From 8f6eeaba733e73742b96c1b58bb390105d8115c4 Mon Sep 17 00:00:00 2001
From: Seth For Privacy
Date: Tue, 12 Dec 2023 20:11:36 -0500
Subject: [PATCH] Dockerfile improvements and automatic Github Actions builds (#14)

* Initial GA push
* Fix Actions
* Remove test runs
* Update Trivy scanner to latest syntax
* Remove unnecessary build stage
* Switch to slim base images
* Minor Dockerfile improvements
* Fix slim builds
* Fix slim builds round 2
---
 .github/workflows/build-image-on-push.yml  | 35 ++++++++++++
 .github/workflows/trivy-analysis.yml       | 37 +++++++++++++
 .github/workflows/update-base-image.yml    | 61 +++++++++++++++++++++
 .github/workflows/update-image-on-push.yml | 64 ++++++++++++++++++++++
 Dockerfile                                 | 22 +++++---
 5 files changed, 212 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/build-image-on-push.yml
 create mode 100644 .github/workflows/trivy-analysis.yml
 create mode 100644 .github/workflows/update-base-image.yml
 create mode 100644 .github/workflows/update-image-on-push.yml

diff --git a/.github/workflows/build-image-on-push.yml b/.github/workflows/build-image-on-push.yml
new file mode 100644
index 0000000..27b6e92
--- /dev/null
+++ b/.github/workflows/build-image-on-push.yml
@@ -0,0 +1,35 @@
+name: "Test build of image when Dockerfile is changed"
+
+on:
+  push:
+    branches-ignore:
+      - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  rebuild-container:
+    name: "Build image with cache"
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+        with:
+          platforms: linux/arm64
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+      -
+        name: Checkout repository
+        uses: actions/checkout@v4
+      -
+        name: Build image
+        id: docker_build_amd64
+        uses: docker/build-push-action@v5.1.0
+        with:
+          push: false
+          load: true
+          platforms: linux/amd64
+          tags: public-pool:amd64
+          cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
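Review bot: The `cache-from` ref on the last line of the hunk is built from `secrets.DOCKER_USERNAME`, yet the workflow also fires on `pull_request`, where runs from forks receive no secrets; the ref then expands to `/public-pool:latest`, which is not a valid image reference and will presumably make the buildx step fail for exactly the external contributions this test build exists to check. A non-secret value works in every trigger context, e.g. `cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/public-pool:latest`, which is the tag the sibling publish workflows push. The job declares no `permissions:` block, so it runs with whatever default `GITHUB_TOKEN` scope the repository grants even though it only needs to read the checkout; add `permissions:` / `  contents: read` under `rebuild-container`. The QEMU step registers `linux/arm64` but the build is `linux/amd64` only, so either drop that step or align `platforms:` with the weekly workflow.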
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
new file mode 100644
index 0000000..ae45fe2
--- /dev/null
+++ b/.github/workflows/trivy-analysis.yml
@@ -0,0 +1,37 @@
+name: Build and scan container for vulnerabilities with Trivy
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '22 14 * * 0'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and scan images
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout code
+        uses: actions/checkout@v4
+      -
+        name: Build image from Dockerfile
+        uses: docker/build-push-action@v5.1.0
+        with:
+          push: false
+          load: true
+          tags: ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+      -
+        name: Run Trivy vulnerability scanner against "latest" image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ secrets.DOCKER_USERNAME }}/public-pool:latest'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      -
+        name: Upload "latest" Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/update-base-image.yml b/.github/workflows/update-base-image.yml
new file mode 100644
index 0000000..365e43a
--- /dev/null
+++ b/.github/workflows/update-base-image.yml
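Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so each run executes whatever that branch holds at the time, which is a supply-chain exposure in the very workflow meant to vet the image; pin it to a release tag, or better a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # vX.Y.Z`, as the other actions in this patch are at least tag-pinned. The `upload-sarif` step needs `security-events: write` on `GITHUB_TOKEN`, which is absent when the repository's default token permissions are read-only, so declare `permissions:` with `contents: read` and `security-events: write` on the job rather than depending on repository settings. The image tag `${{ secrets.DOCKER_USERNAME }}/public-pool:latest` is empty-prefixed on `pull_request` runs from forks, where secrets are withheld; a local throwaway tag such as `public-pool:scan` is all a `push: false` / `load: true` build needs and keeps the scan working for external PRs. Without `exit-code: '1'` the scan never fails the run, which is presumably intended since findings land in the Security tab, but that choice is worth a one-line comment on the Trivy step.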
@@ -0,0 +1,61 @@
+name: "Update image and push to Github Packages and Docker Hub weekly"
+
+on:
+  schedule:
+    - cron: "0 12 * * 1" # Run every Monday at noon.
+  workflow_dispatch:
+
+jobs:
+  rebuild-container:
+    name: "Rebuild Container with the latest base image"
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Prepare outputs
+        id: prep
+        run: |
+          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+        with:
+          platforms: linux/arm64
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      -
+        name: Checkout repository
+        uses: actions/checkout@v4
+      -
+        name: Get short SHA
+        id: get_short_sha
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      -
+        name: Build and push to Docker Hub and GitHub Packages Docker Registry
+        id: docker_build
+        uses: docker/build-push-action@v5.1.0
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/public-pool:latest
+            ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
diff --git a/.github/workflows/update-image-on-push.yml b/.github/workflows/update-image-on-push.yml
new file mode 100644
index 0000000..732ad40
--- /dev/null
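Review bot: The `Prepare outputs` step still emits its value with the deprecated `::set-output` workflow command, while the `Get short SHA` step a few lines below already uses the `$GITHUB_OUTPUT` file; replace the echo with `echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"` so both outputs use one mechanism and the `org.opencontainers.image.created` label keeps being populated once the legacy command is removed. The job pushes to GHCR using `GITHUB_TOKEN` but declares no `permissions:`, so it silently depends on the repository default being permissive; state the scope explicitly with `permissions:` / `  contents: read` / `  packages: write` under `rebuild-container`, which also prevents the token from carrying write access to anything else. Since this weekly job overwrites `latest` on both registries from whatever `master` points to at the time, the `:sha_short` tag is the one to recommend to consumers who want a reproducible image, and a comment above `tags:` saying so would help.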
+++ b/.github/workflows/update-image-on-push.yml
@@ -0,0 +1,64 @@
+name: "Update image when Dockerfile is changed"
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  rebuild-container:
+    name: "Rebuild Container with the latest base image"
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Prepare outputs
+        id: prep
+        run: |
+          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+        with:
+          platforms: linux/arm64
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3.0.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      -
+        name: Checkout repository
+        uses: actions/checkout@v4
+      -
+        name: Get short SHA
+        id: get_short_sha
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      -
+        name: Build and push to Docker Hub and GitHub Packages Docker Registry
+        uses: docker/build-push-action@v5.1.0
+        id: docker_build_push
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/public-pool:latest
+            ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+          cache-to: type=inline
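Review bot: The workflow is named "Update image when Dockerfile is changed", but `on.push` carries no `paths:` filter, so every commit to `master` rebuilds and republishes `latest` on GHCR and Docker Hub; if only Dockerfile changes are meant to publish, add `paths:` / `  - Dockerfile` (plus whatever source directories the image copies) under `push:`, otherwise rename the workflow so the trigger matches its description. The `Prepare outputs` step uses the deprecated `::set-output` command while `Get short SHA` in the same file writes to `$GITHUB_OUTPUT`; change it to `echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"`. As with the weekly job, declare `permissions:` with `contents: read` and `packages: write` instead of inheriting the default token scope for a job that pushes packages. `cache-from` reads the Docker Hub `latest` tag that this same job overwrites, so a previously built `apt-get upgrade` layer is presumably reused on push builds rather than re-run; that looks acceptable given the weekly rebuild runs without a cache, but a comment on `cache-from:` noting that the weekly job is what refreshes base packages would make the split of responsibilities explicit.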
diff --git a/Dockerfile b/Dockerfile index 894bdbd..beaeb21 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,27 +2,35 @@ # Docker build environment # ############################ -FROM node:18.16.1-bookworm AS build +FROM node:18.16.1-bookworm-slim AS build + +# Upgrade all packages and install dependencies +RUN apt-get update \ + && apt-get upgrade -y +RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + python3 \ + build-essential \ + && apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* WORKDIR /build COPY . . -RUN npm i -RUN npm run build +# Build Public Pool using NPM +RUN npm i && npm run build ############################ # Docker final environment # ############################ -FROM node:18.16.1-bookworm +FROM node:18.16.1-bookworm-slim -EXPOSE 3333 -EXPOSE 3334 -EXPOSE 8332 +# Expose ports for Stratum and Bitcoin RPC +EXPOSE 3333 3334 8332 WORKDIR /public-pool +# Copy built binaries into the final image COPY --from=build /build . #COPY .env.example .env