diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 0136992e..cd743a6f 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -1,4 +1,5 @@
 name: Docker Hub Workflow
+run-name: Docker Hub Workflow
 on:
 workflow_dispatch:
@@ -48,9 +49,15 @@ jobs:
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
 run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+ -
+ name: Run trivy scan
+ uses: numerique-gouv/action-trivy-cache@main
+ with:
+ docker-build-args: '--target backend-production -f Dockerfile'
+ docker-image-name: 'docker.io/lasuite/meet-backend:${{ github.sha }}'
 -
 name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 context: .
 target: backend-production
@@ -92,9 +99,15 @@ jobs:
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
 run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+ -
+ name: Run trivy scan
+ uses: numerique-gouv/action-trivy-cache@main
+ with:
+ docker-build-args: '-f src/frontend/Dockerfile --target frontend-production'
+ docker-image-name: 'docker.io/lasuite/meet-frontend:${{ github.sha }}'
 -
 name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 context: .
 file: ./src/frontend/Dockerfile
diff --git a/Dockerfile b/Dockerfile
index 7785dc7d..4d367e7b 100644
--- a/Dockerfile
+++ b/Dockerfile
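Review bot: `uses: numerique-gouv/action-trivy-cache@main` in the new scan step (and the identical step in the frontend job at `@@ -92`) tracks a mutable branch, so each run executes whatever that branch holds at the time, and it does so immediately after `docker login` has written the Docker Hub credentials into the runner's Docker config. Pin the action to a full commit SHA, e.g. `uses: numerique-gouv/action-trivy-cache@<full-commit-sha> # <tag>` (placeholder values), and consider ordering the scan step before the login step so the scan runs with no registry credentials in scope. The `docker/build-push-action@v6` bump stays on a major-version tag; pinning both steps the same way keeps the job's supply-chain posture consistent.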
@@ -1,15 +1,14 @@
 # Django Meet
 # ---- base image to inherit from ----
-FROM python:3.10-slim-bullseye as base
+FROM python:3.12.6-alpine3.20 as base
 # Upgrade pip to its latest release to speed up dependencies installation
-RUN python -m pip install --upgrade pip
+RUN python -m pip install --upgrade pip setuptools
 # Upgrade system packages to install security updates
-RUN apt-get update && \
- apt-get -y upgrade && \
- rm -rf /var/lib/apt/lists/*
+RUN apk update && \
+ apk upgrade
 # ---- Back-end builder image ----
 FROM base as back-builder
@@ -38,12 +37,9 @@ RUN yarn install --frozen-lockfile && \
 FROM base as link-collector
 ARG MEET_STATIC_ROOT=/data/static
-# Install libpangocairo & rdfind
-RUN apt-get update && \
- apt-get install -y \
- libpangocairo-1.0-0 \
- rdfind && \
- rm -rf /var/lib/apt/lists/*
+RUN apk add \
+ pango \
+ rdfind
 # Copy installed python dependencies
 COPY --from=back-builder /install /usr/local
@@ -66,17 +62,14 @@ FROM base as core
 ENV PYTHONUNBUFFERED=1
-# Install required system libs
-RUN apt-get update && \
- apt-get install -y \
- gettext \
- libcairo2 \
- libffi-dev \
- libgdk-pixbuf2.0-0 \
- libpango-1.0-0 \
- libpangocairo-1.0-0 \
- shared-mime-info && \
- rm -rf /var/lib/apt/lists/*
+RUN apk add \
+ gettext \
+ cairo \
+ libffi-dev \
+ gdk-pixbuf \
+ pango \
+ shared-mime-info
+
 # Copy entrypoint
 COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
@@ -106,9 +99,7 @@ FROM core as backend-development
 USER root:root
 # Install psql
-RUN apt-get update && \
- apt-get install -y postgresql-client && \
- rm -rf /var/lib/apt/lists/*
+RUN apk add postgresql-client
 # Uninstall Meet and re-install it in editable mode along with development
 # dependencies
diff --git a/src/frontend/Dockerfile b/src/frontend/Dockerfile
index d2f105c5..cef393c7 100644
--- a/src/frontend/Dockerfile
+++ b/src/frontend/Dockerfile
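Review bot: `RUN apk update && \ apk upgrade` in the base stage leaves the fetched package index under `/var/cache/apk/` inside the layer, and the separate `apk update` adds nothing that the no-cache form does not already do; `RUN apk upgrade --no-cache` is the one-step equivalent. The new `FROM python:3.12.6-alpine3.20 as base` pins the patch version but not the digest, and together with the floating `apk upgrade` two builds of the same Dockerfile can still produce different images; if reproducibility matters here, add a digest (`FROM python:3.12.6-alpine3.20@sha256:<digest> AS base`, placeholder) and pick up security fixes by bumping it. `as` is also lowercase while Docker's `FromAsCasing` build check expects it to match the case of `FROM`.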
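Review bot: `RUN apk add \ pango \ rdfind` in the link-collector stage runs without `--no-cache` and without version pins, so the package index is kept in the layer and the installed versions float between builds; the same applies to the `apk add` blocks at `@@ -66` (core) and `@@ -106` (backend-development). Use `RUN apk add --no-cache \ pango \ rdfind` and add the same flag to the other two blocks; where hadolint DL3018 matters to the project, pin as `pkg=version-rN`. Unlike the removed apt lines there is no `rm -rf` cleanup to carry over, so `--no-cache` is the whole fix.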
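Review bot: the core stage's new `RUN apk add` block carries `libffi-dev` into what appears to be the runtime image; a `-dev` package ships headers and build metadata, and if this stage only consumes the dependencies already built in `back-builder` (that copy is outside this hunk), the shared library `libffi` is all that is needed at runtime — worth confirming before swapping it. The commit also drops `# Install required system libs` and `# Install libpangocairo & rdfind` without replacements; a one-line `# Runtime libraries for the cairo/pango rendering stack, gettext and the shared MIME database` above the block would keep the intent readable now that the Alpine package names are terser than the Debian ones. The move from a Debian base to musl-based Alpine may also make pip compile packages that previously installed as prebuilt wheels; that happens in the builder stage outside this diff, so it cannot be checked here.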
@@ -32,12 +32,13 @@ WORKDIR /home/frontend
 RUN npm run build
 # ---- Front-end image ----
-FROM nginxinc/nginx-unprivileged:1.25 as frontend-production
+FROM nginxinc/nginx-unprivileged:1.26-alpine as frontend-production
 # Un-privileged user running the application
 ARG DOCKER_USER
 USER ${DOCKER_USER}
+
 COPY --from=meet-builder \
 /home/frontend/dist \
 /usr/share/nginx/html