Update
awlayton committed Jun 16, 2021
1 parent 6670705 commit 6ab845d
Showing 13 changed files with 493 additions and 302 deletions.
164 changes: 145 additions & 19 deletions .github/workflows/build-and-push-services.yml
Expand Up @@ -4,6 +4,11 @@ on:
push:
pull_request:

env:
# Set to true to push images to DockerHub
# NB: images are public unless you configure DockerHub repo properly
DOCKERHUB_PUSH: 1

jobs:
setup:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -70,12 +75,14 @@ jobs:

build-and-push:
name: Build and push docker Image
needs: setup
needs:
- setup

strategy:
matrix:
service:
- 'trellisfw/ainz'
# Assume repo slug is the service slug?
- ${{ github.repository }}
context:
- '.'

Expand All @@ -86,7 +93,7 @@ jobs:
uses: actions/[email protected]

- name: Set up QEMU
uses: docker/setup-qemu-action@v1.1.0
uses: docker/setup-qemu-action@v1.2.0

- name: Set up Docker Buildx
id: buildx
Expand All @@ -102,36 +109,52 @@ jobs:

- name: Cache docker layers
if: ${{ !env.ACT }} # Awaiting ACT version after 0.2.17 for this feature
uses: actions/[email protected].5
uses: actions/[email protected].6
id: cache
with:
path: /tmp/.buildx-cache
#key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ github.sha }}
# Don't separate cache by service etc.
key: ${{ runner.os }}-buildx
key: ${{ runner.os }}-buildx-${{ matrix.service }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-${{ matrix.service }}
${{ runner.os }}-buildx-${{ matrix.service }}-
${{ runner.os }}-buildx-
- name: Prepare Tags
id: prepare
# TODO: Clean up this monstrosity... one day...
run: |
DOCKER_IMAGE=${{ matrix.service }}
# Nameo on DockerHub (Doesn't like upper case)
DOCKER_IMAGE=$(echo ${{ matrix.service }} | tr '[:upper:]' '[:lower:]')
# Name on GHCR
GHCR_IMAGE=ghcr.io/${DOCKER_IMAGE}
# Allow overriding DockerHub repo if different from slug?
if [[ "${{ secrets.DOCKER_REPO }}" ]]; then
DOCKER_IMAGE=$(echo ${{ matrix.service }} | sed 's/${{ github.repository_owner }}/${{ secrets.DOCKER_REPO }}/g')
fi
TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.version }}"
TAGS="${GHCR_IMAGE}:${{ needs.setup.outputs.version }}"
DH_TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.version }}"
if [[ "${{ needs.setup.outputs.release }}" ]]; then
if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then
TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}"
TAGS="${GHCR_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}"
DH_TAGS="${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}.${{ needs.setup.outputs.patch }}-${{ needs.setup.outputs.prerelease }}"
# TODO: Keep old prerelease builds?
else
TAGS="$TAGS,${DOCKER_IMAGE}:latest"
TAGS="$TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}"
TAGS="$TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.major }}"
TAGS="$TAGS,${GHCR_IMAGE}:latest"
TAGS="$TAGS,${GHCR_IMAGE}:${{ needs.setup.outputs.major }}"
TAGS="$TAGS,${GHCR_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}"
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:latest"
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}"
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:${{ needs.setup.outputs.major }}.${{ needs.setup.outputs.minor }}"
fi
fi
if [ "${{ github.event_name }}" = "push" ]; then
TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
TAGS="$TAGS,${GHCR_IMAGE}:sha-${GITHUB_SHA::8}"
DH_TAGS="$DH_TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
fi
if [[ "${{ env.DOCKERHUB_PUSH }}" ]]; then
TAGS="$TAGS,${DH_TAGS}"
fi
echo ::set-output name=tags::${TAGS}
Expand All @@ -140,14 +163,22 @@ jobs:
echo ${{ github.event.repository.license }}
- name: Login to DockerHub
if: github.event_name != 'pull_request'
if: ${{ env.DOCKERHUB_PUSH && github.event_name != 'pull_request' }}
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push
uses: docker/[email protected]
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push images
uses: docker/[email protected]
with:
context: ${{ matrix.context }}
file: ${{ matrix.context }}/Dockerfile
Expand All @@ -158,6 +189,7 @@ jobs:
VERSION=${{ steps.prepare.outputs.version }}
BUILD_DATE=${{ steps.prepare.outputs.created }}
GIT_REF=${{ github.sha }}
SERVICE=${{ matrix.service }}
labels: |
org.opencontainers.image.title=${{ matrix.service }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
Expand All @@ -167,4 +199,98 @@ jobs:
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new

-
# Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
# Use Snyk to check docker image
snyk-image:
name: Snyk Checks

needs:
- setup
- build-and-push

strategy:
matrix:
service:
# Assume repo slug is the service slug?
- ${{ github.repository }}
context:
- '.'

runs-on: ubuntu-latest

env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Only run if we have a Snyk token?
#if: ${{ env.SNYK_TOKEN }}

steps:
- name: Checkout
uses: actions/[email protected]

- name: Find Docker tag for Snyk
id: tag
run: |
# Doesn't like upper case
OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')
# Nameo on DockerHub (Doesn't like upper case)
DOCKER_IMAGE=$(echo ${{ matrix.service }} | tr '[:upper:]' '[:lower:]')
# Name on GHCR
GHCR_IMAGE=ghcr.io/${DOCKER_IMAGE}
# Allow overriding DockerHub repo if different from slug?
if [[ "${{ secrets.DOCKER_REPO }}" ]]; then
DOCKER_IMAGE=$(echo ${{ matrix.service }} | sed 's/${{ github.repository_owner }}/${{ secrets.DOCKER_REPO }}/g')
fi
TAG="${GHCR_IMAGE}:next"
if [[ "${{ needs.setup.outputs.release }}" ]]; then
if [[ "${{ needs.setup.outputs.prerelease }}" ]]; then
TAG="${GHCR_IMAGE}:next"
else
TAG="${GHCR_IMAGE}:latest"
fi
fi
echo ::set-output name=tag::${TAG}
echo ::set-output name=org::${OWNER}
echo ::set-output name=cur::${GHCR_IMAGE}:sha-${GITHUB_SHA::8}
- name: Monitor Service image with Snyk
uses: snyk/actions/docker@master
# Don't break workflow on errros?
continue-on-error: true
with:
command: container monitor
image: ${{ steps.tag.outputs.tag }}
args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile

- name: Test current Service image with Snyk
uses: snyk/actions/docker@master
# Don't break workflow on errros?
continue-on-error: true
with:
image: ${{ steps.tag.outputs.tag }}
args: --org=${{ steps.tag.outputs.org }} --file=${{ matrix.context }}/Dockerfile

- name: Secure Code Warrior
uses: SecureCodeWarrior/github-action-add-sarif-contextual-training@v1
with:
inputSarifFile: ./snyk.sarif
outputSarifFile: ./securecodewarrior.sarif
githubToken: ${{ secrets.GITHUB_TOKEN }}

- name: Upload SARIF file to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ./securecodewarrior.sarif
#sarif_file: ./snyk.sarif
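Review bot: The Snyk job never scans the image this commit actually built: both Snyk steps use `steps.tag.outputs.tag` (`ghcr.io/...:next` or `:latest`), the `cur` output (`${GHCR_IMAGE}:sha-${GITHUB_SHA::8}`) is computed and then unused, and on `pull_request` runs nothing is pushed at all, so the report describes whatever older image already carries that tag. The "Test current Service image" step should take `image: ${{ steps.tag.outputs.cur }}` (or the job should build and load the image locally for PRs), and because `continue-on-error: true` is set on both steps the SARIF upload is the only place findings surface, which is worth a comment. `snyk/actions/docker@master` is an unpinned, mutable ref that runs with `SNYK_TOKEN` in its environment; pin it to a release tag or commit SHA like the other actions in this file. Separately, the `DOCKERHUB_PUSH` toggle only disables pushing when set to the empty string — in both `${{ env.DOCKERHUB_PUSH && ... }}` and `[[ "${{ env.DOCKERHUB_PUSH }}" ]]` the strings `0` and `false` are truthy — so either compare explicitly (`env.DOCKERHUB_PUSH == 'true'`) or change the comment to `# Set to a non-empty value to push images to DockerHub; leave empty to disable`.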
12 changes: 6 additions & 6 deletions .gitignore
Expand Up @@ -17,10 +17,10 @@ docker-compose.override.yml
act/

# yarn 2 stuff
**/.yarn/*
!**/.yarn/releases
!**/.yarn/plugins
!**/.yarn/versions
**/.pnp.*
.yarn/*
!.yarn/releases
!.yarn/plugins
!.yarn/versions
.pnp.*
# ignore sdk stuff
**/.vim
.vim
10 changes: 5 additions & 5 deletions .yarn/releases/yarn-2.4.1.cjs → .yarn/releases/yarn-2.4.2.cjs


2 changes: 1 addition & 1 deletion .yarnrc.yml
Expand Up @@ -6,4 +6,4 @@ plugins:
- path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
spec: "@yarnpkg/plugin-workspace-tools"

yarnPath: .yarn/releases/yarn-2.4.1.cjs
yarnPath: .yarn/releases/yarn-2.4.2.cjs
27 changes: 18 additions & 9 deletions Dockerfile
@@ -1,11 +1,13 @@
ARG NODE_VER=16-alpine
ARG SERVICE=trellisfw/ainz

FROM node:$NODE_VER AS install
ARG SERVICE

WORKDIR /trellis/ainz
WORKDIR /$SERVICE

COPY ./.yarn /trellis/ainz/.yarn
COPY ./package.json ./yarn.lock ./.yarnrc.yml /trellis/ainz/
COPY ./.yarn /$SERVICE/.yarn
COPY ./package.json ./yarn.lock ./.yarnrc.yml /$SERVICE/

RUN yarn workspaces focus --all --production

Expand All @@ -14,20 +16,27 @@ FROM install AS build
# Install dev deps too
RUN yarn install --immutable

COPY . /trellis/ainz/
COPY . /$SERVICE/

# Build code and remove dev deps
RUN yarn build && rm -rfv .yarn .pnp*
RUN yarn build --verbose && rm -rfv .yarn .pnp*

FROM node:$NODE_VER AS production
ARG SERVICE

# Install needed packages
RUN apk add --no-cache \
dumb-init

# Do not run service as root
USER node

WORKDIR /trellis/ainz
WORKDIR /$SERVICE

COPY --from=install /trellis/ainz/ /trellis/ainz/
COPY --from=build /trellis/ainz/ /trellis/ainz/
COPY --from=install /$SERVICE/ /$SERVICE/
COPY --from=build /$SERVICE/ /$SERVICE/

ENTRYPOINT ["yarn", "run"]
# Launch entrypoint with dumb-init
# Remap SIGTERM to SIGINT https://github.com/Yelp/dumb-init#signal-rewriting
ENTRYPOINT ["/usr/bin/dumb-init", "--rewrite", "15:2", "--", "yarn", "run"]
CMD ["start"]
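Review bot: `COPY . /$SERVICE/` in the build stage, followed by `COPY --from=build /$SERVICE/ /$SERVICE/` in the production stage, ships the whole build context into the final image unless a `.dockerignore` excludes it; `.git`, a local `.env`, `docker-compose.override.yml` and `act/` (all of which this repo's `.gitignore` lists, so they plausibly exist on developer machines) would end up in an image the workflow pushes to GHCR/DockerHub. I cannot see whether a `.dockerignore` exists; if not, add one mirroring `.gitignore` plus `.git`. `USER node` is set before the `COPY --from` lines, so the application tree stays root-owned and read-only for the service user — good for least privilege, but deliberate enough to deserve `# Files stay root-owned on purpose: the service must not be able to modify its own code`, and if `yarn run` needs to write into `.yarn` at runtime this will fail. `node:$NODE_VER` with `16-alpine` is a floating tag; pinning by digest (`node:16-alpine@sha256:...`) makes the build reproducible and the base image verifiable.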
29 changes: 16 additions & 13 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "@trellisfw/ainz",
"version": "2.0.0",
"version": "2.1.0",
"description": "uservice for automating moving resources via rules",
"main": "dist/index.js",
"bin": {
Expand All @@ -13,29 +13,32 @@
"author": "Alex Layton <[email protected]>",
"license": "Apache-2.0",
"dependencies": {
"@oada/client": "^2.4.1",
"@oada/client": "^2.4.2",
"@oada/list-lib": "^2.1.6",
"@oada/types": "^1.5.1",
"ajv": "^7.2.4",
"@tsconfig/node16": "^1.0.1",
"ajv": "^8.6.0",
"bluebird": "^3.7.2",
"debug": "^4.3.2",
"convict": "^6.1.0",
"debug": "^4.3.1",
"dotenv": "^10.0.0",
"handlebars": "^4.7.7",
"json-pointer": "^0.6.1",
"luxon": "^1.26.0",
"luxon": "^1.27.0",
"minimist": "^1.2.5",
"nconf": "^0.11.2",
"p-queue": "^6.6.2"
},
"devDependencies": {
"@tsconfig/node14": "^1.0.0",
"@types/bluebird": "^3.5.33",
"@types/bluebird": "^3.5.35",
"@types/convict": "^6",
"@types/debug": "^4.1.5",
"@types/json-pointer": "^1.0.30",
"@types/luxon": "^1.26.5",
"@types/json-pointer": "^1.0.31",
"@types/luxon": "^1.27.0",
"@types/minimist": "^1.2.1",
"@types/node": "^14.14.43",
"@yarnpkg/pnpify": "^3.0.0-rc.3",
"prettier": "^2.2.1",
"typescript": "^4.2.4"
"@types/node": "^14.17.3",
"@yarnpkg/pnpify": "^3.0.0-rc.6",
"prettier": "^2.3.1",
"typescript": "^4.3.2"
}
}
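Review bot: `@tsconfig/node16` is added under `dependencies` while the `@tsconfig/node14` it replaces was in `devDependencies`; a tsconfig base is build-time only, so it belongs in `devDependencies` — otherwise `yarn workspaces focus --all --production` in the Dockerfile's install stage pulls it into the runtime image for no reason. `@types/node` stays at `^14.17.3` although the config base moved to node16 and the Dockerfile builds on `16-alpine`, so the type definitions no longer match the runtime; bump it to `^16`. `ajv` crosses a major version (7 → 8), which changes defaults; worth confirming the schema validation in `src/` was exercised against the new version.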
8 changes: 4 additions & 4 deletions src/addrule.ts
Expand Up @@ -12,10 +12,10 @@ import config from './config';
const info = debug('ainz:add:info');
const error = debug('ainz:add:error');

const TOKENS: string[] = config.get('token').split(',');
const DOMAIN: string = config.get('domain');
const path: string = config.get('rules_path');
const tree = config.get('rules_tree');
const TOKENS = config.get('oada.token');
const DOMAIN = config.get('oada.domain');
const path = config.get('ainz.rules_path');
const tree = config.get('ainz.rules_tree');

const {
// One rule per file
Expand Down
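Review bot: `TOKENS` loses its explicit `string[]` type: it was `config.get('token').split(',')`, now it is whatever `config.get('oada.token')` yields, which depends on the convict schema in `./config` (outside this hunk). If that schema declares the token as a plain string, any later `for (const token of TOKENS)` or `TOKENS.map(...)` in this module (the rest of which is outside the hunk) would iterate characters or fail to compile; annotating it as `const TOKENS: string[] = config.get('oada.token');` makes the compiler check the schema's return type. These values are API credentials, so make sure they never reach the `info`/`error` debug channels declared just above.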