---
# Container pipeline: compile the binary, build an OCI image, scan it with
# Trivy, then publish to Docker Hub and Quay.

# Pipeline trigger: every pull request and tag; push and manual runs only on
# the repository's default branch.
when:
  - event:
      - pull_request
      - tag
  - event:
      - push
      - manual
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  # Compiles the project via `make build`.
  # NOTE(review): the toolchain is selected by a dated nightly tag. Registry
  # tags are mutable; pinning by digest (image@sha256:<digest>) is the
  # stronger supply-chain control.
  binary:
    image: docker.io/clux/muslrust:nightly-2021-04-14
    commands:
      - make build

  # Builds the image from Containerfile and exports it as an OCI layout to
  # oci/<repo name> (see `output`), which is the path the scan step reads.
  # No registry credentials are configured on this step.
  security-build:
    image: quay.io/thegeeklab/wp-docker-buildx:2
    settings:
      containerfile: Containerfile
      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      repo: thegeeklab/${CI_REPO_NAME}

  # Vulnerability gate: scans the OCI layout written by security-build.
  # NOTE(review): the scanner image carries no tag or digest, so each run
  # pulls whatever the registry currently serves as the default tag. Pin a
  # release tag or digest so the gate itself is reproducible.
  # NOTE(review): as far as this file shows, the publish steps build from
  # Containerfile again instead of pushing this scanned layout, so the
  # published image is not guaranteed to be byte-identical to what was
  # scanned — confirm.
  security-scan:
    image: ghcr.io/aquasecurity/trivy
    commands:
      - trivy -v
      - trivy image --input oci/${CI_REPO_NAME}
    environment:
      # Non-zero exit when matching findings exist, which fails the step.
      TRIVY_EXIT_CODE: "1"
      # Findings without an available fix are not reported, so an unfixed
      # HIGH/CRITICAL issue does not fail the gate.
      TRIVY_IGNORE_UNFIXED: "true"
      TRIVY_NO_PROGRESS: "true"
      # Only these severities are reported; MEDIUM and below pass silently.
      TRIVY_SEVERITY: "HIGH,CRITICAL"
      # NOTE(review): short budget; verify larger images still finish
      # scanning within it.
      TRIVY_TIMEOUT: "1m"
      # This file is excluded from the scan, so vulnerabilities in it are
      # never reported. NOTE(review): the reason is not recorded here; keep
      # the exclusion under periodic review.
      TRIVY_SKIP_FILES: "/usr/local/bin/gomplate"

  # Pushes to Docker Hub. Credentials come from pipeline secrets, and the
  # step-level `when` excludes pull_request events, so pull request runs do
  # not reach a step that references them.
  # NOTE(review): `provenance: false` turns off the build provenance
  # attestation for the pushed image; consumers then have no attached
  # attestation to verify build origin against — confirm this is intended.
  publish-dockerhub:
    group: container
    image: quay.io/thegeeklab/wp-docker-buildx:2
    settings:
      auto_tag: true
      containerfile: Containerfile
      password:
        from_secret: docker_password
      provenance: false
      repo: thegeeklab/${CI_REPO_NAME}
      username:
        from_secret: docker_username
    when:
      - event:
          - tag
      - event:
          - push
          - manual
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

  # Pushes to quay.io with the same gating as publish-dockerhub: tag events,
  # or push/manual on the default branch. Secrets are referenced by name
  # only. The `provenance: false` note on publish-dockerhub applies here too.
  publish-quay:
    group: container
    image: quay.io/thegeeklab/wp-docker-buildx:2
    settings:
      auto_tag: true
      containerfile: Containerfile
      password:
        from_secret: quay_password
      provenance: false
      registry: quay.io
      repo: quay.io/thegeeklab/${CI_REPO_NAME}
      username:
        from_secret: quay_username
    when:
      - event:
          - tag
      - event:
          - push
          - manual
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}