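---
# Builds the ubi9 image with Buildah, pushes it to quay.io, then scans the
# pushed tag with roxctl against an RHACS Central instance.
name: Secure image build

# Manual trigger only.
on: workflow_dispatch

# Workflow-wide default: read-only repository access. A job that needs more
# declares its own permissions block.
permissions:
  contents: read

jobs:
  build-and-push-image:
    name: Build and push image
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action in this workflow is referenced by a mutable
      # major-version tag. Pinning each to a full commit SHA keeps a retagged
      # release from changing what runs with the registry credentials.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build image
        uses: redhat-actions/buildah-build@v2
        with:
          image: quay.io/rh_ee_jablair/ubi9
          tags: v0.0.1
          containerfiles: |
            ./2024-08-28-rhacs-actions-pipeline/Containerfile

      # NOTE(review): the build step names the image with its full registry
      # path while this step passes the short name plus `registry`; confirm
      # the push resolves to the image built above.
      - name: Push to quay.io
        uses: redhat-actions/push-to-registry@v2
        with:
          image: ubi9
          tags: v0.0.1
          registry: quay.io/rh_ee_jablair
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

  scan-image:
    # Jobs run in parallel unless ordered. Without this dependency the scan
    # can start before v0.0.1 is pushed and inspect a stale or missing tag.
    needs: build-and-push-image
    runs-on: ubuntu-latest
    # central-login authenticates with a GitHub OIDC token, which is only
    # issued when id-token: write is granted. Job-level permissions replace
    # the workflow default, so this job holds no other scope.
    permissions:
      id-token: write
    steps:
      # NOTE(review): nothing in this workflow defines CENTRAL_ENDPOINT, so
      # env.CENTRAL_ENDPOINT is empty here unless it is set elsewhere; add an
      # `env:` entry sourced from a repository variable or secret.
      - name: Rhacs login
        uses: stackrox/central-login@v1
        with:
          endpoint: ${{ env.CENTRAL_ENDPOINT }}

      # ROX_API_TOKEN is not set in this file; presumably the login step
      # exports it for later steps - confirm.
      - name: Install roxctl
        uses: stackrox/roxctl-installer-action@v1
        with:
          central-endpoint: ${{ env.CENTRAL_ENDPOINT }}
          central-token: ${{ env.ROX_API_TOKEN }}

      # The scan runs after the push, so it reports on an image that is
      # already published rather than blocking publication.
      # NOTE(review): if this job should fail on policy violations,
      # `roxctl image check` evaluates build-time policies.
      - name: Scan image with roxctl
        shell: bash
        run: |
          roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1"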