Update and move to qlever-llc

Qlever-LLC · Jun 9, 2021 · 4d84fe9 · 4d84fe9
1 parent a81d401
commit 4d84fe9
Show file tree

Hide file tree

Showing 21 changed files with 1,765 additions and 1,060 deletions.
diff --git a/.github/workflows/build-and-push-services.yml b/.github/workflows/build-and-push-services.yml
@@ -4,6 +4,11 @@ on:
   push:
   pull_request:
 
+env:
+  # Set to true to push images to DockerHub
+  # NB: images are public unless you configure DockerHub repo properly
+  DOCKERHUB_PUSH: 1
+
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -70,12 +75,14 @@ jobs:
 
   build-and-push:
     name: Build and push docker Image
-    needs: setup
+    needs:
+      - setup
 
     strategy:
       matrix:
         service:
-          - 'trellisfw/unfisk'
+          # Assume repo slug is the service slug?
+          - ${{ github.repository }}
         context:
           - '.'
 
@@ -86,7 +93,7 @@ jobs:
         uses: actions/[email protected]
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
 
       - name: Set up Docker Buildx
         id: buildx
@@ -102,36 +109,52 @@ jobs:
 
       - name: Cache docker layers
         if: ${{ !env.ACT }} # Awaiting ACT version after 0.2.17 for this feature
-        uses: actions/[email protected].5
+        uses: actions/[email protected].6
         id: cache
         with:
           path: /tmp/.buildx-cache
-          #key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ github.sha }}
-          # Don't separate cache by service etc.
-          key: ${{ runner.os }}-buildx
+          key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ github.sha }}
           restore-keys: |
-            ${{ runner.os }}-buildx-${{ matrix.service }}
+            ${{ runner.os }}-buildx-${{ matrix.service }}-
             ${{ runner.os }}-buildx-
 
       - name: Prepare Tags
         id: prepare
+        # TODO: Clean up this monstrosity... one day...
         run: |
-          DOCKER_IMAGE=${{ matrix.service }}
+          # Nameo on DockerHub (Doesn't like upper case)
+          DOCKER_IMAGE=$(echo ${{ matrix.service }} | tr '[:upper:]' '[:lower:]')
+          # Name on GHCR
+          GHCR_IMAGE=ghcr.io/${DOCKER_IMAGE}
+          # Allow overriding DockerHub repo if different from slug?
+          if [[ "${{ secrets.DOCKER_REPO }}" ]]; then
+            DOCKER_IMAGE=$(echo ${{ matrix.service }} | sed 's/${{ github.repository_owner }}/${{ secrets.DOCKER_REPO }}/g')
+          fi
 
-          TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.version }}"
+          TAGS="${GHCR_IMAGE}:${{ needs.setup.outputs.version }}"
+          DH_TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.version }}"
           if [[ "${{ needs.setup.outputs.release }}" ]]; then
             if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then
-              TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}"
+              TAGS="${GHCR_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}"
+              DH_TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}"
               # TODO: Keep old prerelease builds?
             else
-              TAGS="$TAGS,${DOCKER_IMAGE}:latest"
-              TAGS="$TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}"
-              TAGS="$TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.major }}"
+              TAGS="$TAGS,${GHCR_IMAGE}:latest"
+              TAGS="$TAGS,${GHCR_IMAGE}:${{ needs.setup.outputs.major }}"
+              TAGS="$TAGS,${GHCR_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}"
+              DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:latest"
+              DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}"
+              DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}"
             fi
           fi
 
           if [ "${{ github.event_name }}" = "push" ]; then
-            TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
+            TAGS="$TAGS,${GHCR_IMAGE}:sha-${GITHUB_SHA::8}"
+            DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
+          fi
+
+          if [[ "${{ env.DOCKERHUB_PUSH }}" ]]; then
+            TAGS="$TAGS,${DH_TAGS}"
           fi
 
           echo ::set-output name=tags::${TAGS}
@@ -140,14 +163,22 @@ jobs:
           echo ${{ github.event.repository.license }}
 
