From 8da35d1555892367adca8a3edf2f096202b2771d Mon Sep 17 00:00:00 2001 From: JonJagger Date: Sat, 8 Feb 2025 08:28:41 +0000 Subject: [PATCH 1/2] Check base-image workflow input has tag and digest --- .github/workflows/base_image_trigger.yml | 14 +++++-- .github/workflows/main.yml | 5 +++ bin/lib.sh | 50 +++++++++++++++++------- 3 files changed, 51 insertions(+), 18 deletions(-) diff --git a/.github/workflows/base_image_trigger.yml b/.github/workflows/base_image_trigger.yml index 1bf0ff6..ebb864c 100644 --- a/.github/workflows/base_image_trigger.yml +++ b/.github/workflows/base_image_trigger.yml @@ -3,11 +3,15 @@ name: Base Image Update on: workflow_dispatch: inputs: + base_image_name: + description: "Dockerfile FROM ${BASE_IMAGE} : name" + required: true + default: "cyberdojo/sinatra-base" base_image_tag: - description: "Image-Tag for cyberdojo/sinatra-base (short commit SHA - first 7 digits), eg edb2887" + description: "Dockerfile FROM ${BASE_IMAGE} : tag, eg edb2887" required: true base_image_digest: - description: "Image-Digest for cyberdojo/sinatra-base, eg ddab9080c..." + description: "Dockerfile FROM ${BASE_IMAGE} : digest, eg ddab9080c..." required: true @@ -21,8 +25,10 @@ jobs: - name: Outputs id: vars run: | - TAG_WITH_DIGEST="${{ inputs.base_image_tag }}@sha256:${{ inputs.base_image_digest }}" - echo "base_image=cyberdojo/sinatra-base:${TAG_WITH_DIGEST}" >> ${GITHUB_OUTPUT} + NAME="${{ inputs.base_image_name }}" + TAG="${{ inputs.base_image_tag }}" + DIGEST="${{ inputs.base_image_digest }}" + echo "base_image=${NAME}:${TAG}@sha256:${DIGEST}" >> ${GITHUB_OUTPUT} echo "kosli_trail=base-image-update-${{ inputs.base_image_tag }}" >> ${GITHUB_OUTPUT} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6397544..4cfc67f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
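Review bot: The `Outputs` step still interpolates the three workflow_dispatch inputs straight into the shell script with `${{ inputs.base_image_name }}`, `${{ inputs.base_image_tag }}` and `${{ inputs.base_image_digest }}`, so the input text becomes part of the script before bash runs it; the new `Check BASE_IMAGE` step in `.github/workflows/main.yml` does the same with `${{ inputs.BASE_IMAGE }}`. Passing the inputs through the step's `env:` block and reading `"${BASE_IMAGE_NAME}"`, `"${BASE_IMAGE_TAG}"` and `"${BASE_IMAGE_DIGEST}"` in the script keeps them as data rather than script text. The `kosli_trail` line also still reads `${{ inputs.base_image_tag }}` although the new `TAG` variable holds the same value, e.g. `echo "kosli_trail=base-image-update-${TAG}" >> ${GITHUB_OUTPUT}`. Who may trigger workflow_dispatch on this repository is not visible in the hunk.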
@@ -53,6 +53,11 @@ jobs: with: fetch-depth: 1 + - name: Check BASE_IMAGE + run: | + source ./bin/lib.sh + exit_non_zero_if_bad_base_image "${{ inputs.BASE_IMAGE }}" + - name: Prepare outputs for workflow jobs id: vars run: | diff --git a/bin/lib.sh b/bin/lib.sh index 785ff78..78a3c00 100644 --- a/bin/lib.sh +++ b/bin/lib.sh 
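Review bot: The new `Check BASE_IMAGE` step fails the job whenever `inputs.BASE_IMAGE` is empty, because `exit_non_zero_if_bad_base_image` matches the whole argument against a tag-and-digest regex and exits 42 on a mismatch; if this workflow also runs on a trigger that does not supply that input (the `on:` block is outside this hunk), every such run would stop here. If an unset input is meant to fall back to `echo_base_image`, guard the step, e.g. `if: ${{ inputs.BASE_IMAGE != '' }}`, or let the function accept an empty argument. The step also relies on the runner's default shell being bash, since the sourced function uses `[[ ... =~ ... ]]`; adding `shell: bash` to the step makes that explicit.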
@@ -1,22 +1,39 @@ echo_base_image() { + # This is set to the env-var BASE_IMAGE which is set as a docker-compose build --build-arg + # and used the Dockerfile's 'FROM ${BASE_IMAGE}' statement + # This BASE_IMAGE abstraction is to facilitate the base_image_trigger.yml workflow. local -r json="$(curl --fail --silent --request GET https://beta.cyber-dojo.org/saver/base_image)" - echo "${json}" | jq -r '.base_image' - # echo cyberdojo/sinatra-base:559d354@sha256:ddab9080cd0bbd8e976a18bdd01b37b66e47fe83b0db396e65dc3014bad17fd3 + local -r via_curl="$(echo "${json}" | jq -r '.base_image')" + local -r via_code="cyberdojo/sinatra-base:559d354@sha256:ddab9080cd0bbd8e976a18bdd01b37b66e47fe83b0db396e65dc3014bad17fd3" + if [ "${via_curl}" != "${via_code}" ] ; then + stderr "BASE_IMAGE sources disagree" + stderr "Via curl: '${via_curl}'" + stderr "Via code: '${via_code}'" + exit 42 + else + echo "${via_code}" + fi } -echo_env_vars() +exit_non_zero_if_bad_base_image() { - # Setup port env-vars in .env file using versioner - local -r env_filename="${ROOT_DIR}/.env" - docker run --rm cyberdojo/versioner | grep PORT > "${env_filename}" - echo "CYBER_DOJO_SAVER_CLIENT_PORT=4538" >> "${env_filename}" - - # Get identities of dependent services from versioner - # There are none + # Called in setup job in .github/workflows/main.yml + base_image="${1}" + regex=":[a-z0-9]{7}@sha256:[a-z0-9]{64}$" + if ! [[ ${base_image} =~ $regex ]]; then + stderr "BASE_IMAGE must have a 7-digit short-sha tag and a full 64-digit digest, Eg" + stderr " base_image_name : cyberdojo/sinatra-base" + stderr " base_image_tag : 559d354" + stderr " base_image_digest: ddab9080cd0bbd8e976a18bdd01b37b66e47fe83b0db396e65dc3014bad17fd3" + exit 42 + fi +} - # Set env-vars for this repos runner service +echo_env_vars() +{ + # Set env-vars for this repo if [[ ! -v BASE_IMAGE ]] ; then echo BASE_IMAGE="$(echo_base_image)" # --build-arg fi 
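Review bot: `exit_non_zero_if_bad_base_image` assigns `base_image` and `regex` without `local`, and because `bin/lib.sh` is `source`d by the `Check BASE_IMAGE` step those names leak into the calling shell; `local -r base_image="${1}"` and `local -r regex=":[0-9a-f]{7}@sha256:[0-9a-f]{64}$"` match the style used in `echo_base_image`. The character classes are also looser than the error message promises: a short commit SHA and a sha256 digest are lowercase hex, so `[0-9a-f]` would reject a constructed value such as `zzzzzzz` that `[a-z0-9]` accepts. In `echo_base_image`, a failed `curl --fail` leaves `via_curl` empty and is reported only as "BASE_IMAGE sources disagree", because `local -r json="$(...)"` masks curl's exit status; checking the status in a separate statement would name the real failure. `echo_env_vars` continues past the end of this hunk.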
@@ -25,9 +42,6 @@ echo_env_vars() echo COMMIT_SHA="${sha}" # --build-arg fi - # From versioner ... - docker run --rm cyberdojo/versioner:latest - echo CYBER_DOJO_SAVER_SHA="${sha}" echo CYBER_DOJO_SAVER_TAG="${sha:0:7}" @@ -42,6 +56,14 @@ echo_env_vars() local -r AWS_ACCOUNT_ID=244531986313 local -r AWS_REGION=eu-central-1 echo CYBER_DOJO_SAVER_IMAGE=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/saver + + # Setup port env-vars in .env file using versioner + local -r env_filename="${ROOT_DIR}/.env" + docker run --rm cyberdojo/versioner | grep PORT > "${env_filename}" + echo "CYBER_DOJO_SAVER_CLIENT_PORT=4538" >> "${env_filename}" + + # Get identities of all docker-compose.yml dependent services (from versioner) + docker run --rm cyberdojo/versioner:latest } stderr() From e00e224e1359ae725cac3efd1dedff389ce89ec1 Mon Sep 17 00:00:00 2001 From: JonJagger Date: Sat, 8 Feb 2025 08:47:28 +0000 Subject: [PATCH 2/2] Add ignore entries to .snyk config file --- .snyk | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/.snyk b/.snyk index c893c50..25e279e 100644 --- a/.snyk +++ b/.snyk 
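Review bot: The two `docker run --rm cyberdojo/versioner` calls moved to the end of `echo_env_vars` still pull a floating tag (`cyberdojo/versioner` implicitly and `cyberdojo/versioner:latest` explicitly), which sits oddly in a commit whose point is to require a digest-pinned `BASE_IMAGE`; pinning the versioner image the same way, or at least spelling the tag identically on both lines, would make the build inputs reproducible. The port file is written with `docker run --rm cyberdojo/versioner | grep PORT > "${env_filename}"`, so a failed `docker run` still leaves an empty `.env` and the pipeline's status is that of `grep`; whether the caller sets `pipefail` is not visible here, so a check on `${PIPESTATUS[0]}` after the pipeline would be the local fix. The earlier hunk in this file only removes the `docker run --rm cyberdojo/versioner:latest` line that is re-added here.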
@@ -1,3 +1,31 @@ # This file specifies snyk vulnerabilities to be ignored. # If this file contains only comments, then no vulnerabilities are ignored # but do not delete this file - it is needed for the live-snyk-scans repo workflows. +ignore: + SNYK-ALPINE320-CURL-8689556: + - '*': + reason: No fix available + expires: 2025-03-08T10:03:36.581Z + created: 2025-02-08T10:03:36.589Z + SNYK-ALPINE320-CURL-8689557: + - '*': + reason: No fix available + expires: 2025-03-08T10:03:36.581Z + created: 2025-02-08T10:03:36.589Z + SNYK-ALPINE320-CURL-8689558: + - '*': + reason: No fix available + expires: 2025-03-08T10:03:36.581Z + created: 2025-02-08T10:03:36.589Z + SNYK-ALPINE320-OPENSSL-8235201: + - '*': + reason: No fix available + expires: 2025-03-08T10:03:36.581Z + created: 2025-02-08T10:03:36.589Z + SNYK-ALPINE320-OPENSSL-8690013: + - '*': + reason: No fix available + expires: 2025-03-08T10:03:36.581Z + created: 2025-02-08T10:03:36.589Z + +patch: {} \ No newline at end of file
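Review bot: Each new `ignore` entry carries only `reason: No fix available`, which does not record which package and base-image version the finding was assessed against or whether the affected code path is reachable from this service, so whoever sees the entry at its expiry cannot tell whether the assessment still holds; a reason such as `No fix available in the Alpine 3.20 curl/openssl packages as of 2025-02-08; re-check when the base image is rebuilt` captures what was actually decided. The `'*'` path key applies each ignore to every path, which fits OS-package findings but is worth stating in the reason. The 30-day `expires` values are a sensible bound; the file should also end with a newline, since `patch: {}` currently has none.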