Publish images to 4.x and 4.x-rootless tags #56

	name: "Publish images to 4.x and 4.x-rootless tags"

	on:
	workflow_dispatch:
	inputs:
	image_tag:
	description: Image tag on dockerhub to promote to the puppet-dev-tools 4.x image tag (ie. 2021-06-29-da6666a)
	required: true
	image_tag_rootless:
	description: Image tag on dockerhub to promote to the puppet-dev-tools 4.x-rootless image tag (ie. 2021-06-29-da6666a-rootless)
	required: true

	jobs:
	publish-4x-image:
	runs-on: ubuntu-latest
	env:
	IMAGE_BASE: "${{ secrets.DOCKERHUB_PUSH_USERNAME }}/puppet-dev-tools"
	steps:
	- name: Login to Docker Hub
	run: echo ${{ secrets.DOCKERHUB_PASSWORD }} \| docker login -u ${{ secrets.DOCKERHUB_LOGIN_USERNAME }} --password-stdin
	- name: Pull image
	env:
	IMAGE_TAG: ${{ github.event.inputs.image_tag }}
	run: \|
	docker pull ${IMAGE_BASE}:${IMAGE_TAG}
	- name: Trivy scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ env.IMAGE_BASE }}:${{ github.event.inputs.image_tag }}
	exit-code: 1
	ignore-unfixed: true
	severity: 'CRITICAL,HIGH,MEDIUM'
	vuln-type: os
	timeout: 10m0s
	skip-files: "/root/.pdk/cache/ruby//gems/aws-sdk-core-/lib/aws-sdk-ssooidc/client.rb"
	- name: Publish standard image to 4.x
	env:
	IMAGE_TAG: ${{ github.event.inputs.image_tag }}
	run: \|
	docker tag ${IMAGE_BASE}:${IMAGE_TAG} ${IMAGE_BASE}:4.x
	docker push ${IMAGE_BASE}:4.x
	- name: Publish rootless image to 4.x-rootless
	env:
	IMAGE_TAG: ${{ github.event.inputs.image_tag_rootless }}
	run: \|
	docker pull ${IMAGE_BASE}:${IMAGE_TAG}
	docker tag ${IMAGE_BASE}:${IMAGE_TAG} ${IMAGE_BASE}:4.x-rootless
	docker push ${IMAGE_BASE}:4.x-rootless

Provide feedback