mirror of
https://github.com/benjamin-wilson/public-pool.git
synced 2025-03-17 13:21:43 +01:00
Dockerfile improvements and automatic Github Actions builds (#14)
* Initial GA push * Fix Actions * Remove test runs * Update Trivy scanner to latest syntax * Remove unnecessary build stage * Switch to slim base images * Minor Dockerfile improvements * Fix slim builds * Fix slim builds round 2
This commit is contained in:
parent
f7303d73af
commit
8f6eeaba73
35
.github/workflows/build-image-on-push.yml
vendored
Normal file
35
.github/workflows/build-image-on-push.yml
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
name: "Test build of image when Dockerfile is changed"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches-ignore:
|
||||
- master
|
||||
pull_request:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
rebuild-container:
|
||||
name: "Build image with cache"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3.0.0
|
||||
with:
|
||||
platforms: linux/arm64
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3.0.0
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Build image
|
||||
id: docker_build_amd64
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
with:
|
||||
push: false
|
||||
load: true
|
||||
platforms: linux/amd64
|
||||
tags: public-pool:amd64
|
||||
cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
|
37
.github/workflows/trivy-analysis.yml
vendored
Normal file
37
.github/workflows/trivy-analysis.yml
vendored
Normal file
@ -0,0 +1,37 @@
|
||||
name: Build and scan container for vulnerabilities with Trivy
|
||||
|
||||
on:
|
||||
push:
|
||||
pull_request:
|
||||
schedule:
|
||||
- cron: '22 14 * * 0'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and scan images
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Build image from Dockerfile
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
with:
|
||||
push: false
|
||||
load: true
|
||||
tags: ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
|
||||
-
|
||||
name: Run Trivy vulnerability scanner against "latest" image
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: '${{ secrets.DOCKER_USERNAME }}/public-pool:latest'
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
-
|
||||
name: Upload "latest" Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
61
.github/workflows/update-base-image.yml
vendored
Normal file
61
.github/workflows/update-base-image.yml
vendored
Normal file
@ -0,0 +1,61 @@
|
||||
name: "Update image and push to Github Packages and Docker Hub weekly"
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "0 12 * * 1" # Run every Monday at noon.
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
rebuild-container:
|
||||
name: "Rebuild Container with the latest base image"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Prepare outputs
|
||||
id: prep
|
||||
run: |
|
||||
echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
|
||||
-
|
||||
name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3.0.0
|
||||
with:
|
||||
platforms: linux/arm64
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3.0.0
|
||||
-
|
||||
name: Login to GitHub Container Registry
|
||||
uses: docker/login-action@v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
-
|
||||
name: Login to DockerHub
|
||||
uses: docker/login-action@v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Get short SHA
|
||||
id: get_short_sha
|
||||
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
||||
-
|
||||
name: Build and push to Docker Hub and GitHub Packages Docker Registry
|
||||
id: docker_build
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
with:
|
||||
push: true
|
||||
platforms: linux/amd64,linux/arm64
|
||||
tags: |
|
||||
ghcr.io/${{ github.repository_owner }}/public-pool:latest
|
||||
ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
|
||||
${{ secrets.DOCKER_USERNAME }}/public-pool:latest
|
||||
${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
|
||||
labels: |
|
||||
org.opencontainers.image.source=${{ github.event.repository.html_url }}
|
||||
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
|
||||
org.opencontainers.image.revision=${{ github.sha }}
|
64
.github/workflows/update-image-on-push.yml
vendored
Normal file
64
.github/workflows/update-image-on-push.yml
vendored
Normal file
@ -0,0 +1,64 @@
|
||||
name: "Update image when Dockerfile is changed"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
rebuild-container:
|
||||
name: "Rebuild Container with the latest base image"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
-
|
||||
name: Prepare outputs
|
||||
id: prep
|
||||
run: |
|
||||
echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
|
||||
-
|
||||
name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3.0.0
|
||||
with:
|
||||
platforms: linux/arm64
|
||||
-
|
||||
name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3.0.0
|
||||
-
|
||||
name: Login to GitHub Container Registry
|
||||
uses: docker/login-action@v3.0.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
-
|
||||
name: Login to DockerHub
|
||||
uses: docker/login-action@v3.0.0
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
-
|
||||
name: Get short SHA
|
||||
id: get_short_sha
|
||||
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
||||
-
|
||||
name: Build and push to Docker Hub and GitHub Packages Docker Registry
|
||||
uses: docker/build-push-action@v5.1.0
|
||||
id: docker_build_push
|
||||
with:
|
||||
push: true
|
||||
platforms: linux/amd64,linux/arm64
|
||||
tags: |
|
||||
ghcr.io/${{ github.repository_owner }}/public-pool:latest
|
||||
ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
|
||||
${{ secrets.DOCKER_USERNAME }}/public-pool:latest
|
||||
${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
|
||||
labels: |
|
||||
org.opencontainers.image.source=${{ github.event.repository.html_url }}
|
||||
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
|
||||
org.opencontainers.image.revision=${{ github.sha }}
|
||||
cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
|
||||
cache-to: type=inline
|
22
Dockerfile
22
Dockerfile
@ -2,27 +2,35 @@
|
||||
# Docker build environment #
|
||||
############################
|
||||
|
||||
FROM node:18.16.1-bookworm AS build
|
||||
FROM node:18.16.1-bookworm-slim AS build
|
||||
|
||||
# Upgrade all packages and install dependencies
|
||||
RUN apt-get update \
|
||||
&& apt-get upgrade -y
|
||||
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
||||
python3 \
|
||||
build-essential \
|
||||
&& apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
|
||||
|
||||
WORKDIR /build
|
||||
|
||||
COPY . .
|
||||
|
||||
RUN npm i
|
||||
RUN npm run build
|
||||
# Build Public Pool using NPM
|
||||
RUN npm i && npm run build
|
||||
|
||||
############################
|
||||
# Docker final environment #
|
||||
############################
|
||||
|
||||
FROM node:18.16.1-bookworm
|
||||
FROM node:18.16.1-bookworm-slim
|
||||
|
||||
EXPOSE 3333
|
||||
EXPOSE 3334
|
||||
EXPOSE 8332
|
||||
# Expose ports for Stratum and Bitcoin RPC
|
||||
EXPOSE 3333 3334 8332
|
||||
|
||||
WORKDIR /public-pool
|
||||
|
||||
# Copy built binaries into the final image
|
||||
COPY --from=build /build .
|
||||
#COPY .env.example .env
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user