---
# Woodpecker CI pipeline: build an OCI image, scan it with Trivy, and only then
# publish to Docker Hub and Quay. Publishing is gated on the scan step via
# `depends_on`; the scan fails the pipeline on HIGH/CRITICAL findings
# (TRIVY_EXIT_CODE=1), so nothing is pushed when the scan does not pass.
#
# NOTE(review): the publish steps rebuild from the Containerfile (seeded from
# the local buildx cache) instead of pushing the exact OCI layout that was
# scanned. With a full cache hit the layers should be identical, but anything
# not served from cache (base image re-resolution, network-dependent RUN steps)
# can make the published image differ from the scanned one - confirm the cache
# hit rate, or push the scanned artifact directly if a strict gate is required.

# Pipeline-wide trigger: every PR and tag, plus pushes / manual runs on the
# default branch. Individual publish steps narrow this further below.
when:
  - event:
      - pull_request
      - tag
  - event:
      - push
      - manual
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  # Build once into a local OCI layout (oci/<repo>) and export a local buildx
  # cache (oci/cache/<repo>, mode=max) that the publish steps reuse. Nothing is
  # pushed here; the registry config is only used for pulling.
  - name: security-build
    image: quay.io/thegeeklab/wp-docker-buildx:5
    settings:
      containerfile: Containerfile
      repo: thegeeklab/${CI_REPO_NAME}
      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      cache_to: type=local,dest=oci/cache/${CI_REPO_NAME},mode=max
      registry_config:
        from_secret: DOCKER_REGISTRY_CONFIG_PULL

  # Scan the OCI layout produced above. The scanner image carries no tag, so it
  # floats to `latest`; for a gate this matters - pin it to a version (and
  # ideally a digest) so the scanner itself is not a mutable dependency.
  - name: security-scan
    image: docker.io/aquasec/trivy
    depends_on: security-build
    commands:
      - trivy -v
      - trivy image --input oci/${CI_REPO_NAME}
    environment:
      # Non-zero exit on findings is what turns the scan into a real gate.
      TRIVY_EXIT_CODE: "1"
      # Findings without an available fix are skipped and therefore do not fail
      # the build - this is an explicit risk acceptance; keep it deliberate.
      TRIVY_IGNORE_UNFIXED: "true"
      TRIVY_NO_PROGRESS: "true"
      TRIVY_SEVERITY: HIGH,CRITICAL
      # 1m includes the vulnerability DB download; a timeout exits non-zero,
      # so the gate fails closed rather than silently passing.
      TRIVY_TIMEOUT: 1m
      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2

  # Publish to Docker Hub. Runs only after the scan passed, and only for tags
  # and default-branch pushes / manual runs (no PRs). `provenance: false`
  # disables the plugin's provenance output - presumably the BuildKit
  # provenance attestation; confirm against the plugin docs before relying on
  # attestations downstream.
  - name: publish-dockerhub
    image: quay.io/thegeeklab/wp-docker-buildx:5
    depends_on: security-scan
    settings:
      containerfile: Containerfile
      repo: thegeeklab/${CI_REPO_NAME}
      auto_tag: true
      provenance: false
      cache_from:
        - 'type=local\\,src=oci/cache/${CI_REPO_NAME}'
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
    when:
      - event:
          - tag
      - event:
          - push
          - manual
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

  # Publish to Quay. Same gate and trigger narrowing as the Docker Hub step,
  # using the Quay credentials and an explicit registry.
  - name: publish-quay
    image: quay.io/thegeeklab/wp-docker-buildx:5
    depends_on: security-scan
    settings:
      containerfile: Containerfile
      registry: quay.io
      repo: quay.io/thegeeklab/${CI_REPO_NAME}
      auto_tag: true
      provenance: false
      cache_from:
        - 'type=local\\,src=oci/cache/${CI_REPO_NAME}'
      username:
        from_secret: quay_username
      password:
        from_secret: quay_password
    when:
      - event:
          - tag
      - event:
          - push
          - manual
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}