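name: build

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for the job token: the workflow only reads the repository;
# registry access uses its own credentials below.
permissions:
  contents: read

env:
  REGISTRY: harbor.furynrage.com
  IMAGE: harbor.furynrage.com/demo-app/app
  # The DinD sidecar in the act-runner pod listens on 2375 on the host network.
  # NOTE(review): 2375 is the plaintext, unauthenticated Docker API; anything
  # that can reach the host network gets root-equivalent control of that
  # daemon. Prefer the TLS port (2376 with DOCKER_TLS_VERIFY=1) or a unix
  # socket shared only with this pod.
  DOCKER_HOST: tcp://localhost:2375

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather than
      # a mutable tag, so a moved tag cannot swap the checkout code.
      - uses: actions/checkout@v4

      - name: Install docker CLI
        run: |
          set -euo pipefail
          apt-get update -qq
          apt-get install -y -qq --no-install-recommends docker.io ca-certificates

      # Short (7-character) commit SHA used as the immutable image tag.
      - name: Compute sha tag
        id: tag
        run: echo "sha=${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"

      # Secrets are passed through `env:` instead of being interpolated with
      # `${{ }}` directly into the script: expression interpolation happens
      # before the shell runs, so a value containing quotes or `$` would be
      # executed as shell, and the secret would also be embedded in the
      # rendered script.
      - name: Login + build + push sha tag
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          SHA: ${{ steps.tag.outputs.sha }}
        run: |
          set -euo pipefail
          # printf rather than echo: a password beginning with `-n`/`-e` would
          # otherwise be parsed as an echo option.
          printf '%s' "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
          docker build -t "$IMAGE:$SHA" -t "$IMAGE:latest" .
          # Only the immutable sha tag is pushed here; `latest` is promoted
          # after the scan below passes.
          docker push "$IMAGE:$SHA"

      # The scan gates promotion: `--exit-code 1` fails the job on CRITICAL/HIGH
      # findings, so `latest` is never published for a failing image. (Pushing
      # everything first and scanning with `--exit-code 0` made the scan purely
      # informational.)
      # TODO(review): pin aquasec/trivy to a version or digest instead of
      # `latest` so the scanner itself is reproducible.
      - name: Trivy scan
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USER }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          SHA: ${{ steps.tag.outputs.sha }}
        run: |
          set -euo pipefail
          # `-e NAME` without a value forwards the variable from this shell's
          # environment, so the secret never appears on the command line.
          docker run --rm \
            -e TRIVY_USERNAME \
            -e TRIVY_PASSWORD \
            aquasec/trivy:latest image \
            --severity CRITICAL,HIGH \
            --exit-code 1 \
            --no-progress \
            "$IMAGE:$SHA"

      # Reached only if the scan step passed; the `latest` tag was applied to
      # the same local image during the build step on the shared DinD daemon.
      - name: Promote latest
        run: |
          set -euo pipefail
          docker push "$IMAGE:latest"

      # Remove the registry credential from the runner's docker config even
      # when an earlier step failed (skipped if the CLI was never installed).
      - name: Logout from registry
        if: always()
        run: |
          if command -v docker >/dev/null 2>&1; then
            docker logout "$REGISTRY"
          fi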