.github/workflows/docker-hub.yml

name: Docker Hub

on:
  workflow_dispatch:
  push:
    branches: [ main ]
    tags: [ '*' ]

jobs:
  hadolint:
    runs-on: ubuntu-20.04
    name: "Hadolint"
    steps:
      - uses: actions/checkout@v3
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: "./Dockerfile"

  publish:
    needs: hadolint
    name: Publish
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Login to DockerHub
        uses: docker/login-action@v1 
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      
      - name: Build and publish
        run: |
          # If it is a tag:
          if [ -z "${GITHUB_REF##refs/tags/*}" ] ; then
            ./scripts/docker-hub-publish.sh ${GITHUB_REF#refs/tags/}
          else
            ./scripts/docker-hub-publish.sh ${GITHUB_SHA}
          fi

      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'zeitgeistpm/zeitgeist-node:latest'
          format: 'sarif'
          output: 'zetgeist-node-report.sarif'
          severity: 'HIGH,CRITICAL'