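---
# Scans the website image for known CVEs with Trivy. The scanner runs on the
# target host over SSH, because the image sits in that host's local image
# store (localhost/...) and is not reachable from the runner itself.
name: Scan Image for CVEs

on:
  push:
    branches:
      - main
      - develop

env:
  # Global: non-sensitive, structural values only. The SSH secrets are scoped
  # to the single step that writes them (below) instead of to the whole job,
  # so no other step inherits them in its environment.
  # NOTE(review): host.containers.internal is a container-side alias for the
  # host running the container; it only resolves if the runner itself runs in
  # a container on that host, not on a GitHub-hosted ubuntu-latest VM — confirm.
  TARGET_HOST: host.containers.internal
  TARGET_USER: traefik
  CONTAINER_NAME: localhost/valtrix-website

jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      # The ssh call below reads ~/.ssh/id_ed25519 and ~/.ssh/known_hosts, so
      # both files have to exist on the runner first. Previously the secrets
      # were only exported as env vars and never written anywhere, which made
      # the later `ssh -i ~/.ssh/id_ed25519` fail on a fresh runner.
      - name: Install SSH credentials
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          # umask 077 makes the directory and both files owner-only from the
          # moment they are created; ssh refuses a key with wider permissions.
          umask 077
          mkdir -p ~/.ssh
          # printf instead of echo: the key material must be written verbatim
          # and end with exactly one newline.
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts

      - name: Scan image on target host
        shell: bash
        run: |
          # StrictHostKeyChecking=yes: the host key must match the known_hosts
          # entry written above; an unknown or changed key aborts the job
          # instead of being accepted non-interactively.
          #
          # Quoting inside the remote script: $CONTAINER_NAME (unescaped)
          # expands on the runner and is baked into the script as a literal;
          # \$CONTAINER_NAME is passed through and expands on the target host.
          # The stray "'" that previously followed the echo left the remote
          # script with an unterminated single-quoted string.
          #
          # NOTE(review): trivy exits 0 regardless of findings unless
          # --exit-code is given, so this step reports but does not gate.
          ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes \
            "$TARGET_USER@$TARGET_HOST" "
            set -euo pipefail
            export CONTAINER_NAME='$CONTAINER_NAME'
            echo 'Start Trivy Scan: '\$CONTAINER_NAME
            trivy image \$CONTAINER_NAME:latest
          "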