From bbed02953f08d41b74234de20f210e4734280afc Mon Sep 17 00:00:00 2001 From: Leon Kuchenbecker Date: Wed, 9 Oct 2024 08:57:17 +0200 Subject: [PATCH] Revert last Docker CD refactoring (#59) * Revert "Fix tag extraction in dockerhub CD (#56)" This reverts commit 1d683638c4e52ce5ccda708edce5dec31b1a7593. * Revert "Refactor Docker Hub CI to use composite action and enable debian / alpine flavors (#54)" This reverts commit 92e9ab329fd2faac4bf8c1dbf9b3ce8c13130020. * Switch Dockerfile to Alpine --- .github/workflows/ci_workflow_dispatch.yaml | 49 ++++++++++++++----- .github/workflows/docker_on_release.yaml | 54 ++++++++++++++++----- Dockerfile | 1 - Dockerfile.debian | 48 ------------------ 4 files changed, 77 insertions(+), 75 deletions(-) delete mode 100644 Dockerfile.debian diff --git a/.github/workflows/ci_workflow_dispatch.yaml b/.github/workflows/ci_workflow_dispatch.yaml index 0a3d087b..e94b0e1f 100644 --- a/.github/workflows/ci_workflow_dispatch.yaml +++ b/.github/workflows/ci_workflow_dispatch.yaml @@ -34,7 +34,6 @@ jobs: strategy: matrix: service: ${{ fromJson(needs.changed-services.outputs.services) }} - flavor: ["", "debian"] fail-fast: false steps: 
@@ -74,17 +73,41 @@ jobs: id: symlink-requirements run: cp -r lock services/${{ matrix.service }}/lock - - name: Prepare Dockerfiles - id: prepare-dockerfiles - run: cp Dockerfile* services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile* + - name: Prepare Dockerfile + id: prepare-dockerfile + run: cp Dockerfile services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile - - name: Docker build and push - uses: ghga-de/gh-action-ci@v1 + - uses: docker/setup-qemu-action@v3 + name: Set up QEMU + + - uses: docker/setup-buildx-action@v3 + name: Set up Docker Buildx + + - uses: docker/login-action@v3 + name: Login to DockerHub + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - uses: docker/build-push-action@v5 + name: Build and push + id: docker_build with: - checkout: "false" - dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} - dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }} - tag: "${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}" - trivy_severity: "CRITICAL" - flavor: "${{ matrix.flavor }}" - working_directory: "services/${{ matrix.service }}" + push: true + platforms: "${{ env.DOCKERHUB_PLATFORMS }}" + tags: "${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}" + context: "services/${{ matrix.service }}" + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "docker.io/${{ env.DOCKERHUB_NAMESPACE }}/${{ steps.extract-service-name.outputs.name }}:${{ steps.extract-service-version.outputs.version }}-${{ github.sha }}" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: 
${{ env.TRIVY_SEVERITY }} + + - name: Image digest + shell: bash + run: echo ${{ steps.docker_build.outputs.digest }} diff --git a/.github/workflows/docker_on_release.yaml b/.github/workflows/docker_on_release.yaml index 580e989c..c513780b 100644 --- a/.github/workflows/docker_on_release.yaml +++ b/.github/workflows/docker_on_release.yaml @@ -127,7 +127,6 @@ jobs: strategy: matrix: service: ${{ fromJson(needs.changed-services.outputs.services) }} - flavor: ["", "debian"] fail-fast: false steps: 
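Review bot: The Trivy step in this hunk runs only after `docker/build-push-action` has already executed with `push: true`, so an image that fails the scan (`exit-code: "1"`) has already been published under the `…-${{ github.sha }}` tag; the docker_on_release.yaml hunk below has the same ordering, with the release tag. Building a local single-platform candidate with `load: true`, scanning that, and only then running the multi-platform push step keeps rejected images out of the registry (buildx cache makes the second build cheap). Separately, `uses: aquasecurity/trivy-action@master` tracks a mutable branch while every other action here is pinned to a major tag (`@v3`, `@v5`); in a job that holds `secrets.DOCKERHUB_TOKEN`, pin it to a release tag or commit SHA. `env.TRIVY_SEVERITY` and `env.DOCKERHUB_PLATFORMS` are not defined within the hunk; presumably they are set at workflow level, otherwise `severity:` expands to an empty string. The job's steps list starts before this hunk.
```yaml
      - uses: docker/build-push-action@v5
        name: Build for scanning (local, single platform)
        with:
          load: true
          tags: "scan-candidate:${{ github.sha }}"  # constructed local tag, never pushed
          context: "services/${{ matrix.service }}"

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<release-tag-or-sha>  # placeholder: pin instead of @master
        with:
          image-ref: "scan-candidate:${{ github.sha }}"
          # … unchanged: format, exit-code, ignore-unfixed, vuln-type, severity …

      # … unchanged: multi-platform build-push-action step with push: true, now placed after the scan …
```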
@@ -174,21 +173,50 @@ jobs: exit 1 fi + - name: Ensure that tag complies with semantic versioning. + uses: matt-usurp/validate-semver@v2 + with: + version: ${{ steps.extract-service-version.outputs.version }} + - name: Symlink requirement files id: symlink-requirements run: cp -r lock services/${{ matrix.service }}/lock - - name: Prepare Dockerfiles - id: prepare-dockerfiles - run: cp Dockerfile* services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile* + - name: Prepare Dockerfile + id: prepare-dockerfile + run: cp Dockerfile services/${{ matrix.service }}/ && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"${{ matrix.service }}\"]/" services/${{ matrix.service }}/Dockerfile + + - uses: docker/setup-qemu-action@v3 + name: Set up QEMU - - name: Docker build and push - uses: ghga-de/gh-action-ci@v1 + - uses: docker/setup-buildx-action@v3 + name: Set up Docker Buildx + + - uses: docker/login-action@v3 + name: Login to DockerHub with: - checkout: "false" - dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }} - dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }} - tag: "${{ steps.extract-service-version.outputs.version }}" - trivy_severity: "CRITICAL" - flavor: "${{ matrix.flavor }}" - working_directory: "services/${{ matrix.service }}" + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - uses: docker/build-push-action@v5 + name: Build and push + id: docker_build + with: + push: true + platforms: "${{ env.DOCKERHUB_PLATFORMS }}" + tags: "${{ steps.docker-tag.outputs.tag }}" + context: "services/${{ matrix.service }}" + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: "docker.io/${{ steps.docker-tag.outputs.tag }}" + format: "table" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: ${{ env.TRIVY_SEVERITY }} + + - name: Image digest + shell: bash + run: echo ${{ 
steps.docker_build.outputs.digest }} diff --git a/Dockerfile b/Dockerfile index ae6b887b..b7e4c738 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,5 +46,4 @@ WORKDIR /home/appuser USER appuser ENV PYTHONUNBUFFERED=1 -# Please adapt to package name: ENTRYPOINT [] diff --git a/Dockerfile.debian b/Dockerfile.debian deleted file mode 100644 index b867d7c4..00000000 --- a/Dockerfile.debian +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright 2021 - 2024 Universität Tübingen, DKFZ, EMBL, and Universität zu Köln -# for the German Human Genome-Phenome Archive (GHGA) -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -## creating building container -FROM python:3.12-slim-bookworm AS builder -# update and install dependencies -RUN apt update -RUN apt upgrade -y -RUN pip install build -# copy code -COPY . /service -WORKDIR /service -# build wheel -RUN python -m build - -# creating running container -FROM python:3.12-slim-bookworm -# update and install dependencies -RUN apt update -RUN apt upgrade -y -# copy and install requirements and wheel -WORKDIR /service -COPY --from=builder /service/lock/requirements.txt /service -RUN pip install --no-deps -r requirements.txt -RUN rm requirements.txt -COPY --from=builder /service/dist/ /service -RUN pip install --no-deps *.whl -RUN rm *.whl -# create new user and execute as that user -RUN useradd --create-home appuser -WORKDIR /home/appuser -USER appuser -# set environment -ENV PYTHONUNBUFFERED=1 - -ENTRYPOINT []
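Review bot: `tags: "${{ steps.docker-tag.outputs.tag }}"` and the Trivy `image-ref` depend on a step with id `docker-tag`, but no step with that id appears in this hunk; if it is defined earlier in the job this is fine, otherwise both expressions expand to an empty string and `docker/build-push-action` fails on an empty tag list (the hunk's own ci_workflow_dispatch counterpart composes the tag inline instead). The `Prepare Dockerfile` step interpolates `${{ matrix.service }}` straight into the `run:` shell line; passing it via `env:` and referencing `"$SERVICE"` in the script avoids expression-to-shell injection should the service list ever carry unexpected characters, e.g. `env: { SERVICE: "${{ matrix.service }}" }` with `run: cp Dockerfile "services/$SERVICE/" && sed -i "s/\(ENTRYPOINT \)\[\]/\1[\"$SERVICE\"]/" "services/$SERVICE/Dockerfile"`. The new `matt-usurp/validate-semver@v2` step deserves a one-line comment stating its intent, e.g. `# reject release tags that are not valid semver before anything is built or pushed`. The enclosing job's steps list starts before this hunk.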