       - name: Login to DockerHub
-        if: github.event_name != 'pull_request'
+        if: ${{ env.DOCKERHUB_PUSH && github.event_name != 'pull_request' }}
         uses: docker/[email protected]
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build and push
-        uses: docker/[email protected]
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push images
+        uses: docker/[email protected]
         with:
           context: ${{ matrix.context }}
           file: ${{ matrix.context }}/Dockerfile
@@ -158,6 +189,7 @@ jobs:
             VERSION=${{ steps.prepare.outputs.version }}
             BUILD_DATE=${{ steps.prepare.outputs.created }}
             GIT_REF=${{ github.sha }}
+            SERVICE=${{ matrix.service }}
           labels: |
             org.opencontainers.image.title=${{ matrix.service }}
             org.opencontainers.image.url=${{ github.event.repository.html_url }}
@@ -167,4 +199,97 @@ jobs:
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
           cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+      - # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+        name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+  # Use Snyk to check docker image
+  snyk-image:
+    name: Snyk Checks
+
+    needs:
+      - setup
+      - build-and-push
+
+    strategy:
+      matrix:
+        service:
+          # Assume repo slug is the service slug?
+          - ${{ github.repository }}
+        context:
+          - '.'
+
+    runs-on: ubuntu-latest
+
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    # Only run if we have a Snyk token?
+    #if: ${{ env.SNYK_TOKEN }}
+
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Find Docker tag for Snyk
+        id: tag
+        run: |
+          # Doesn't like upper case
+          OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')
+          # Nameo on DockerHub (Doesn't like upper case)
+          DOCKER_IMAGE=$(echo ${{ matrix.service }} | tr '[:upper:]' '[:lower:]')
+          # Name on GHCR
+          GHCR_IMAGE=ghcr.io/${DOCKER_IMAGE}
+          # Allow overriding DockerHub repo if different from slug?
+          if [[ "${{ secrets.DOCKER_REPO }}" ]]; then
+            DOCKER_IMAGE=$(echo ${{ matrix.service }} | sed 's/${{ github.repository_owner }}/${{ secrets.DOCKER_REPO }}/g')
+          fi
+
+          TAG="${GHCR_IMAGE}:next"
+          if [[ "${{ needs.setup.outputs.release }}" ]]; then
+            if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then
+              TAG="${GHCR_IMAGE}:next"
+            else
+              TAG="${GHCR_IMAGE}:latest"
+            fi
+          fi
+
+          echo ::set-output name=tag::${TAG}
+          echo ::set-output name=org::${OWNER}
+          echo ::set-output name=cur::${GHCR_IMAGE}:sha-${GITHUB_SHA::8}
+
+      - name: Monitor Service image with Snyk
+        uses: snyk/actions/docker@master
+        # Don't break workflow on errros?
+        continue-on-error: true
+        with:
+          command: container monitor
+          image: ${{ steps.tag.outputs.tag }}
+          args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile
+
+      - name: Test current Service image with Snyk
+        uses: snyk/actions/docker@master
+        # Don't break workflow on errros?
+        continue-on-error: true
+        with:
+          image: ${{ steps.tag.outputs.tag }}
+          args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile
+
+      - name: Secure Code Warrior
+        uses: SecureCodeWarrior/github-action-add-sarif-contextual-training@v1
+        with:
+          inputSarifFile: ./snyk.sarif
+          outputSarifFile: ./securecodewarrior.sarif
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ./securecodewarrior.sarif
+          #sarif_file: ./snyk.sarif
diff --git a/.gitignore b/.gitignore
@@ -17,10 +17,10 @@ docker-compose.override.yml
 act/
 
 # yarn 2 stuff
-**/.yarn/*
-!**/.yarn/releases
-!**/.yarn/plugins
-!**/.yarn/versions
-**/.pnp.*
+.yarn/*
+!.yarn/releases
+!.yarn/plugins
+!.yarn/versions
+.pnp.*
 # ignore sdk stuff
-**/.vim
+.vim
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1,15 @@
+dist
+node_modules
+yarn-cache
+services-available
+
+LICENSE
+
+tags*
+
+**/yarn.lock
+**/yarn-error.log
+**/.yarn/*
+**/.pnp.*
+
+act
diff --git a/.prettierrc.json b/.prettierrc.json
@@ -1,4 +1,5 @@
 {
   "singleQuote": true,
-  "quoteProps": "consistent"
+  "quoteProps": "consistent",
+  "overrides": [{ "files": ".yarnrc.yml", "options": { "singleQuote": false } }]
 }
diff --git a/.yarn/releases/yarn-2.4.1.cjs → .yarn/releases/yarn-2.4.2.cjs b/.yarn/releases/yarn-2.4.1.cjs → .yarn/releases/yarn-2.4.2.cjs
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -6,4 +6,4 @@ plugins:
   - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
     spec: "@yarnpkg/plugin-workspace-tools"
 
-yarnPath: .yarn/releases/yarn-2.4.1.cjs
+yarnPath: .yarn/releases/yarn-2.4.2.cjs
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,13 @@
 ARG NODE_VER=16-alpine
+ARG SERVICE=Qlever-LLC/unfisk
 
 FROM node:$NODE_VER AS install
+ARG SERVICE
 
-WORKDIR /trellis/unfisk
+WORKDIR /$SERVICE
 
-COPY ./.yarn /trellis/unfisk/.yarn
-COPY ./package.json ./yarn.lock ./.yarnrc.yml /trellis/unfisk/
+COPY ./.yarn /$SERVICE/.yarn
+COPY ./package.json ./yarn.lock ./.yarnrc.yml /$SERVICE/
 
 RUN yarn workspaces focus --all --production
 
@@ -14,20 +16,27 @@ FROM install AS build
 # Install dev deps too
 RUN yarn install --immutable
 
-COPY . /trellis/unfisk/
+COPY . /$SERVICE/
 
 # Build code and remove dev deps
-RUN yarn build && rm -rfv .yarn .pnp*
+RUN yarn build --verbose && rm -rfv .yarn .pnp*
 
 FROM node:$NODE_VER AS production
+ARG SERVICE
+
+# Install needed packages
+RUN apk add --no-cache \
+    dumb-init
 
 # Do not run service as root
 USER node
 
-WORKDIR /trellis/unfisk
+WORKDIR /$SERVICE
 
-COPY --from=install /trellis/unfisk/ /trellis/unfisk/
-COPY --from=build /trellis/unfisk/ /trellis/unfisk/
+COPY --from=install /$SERVICE/ /$SERVICE/
+COPY --from=build /$SERVICE/ /$SERVICE/
 
-ENTRYPOINT ["yarn", "run"]
+# Launch entrypoint with dumb-init
+# Remap SIGTERM to SIGINT https://github.com/Yelp/dumb-init#signal-rewriting
+ENTRYPOINT ["/usr/bin/dumb-init", "--rewrite", "15:2", "--", "yarn", "run"]
 CMD ["start"]