Fixed dockerize install steps - 5.x

.github/PULL_REQUEST_TEMPLATE.md

@@ -26,3 +26,7 @@ Improvement - Description (#ISSUENUMBER)
 
 # Closing issues
 Put `closes #XXXX` in your comment to auto-close the issue that your PR fixes (if such).
+
+# PR Comment Commands
+
+- Commenting `/build` on a pull request will trigger the build & deploy workflow for the current branch.

.github/workflows/build-deploy.yml

@@ -6,6 +6,9 @@ on:
       - closed
       - opened
       - synchronize
+  issue_comment:
+    types:
+      - created
   schedule:
     - cron: '23 20 * * 0'
   workflow_dispatch:
@@ -14,7 +17,11 @@ env:
   REGISTRY: ghcr.io
 jobs:
   buildx:
-    if: github.event.pull_request.merged == true || contains(fromJson('["schedule", "workflow_dispatch"]'), github.event_name) || github.event_name == 'pull_request' && startsWith(github.head_ref,'build/')
+    if: |-
+      github.event.pull_request.merged == true || 
+      contains(fromJson('["schedule", "workflow_dispatch"]'), github.event_name) || 
+      github.event_name == 'pull_request' && startsWith(github.head_ref,'build/') ||
+      ( github.event.issue.pull_request && contains(github.event.comment.body, '/build') )
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -24,7 +31,7 @@ jobs:
         uses: docker/setup-qemu-action@v2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - uses: actions/checkout@v3
 
@@ -45,6 +52,7 @@ jobs:
             type=ref,event=pr,enable=${{ github.event.pull_request.merged == false }}
             type=raw,value=${{ github.event.pull_request.base.ref }},enable=${{ github.event.pull_request.merged == true }}
             type=ref,event=branch,enable=${{ contains(fromJson('["schedule", "workflow_dispatch"]'), github.event_name) }}
+            type=raw,event=default,value=pr-${{ github.event.issue.number }},enable=${{ github.event.issue.pull_request != null }}
           labels: |
             maintainer=Digital Victoria
             repository=${{ github.repositoryUrl }}
@@ -53,6 +61,23 @@ jobs:
             org.opencontainers.image.title=${{ matrix.images }}
             org.opencontainers.image.description=${{ matrix.images }} image for Bay container platform
 
+      - name: Create the AWX-EE context
+        if: matrix.images == 'awx-ee'
+        run: |
+          pip install --upgrade ansible-builder
+          ansible-builder create \
+            --output-filename Dockerfile \
+            --verbosity 3
+        working-directory: ./images/awx-ee
+
+      - name: Upload AWX-EE context for review
+        if: matrix.images == 'awx-ee'
+        uses: actions/upload-artifact@v4
+        with:
+          name: awx-ee-context
+          path: ./images/awx-ee/context
+          retention-days: 1
+
       - name: Build and push the images
         uses: docker/[email protected]
         with:
@@ -61,4 +86,4 @@ jobs:
             ./gh-actions-bake.hcl
             ${{ steps.meta.outputs.bake-file }}
           # Target the default group - probably unnecessary.
-          targets: ${{ matrix.images }}
+          targets: ${{ matrix.images }}

.github/workflows/vulnerability-scan-build.yml

@@ -21,7 +21,7 @@ jobs:
           echo "SANITISED-REF-NAME=${{ github.ref_name }}" | tr  '/' '-' >> "$GITHUB_OUTPUT"
       - name: Scan for vulnerabilities
         id: scan
-        uses: crazy-max/ghaction-container-scan@v2
+        uses: crazy-max/ghaction-container-scan@v3
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ steps.sanitise-ref-name.outputs.SANITISED-REF-NAME }}
           dockerfile: ./images/${{ matrix.images }}

.github/workflows/vulnerability-scan-schedule-5x.yml

@@ -0,0 +1,33 @@
+name: vulnerability-scan-schedule
+run-name: Scheduled CVE vulnerability scan of published images.
+env:
+  REGISTRY: ghcr.io
+on:
+  schedule:
+    - cron: '0 22 * * 3'
+  workflow_dispatch:
+jobs:
+  vulnerability-scan-schedule:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        images: ${{ fromJson(vars.IMAGES) }}
+        exclude:
+          - images: mailpit
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: 5.x
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: crazy-max/ghaction-container-scan@v3
+        with:
+          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:5.x
+          annotations: true
+          dockerfile: ./images/${{ matrix.images }}
+      - name: Upload SARIF file
+        if: ${{ steps.scan.outputs.sarif != '' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/vulnerability-scan-schedule-6x.yml

