Merge branch 'main' into message

mathieu-benoit · Oct 5, 2023 · bd9a6ce · bd9a6ce
2 parents 602c54c + 6d3ef4f
commit bd9a6ce
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 26 deletions.
diff --git a/.github/workflows/close-pr.yml b/.github/workflows/close-pr.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout humctl bin
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: delete humanitec env
         run: |
           .github/workflows/bin/humctl delete env ${{ env.ENVIRONMENT_ID }} \

diff --git a/.github/workflows/open-pr.yml b/.github/workflows/open-pr.yml
@@ -13,12 +13,13 @@ env:
   SCORE_COMPOSE_VERSION: 'latest'
   SCORE_HELM_VERSION: 'latest'
   SCORE_HUMANITEC_VERSION: 'latest'
+  WORKLOAD_NAME: my-sample-app
 jobs:
   build-run-test-push:
     runs-on: ubuntu-latest
     steps:
       - name: checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: install score-compose
         uses: score-spec/setup-score@v2
         with:
@@ -30,10 +31,10 @@ jobs:
           score-compose run \
               --build app/ \
               -f score/score.yaml \
-              -o ${{ vars.APP_NAME }}-compose.yaml
+              -o ${{ env.WORKLOAD_NAME }}-compose.yaml
           cat <<EOF > base-compose.yaml
           services:
-            my-sample-app:
+            ${{ env.WORKLOAD_NAME }}:
               image: ${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }}
               read_only: true
               cap_drop:
@@ -43,9 +44,10 @@ jobs:
       - name: build & run container
         run: |
           docker compose \
-              -f ${{ vars.APP_NAME }}-compose.yaml \
+              -f ${{ env.WORKLOAD_NAME }}-compose.yaml \
               -f base-compose.yaml \
               up \
+              --build \
               -d \
               --wait \
               --wait-timeout 30
@@ -70,30 +72,30 @@ jobs:
         run: |
           score-helm run \
               -f score/score.yaml \
-              -o ${{ vars.APP_NAME }}-values.yaml
+              -o ${{ env.WORKLOAD_NAME }}-values.yaml
       - name: helm install
         id: helm-install
         run: |
           helm repo add \
               score-helm-charts \
               https://score-spec.github.io/score-helm-charts
           helm install \
-              ${{ vars.APP_NAME }} \
+              ${{ env.WORKLOAD_NAME }} \
               score-helm-charts/workload \
-              --values ${{ vars.APP_NAME }}-values.yaml \
-              --set containers.${{ vars.APP_NAME }}.image.name=${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }} \
+              --values ${{ env.WORKLOAD_NAME }}-values.yaml \
+              --set containers.${{ env.WORKLOAD_NAME }}.image.name=${{ env.IMAGE_NAME }}:${{ env.ENVIRONMENT_ID }} \
               --wait \
               --timeout=30s
           kubectl wait \
               --for=condition=available \
               --timeout=30s \
-              deployment/${{ vars.APP_NAME }}
+              deployment/${{ env.WORKLOAD_NAME }}
       - name: catch helm install errors
         if: ${{ failure() && steps.helm-install.outcome == 'failure' }}
         run: |
           kubectl get events
           kubectl logs \
-              -l app.kubernetes.io/name=${{ vars.APP_NAME }}
+              -l app.kubernetes.io/name=${{ env.WORKLOAD_NAME }}
       - name: authenticate to google cloud
         uses: google-github-actions/auth@v1
         with:
@@ -128,7 +130,7 @@ jobs:
       ENVIRONMENT_NAME: PR-${{ github.event.number }}
     steps:
       - name: checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: create humanitec preview env
         run: |
           .github/workflows/bin/humctl create environment ${{ env.ENVIRONMENT_ID }} \
@@ -175,7 +177,7 @@ jobs:
               -f score/score.yaml \
               --extensions score/humanitec.score.yaml \
               --message "$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "${{ github.event.pull_request.commits_url }}?per_page=100" | jq -r .[-1].commit.message)" \
-              --property containers.${{ vars.APP_NAME }}.image=${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
+              --property containers.${{ env.WORKLOAD_NAME }}.image=${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
               | tee score_output.json
       - name: wait for deployment
         run: |

diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
@@ -11,15 +11,16 @@ on:
       - 'v*'
 env:
   IMAGE_TAG: ${{ github.ref_name }}
-  IMAGE_NAME: ${{ secrets.REGISTRY_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REGISTRY_NAME }}/${{ vars.APP_NAME }}
+  IMAGE_NAME: ${{ secrets.REGISTRY_LOCATION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ secrets.REGISTRY_NAME }}/my-sample-app
   ENVIRONMENT_ID: development
   SCORE_HUMANITEC_VERSION: 'latest'
+  WORKLOAD_NAME: my-sample-app
 jobs:
   build-push:
     runs-on: ubuntu-22.04
     steps:
       - name: checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: authenticate to google cloud
         uses: google-github-actions/auth@v1
         with:
@@ -53,16 +54,16 @@ jobs:
         run: |
           docker tag \
               ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
-              ghcr.io/${{ github.repository_owner }}/${{ vars.APP_NAME }}:latest
+              ghcr.io/${{ github.repository_owner }}/${{ env.WORKLOAD_NAME }}:latest
       - name: push container in ghcr
         run: |
           docker push \
-              ghcr.io/${{ github.repository_owner }}/${{ vars.APP_NAME }}:latest
+              ghcr.io/${{ github.repository_owner }}/${{ env.WORKLOAD_NAME }}:latest
   deploy-humanitec:
     needs: build-push
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: create humanitec app
         run: |
           .github/workflows/bin/humctl create app ${{ vars.APP_NAME }} \
@@ -119,7 +120,7 @@ jobs:
               -f score/score.yaml \
               --extensions score/humanitec.score.yaml \
               --message ${{ github.ref_name }} \
-              --property containers.${{ vars.APP_NAME }}.image=${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
+              --property containers.${{ env.WORKLOAD_NAME }}.image=${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} \
               | tee score_output.json
       - name: wait for deployment
         run: |

diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
 # Sail Sharp - Security best practices with .NET Core & Kubernetes
 
+[![push-tag](https://github.com/mathieu-benoit/sail-sharp/actions/workflows/push-tag.yml/badge.svg)](https://github.com/mathieu-benoit/sail-sharp/actions/workflows/push-tag.yml)
+
 Associated blog posts:
 - [Sail Sharp, 8 tips to optimize and secure your .NET containers for Kubernetes](https://medium.com/p/c68ba253844a)
 - [Keyless Google Cloud Authentication to push your containers to Artifact Registry from GitHub Actions](https://medium.com/p/3932dce678b8)

diff --git a/app/Dockerfile b/app/Dockerfile
@@ -1,4 +1,6 @@
-FROM mcr.microsoft.com/dotnet/sdk:7.0.400-alpine3.18@sha256:e3b051cbad561cec1b1ce3586aaf1279aeda72c2416f41c909d293cddf21c011 as builder
+# https://mcr.microsoft.com/product/dotnet/sdk
+FROM mcr.microsoft.com/dotnet/sdk:8.0.100-rc.1-alpine3.18-amd64@sha256:9079dc84e5e8582cedf569c33912d675165a779928453065e9b4b7363ed02089 as builder
+RUN apk add clang build-base zlib-dev
 WORKDIR /app
 COPY my-sample-app.csproj .
 RUN dotnet restore my-sample-app.csproj \
@@ -10,15 +12,15 @@ RUN dotnet publish my-sample-app.csproj \
     -o /my-sample-app \
     --no-restore \
     --self-contained true \
-    -p:PublishSingleFile=true \
     -p:PublishTrimmed=true \
     -p:TrimMode=full
 
-FROM mcr.microsoft.com/dotnet/runtime-deps:7.0.10-alpine3.18@sha256:e86ce2bf9b77a93075dbe03bc5a3ba4eeae93bdfc5415a9354c22ed3504d46a8
+# https://mcr.microsoft.com/product/dotnet/runtime-deps
+FROM mcr.microsoft.com/dotnet/runtime-deps:8.0.0-rc.1-alpine3.18-amd64@sha256:417dd8282260a8229cbe36521ef61a63c16a689141f517419b48d8f8b2f2e684
 WORKDIR /app
 COPY --from=builder /my-sample-app .
 EXPOSE 8080
-ENV ASPNETCORE_URLS=http://*:8080
+ENV ASPNETCORE_HTTP_PORTS=8080
 ENV DOTNET_EnableDiagnostics=0
 USER 1000
 ENTRYPOINT ["/app/my-sample-app"]
diff --git a/app/Program.cs b/app/Program.cs
@@ -1,6 +1,6 @@
 using Microsoft.AspNetCore.Builder;
 
-var builder = WebApplication.CreateBuilder(args);
+var builder = WebApplication.CreateSlimBuilder(args);
 var app = builder.Build();
 
 var message = builder.Configuration["MESSAGE"];

diff --git a/app/my-sample-app.csproj b/app/my-sample-app.csproj
@@ -1,5 +1,9 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
-  </PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <PublishAot>true</PublishAot>
+    <OptimizationPreference>Size</OptimizationPreference>
+    <InvariantGlobalization>true</InvariantGlobalization>
+    <StackTraceSupport>false</StackTraceSupport>
+</PropertyGroup>
 </Project>
diff --git a/score/humanitec.score.yaml b/score/humanitec.score.yaml
@@ -1,2 +1,4 @@
 apiVersion: humanitec.org/v1b1
 profile: humanitec/default-module
+spec:
+  terminationGracePeriodSeconds: 60