- updates ci:test
saxix committed Jun 18, 2024
1 parent 058e23e commit 2f3c00e
Showing 4 changed files with 53 additions and 73 deletions.
2 changes: 0 additions & 2 deletions .github/actions/docker_build/action.yml
Expand Up @@ -114,13 +114,11 @@ runs:
id: build_push
with:
context: .
image: ${{ inputs.image }}
tags: ${{ inputs.image }}
target: ${{ inputs.target }}
file: ./docker/Dockerfile
platforms: linux/amd64
push: true
attestation: false
build-args: |
BUILD_DATE=${{ steps.build_args.outputs.BUILD_DATE }}
CHECKSUM=${{ steps.build_args.outputs.CHECKSUM }}
3 changes: 2 additions & 1 deletion .github/actions/image_meta/action.yml
Expand Up @@ -180,7 +180,8 @@ runs:
if: ${{ inputs.debug == 'true' }}
shell: bash
run: |
echo "::group:: Image Meta for ${{ inputs.image }}"
echo "::group:: summary"
echo "::notice:: Image Meta for ${{ inputs.image }}"
echo "::notice:: ${{ toJSON( steps.check.outputs) }}"
if [[ '${{steps.check.outputs.updated}}' == 'true' ]]; then
echo "::notice::✅ Image is updated "
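Review bot: The two added echo lines interpolate `${{ inputs.image }}` and `${{ toJSON( steps.check.outputs) }}` straight into the bash script, so a quote or shell metacharacter in either value is executed rather than printed; the removed line had the same pattern, but the new lines widen it to the whole outputs object. The usual hardening is to route the values through the step's `env:` (it is not visible in the hunk whether the step already has one) and reference them as shell variables, e.g. `env: { IMAGE: '${{ inputs.image }}', CHECK: '${{ toJSON(steps.check.outputs) }}' }` with `echo "::notice:: Image Meta for $IMAGE"`. Since the step only runs when `inputs.debug == 'true'`, the exposure is limited to debug runs. The enclosing `run:` block continues past the hunk, so whether the `::group::` is closed is outside what is shown.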
60 changes: 31 additions & 29 deletions .github/workflows/test.yml
Expand Up @@ -165,6 +165,36 @@ jobs:
verbose: false
name: codecov-${{env.GITHUB_REF_NAME}}


trivy:
name: Check Image with Trivy
runs-on: ubuntu-latest
needs: [build]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: DockerHub login
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{needs.build.outputs.image}}
format: 'sarif'
output: 'trivy-results.sarif'
# format: 'table'
# exit-code: '0'
# ignore-unfixed: true
# vuln-type: 'os,library'
# severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'


release:
# if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
name: Build and Push Distribution
Expand All @@ -188,38 +218,10 @@ jobs:
uses: ./.github/actions/docker_build
with:
image: ${{steps.image_name.outputs.name}}
checksum: ${{needs.setup.outputs.checksum}}
target: "dist"
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
- run: |
echo "::notice:: ${{steps.image_name.outputs.name}} pushed to dockerhub"
trivy:
name: Check Image with Trivy
runs-on: ubuntu-latest
needs: [release]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: DockerHub login
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ needs.release.outputs.image }}
format: 'sarif'
output: 'trivy-results.sarif'
# format: 'table'
# exit-code: '0'
# ignore-unfixed: true
# vuln-type: 'os,library'
# severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
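Review bot: The `trivy` job added in the first hunk pins the scanner to a mutable branch, `uses: aquasecurity/trivy-action@master`, in a job that has just logged into DockerHub with `secrets.DOCKERHUB_TOKEN`, so whatever is pushed to that branch next runs with those credentials on the next workflow run. Pin it to a release tag or, better, a full commit SHA, `uses: aquasecurity/trivy-action@<release tag or commit SHA>`, and let Dependabot keep it current; the removed copy of the job lower down carried the same unpinned reference, so this is not new, but the job is now wired to `build` rather than `release`. The same hunk keeps `exit-code`, `ignore-unfixed` and `severity` commented out, so with the action's default exit code the job uploads SARIF but never fails the workflow on findings; if that is intended, say so above the step, e.g. `# Report-only: findings go to the Security tab; set exit-code: '1' to gate on them`. The `upload-sarif` step also requires `security-events: write`, which is not granted in the hunk; if the workflow does not set it elsewhere the upload is rejected. `needs.build.outputs.image` assumes the `build` job declares an `image` output, which is outside the hunk.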
61 changes: 20 additions & 41 deletions docker/Dockerfile
Expand Up @@ -134,9 +134,16 @@ LABEL version=$VERSION
LABEL checksum=$CHECKSUM
LABEL distro="builder-test"

#COPY pyproject.toml pdm.lock ./
#COPY docker/conf/config.toml /etc/xdg/pdm/config.toml
COPY . /code
WORKDIR /code
COPY pyproject.toml pdm.lock ./
COPY docker/conf/config.toml /etc/xdg/pdm/config.toml

RUN set -x \
&& pip install -U pip pdm \
&& mkdir -p $PKG_DIR \
&& pdm sync --no-editable -v --no-self

RUN <<EOF cat> /RELEASE
{"version": "$VERSION",
"commit": "$SOURCE_COMMIT",
Expand All @@ -146,13 +153,7 @@ RUN <<EOF cat> /RELEASE
}
EOF

RUN set -x \
&& pip install -U pip pdm \
&& mkdir -p $PKG_DIR \
&& pdm sync --no-editable -v --no-self


FROM python_base AS python_prod_deps
FROM build_deps AS python_prod_deps
ARG PKG_DIR
ARG CHECKSUM
ENV CHECKSUM=$CHECKSUM
Expand All @@ -172,37 +173,16 @@ LABEL version=$VERSION
LABEL checksum=$CHECKSUM
LABEL distro="builder-prod"

RUN set -x \
&& buildDeps="build-essential \
cmake \
curl \
gcc \
libgdal-dev \
libgif-dev \
libjpeg-dev \
liblapack-dev \
libopenblas-dev \
libpng-dev \
libpq-dev \
libwebp-dev \
libssl-dev \
libxml2-dev \
python3-dev \
zlib1g-dev \
" \
&& apt-get update \
&& apt-get install -y --no-install-recommends $buildDeps \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \

WORKDIR /code
COPY docker/conf/config.toml /etc/xdg/pdm/config.toml
COPY pyproject.toml pdm.lock /README.md /LICENSE ./
COPY ./src /code/src
#COPY pyproject.toml pdm.lock /README.md /LICENSE ./
#COPY ./src /code/src

COPY . /code
WORKDIR /code

RUN mkdir -p $PKG_DIR \
&& pip install -U pdm \
RUN set -x \
&& pip install -U pip pdm \
&& mkdir -p $PKG_DIR \
&& pdm sync --no-editable -v --prod


Expand All @@ -222,6 +202,9 @@ ENV GITHUB_SERVER_URL=$GITHUB_SERVER_URL
ARG GITHUB_REPOSITORY
ENV GITHUB_REPOSITORY=$GITHUB_REPOSITORY


WORKDIR /code
COPY --chown=user:app --from=python_prod_deps /code /code
RUN <<EOF cat> /RELEASE
{"version": "$VERSION",
"commit": "$SOURCE_COMMIT",
Expand All @@ -231,10 +214,6 @@ RUN <<EOF cat> /RELEASE
}
EOF

WORKDIR /code
COPY --chown=user:app --from=python_prod_deps /code /code
COPY --chown=user:app --from=python_prod_deps /RELEASE /RELEASE

VOLUME /var/run/app/
EXPOSE 8000
ENTRYPOINT exec docker-entrypoint.sh "$0" "$@"
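Review bot: In the `python_prod_deps` stage the explicit `COPY pyproject.toml pdm.lock /README.md /LICENSE ./` and `COPY ./src /code/src` are replaced by `COPY . /code`, and the final stage then does `COPY --chown=user:app --from=python_prod_deps /code /code`, so everything in the build context that `.dockerignore` does not exclude (a `.git` directory, local `.env` files, tests, docker config) now lands in the runtime image. If a smaller, more predictable image is wanted, keep the explicit copies; otherwise confirm `.dockerignore` covers the sensitive paths and record the reliance with a comment, e.g. `# Whole context is copied into the runtime image via python_prod_deps; keep .dockerignore in sync`. The stage now also builds `FROM build_deps` (presumably the `builder-test` stage in the first hunk, whose `FROM` is not shown), where `pdm sync --no-editable -v --no-self` installs the default and dev groups; as far as I know `pdm sync --no-editable -v --prod` does not prune already-installed packages without `--clean`, so non-prod packages would be carried into the runtime image if the install target lives under `/code` (`PKG_DIR` is defined outside the hunks, so this is inferred). Each hunk here cuts through a stage, so the stage boundaries are only partly visible.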