@@ -0,0 +1,32 @@
+name: vulnerability-scan-schedule
+run-name: Scheduled CVE vulnerability scan of published images.
+env:
+  REGISTRY: ghcr.io
+on:
+  schedule:
+    - cron: '0 22 * * 3'
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan-schedule:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        images: ${{ fromJson(vars.IMAGES) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: 6.x
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: crazy-max/ghaction-container-scan@v3
+        with:
+          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:6.x
+          annotations: true
+          dockerfile: ./images/${{ matrix.images }}
+      - name: Upload SARIF file
+        if: ${{ steps.scan.outputs.sarif != '' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

gh-actions-bake.hcl

@@ -20,7 +20,14 @@ target "elasticsearch" {
 }
 target "mailhog" {
   inherits = ["docker-metadata-action"]
-  context       = "${CONTEXT}/mailhog"
+  context       = "${CONTEXT}/mailpit"
+  dockerfile    = "Dockerfile"
+
+  platforms     = ["linux/amd64", "linux/arm64"]
+}
+target "mailpit" {
+  inherits = ["docker-metadata-action"]
+  context       = "${CONTEXT}/mailpit"
   dockerfile    = "Dockerfile"
 
   platforms     = ["linux/amd64", "linux/arm64"]
@@ -60,7 +67,7 @@ target "php-cli" {
 
   labels = {
     "org.opencontainers.image.description" = "PHP Drupal CLI image for Bay container platform"
-    "org.opencontainers.image.source" = "https://github.com/dpc-sdp/bay/blob/5.x/images/bay-php/Dockerfile.cli"
+    "org.opencontainers.image.source" = "https://github.com/dpc-sdp/bay/blob/6.x/images/bay-php/Dockerfile.cli"
   }
 }
 target "php-fpm" {
@@ -72,7 +79,7 @@ target "php-fpm" {
 
   labels = {
     "org.opencontainers.image.description" = "PHP-FPM image for Bay container platform"
-    "org.opencontainers.image.source" = "https://github.com/dpc-sdp/bay/blob/5.x/images/bay-php/Dockerfile.fpm"
+    "org.opencontainers.image.source" = "https://github.com/dpc-sdp/bay/blob/6.x/images/bay-php/Dockerfile.fpm"
   }
 }
 target "ripple-static" {
@@ -86,4 +93,12 @@ target "ripple-static" {
     "org.opencontainers.image.description" = "Ripple static site generator image optimised for the Bay container platform"
   }
 }
-
+target "awx-ee" {
+    inherits = ["docker-metadata-action"]
+    context = "${CONTEXT}/awx-ee/context"
+    platforms = ["linux/amd64", "linux/arm64"]
+    args = {
+        PYCMD = "/usr/local/bin/python3"
+        PKGMGR = "/usr/bin/apt-get"
+    }
+}

images/awx-ee/README.md

@@ -9,7 +9,7 @@ The AWX execution environment is a container image that AWX will use to execute
 - `requirements.txt`: Defined python dependencies
 - `requirements.yml`: Ansible collections to install
 
-AWX has `singledigital/awx-ee:latest` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in.
+AWX has `ghcr.io/dpc-sdp/bay/awx-ee:6.x` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in.
 
 ## Dependencies
 
@@ -20,7 +20,7 @@ AWX has `singledigital/awx-ee:latest` added as an execution environment with a p
 Commands run from this directory if you have ansible-builder installed locally.
 
 ```
-$ ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker
+$ ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:6.x --container-runtime docker
 ```
 
 OR run with docker.
@@ -31,14 +31,14 @@ $ docker run --rm -it \
     -v $(pwd):/data \
     -w /data \
     quay.io/ansible/ansible-builder:latest \
-      ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker
+      ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:6.x --container-runtime docker
 
 # Build the image
-$ docker build -f context/Dockerfile -t singledigital/awx-ee:latest context
+$ docker build -f context/Dockerfile -t ghcr.io/dpc-sdp/bay/awx-ee:6.x context
 ```
 
 ## Deploying the image
 
 ```
-$ docker push singledigital/awx-ee:latest
+$ docker push ghcr.io/dpc-sdp/bay/awx-ee:6.x
 ```

images/awx-ee/bindep.txt

@@ -22,3 +22,4 @@ curl
 openssl
 jq
 rsync
+apache2-utils

images/awx-ee/docker-bake.hcl

@@ -7,17 +7,15 @@ variable "IMAGE_TAG" {
 }
 
 group "default" {
-    targets = ["ee"]
+    targets = ["awx-ee"]
 }
 
-target "ee" {
+target "docker-metadata-action" {}
+
+target "awx-ee" {
+    inherits = ["docker-metadata-action"]
     context = "./context"
-    dockerfile = "Dockerfile"
     platforms = ["linux/amd64", "linux/arm64"]
-    tags = [
-        // "singledigital/awx-ee:${IMAGE_TAG}",
-        "${GHCR}/dpc-sdp/bay/awx-ee:${IMAGE_TAG}"
-    ]
     args = {
         PYCMD = "/usr/local/bin/python3"
         PKGMGR = "/usr/bin/apt-get"