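---
# Manually triggered Trivy scan (vulnerabilities, misconfigurations, secrets)
# of an already published container image; the report is appended to the
# job's step summary.
name: release-tag

on:
  workflow_dispatch:  # manual trigger of the workflow
    inputs:
      image_tag:
        description: 'Tag für das zu scannende Docker-Image z.B. latest'
        required: true
        default: 'latest'

# Least privilege: none of the steps below uses GITHUB_TOKEN, and writing the
# step summary needs no token permission, so restrict the default token to
# read access.
permissions:
  contents: read

env:
  # Quoted so the digit-leading name is always read as a string.
  image_name: '404_games'
  # Hostname of the registry the image is pulled from.
  registry: gitea.tebarius.duckdns.org
  user: tebarius

jobs:
  release-image:
    runs-on: ubuntu-latest
    steps:
      - name: Scan image with trivy
        # TODO(review): pin to the full commit SHA behind 0.33.1 so a moved
        # tag cannot swap the action's code.
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: "${{ env.registry }}/${{ env.user }}/${{ env.image_name }}:${{ github.event.inputs.image_tag }}"
          scan-type: image
          hide-progress: true
          # Only report vulnerabilities for which a fixed version exists.
          ignore-unfixed: true
          severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
          scanners: "vuln,misconfig,secrets"
          # Plain-text report consumed by the summary step below.
          output: trivy.txt
          # NOTE(review): exit-code is not set, so findings never fail the
          # job; the scan reports but does not gate. Set `exit-code: "1"`
          # here (and `if: always()` on the summary step) to block on findings.
        env:
          # Registry pull credentials; the token should only grant pull
          # access to this image.
          TRIVY_USERNAME: "${{ env.user }}"
          TRIVY_PASSWORD: "${{ secrets.DOCKER_PULL_TOKEN }}"

      - name: Publish Trivy Output to Summary
        # Appends the report, when non-empty, to the step summary. The summary
        # is visible to anyone who can view the workflow run, and the
        # `secrets` scanner's findings are part of the report -- confirm that
        # Trivy's masking of matched values is sufficient for this audience.
        run: |
          if [[ -s trivy.txt ]]; then
            {
              echo "### Security Output"
              echo "<details><summary>Click to expand</summary>"
              echo ""
              echo '```terraform'
              cat trivy.txt
              echo '```'
              echo "</details>"
            } >> "$GITHUB_STEP_SUMMARY"
          fi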