosign sign ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+ - name: Attest the vulnerability scan
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
diff --git a/.talismanrc b/.talismanrc
index e12bb35..03eff4b 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -1,10 +1,10 @@
 fileignoreconfig:
 - filename: .github/workflows/pipeline.yml
- checksum: 3b840c15ff7418409f3e1fe93bc2891a624d2790234a243ee0a41e2e79ebfff7
+ checksum: 7df83e5a39767b69860157cbb434c5fb74088ee93145226d493ab911d2747fbd
 - filename: .github/workflows/scan.yml
 checksum: b06430d20570ad4ce61e6078af8a2851ef1c1bf832f0a4f70c490bde1f533cdd
 - filename: README.md
- checksum: 9cc9276b29311ab943fa3967d1160e46cfc86e9088a3c5da2b7ab00f43a1f9be
+ checksum: 7420902b2398edae580fd51b1043019441b4c3c78fc5495e0bc065a24fbefb95
 - filename: public/fonts/BundesSerifWeb-Italic.woff
 checksum: 2cad03dd85939c73e892cce6d994a89046677e94ceb11dd1cde5a23a3b35c392
 - filename: public/fonts/BundesSansWeb-BoldItalic.woff
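Review bot: The `Sign the published Docker image` and `Attest the vulnerability scan` steps hand cosign the mutable reference `ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}`, so the tag is re-resolved against the registry at signing time and the signature and vuln attestation bind to whatever digest comes back then, not necessarily the image this job just built and pushed; capturing the digest in the push step and signing that immutable `@sha256:` reference closes the window (cosign v2 also warns on tag-only references for exactly this reason). The sign step additionally lacks the `--yes` that the attest step passes; if the pinned `cosign-installer` commit installs cosign v2 (it appears to), the keyless flow prompts for confirmation and fails in a non-interactive runner without it, and `COSIGN_EXPERIMENTAL` is then no longer needed since keyless is the default. Separately, `docker push --all-tags` pushes every local tag under that repository rather than the two just created, which is harmless on an ephemeral `ubuntu-latest` runner but would push stale tags on a persistent one, so pushing the two tags explicitly is safer. The `env.IMAGE_NAME` definition and the rest of the `jobs:` mapping sit outside the hunk.
```yaml
      # … unchanged: checkout, workflow linter, docker build, trivy scan, artifact upload, cosign install, registry login …

      - name: Push image
        id: push
        run: |
          docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}
          docker tag ${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
          docker push ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
          docker push ghcr.io/${{ env.IMAGE_NAME }}
          # Immutable reference (ghcr.io/<name>@sha256:...) of the image that was just pushed;
          # this is what gets signed and attested, never the mutable tag.
          echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }})" >> "$GITHUB_OUTPUT"

      - name: Sign the published Docker image
        # Keyless signing: the job's OIDC token is exchanged for an ephemeral Fulcio certificate.
        # --yes is required for the non-interactive runner.
        run: cosign sign --yes "${{ steps.push.outputs.digest }}"

      - name: Attest the vulnerability scan
        run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln "${{ steps.push.outputs.digest }}"
```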
diff --git a/README.md b/README.md
index 113be17..f8f1b2c 100644
--- a/README.md
+++ b/README.md
@@ -134,6 +134,8 @@ The website is then available under http://localhost:3000
 
 If you want to include any additional files during the build that are not in the `app` or `public` directories you need to add them to the `.dockerignore` file.
 
+The pipeline GitHub Action includes a job to build the Docker Image and push it to GitHub Packages. This job is currently deactivated. To enable it you need to remove the `&& false` from the end of the `if` predicate of the `build-and-push-image` job.
+
 ### DIY
 
 If you're familiar with deploying node applications, the built-in Remix app server is production-ready.