build.yml

name: "Build midaz images"

on:
  pull_request:
    branches:
      - develop
    types:
      - opened
      - edited
      - synchronize
      - reopened

permissions:
  id-token: write
  contents: read
  pull-requests: write

jobs:
  build_and_publish:
    runs-on: ubuntu-24.04
    env:
      DOCKERHUB_ORG: lerianstudio
    strategy:
      matrix:
        app:
          - name: "midaz-onboarding"
            working_dir: "components/onboarding"
          - name: "midaz-transaction"
            working_dir: "components/transaction"

    name: Build And Publish Docker Image to Midaz
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: "${{ secrets.DOCKER_USERNAME }}"
          password: "${{ secrets.DOCKER_PASSWORD }}"

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKERHUB_ORG }}/${{ matrix.app.name }}
          tags: |
            type=semver,pattern={{version}}
            type=ref,event=branch,suffix=-${{ github.sha }}

      - name: Build and Push Docker image (Multi-Arch)
        uses: docker/build-push-action@v5
        with:
          file: ${{ matrix.app.working_dir }}/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}

      - name: Extract tag name
        shell: bash
        run: echo "tag=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
        id: extract_tag

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.DOCKERHUB_ORG }}/${{ matrix.app.name }}:${{ steps.extract_tag.outputs.tag }}'
          format: 'table'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'