Build and push images with Github Actions to DockerHub

[jacksgt]

Build and push (5.x) images with Github Actions to DockerHub.
4.x and 3.x images can be added by creating another workflow for them.
Also, as the comments indicate, the images can easily be pushed to both DockerHub and GHCR (from the same build).

References:

• https://docs.github.com/en/actions/guides/publishing-docker-images
• https://github.com/docker/build-push-action/blob/master/docs/advanced/tags-labels.md
• https://github.com/docker/metadata-action
• https://github.com/marketplace/actions/docker-login

Note: docker / buildx does not support '+' in the image tag name.

invalid tag "martialblog/limesurvey:0.0.0+test5-apache": invalid
reference format

Use underscores instead, like the images already have on Dockerhub

• Fixes Limesurvey 5 images on docker hub? #66

[jacksgt]

@martialblog Please add your DockerHub username and password as "secrets" to the Github repository. Then you can test the "Login to DockerHub" step and enable the "push: true" option. Feel free to push directly on this branch.

[martialblog]

@jacksgt 🥇 MVP Award

I just added an access token as env secret. Not sure about the namespace yet, haven't workend too much with GitHub Actions. We can change that later.

[martialblog]

The 3.* is LTS so we need that. 4.* is replaces by 5.* completely as far as I known

[martialblog]

What I currently imagine for the CI is this:

• hadolint runs on all branches/PR
• Images are build on all branches/PR
• Container structure tests on all branches/PR
• Trivy Scan on Tags (report as artifact)
• Push on Tags

[jacksgt]

What I currently imagine for the CI is this:

* hadolint runs on all branches/PR

* Images are build on all branches/PR

* Container structure tests on all branches/PR

* Trivy Scan on Tags (report as artifact)

* Push on Tags

Yes, I think that sounds good and feasible.
This could also utilize an external build cache for the image build, see docker-build action.
We should create a new issue for that, such that we don't have too much scope-creep in this PR.

[jacksgt]

Okay, I think we are ready to go here. I squashed the commits and cleaned up the TODOs.
@martialblog are you fine with creating a '5.0.3+210609_test' tag to perform a complete integration test?
(Until now the images have not been pushed to DockerHub).

[martialblog]

Yeah sure, we can just delete it afterwards

[martialblog]

I agree on the scope-creep, but before we merge... can be set this up so that the build phase and the push phase are two workflows. That way be can plug in the structure-tests and cve-scans later

[jacksgt]

Hooraayy!

FYI @martialblog Images will now need to be tagged like 5.0.3-BUILD (note the dash). Docker tags don't support + (which is valid semver) and when you use _ then the metadata GH action step will complain because that's not valid semver ...
So, need to use -.

moby/moby#16304

[martialblog]

That's ok, we just need to update the README accordingly