Dockerfile improvements and automatic Github Actions builds (#14)

* Initial GA push

* Fix Actions

* Remove test runs

* Update Trivy scanner to latest syntax

* Remove unnecessary build stage

* Switch to slim base images

* Minor Dockerfile improvements

* Fix slim builds

* Fix slim builds round 2
This commit is contained in:
Seth For Privacy 2023-12-12 20:11:36 -05:00 committed by GitHub
parent f7303d73af
commit 8f6eeaba73
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 212 additions and 7 deletions

View File

@ -0,0 +1,35 @@
name: "Test build of image when Dockerfile is changed"
on:
push:
branches-ignore:
- master
pull_request:
workflow_dispatch:
jobs:
rebuild-container:
name: "Build image with cache"
runs-on: ubuntu-latest
steps:
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3.0.0
with:
platforms: linux/arm64
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.0.0
-
name: Checkout repository
uses: actions/checkout@v4
-
name: Build image
id: docker_build_amd64
uses: docker/build-push-action@v5.1.0
with:
push: false
load: true
platforms: linux/amd64
tags: public-pool:amd64
cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest

37
.github/workflows/trivy-analysis.yml vendored Normal file
View File

@ -0,0 +1,37 @@
name: Build and scan container for vulnerabilities with Trivy
on:
push:
pull_request:
schedule:
- cron: '22 14 * * 0'
workflow_dispatch:
jobs:
build:
name: Build and scan images
runs-on: ubuntu-latest
steps:
-
name: Checkout code
uses: actions/checkout@v4
-
name: Build image from Dockerfile
uses: docker/build-push-action@v5.1.0
with:
push: false
load: true
tags: ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
-
name: Run Trivy vulnerability scanner against "latest" image
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ secrets.DOCKER_USERNAME }}/public-pool:latest'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
-
name: Upload "latest" Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'

61
.github/workflows/update-base-image.yml vendored Normal file
View File

@ -0,0 +1,61 @@
name: "Update image and push to Github Packages and Docker Hub weekly"
on:
schedule:
- cron: "0 12 * * 1" # Run every Monday at noon.
workflow_dispatch:
jobs:
rebuild-container:
name: "Rebuild Container with the latest base image"
runs-on: ubuntu-latest
steps:
-
name: Prepare outputs
id: prep
run: |
echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3.0.0
with:
platforms: linux/arm64
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.0.0
-
name: Login to GitHub Container Registry
uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Login to DockerHub
uses: docker/login-action@v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
-
name: Checkout repository
uses: actions/checkout@v4
-
name: Get short SHA
id: get_short_sha
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-
name: Build and push to Docker Hub and GitHub Packages Docker Registry
id: docker_build
uses: docker/build-push-action@v5.1.0
with:
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ github.repository_owner }}/public-pool:latest
ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
${{ secrets.DOCKER_USERNAME }}/public-pool:latest
${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
labels: |
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
org.opencontainers.image.revision=${{ github.sha }}

View File

@ -0,0 +1,64 @@
name: "Update image when Dockerfile is changed"
on:
push:
branches:
- master
workflow_dispatch:
jobs:
rebuild-container:
name: "Rebuild Container with the latest base image"
runs-on: ubuntu-latest
steps:
-
name: Prepare outputs
id: prep
run: |
echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3.0.0
with:
platforms: linux/arm64
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.0.0
-
name: Login to GitHub Container Registry
uses: docker/login-action@v3.0.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Login to DockerHub
uses: docker/login-action@v3.0.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
-
name: Checkout repository
uses: actions/checkout@v4
-
name: Get short SHA
id: get_short_sha
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-
name: Build and push to Docker Hub and GitHub Packages Docker Registry
uses: docker/build-push-action@v5.1.0
id: docker_build_push
with:
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ github.repository_owner }}/public-pool:latest
ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
${{ secrets.DOCKER_USERNAME }}/public-pool:latest
${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
labels: |
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
org.opencontainers.image.revision=${{ github.sha }}
cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
cache-to: type=inline

View File

@ -2,27 +2,35 @@
# Docker build environment #
############################
FROM node:18.16.1-bookworm AS build
FROM node:18.16.1-bookworm-slim AS build
# Upgrade all packages and install dependencies
RUN apt-get update \
&& apt-get upgrade -y
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
python3 \
build-essential \
&& apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
WORKDIR /build
COPY . .
RUN npm i
RUN npm run build
# Build Public Pool using NPM
RUN npm i && npm run build
############################
# Docker final environment #
############################
FROM node:18.16.1-bookworm
FROM node:18.16.1-bookworm-slim
EXPOSE 3333
EXPOSE 3334
EXPOSE 8332
# Expose ports for Stratum and Bitcoin RPC
EXPOSE 3333 3334 8332
WORKDIR /public-pool
# Copy built binaries into the final image
COPY --from=build /build .
#COPY .env.example .env