.github/workflows/action_publish-images-security-updates.yml

name: Docker Publish (Security Updates)

on:
  workflow_dispatch:
    inputs:
      force_build:
        description: 'Force build even if no vulnerabilities found'
        type: boolean
        default: false
      skip_scan:
        description: 'Skip vulnerability scanning (for testing)'
        type: boolean
        default: false
  schedule:
    - cron: '0 0 * * *'  # Daily at midnight UTC

permissions:
  contents: write

jobs:
  scan-vulnerabilities:
    runs-on: ubuntu-24.04
    outputs:
      has_vulnerabilities: ${{ steps.scan.outputs.has_vulnerabilities || inputs.force_build }}
    steps:
      # Single scan for both vulnerabilities and dependencies
      - id: scan
        if: inputs.skip_scan != true
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: 'ghcr.io/serversideup/docker-ssh'
          format: 'github'
          output: 'trivy-results.json'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          hide-progress: true

      - name: Upload trivy report as a Github artifact
        uses: actions/upload-artifact@v4
        with:
          name: trivy-sbom-report
          path: '${{ github.workspace }}/dependency-results.sbom.json'
          retention-days: 20
      
      # Parse results to set has_vulnerabilities (for workflow control)
      - if: inputs.skip_scan != true
        id: parse
        shell: bash
        run: |
          if [ -f trivy-results.json ]; then
            VULN_COUNT=$(jq -r '.vulnerabilities | length // 0' trivy-results.json)
            if [ "${VULN_COUNT:-0}" -gt 0 ]; then
              echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
            else
              echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
            fi
          else
            echo "Error: trivy-results.json not found"
            echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
            exit 1
          fi

  get-latest-release:
    runs-on: ubuntu-24.04
    outputs:
      release_version: ${{ steps.get-version.outputs.release_version }}
    steps:
      - name: Get Latest Release
        id: get-version
        run: |
          LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
          echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"

  build-security-updates:
    needs: [scan-vulnerabilities, get-latest-release]
    if: needs.scan-vulnerabilities.outputs.has_vulnerabilities == 'true'
    uses: ./.github/workflows/service_docker-build-and-publish.yml
    secrets: inherit
    with:
      release_type: 'security'
      ref_type: 'tag'
      version: "${{ needs.get-latest-release.outputs.release_version }}"

  notify:
    needs: [build-security-updates]
    runs-on: ubuntu-24.04
    if: always()
    steps:
      - name: Notify on success
        if: needs.build-security-updates.result == 'success'
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.name,
              title: '🔒 Security updates applied',
              body: 'Security updates were automatically applied to the latest images.'
            })