diff --git a/.github/actions/docker_build/action.yml b/.github/actions/docker_build/action.yml
index 49c3f09a..a48730a6 100644
--- a/.github/actions/docker_build/action.yml
+++ b/.github/actions/docker_build/action.yml
@@ -114,13 +114,11 @@ runs:
 id: build_push
 with:
 context: .
- image: ${{ inputs.image }}
 tags: ${{ inputs.image }}
 target: ${{ inputs.target }}
 file: ./docker/Dockerfile
 platforms: linux/amd64
 push: true
- attestation: false
 build-args: |
 BUILD_DATE=${{ steps.build_args.outputs.BUILD_DATE }}
 CHECKSUM=${{ steps.build_args.outputs.CHECKSUM }}
diff --git a/.github/actions/image_meta/action.yml b/.github/actions/image_meta/action.yml
index bc0981aa..4ebcce32 100644
--- a/.github/actions/image_meta/action.yml
+++ b/.github/actions/image_meta/action.yml
@@ -180,7 +180,8 @@ runs:
 if: ${{ inputs.debug == 'true' }}
 shell: bash
 run: |
- echo "::group:: Image Meta for ${{ inputs.image }}"
+ echo "::group:: summary"
+ echo "::notice:: Image Meta for ${{ inputs.image }}"
 echo "::notice:: ${{ toJSON( steps.check.outputs) }}"
 if [[ '${{steps.check.outputs.updated}}' == 'true' ]]; then
 echo "::notice::✅ Image is updated "
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b053a0f5..a989470c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
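Review bot: Removing `attestation: false` from the `build_push` step leaves no record of whether provenance/SBOM attestations are meant to be emitted for this `push: true` build. The step's `uses:` line is outside the hunk; if it is docker/build-push-action, the inputs that control attestations are `provenance:` and `sbom:`, so the removed key (like the removed `image:` key) was most likely ignored with a warning rather than disabling anything. Make the intent explicit while the step is being edited, either by setting `provenance:`/`sbom:` to the value you want or by adding `# attestations: action defaults are intended` above `push: true`.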
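Review bot: The new `echo "::notice:: Image Meta for ${{ inputs.image }}"` line, like the `toJSON(steps.check.outputs)` and `steps.check.outputs.updated` lines under it, expands a workflow expression directly inside the bash `run:` script, so a value containing a double quote, a newline or a `$(` sequence rewrites the shell command instead of being printed. The usual hardening is to pass the value through the environment and quote it as a shell variable: add `env:` with `IMAGE: ${{ inputs.image }}` to the step and write `echo "::notice:: Image Meta for $IMAGE"`. Exposure is limited because the step only runs when `inputs.debug == 'true'`, but the pattern is cheap to fix while the line is being touched. The opened `::group:: summary` has no matching `::endgroup::` within the hunk; confirm one exists further down the script, which continues outside the hunk.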
@@ -165,6 +165,36 @@ jobs:
 verbose: false
 name: codecov-${{env.GITHUB_REF_NAME}}
+
+ trivy:
+ name: Check Image with Trivy
+ runs-on: ubuntu-latest
+ needs: [build]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: DockerHub login
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{needs.build.outputs.image}}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+# format: 'table'
+# exit-code: '0'
+# ignore-unfixed: true
+# vuln-type: 'os,library'
+# severity: 'CRITICAL,HIGH'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+
 release:
 # if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 name: Build and Push Distribution
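Review bot: `uses: aquasecurity/trivy-action@master` pulls a floating branch of a third-party action into a job that has just logged in with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`, so whatever that branch contains at run time executes with those credentials present on the runner; pin it to a release tag or, preferably, a full commit SHA, and do the same for `docker/login-action@v1` and `github/codeql-action/upload-sarif@v2`, both of which are old major versions. With only `format: 'sarif'` and `output:` set and `exit-code`/`severity` left commented out, the scan is report-only and never fails the job, which may be intended but deserves a comment such as `# report-only: findings go to the Security tab and do not gate the build`. `upload-sarif` requires `security-events: write`, and no `permissions:` block is visible on the job, so check the workflow-level one. `needs.build.outputs.image` assumes the `build` job declares an `image` output, which is outside this hunk.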
@@ -188,38 +218,10 @@ jobs:
 uses: ./.github/actions/docker_build
 with:
 image: ${{steps.image_name.outputs.name}}
+ checksum: ${{needs.setup.outputs.checksum}}
 target: "dist"
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 token: ${{ secrets.GITHUB_TOKEN }}
 - run: |
 echo "::notice:: ${{steps.image_name.outputs.name}} pushed to dockerhub"
-
-
- trivy:
- name: Check Image with Trivy
- runs-on: ubuntu-latest
- needs: [release]
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- - name: DockerHub login
- uses: docker/login-action@v1
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ needs.release.outputs.image }}
- format: 'sarif'
- output: 'trivy-results.sarif'
-# format: 'table'
-# exit-code: '0'
-# ignore-unfixed: true
-# vuln-type: 'os,library'
-# severity: 'CRITICAL,HIGH'
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 5e92ced2..01de8779 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -134,9 +134,16 @@ LABEL version=$VERSION
 LABEL checksum=$CHECKSUM
 LABEL distro="builder-test"
+#COPY pyproject.toml pdm.lock ./
+#COPY docker/conf/config.toml /etc/xdg/pdm/config.toml
+COPY . /code
 WORKDIR /code
-COPY pyproject.toml pdm.lock ./
-COPY docker/conf/config.toml /etc/xdg/pdm/config.toml
+
+RUN set -x \
+ && pip install -U pip pdm \
+ && mkdir -p $PKG_DIR \
+ && pdm sync --no-editable -v --no-self
+
 RUN < /RELEASE
 {"version": "$VERSION", "commit": "$SOURCE_COMMIT",
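Review bot: `checksum: ${{needs.setup.outputs.checksum}}` only resolves if `setup` is listed in this job's `needs:`, and the job header is outside the hunk; if it is not, the expression expands to an empty string without any error and, per the docker_build action earlier in this diff, reaches the image as `CHECKSUM=` in the build args and an empty `LABEL checksum`. Confirm the dependency, or fail fast with a short step that checks the value is non-empty before the build runs. The rest of the hunk relocates the `trivy` job, which the commit already handles.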
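Review bot: `COPY . /code` replaces the two targeted COPYs, so this `builder-test` stage now takes the entire build context: any file change invalidates the `pdm sync` layer that previously depended only on `pyproject.toml`/`pdm.lock`, and everything in the checkout (tests, CI config, a local `.env` or `.git` if present) lands in the image unless `.dockerignore` excludes it; the same applies to `COPY . /code` in the `builder-prod` hunk further down and, through `COPY --chown=user:app --from=python_prod_deps /code /code`, to the final image. Dropping `COPY docker/conf/config.toml /etc/xdg/pdm/config.toml` from this stage also means this `pdm sync --no-self` now runs without the PDM config that the prod stage still installs; whether that changes what gets installed depends on the config contents, which are not in the diff. Suggest keeping a lockfile-only COPY before `pdm sync` and copying the rest afterwards, and deleting the two `#COPY` lines rather than leaving them as dead comments.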
@@ -146,13 +153,7 @@ RUN < /RELEASE
 }
 EOF
-RUN set -x \
- && pip install -U pip pdm \
- && mkdir -p $PKG_DIR \
- && pdm sync --no-editable -v --no-self
-
-
-FROM python_base AS python_prod_deps
+FROM build_deps AS python_prod_deps
 ARG PKG_DIR
 ARG CHECKSUM
 ENV CHECKSUM=$CHECKSUM
@@ -172,37 +173,16 @@ LABEL version=$VERSION
 LABEL checksum=$CHECKSUM
 LABEL distro="builder-prod"
-RUN set -x \
- && buildDeps="build-essential \
- cmake \
- curl \
- gcc \
- libgdal-dev \
- libgif-dev \
- libjpeg-dev \
- liblapack-dev \
- libopenblas-dev \
- libpng-dev \
- libpq-dev \
- libwebp-dev \
- libssl-dev \
- libxml2-dev \
- python3-dev \
- zlib1g-dev \
- " \
- && apt-get update \
- && apt-get install -y --no-install-recommends $buildDeps \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* \
-
-WORKDIR /code
 COPY docker/conf/config.toml /etc/xdg/pdm/config.toml
-COPY pyproject.toml pdm.lock /README.md /LICENSE ./
-COPY ./src /code/src
+#COPY pyproject.toml pdm.lock /README.md /LICENSE ./
+#COPY ./src /code/src
+COPY . /code
+WORKDIR /code
-RUN mkdir -p $PKG_DIR \
- && pip install -U pdm \
+RUN set -x \
+ && pip install -U pip pdm \
+ && mkdir -p $PKG_DIR \
 && pdm sync --no-editable -v --prod
@@ -222,6 +202,9 @@ ENV GITHUB_SERVER_URL=$GITHUB_SERVER_URL
 ARG GITHUB_REPOSITORY
 ENV GITHUB_REPOSITORY=$GITHUB_REPOSITORY
+
+WORKDIR /code
+COPY --chown=user:app --from=python_prod_deps /code /code
 RUN < /RELEASE
 {"version": "$VERSION", "commit": "$SOURCE_COMMIT",
@@ -231,10 +214,6 @@ RUN < /RELEASE
 }
 EOF
-WORKDIR /code
-COPY --chown=user:app --from=python_prod_deps /code /code
-COPY --chown=user:app --from=python_prod_deps /RELEASE /RELEASE
-
 VOLUME /var/run/app/
 EXPOSE 8000
 ENTRYPOINT exec docker-entrypoint.sh "$0" "$@"
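Review bot: `FROM build_deps AS python_prod_deps` makes the prod-dependency stage inherit everything `build_deps` already installed; if `build_deps` is the `builder-test` stage at the top of this diff, it has already run `pdm sync --no-editable -v --no-self` with all dependency groups, and the later `pdm sync --no-editable -v --prod` in the `builder-prod` hunk does not remove packages that are already present unless `--clean` is passed, so the final image (which copies `/code` from this stage) would ship the test/dev dependencies and whatever apt packages `build_deps` installs, which the old `FROM python_base` base avoided. Either base the stage on `python_base` again or change the prod step to `&& pdm sync --no-editable -v --prod --clean` and verify the runtime stage does not inherit the build toolchain. The `build_deps` stage definition is not in the diff, so this is inferred from the stage order.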