From 79139193e55181c76ebc53d8404d49d0f66b7beb Mon Sep 17 00:00:00 2001
From: sethforprivacy
Date: Tue, 12 Dec 2023 12:03:02 -0500
Subject: [PATCH] Initial Github Actions push Fix environment file Revert main.yml change
---
 .github/workflows/build-image-on-push.yml | 35 ++++++++++++
 .github/workflows/trivy-analysis.yml | 37 +++++++++++++
 .github/workflows/update-base-image.yml | 61 +++++++++++++++++++++
 .github/workflows/update-image-on-push.yml | 64 ++++++++++++++++++++++
 Dockerfile | 14 ++++-
 5 files changed, 208 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/build-image-on-push.yml
 create mode 100644 .github/workflows/trivy-analysis.yml
 create mode 100644 .github/workflows/update-base-image.yml
 create mode 100644 .github/workflows/update-image-on-push.yml
diff --git a/.github/workflows/build-image-on-push.yml b/.github/workflows/build-image-on-push.yml
new file mode 100644
index 0000000..8c400b2
--- /dev/null
+++ b/.github/workflows/build-image-on-push.yml
@@ -0,0 +1,35 @@
+name: "Test build of image when Dockerfile is changed"
+
+on:
+ push:
+ branches-ignore:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ rebuild-container:
+ name: "Build image with cache"
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v3.0.0
+ with:
+ platforms: linux/arm64
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3.0.0
+ -
+ name: Checkout repository
+ uses: actions/checkout@v4
+ -
+ name: Build image
+ id: docker_build_amd64
+ uses: docker/build-push-action@v5.1.0
+ with:
+ push: false
+ load: true
+ platforms: linux/amd64
+ tags: public-pool-ui:amd64
+ cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool-ui:latest
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
new file mode 100644
index 0000000..86e8737
--- /dev/null
+++ b/.github/workflows/trivy-analysis.yml
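Review bot: The `cache-from` reference on the last line of the hunk takes its registry namespace from `secrets.DOCKER_USERNAME`, yet this workflow also runs on `pull_request`, and pull requests from forks receive no repository secrets, so for exactly the runs meant to test contributor changes the reference collapses to `/public-pool-ui:latest` and the cache import cannot resolve (whether buildx warns or fails likely depends on its version). The username is not sensitive, so it belongs in a repository variable rather than a secret: `cache-from: type=registry,ref=${{ vars.DOCKER_USERNAME }}/public-pool-ui:latest`, or simply hard-code the namespace. Separately, `docker/setup-qemu-action`, `docker/setup-buildx-action` and `docker/build-push-action` are pinned to mutable version tags; since this job builds untrusted pull-request content, pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening. Note also that `push` with `branches-ignore: master` plus `pull_request` runs the job twice for every same-repository PR branch.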
@@ -0,0 +1,37 @@
+name: Build and scan container for vulnerabilities with Trivy
+
+on:
+ push:
+ pull_request:
+ schedule:
+ - cron: '22 14 * * 0'
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and scan images
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Checkout code
+ uses: actions/checkout@v4
+ -
+ name: Build image from Dockerfile
+ uses: docker/build-push-action@v5.1.0
+ with:
+ push: false
+ load: true
+ tags: ${{ secrets.DOCKER_USERNAME }}/public-pool-ui:latest
+ -
+ name: Run Trivy vulnerability scanner against "latest" image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ secrets.DOCKER_USERNAME }}/public-pool-ui:latest'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ -
+ name: Upload "latest" Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/update-base-image.yml b/.github/workflows/update-base-image.yml
new file mode 100644
index 0000000..39406b5
--- /dev/null
+++ b/.github/workflows/update-base-image.yml
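Review bot: The `upload-sarif` step at the end of the hunk needs `security-events: write` on the job token, but the workflow declares no `permissions:` block, so on a repository whose default GITHUB_TOKEN permissions are read-only the upload to the Security tab fails; declare the least-privilege set explicitly at workflow level, `permissions:` / `  contents: read` / `  security-events: write`. The scanner itself is taken from `aquasecurity/trivy-action@master`, a moving branch, so the scan logic and its Trivy version can change with no commit in this repository — pin it to a release tag or, better, a commit SHA as the other actions here are at least tag-pinned. The `tags`/`image-ref` values also depend on `secrets.DOCKER_USERNAME`, which is empty for pull requests from forks, leaving the scan pointed at an image named `/public-pool-ui:latest`; a repository variable (`vars.DOCKER_USERNAME`) or a fixed local tag avoids that.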
@@ -0,0 +1,61 @@
+name: "Update image and push to Github Packages and Docker Hub weekly"
+
+on:
+ schedule:
+ - cron: "0 12 * * 1" # Run every Monday at noon.
+ workflow_dispatch:
+
+jobs:
+ rebuild-container:
+ name: "Rebuild Container with the latest base image"
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Prepare outputs
+ id: prep
+ run: |
+ echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+ -
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v3.0.0
+ with:
+ platforms: linux/arm64
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3.0.0
+ -
+ name: Login to GitHub Container Registry
+ uses: docker/login-action@v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Login to DockerHub
+ uses: docker/login-action@v3.0.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ -
+ name: Checkout repository
+ uses: actions/checkout@v4
+ -
+ name: Get short SHA
+ id: get_short_sha
+ run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+ -
+ name: Build and push to Docker Hub and GitHub Packages Docker Registry
+ id: docker_build
+ uses: docker/build-push-action@v5.1.0
+ with:
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: |
+ ghcr.io/${{ github.repository_owner }}/public-pool-ui:latest
+ ghcr.io/${{ github.repository_owner }}/public-pool-ui:${{ steps.get_short_sha.outputs.sha_short }}
+ ${{ secrets.DOCKER_USERNAME }}/public-pool-ui:latest
+ ${{ secrets.DOCKER_USERNAME }}/public-pool-ui:${{ steps.get_short_sha.outputs.sha_short }}
+ labels: |
+ org.opencontainers.image.source=${{ github.event.repository.html_url }}
+ org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+ org.opencontainers.image.revision=${{ github.sha }}
diff --git a/.github/workflows/update-image-on-push.yml b/.github/workflows/update-image-on-push.yml
new file mode 100644
index 0000000..b536d5f
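Review bot: The final step pushes to ghcr.io authenticated with `secrets.GITHUB_TOKEN`, which requires `packages: write`, yet the workflow sets no `permissions:` block and therefore depends on the repository's default token permissions being write-all; declare the least-privilege set at workflow level, `permissions:` / `  contents: read` / `  packages: write`, so the token cannot do more than publish the image. The `Prepare outputs` step still uses the deprecated `::set-output` workflow command while `Get short SHA` a few lines below already writes to `$GITHUB_OUTPUT`; make them consistent with `run: echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"`. If the repository owner name contains uppercase letters, the `ghcr.io/${{ github.repository_owner }}/...` tags will presumably also be rejected, since ghcr image names must be lowercase — worth confirming against the owner. Both the permissions and the set-output points apply unchanged to the update-image-on-push.yml hunk that follows.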
--- /dev/null
+++ b/.github/workflows/update-image-on-push.yml
@@ -0,0 +1,64 @@
+name: "Update image when Dockerfile is changed"
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+jobs:
+ rebuild-container:
+ name: "Rebuild Container with the latest base image"
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Prepare outputs
+ id: prep
+ run: |
+ echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+ -
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v3.0.0
+ with:
+ platforms: linux/arm64
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3.0.0
+ -
+ name: Login to GitHub Container Registry
+ uses: docker/login-action@v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Login to DockerHub
+ uses: docker/login-action@v3.0.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ -
+ name: Checkout repository
+ uses: actions/checkout@v4
+ -
+ name: Get short SHA
+ id: get_short_sha
+ run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+ -
+ name: Build and push to Docker Hub and GitHub Packages Docker Registry
+ uses: docker/build-push-action@v5.1.0
+ id: docker_build_push
+ with:
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: |
+ ghcr.io/${{ github.repository_owner }}/public-pool-ui:latest
+ ghcr.io/${{ github.repository_owner }}/public-pool-ui:${{ steps.get_short_sha.outputs.sha_short }}
+ ${{ secrets.DOCKER_USERNAME }}/public-pool-ui:latest
+ ${{ secrets.DOCKER_USERNAME }}/public-pool-ui:${{ steps.get_short_sha.outputs.sha_short }}
+ labels: |
+ org.opencontainers.image.source=${{ github.event.repository.html_url }}
+ org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+ org.opencontainers.image.revision=${{ github.sha }}
+ cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool-ui:latest
+ cache-to: type=inline
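Review bot: The workflow name promises to run "when Dockerfile is changed", but `on.push` for `master` carries no `paths:` filter, so every push to master rebuilds and republishes `latest` on both registries. Since the Dockerfile in this same patch does `COPY . .`, the application source is baked into the image and rebuilding on any push is probably the intended behaviour; rename the workflow to say so, e.g. `name: "Update image on push to master"`, or add `paths: [Dockerfile]` under `push` if the narrower trigger really is wanted. The `id: docker_build_push` on the last step is never referenced and can be dropped. Both `push` triggers here and in update-base-image.yml republish a mutable `latest` that the build-image-on-push.yml workflow then uses as its cache source, so a bad master push propagates into cache for every subsequent test build — a consequence to be aware of rather than a defect.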
diff --git a/Dockerfile b/Dockerfile index b6d8a47..84e9979 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,14 +2,22 @@ # Docker build environment # ############################ -FROM node:18.16.1-bookworm AS build +FROM node:18.16.1-bookworm-slim AS build + +# Upgrade all packages and install dependencies +RUN apt-get update \ + && apt-get upgrade -y +RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3 \ + build-essential \ + && apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* WORKDIR /build COPY . . -RUN npm i -RUN npm run build +# Build Public Pool UI using NPM +RUN npm i && npm run build ############################ # Docker final environment #