---
when:
  - event: [pull_request, tag]
  - event: [push, manual]
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  - name: security-build
    image: quay.io/thegeeklab/wp-docker-buildx:4
    settings:
      containerfile: Containerfile
      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      repo: thegeeklab/${CI_REPO_NAME}

  - name: security-scan
    image: ghcr.io/aquasecurity/trivy
    commands:
      - trivy -v
      - trivy image --input oci/${CI_REPO_NAME}
    environment:
      TRIVY_EXIT_CODE: "1"
      TRIVY_IGNORE_UNFIXED: "true"
      TRIVY_NO_PROGRESS: "true"
      TRIVY_SEVERITY: HIGH,CRITICAL
      TRIVY_TIMEOUT: 1m

  - name: publish-dockerhub
    image: quay.io/thegeeklab/wp-docker-buildx:4
    group: container
    settings:
      auto_tag: true
      containerfile: Containerfile
      password:
        from_secret: docker_password
      provenance: false
      repo: thegeeklab/${CI_REPO_NAME}
      username:
        from_secret: docker_username
    when:
      - event: [tag]
      - event: [push, manual]
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

  - name: publish-quay
    image: quay.io/thegeeklab/wp-docker-buildx:4
    group: container
    settings:
      auto_tag: true
      containerfile: Containerfile
      password:
        from_secret: quay_password
      provenance: false
      registry: quay.io
      repo: quay.io/thegeeklab/${CI_REPO_NAME}
      username:
        from_secret: quay_username
    when:
      - event: [tag]
      - event: [push, manual]
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}