Merge pull request #1 from numerique-gouv/add-ci

[CI] Add docker build
numerique-gouv · Apr 30, 2024 · 857e37e · 857e37e
2 parents 9c4b35e + 1481995
commit 857e37e
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 1 deletion.
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
@@ -0,0 +1,62 @@
+name: Docker Hub Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  DOCKER_USER: 1001:127
+
+jobs:
+  build-and-push-backend:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - dockerfile: dockerfiles/goofys/Dockerfile
+            image: lasuite/goofys
+            path: dockerfiles/goofys
+            cmd_version: "echo \"VERSION=$( awk '/VERSION/  {print substr($3, 2)}' dockerfiles/goofys/Dockerfile)\" >> $GITHUB_ENV"
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      - 
+        name: Read version
+        run: ${{ matrix.cmd_version }}
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ matrix.image }}
+          tags: |
+            type=pep440,pattern={{version}},value=${{ env.VERSION }}
+      -
+        name: Load sops secrets
+        uses: rouja/actions-sops@main
+        with:
+          secret-file: .github/workflows/secrets.enc.env
+          age-key: ${{ secrets.SOPS_PRIVATE }}
+      -
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+      -
+        name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.path }}
+          file: ${{ matrix.dockerfile }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
diff --git a/.github/workflows/secrets.enc.env b/.github/workflows/secrets.enc.env
@@ -0,0 +1,11 @@
+SOPS_PRIVATE=ENC[AES256_GCM,data:dnmMX41o1puCyAdtURv1O63zi23MJfATLDL+Os3QJS5jemm6rEa5g3Yrm19U+WOVKpNA8gTU1OXen1JbLgvjQLzSlbIbXWushDg=,iv:AsWQ3VsFw8LsreGx9VxvDhaeCQS3sSw7yebdDEmjNvc=,tag:XhOAwuIe8jEshXo9T1ghLA==,type:str]
+DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:cl8ULZC2/AYeDN8=,iv:ZnokC118+ECokaIbNOU1YVFkWkxkGPUpBCx9iYsncWE=,tag:KlZ4EBB4iwMcZBFLhm0R8g==,type:str]
+DOCKER_HUB_USER=ENC[AES256_GCM,data:Jnf+l4GWmQ==,iv:OWvqUFg2wvCRH8/OJ/HBeE7WCEOdWqe1q9NEKsJJdzI=,tag:K6XzPXQ4U1oYd65eXn0Y8A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZml0NlpIYllrZ20vN1Fl\ncUpRSERpNzhQMWFnT0ZibGV5cC9ueXcyMHlVCnpxY3BxbmNLNXpaVW9odkNLUjNR\nMnNvNmZ1WXcreThOZUtoVEdGNStTSDAKLS0tIFdETXo4ekVJSEJDeXFpWnZMVkFW\ncDFxZEg0VUswOGVJRmlIRmhoeTF1TEEKMWTYcmopAk1DDrB48r3VMdSbhbIiAIcv\nezr3p1TlnyddN7mCJQDwxYdiIc/fo3KGzmh+NxCuG7N2+M48YKIr9g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ1dOcXp0Q2hiaW1hYm1W\nN3ZlR2hjbVphclU2MDViNjJFWmx3cHlDaGx3CitSMlBZRWJFQlZSL2RTNjNJNDlH\nZXVtUmxqbUIxY0IrVGZaTmxlc2N6VUEKLS0tIDJjOWp5OXdKcUMxSmZYRUI0ck9G\ndUFNMk9aRFlKVGVMYm5zcTAyTFAvTncKtreq0BMHA11PRV7LXTvGdEx47C+CfbM1\ng9QhopVofsKYqnwFblcRIL31XiiGIBRNo9mskZcNauY87axQYj22ZQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1lj633f3hmscvy0nsewqej8k3jrk9wkhrgw4lafx0p9748ncvjs3qkvdd3d
+sops_lastmodified=2024-04-30T08:20:26Z
+sops_mac=ENC[AES256_GCM,data:49O5/5tbLVOAgZQITlKdD6kdGb7k8AMU25NIQEX/h96uLbsld9OK6R55pZet318sD/vbT38Kr+GZ50arZKiFCxqkQ51CdNWnmnXLOrpkDYiBTC6oL4F3SruQyK5iHXg1gxMWOGwT2kaFnqejltx5ksIexJdz9D+E8rLi38+fogE=,iv:H/m/xY3L/mvYWA36dzh6EQWC3+UcySzwf1JbqY+ueXI=,tag:ePRjHn0hmOPO2l3/K6GSJw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1
diff --git a/.sops.yaml b/.sops.yaml
@@ -0,0 +1,7 @@
+creation_rules:
+  # Using a single-key group to be able to use per-key comments,
+  # see https://github.com/getsops/sops/issues/845#issuecomment-1364109772
+  - key_groups:
+    - age:
+      - age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x # jacques
+      - age1lj633f3hmscvy0nsewqej8k3jrk9wkhrgw4lafx0p9748ncvjs3qkvdd3d # github
diff --git a/dockerfiles/goofys/Dockerfile b/dockerfiles/goofys/Dockerfile
@@ -1,5 +1,6 @@
 FROM golang:1.22.2
 
+ENV VERSION v0.24.0
 
 RUN apt update ;\
   apt install -y git fuse ;\
@@ -8,7 +9,7 @@ RUN apt update ;\
   go get github.com/kahing/goofys ;\
   go install github.com/kahing/goofys ;\
   curl -sSL -o /usr/local/bin/catfs \
-  https://github.com/kahing/catfs/releases/download/v0.8.0/catfs ;\
+  https://github.com/kahing/catfs/releases/download/v0.9.0/catfs ;\
   chmod +x /usr/local/bin/catfs
 
 ARG ENDPOINT

diff --git a/scripts/install-hooks.sh b/scripts/install-hooks.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+mkdir -p "$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/"
+PRE_COMMIT_FILE="$(dirname -- "${BASH_SOURCE[0]}")/../.git/hooks/pre-commit"
+
+cat <<'EOF' >$PRE_COMMIT_FILE
+#!/bin/bash
+
+# directories containing potential secrets
+DIRS="."
+
+bold=$(tput bold)
+normal=$(tput sgr0)
+
+# allow to read user input, assigns stdin to keyboard
+exec </dev/tty
+
+for d in $DIRS; do
+	# find files containing secrets that should be encrypted
+	for f in $(find "${d}" -type f -regex ".*\.enc\..*"); do
+		if ! $(grep -q "unencrypted_suffix" $f); then
+			printf '\xF0\x9F\x92\xA5 '
+			echo "File $f has non encrypted secrets!"
+			exit 1
+		fi
+	done
+done
+EOF
+
+chmod +x $PRE_COMMIT_FILE
diff --git a/scripts/updatekeys.sh b/scripts/updatekeys.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+find . -name "*.enc.*" -exec sops updatekeys -y {} \;