---
# Pipeline triggers: every pull request and tag, plus push/manual runs on the
# default branch only.
when:
  - event:
      - pull_request
      - tag
  - event:
      - push
      - manual
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  # Builds the image into a local OCI layout (oci/<repo name>) so it can be
  # scanned. No registry credentials are configured on this step.
  # NOTE(review): the plugin image is referenced by the mutable tag ":1";
  # pinning by digest would make the build tooling immutable.
  security-build:
    image: quay.io/thegeeklab/wp-docker-buildx:1
    settings:
      containerfile: Containerfile.multiarch
      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      repo: ${CI_REPO}

  # Scans the OCI layout produced by security-build.
  # NOTE(review): the scanner image has no tag or digest, so the Trivy
  # version floats between runs; pin it to a reviewed tag or digest.
  security-scan:
    image: ghcr.io/aquasecurity/trivy
    commands:
      - trivy -v
      - trivy image --input oci/${CI_REPO_NAME}
    environment:
      # Non-zero exit when findings match the filters below, failing the step.
      TRIVY_EXIT_CODE: "1"
      # Vulnerabilities without an available fix are not reported; they are
      # still present in the image and need tracking elsewhere.
      TRIVY_IGNORE_UNFIXED: "true"
      TRIVY_NO_PROGRESS: "true"
      # Only HIGH and CRITICAL findings are reported and gate the step.
      TRIVY_SEVERITY: HIGH,CRITICAL
      # NOTE(review): short timeout; confirm that a timed-out scan fails the
      # step rather than letting the pipeline continue unscanned.
      TRIVY_TIMEOUT: 1m
      # This binary is excluded from the scan, so findings in it never gate
      # the build. Record why it is skipped and re-check it periodically.
      TRIVY_SKIP_FILES: /usr/local/bin/gomplate

  # Publish steps run only for tags and for push/manual on the default
  # branch, so they are not started for pull_request events. Registry
  # credentials come from pipeline secrets, not from this file.
  # NOTE(review): each publish step builds from the Containerfile again for
  # three platforms instead of pushing the scanned OCI layout, so the scan
  # result presumably does not cover every published image - confirm.
  # NOTE(review): "provenance: false" presumably disables build provenance
  # attestations on the published images - confirm this is intended.
  publish-dockerhub:
    group: container
    image: quay.io/thegeeklab/wp-docker-buildx:1
    settings:
      auto_tag: true
      containerfile: Containerfile.multiarch
      password:
        from_secret: docker_password
      platforms:
        - linux/amd64
        - linux/arm64
        - linux/arm/v7
      provenance: false
      repo: ${CI_REPO}
      username:
        from_secret: docker_username
    when:
      - event:
          - tag
      - event:
          - push
          - manual
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

  # Same publish configuration as publish-dockerhub, targeting quay.io with
  # its own secret pair; the notes on publish-dockerhub apply here as well.
  publish-quay:
    group: container
    image: quay.io/thegeeklab/wp-docker-buildx:1
    settings:
      auto_tag: true
      containerfile: Containerfile.multiarch
      password:
        from_secret: quay_password
      platforms:
        - linux/amd64
        - linux/arm64
        - linux/arm/v7
      provenance: false
      registry: quay.io
      repo: quay.io/${CI_REPO}
      username:
        from_secret: quay_username
    when:
      - event:
          - tag
      - event:
          - push
          - manual
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}