From 6fb7a20f8f15469b66961fe5b6704746e8479816 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomasz=20G=C4=85gor?= Date: Sun, 15 Dec 2024 22:33:04 +0100 Subject: [PATCH] feat: use https://github.com/tgagor/template-dockerfiles tool for building and squashing --- .github/workflows/build.yml | 170 +++++++++------------------ stream9/Dockerfile => Dockerfile.tpl | 3 +- build-ghcr.yaml | 27 +++++ build-hub.yaml | 32 +++++ stream10 | 1 - stream10-development | 1 - stream9/stream9 | 1 - 7 files changed, 114 insertions(+), 121 deletions(-) rename stream9/Dockerfile => Dockerfile.tpl (83%) create mode 100644 build-ghcr.yaml create mode 100644 build-hub.yaml delete mode 120000 stream10 delete mode 120000 stream10-development delete mode 120000 stream9/stream9 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 20dba8f..374dc0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -19,98 +19,26 @@ on: jobs: build: - runs-on: ubuntu-22.04 - strategy: - matrix: - tag: - - stream9 - - stream10-development + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Guess next version - id: guessed_tag_version - uses: mathieudutour/github-tag-action@v6.2 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - dry_run: true - append_to_pre_release_tag: pre - - name: Extract version from tag - env: - VERSION_TAG: ${{ steps.guessed_tag_version.outputs.new_tag }} - run: echo "DOCKER_TAG=$(echo $VERSION_TAG | sed -e "s/^v//" -e "s/-.*$//")" >> $GITHUB_ENV - - - name: Build, squash and push + - name: Setup Template Dockerfiles run: | - echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin + curl -fLo /usr/local/bin/td https://github.com/tgagor/template-dockerfiles/releases/latest/download/td-linux-amd64 + chmod +x /usr/local/bin/td - # build - docker build \ - --build-arg TAG=${{ matrix.tag }} \ - --tag tgagor/centos:${{ matrix.tag }} ${{ matrix.tag }}/ - - # squash - docker run --name tgagor-${{ matrix.tag }} tgagor/centos:${{ matrix.tag }} true - docker export tgagor-${{ matrix.tag }} | docker import \ - --change 'CMD ["/bin/bash"]' \ - --change 'LABEL maintainer="Tomasz Gągor "' \ - --change 'LABEL org.opencontainers.image.authors="Tomasz Gągor"' \ - --change 'LABEL org.opencontainers.image.licenses=GPL-2.0' \ - --change "LABEL org.opencontainers.image.version=$DOCKER_TAG" \ - --change "LABEL org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ - --change "LABEL org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ - --change "LABEL org.opencontainers.image.revision=$GITHUB_SHA" \ - --change "LABEL org.opencontainers.image.branch=${GITHUB_REF#refs/*/}" \ - --change "LABEL org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ - - tgagor/centos:${{ matrix.tag }} - - # tag - docker tag tgagor/centos:${{ matrix.tag }} ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ 
github.sha }} - - # push - docker push ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} - - security-scan: - runs-on: ubuntu-22.04 - needs: - - build - strategy: - matrix: - tag: - - stream9 - - stream10-development - steps: - - uses: actions/checkout@v4 - - name: Fetch image + - name: Build, squash and push run: | echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin - docker pull ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} + td --config build-ghcr.yaml \ + --build \ + --squash \ + --push \ + --tag ${{ github.sha }} \ + --delete - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} - format: template - template: '@/contrib/sarif.tpl' - # don't fail - exit-code: 0 - output: trivy-results.sarif - severity: CRITICAL,HIGH,MEDIUM - - - name: Upload Trivy scan results to GitHub Security tab - if: github.ref == 'refs/heads/master' - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: trivy-results.sarif - - release: - runs-on: ubuntu-22.04 - needs: - - build - - security-scan - steps: - - uses: actions/checkout@v4 - name: Bump version and push tag if: github.ref == 'refs/heads/master' id: tag_version 
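Review bot: The `Setup Template Dockerfiles` step downloads `td-linux-amd64` from the floating `releases/latest` URL and executes it with no integrity check, and because both `docker login` calls in this job run before `td`, whatever that URL serves on a given Sunday runs with push credentials for ghcr.io and Docker Hub already in `~/.docker/config.json`. Pin the release and verify the download before `chmod`: `curl -fLo /usr/local/bin/td "https://github.com/tgagor/template-dockerfiles/releases/download/${TD_VERSION}/td-linux-amd64"` followed by `echo "${TD_SHA256}  /usr/local/bin/td" | sha256sum -c -`, with both values kept as workflow `env:` entries that are bumped deliberately. While there, `echo ${{ secrets.CR_PAT }} | docker login ...` interpolates the secret into the script text; exposing it via `env:` and piping `"$CR_PAT"` is the usual pattern. The `build` job continues past the end of this hunk.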
@@ -128,43 +56,17 @@ jobs: if: github.ref != 'refs/heads/master' run: echo "DOCKER_TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV - - name: Fetch and tag images - run: | - echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin - - docker pull ghcr.io/tgagor/centos:stream9-${{ github.sha }} - docker pull ghcr.io/tgagor/centos:stream10-development-${{ github.sha }} - - docker tag ghcr.io/tgagor/centos:stream9-${{ github.sha }} tgagor/centos:stream9 - docker tag ghcr.io/tgagor/centos:stream9-${{ github.sha }} tgagor/centos:9 - docker tag ghcr.io/tgagor/centos:stream9-${{ github.sha }} tgagor/centos:${DOCKER_TAG}-stream9 - docker tag ghcr.io/tgagor/centos:stream9-${{ github.sha }} tgagor/centos:stream - docker tag ghcr.io/tgagor/centos:stream9-${{ github.sha }} tgagor/centos:${DOCKER_TAG} - docker tag ghcr.io/tgagor/centos:stream9-${{ github.sha }} tgagor/centos:latest - - docker tag ghcr.io/tgagor/centos:stream10-development-${{ github.sha }} tgagor/centos:stream10 - docker tag ghcr.io/tgagor/centos:stream10-development-${{ github.sha }} tgagor/centos:stream10-development - docker tag ghcr.io/tgagor/centos:stream10-development-${{ github.sha }} tgagor/centos:10 - docker tag ghcr.io/tgagor/centos:stream10-development-${{ github.sha }} tgagor/centos:${DOCKER_TAG}-stream10 - docker tag ghcr.io/tgagor/centos:stream10-development-${{ github.sha }} tgagor/centos:${DOCKER_TAG}-stream10-development - - - name: Push images + - name: Rebuild for Docker Hub and Push if: github.ref == 'refs/heads/master' run: | echo ${{ secrets.HUB_ACCESS }} | docker login -u $GITHUB_ACTOR --password-stdin - docker push tgagor/centos:${DOCKER_TAG}-stream9 - docker push tgagor/centos:stream9 - docker push tgagor/centos:9 - docker push tgagor/centos:stream - docker push tgagor/centos:${DOCKER_TAG} - docker push tgagor/centos:latest - - docker push tgagor/centos:${DOCKER_TAG}-stream10 - docker push tgagor/centos:${DOCKER_TAG}-stream10-development - docker push 
tgagor/centos:stream10 - docker push tgagor/centos:stream10-development - docker push tgagor/centos:10 + td --config build-hub.yaml \ + --build \ + --squash \ + --push \ + --tag ${{ github.sha }} \ + --delete - name: Update README if: github.ref == 'refs/heads/master' && !contains(github.event.commits[0].message, 'auto-update README') @@ -208,3 +110,39 @@ jobs: release_name: Release ${{ steps.tag_version.outputs.new_tag }} body: | Weekly rebuild on ${{ steps.date.outputs.date }} + + + security-scan: + runs-on: ubuntu-latest + needs: + - build + strategy: + matrix: + tag: + - stream9 + - stream10 + steps: + - uses: actions/checkout@v4 + - name: Fetch image + run: | + echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin + + set -x + docker pull ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/tgagor/centos:${{ matrix.tag }}-${{ github.sha }} + format: template + template: '@/contrib/sarif.tpl' + # don't fail + exit-code: 0 + output: trivy-results.sarif + severity: CRITICAL,HIGH,MEDIUM + + - name: Upload Trivy scan results to GitHub Security tab + if: github.ref == 'refs/heads/master' + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: trivy-results.sarif diff --git a/stream9/Dockerfile b/Dockerfile.tpl similarity index 83% rename from stream9/Dockerfile rename to Dockerfile.tpl index 32113f7..620da0b 100644 --- a/stream9/Dockerfile +++ b/Dockerfile.tpl @@ -1,5 +1,4 @@ -ARG TAG=stream -FROM quay.io/centos/centos:$TAG +FROM quay.io/centos/centos:{{ .centos }} # upgrade packages RUN dnf upgrade --setopt=install_weak_deps=False -y && \ diff --git a/build-ghcr.yaml b/build-ghcr.yaml new file mode 100644 index 0000000..7b1e0b1 --- /dev/null +++ b/build-ghcr.yaml 
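Review bot: The `Rebuild for Docker Hub and Push` step builds the images a second time from `Dockerfile.tpl` instead of re-tagging the ghcr.io images that `security-scan` pulls, so the artifact published as `tgagor/centos:latest` is no longer the artifact that gets scanned (a second `dnf upgrade` can resolve different packages), and it is pushed from the `build` job before `security-scan` has started. Consider moving this step into a job that `needs: [build, security-scan]` and copying the already-built `ghcr.io/tgagor/centos:<stream>-${{ github.sha }}` tags by digest (for example `docker buildx imagetools create --tag ...` or `crane copy`) rather than rebuilding. Note also that `DOCKER_TAG`, still computed in the preceding steps, is no longer consumed here — `td` is given `--tag ${{ github.sha }}` — so unless td derives the release version itself, the versioned Hub tags the removed `docker tag` lines produced are gone. The `build` job's remaining steps continue past this hunk.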
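Review bot: `uses: aquasecurity/trivy-action@master` runs an unpinned mutable branch of a third-party action on a runner that has just logged in to ghcr.io with `CR_PAT`; pin it to a released tag or full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release tag>`. With `exit-code: 0` and the job depending only on `build`, the scan is purely informational — nothing waits for it — and the SARIF is uploaded only on `master`, so on other branches it is produced and discarded. If that is intended, say so on the job (`# informational only: results never gate a push`) so the next reader does not assume the Hub tags are scan-gated. `github/codeql-action/upload-sarif@v2` is a major version behind as well; worth checking whether it is still supported.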
@@ -0,0 +1,27 @@
+---
+registry: ghcr.io
+prefix: tgagor
+maintainer: Tomasz Gągor
+
+labels:
+ org.opencontainers.image.licenses: GPL-2.0-only
+ org.opencontainers.image.url: https://hub.docker.com/repository/docker/tgagor/centos/general
+ org.opencontainers.image.documentation: https://github.com/tgagor/docker-centos/blob/master/README.md
+ org.opencontainers.image.title: Weekly updated CentOS Docker images
+ org.opencontainers.image.description: |
+ Those images are just standard CentOS base images, but:
+
+ 1. With all the package updates installed weekly.
+ 2. Squashed to single layer for a smaller size.
+
+images:
+ centos:
+ dockerfile: Dockerfile.tpl
+ variables:
+ centos:
+ - stream9
+ - stream10
+ tags:
+ - centos:{{ .centos }}-{{ .tag }}
+ labels:
+ org.opencontainers.image.base.name: quay.io/centos/centos:{{ .centos }}
diff --git a/build-hub.yaml b/build-hub.yaml
new file mode 100644
index 0000000..a00b34a
--- /dev/null
+++ b/build-hub.yaml
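Review bot: The label set in `build-ghcr.yaml` drops `org.opencontainers.image.source`, which the removed `docker import --change` lines set to `$GITHUB_SERVER_URL/$GITHUB_REPOSITORY`; ghcr.io uses that label to link a package to its repository, and `org.opencontainers.image.url` here points at Docker Hub rather than the ghcr package. Add `org.opencontainers.image.source: https://github.com/tgagor/docker-centos` under `labels:` (the repository URL is already visible in the `documentation` label). The `revision`, `created` and `version` labels the old script wrote are also absent from this file; if `td` does not add them itself, the published image loses its traceability to a commit.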
@@ -0,0 +1,32 @@
+---
+prefix: tgagor
+maintainer: Tomasz Gągor
+
+labels:
+ org.opencontainers.image.licenses: GPL-2.0-only
+ org.opencontainers.image.url: https://hub.docker.com/repository/docker/tgagor/centos/general
+ org.opencontainers.image.documentation: https://github.com/tgagor/docker-centos/blob/master/README.md
+ org.opencontainers.image.title: Weekly updated CentOS Docker images
+ org.opencontainers.image.description: |
+ Those images are just standard CentOS base images, but:
+
+ 1. With all the package updates installed weekly.
+ 2. Squashed to single layer for a smaller size.
+
+images:
+ centos:
+ dockerfile: Dockerfile.tpl
+ variables:
+ centos:
+ - stream9
+ - stream10
+ tags:
+ - centos:{{ .centos }}
+ - centos:{{ .centos | trimPrefix "stream" }}
+ - centos:{{ .tag | splitList "-" | first }}-{{ .centos }}
+ - centos:{{ .tag | splitList "-" | first }}
+ - centos:{{ .centos }}-{{ .tag | splitList "-" | rest | first }}
+ - centos:stream
+ - centos:latest
+ labels:
+ org.opencontainers.image.base.name: quay.io/centos/centos:{{ .centos }}
diff --git a/stream10 b/stream10
deleted file mode 120000
index 51c76d5..0000000
--- a/stream10
+++ /dev/null
@@ -1 +0,0 @@
-stream9
\ No newline at end of file
diff --git a/stream10-development b/stream10-development
deleted file mode 120000
index 51c76d5..0000000
--- a/stream10-development
+++ /dev/null
@@ -1 +0,0 @@
-stream9
\ No newline at end of file
diff --git a/stream9/stream9 b/stream9/stream9
deleted file mode 120000
index 51c76d5..0000000
--- a/stream9/stream9
+++ /dev/null
@@ -1 +0,0 @@
-stream9
\ No newline at end of file
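Review bot: `tags:` is expanded once per value of the `centos` variable, and the last two entries, `centos:stream` and `centos:latest`, contain no `{{ .centos }}`, so both the stream9 and the stream10 iteration produce them and whichever is pushed last wins — the removed workflow lines pointed `latest` and `stream` at stream9 explicitly. Unless td has a documented rule for such collisions, make the intent explicit, e.g. by emitting them only for the intended stream or keeping them under a separate image entry. The `.tag` templates also assume a dash-separated value: with `--tag ${{ github.sha }}` from the workflow, `splitList "-" | first` is the whole SHA and `rest | first` is empty (rendered as `<no value>` under Go templates), giving tags like `centos:stream9-<no value>` — confirm what td actually passes as `.tag`.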