--- when: - event: [pull_request, tag] - event: [push, manual] branch: - ${CI_REPO_DEFAULT_BRANCH} steps: - name: security-build image: quay.io/thegeeklab/wp-docker-buildx:5 settings: containerfile: Containerfile.multiarch output: type=oci,dest=oci/${CI_REPO_NAME},tar=false repo: thegeeklab/${CI_REPO_NAME} registry_config: from_secret: DOCKER_REGISTRY_CONFIG_PULL - name: security-scan image: docker.io/aquasec/trivy depends_on: security-build commands: - trivy -v - trivy image --input oci/${CI_REPO_NAME} environment: TRIVY_EXIT_CODE: "1" TRIVY_IGNORE_UNFIXED: "true" TRIVY_NO_PROGRESS: "true" TRIVY_SEVERITY: HIGH,CRITICAL TRIVY_TIMEOUT: 1m TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2 - name: publish-dockerhub image: quay.io/thegeeklab/wp-docker-buildx:5 depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch password: from_secret: docker_password platforms: - linux/amd64 - linux/arm64 - linux/arm/v7 - linux/arm/v6 provenance: false repo: thegeeklab/${CI_REPO_NAME} username: from_secret: docker_username when: - event: [tag] - event: [push, manual] branch: - ${CI_REPO_DEFAULT_BRANCH} - name: publish-quay image: quay.io/thegeeklab/wp-docker-buildx:5 depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch password: from_secret: quay_password platforms: - linux/amd64 - linux/arm64 - linux/arm/v7 - linux/arm/v6 provenance: false registry: quay.io repo: quay.io/thegeeklab/${CI_REPO_NAME} username: from_secret: quay_username when: - event: [tag] - event: [push, manual] branch: - ${CI_REPO_DEFAULT_BRANCH} depends_on: - test