fok666 · fok666 · Jan 4, 2026 · Jan 4, 2026 · Jan 4, 2026 · Jan 4, 2026
diff --git a/.github/workflows/docker-automate.yaml b/.github/workflows/docker-automate.yaml
@@ -25,7 +25,7 @@ jobs:
         logMessage: |
           Build process begins
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Build the Docker image
       run: docker build . --file Dockerfile --build-arg AGENT_VERSION=${{ inputs.agent_version }} --tag fok666/azuredevops:$(date +%s) --tag fok666/azuredevops:latest
 
@@ -55,7 +55,7 @@ jobs:
             Post-build actions started.
 
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -1,50 +1,180 @@
 name: Docker Image CI
+
 on:
   push:
     branches: [ main ]
     paths-ignore:
       - '**/*.md'
-      - '**/*.y?ml'
   pull_request:
     branches: [ main ]
     paths-ignore:
       - '**/*.md'
-      - '**/*.y?ml'
+
+env:
+  REGISTRY_IMAGE: fok666/github-runner
+  GHCR_IMAGE: ghcr.io/${{ github.repository }}
 
 jobs:
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY_IMAGE }}
+            ${{ env.GHCR_IMAGE }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,prefix={{branch}}-
+
+      - name: Get the date
+        id: date
+        run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+
+      - name: Extract branch name
+        id: extract_branch
+        shell: bash
+        run: |
+          ref="${GITHUB_REF#refs/heads/}"
+          ref="${ref#refs/pull/}"
+          ref="${ref//\//-}"
+          echo "branch=$ref" >> $GITHUB_OUTPUT
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          tags: ${{ env.REGISTRY_IMAGE }}:test
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          outputs: type=docker,dest=/tmp/image.tar
 
-  build:
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp/image.tar
+          retention-days: 1
 
+  security-scan:
+    name: Security Scan
     runs-on: ubuntu-latest
+    needs: build-and-test
+
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+
+      - name: Load Docker image
+        run: docker load --input /tmp/image.tar
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY_IMAGE }}:test
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Run Trivy vulnerability scanner (table output)
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY_IMAGE }}:test
+          format: 'table'
+          exit-code: '0'
+          severity: 'CRITICAL,HIGH'
+
+  test:
+    name: Test Image
+    runs-on: ubuntu-latest
+    needs: build-and-test
+
     steps:
-    - uses: actions/checkout@v4.1.7
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag fok666/github-runner:$(date +%s) --tag fok666/github-runner:latest
+      - name: Check out the repo
+        uses: actions/checkout@v6
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+
+      - name: Load Docker image
+        run: docker load --input /tmp/image.tar
 
-  push_to_registry:
+      - name: Test image runs
+        run: |
+          docker run --rm --entrypoint /bin/sh ${{ env.REGISTRY_IMAGE }}:test -c "echo 'Container starts successfully'"
 
-    name: Push Docker image to Docker Hub
+      - name: Run test-tools.sh if exists
+        run: |
+          if [ -f ./test-tools.sh ]; then
+            chmod +x ./test-tools.sh
+            ./test-tools.sh
+          else
+            echo "No test-tools.sh found, skipping"
+          fi
+
+  push:
+    name: Push to Registries
     runs-on: ubuntu-latest
+    needs: [build-and-test, security-scan, test]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4.1.7
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3.2.0
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5.5.1
+        uses: docker/metadata-action@v5
         with:
-          images: fok666/github-runner
+          images: |
+            ${{ env.REGISTRY_IMAGE }}
+            ${{ env.GHCR_IMAGE }}
 
       - name: Get the date
         id: date
-        run: echo "::set-output name=date::$(date +'%Y%m%d')"
+        run: echo "date=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
 
       - name: Extract branch name
         id: extract_branch
@@ -56,10 +186,36 @@ jobs:
           echo "branch=$ref" >> $GITHUB_OUTPUT
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6.3.0
+        id: build-push
+        uses: docker/build-push-action@v6
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: true
-          tags: fok666/github-runner:${{ steps.extract_branch.outputs.branch }}-${{ steps.date.outputs.date }}, fok666/github-runner:${{ steps.extract_branch.outputs.branch }}-latest, fok666/github-runner:latest
+          tags: |
+            ${{ env.REGISTRY_IMAGE }}:${{ steps.extract_branch.outputs.branch }}-${{ steps.date.outputs.date }}
+            ${{ env.REGISTRY_IMAGE }}:${{ steps.extract_branch.outputs.branch }}-latest
+            ${{ env.REGISTRY_IMAGE }}:latest
+            ${{ env.GHCR_IMAGE }}:${{ steps.extract_branch.outputs.branch }}-${{ steps.date.outputs.date }}
+            ${{ env.GHCR_IMAGE }}:${{ steps.extract_branch.outputs.branch }}-latest
+            ${{ env.GHCR_IMAGE }}:latest
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          sbom: true
+          provenance: true
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY_IMAGE }}:latest
+          format: spdx-json
+          output-file: sbom-spdx.json
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom-spdx.json
+          retention-days: 30