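---
# Builds the development container from the artifacts produced by the
# "Build, test, security" run on `dev`, pushes it to Docker Hub, then scans the
# pushed image with Trivy and uploads the findings to the GitHub Security tab.
name: Create and release development container

on:  # yamllint disable-line rule:truthy
  workflow_run:
    workflows: ["Build, test, security"]
    types:
      - completed
    branches:
      - dev

jobs:
  Create-and-release-dev-container:
    name: Build the dev docker container image and push it to dockerhub
    runs-on: ubuntu-latest
    # `completed` also fires for failed and cancelled runs; without this guard
    # the artifacts of a broken build would still be packaged and pushed as
    # `:latest`.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    # Nothing in this job writes to the repository, so keep the job token
    # read-only instead of inheriting the repository default.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: dawidd6/action-download-artifact@v6
        with:
          # NOTE(review): a stored personal token is used here; for artifacts
          # of the same repository the job's GITHUB_TOKEN is normally enough —
          # confirm whether the broader token is really required.
          github_token: ${{ secrets.TOKEN_GITHUB }}
          run_id: ${{ github.event.workflow_run.id }}
          name: dev-build-files
          path: ./build
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          push: true
          context: .
          file: ./docker/dev/Dockerfile
          # Keep the mutable `latest` tag, and also tag the image with the
          # commit that produced the artifacts so the scan below can target
          # exactly this build rather than whatever `latest` resolves to at
          # scan time.
          tags: |
            ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:latest
            ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:${{ github.event.workflow_run.head_sha }}

  Test-Trivy:
    name: Scan development docker container with trivy
    runs-on: ubuntu-latest
    needs: Create-and-release-dev-container
    permissions:
      security-events: write
    steps:
      - name: Run Trivy vulnerability scanner
        # NOTE(review): `@master` is a mutable ref, so the scanner code can
        # change underneath this workflow; pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          # Scan the immutable per-commit tag pushed by the previous job.
          image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:${{ github.event.workflow_run.head_sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          # exit-code 0: findings are reported to the Security tab but never
          # fail this job; set it to 1 (optionally with `severity`) to gate
          # the release on them.
          exit-code: 0
          # Only findings that already have a fixed version are reported.
          ignore-unfixed: true
      - name: Upload Trivy scan results to GitHub Security tab
        # NOTE(review): the v2 line of codeql-action is deprecated upstream;
        # plan the move to the current major version.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
          # In a workflow_run-triggered workflow, github.sha and github.ref
          # refer to the default branch, not to the `dev` commit that was
          # built and scanned; attribute the results to the triggering run's
          # head commit so they show up on the right commit and branch.
          sha: ${{ github.event.workflow_run.head_sha }}
          ref: refs/heads/${{ github.event.workflow_run.head_branch }}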