base repository: Sage-Bionetworks-IT/rstudio-service-catalog
base: c1ab03db8607957c36f8d9ce0c89b2f954011c86
..
head repository: Sage-Bionetworks-IT/rstudio-service-catalog
compare: 9dce771d16fe0b495255c64181c52d0ade20ee67
Showing with 76 additions and 3 deletions.
  1. +12 −0 .github/workflows/trivy.yml
  2. +14 −0 .github/workflows/trivy_periodic_image_scan.yml
  3. +3 −1 .pre-commit-config.yaml
  4. +17 −2 Dockerfile
  5. +15 −0 install_packages_or_fail.R
  6. +15 −0 install_versioned_package_or_fail.R
12 changes: 12 additions & 0 deletions .github/workflows/trivy.yml
@@ -24,9 +24,18 @@ on:
required: false
type: number
default: 0
outputs:
trivy_conclusion:
description: "The pass/fail return code from Trivy"
value: ${{ jobs.trivy.outputs.trivy_conclusion }}

env:
sarif_file_name: trivy-results.sarif
# downloading the trivy-db from its default GitHub location fails because
# the site experiences too many downloads. The fix is to pull from this
# alternate location.
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1

jobs:
trivy:
@@ -87,4 +96,7 @@ jobs:
with:
sarif_file: ${{ env.sarif_file_name }}
wait-for-processing: true

outputs:
trivy_conclusion: steps.trivy.conclusion
...
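Review bot: The job-level output added at the end of the `trivy` job, `trivy_conclusion: steps.trivy.conclusion`, is a plain string rather than an expression, so callers receive the literal text `steps.trivy.conclusion` and a comparison against `'failure'` can never match. It should read `trivy_conclusion: ${{ steps.trivy.conclusion }}`, which in turn needs a step with `id: trivy`; the steps are outside the visible hunks, so confirm that id exists. As written, a failed periodic scan would never trigger the rebuild that this output exists to drive. The `description` also calls the value a return code, while `conclusion` is a status string such as `success` or `failure`.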
14 changes: 14 additions & 0 deletions .github/workflows/trivy_periodic_image_scan.yml
@@ -32,4 +32,18 @@ jobs:
# While GitHub repo's can be mixed (upper and lower) case,
# Docker images can only be lower case
IMAGE_NAME: ${{ needs.to-lower-case.outputs.lowercase-repo-name }}
EXIT_CODE: 1

# If scan failed, rebuild the image
update-image:
needs: periodic-scan
runs-on: ubuntu-latest
if: ${{!cancelled() && needs.periodic-scan.outputs.trivy_conclusion == 'failure' }}
# tag the repo to trigger a new build
steps:
- name: Bump version and push tag
id: tag_version
uses: mathieudutour/github-tag-action@v6.2
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
...
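Review bot: `mathieudutour/github-tag-action@v6.2` in the new `update-image` job is a third-party action referenced by a mutable tag and handed `secrets.GITHUB_TOKEN` so it can push tags, which means anyone able to move that tag gets code execution with write access to this repository. Pin it to a full commit SHA, `uses: mathieudutour/github-tag-action@<full-commit-sha>  # v6.2` (placeholder, take the value from the action's release), and give the job its own `permissions:` block limited to `contents: write`. Separately, pushes made with `GITHUB_TOKEN` do not start new workflow runs, so if the image build is a workflow triggered by tag push (not visible here), the tag will be created but the rebuild will not run. That path would need a dedicated token or an explicit `workflow_dispatch` call.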
4 changes: 3 additions & 1 deletion .pre-commit-config.yaml
@@ -1,3 +1,5 @@
ci:
autoupdate_schedule: monthly
repos:
- repo: https://github.com/awslabs/git-secrets
rev: b9e96b3212fa06aea65964ff0d5cda84ce935f38
@@ -28,7 +30,7 @@ repos:
hooks:
- id: remove-tabs
- repo: https://github.com/sirosen/check-jsonschema
rev: 0.29.4
rev: 0.30.0
hooks:
- id: check-github-workflows
- id: check-github-actions
19 changes: 17 additions & 2 deletions Dockerfile
@@ -6,6 +6,17 @@ ENV DISABLE_AUTH=true
RUN apt-get -y update && \
apt-get -y upgrade && \
apt-get -y install libpng-dev \
libcurl4-openssl-dev \
libxml2-dev \
libfontconfig1-dev \
libgit2-dev \
libfontconfig1-dev \
libfribidi-dev \
libfreetype6-dev \
libpng-dev \
libtiff5-dev \
libjpeg-dev \
libharfbuzz-dev \
python3 \
python3-pip \
python3-venv \
@@ -20,9 +31,13 @@ USER rstudio
RUN python3 -m pip install virtualenv

# Install R packages
RUN R -e "install.packages(c('tidyverse','devtools','BiocManager', 'reticulate'))"
ADD install_packages_or_fail.R /
ADD install_versioned_package_or_fail.R /
# synapser depends on rjson 0.2.21, but a newer version is installed by default
RUN Rscript --no-save install_versioned_package_or_fail.R rjson 0.2.21
RUN Rscript --no-save install_packages_or_fail.R tidyverse devtools BiocManager reticulate
# Install synapser and, by extension, the synapse Python client
RUN R -e "install.packages('synapser', repos=c('http://ran.synapse.org', 'http://cran.fhcrc.org'))"
RUN Rscript --no-save install_packages_or_fail.R synapser
# Install Python package boto3, which will be used by the synapse Python client
RUN R -e "reticulate::virtualenv_install(reticulate::virtualenv_list()[1], 'boto3')"
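Review bot: The new `RUN Rscript --no-save install_versioned_package_or_fail.R ...` and `install_packages_or_fail.R` lines name the scripts by relative path although `ADD` places them in `/`, so they resolve only while the working directory is `/`; no `WORKDIR` is visible in these hunks. Use absolute paths, e.g. `RUN Rscript --no-save /install_versioned_package_or_fail.R rjson 0.2.21`, and prefer `COPY install_packages_or_fail.R /` over `ADD`, since `ADD` also unpacks archives and fetches URLs, which is more than a local file copy needs. In the apt list, `libfontconfig1-dev` and `libpng-dev` each appear twice and can be listed once. The comment on the rjson pin could also say when it is safe to remove, since an old pinned version will keep showing up in later scans.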

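--- a/install_packages_or_fail.R
+++ b/install_packages_or_fail.R
@@ -0,0 +1,15 @@
+#!/usr/bin/env Rscript
+# from https://stackoverflow.com/questions/26244530/how-do-i-make-install-packages-return-an-error-if-an-r-package-cannot-be-install
+# install the latest versions of a list of packages and fail
+# if any package fails to install
+
+packages = commandArgs(trailingOnly=TRUE)
+
+for (l in packages) {
+
+install.packages(l, dependencies=TRUE, repos=c('http://ran.synapse.org', 'https://cran.rstudio.com'))
+
+if ( ! library(l, character.only=TRUE, logical.return=TRUE) ) {
+quit(status=1, save='no')
+}
+}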
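Review bot: The `repos` vector in the `install.packages` call lists `http://ran.synapse.org` over plain HTTP, and nothing here authenticates what is downloaded, so anything on the network path of the image build can substitute package code that runs at install time and ships in the image. Switch it to HTTPS if the host serves it, `repos=c('https://ran.synapse.org', 'https://cran.rstudio.com')` (availability to be confirmed). Because `dependencies=TRUE` resolves every dependency across both repositories, the exposure covers transitive packages as well as the ones named on the command line. It would also help to print the failing package name before `quit(status=1, save='no')`, so a broken build log says which install failed.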
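--- a/install_versioned_package_or_fail.R
+++ b/install_versioned_package_or_fail.R
@@ -0,0 +1,15 @@
+#!/usr/bin/env Rscript
+# install a specific version of a given package and fail if
+# the package fails to install
+
+theargs = commandArgs(trailingOnly=TRUE)
+
+package=theargs[1]
+version=theargs[2]
+
+install.packages('remotes', dependencies=TRUE, repos='https://cran.rstudio.com')
+remotes::install_version(package, version = version, repos = 'https://cran.rstudio.com')
+
+if ( ! library(package, character.only=TRUE, logical.return=TRUE) ) {
+quit(status=1, save='no')
+}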
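Review bot: The final `library(package, ...)` check only proves that some version of the package loads, not that the requested one was installed, so a copy already present in the library would let the build pass with the wrong version. Compare the installed version as well: `if ( ! library(package, character.only=TRUE, logical.return=TRUE) || packageVersion(package) != version ) {`. The script also never checks that two arguments were supplied; with one missing, `theargs[2]` is `NA` and what `install_version` then does is not obvious from this file. A guard such as `if (length(theargs) != 2) quit(status=1, save='no')` before the assignments would make that failure explicit.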