feat: Run as non-root, update compose and publish action on release

.github/workflows/build.yaml

@@ -1,8 +1,8 @@
 name: Create and publish a Docker image
 
 on:
-  push:
-    branches: [main]
+  release:
+    types: [published]
   workflow_dispatch:
 
 
@@ -27,23 +27,23 @@ jobs:
         uses: actions/checkout@v4
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true

Dockerfile

@@ -12,6 +12,10 @@ FROM mcr.microsoft.com/dotnet/runtime:5.0 AS run
 LABEL org.opencontainers.image.source="https://github.com/equinor/ms-continuus"
 WORKDIR /app
 
+RUN groupadd -g 1000 dotnet-non-root-group
+RUN useradd -u 1000 -g dotnet-non-root-group dotnet-non-root-user && chown -R 1000 /app
+USER 1000
+
 COPY --from=build /app/out .
 ADD src/version /app/src/version
 CMD ["dotnet", "ms-continuus.dll"]

docker-compose.override.yml

@@ -1,9 +1,7 @@
-version: "3.8"
-
 services:
   ms-continuus:
     environment:
-      GITHUB_URL: http://mock-api:5000
+      # GITHUB_URL: http://mock-api:5000
       STORAGE_ACCOUNT_CON_STRING: DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage-emulator:10000/devstoreaccount1;
     depends_on:
       - storage-emulator
@@ -16,10 +14,10 @@ services:
       - "10000:10000"
     command: ["azurite","--blobHost", "0.0.0.0", "--location", "/data"]
 
-  mock-api:
-    build: mock_api
-    volumes:
-      - ./mock_api:/app
-    ports:
-      - "5000:5000"
-    command: "python /app/mock_gh_api.py"
+  # mock-api:
+  #   build: mock_api
+  #   volumes:
+  #     - ./mock_api:/app
+  #   ports:
+  #     - "5000:5000"
+  #   command: "python /app/mock_gh_api.py"

docker-compose.yaml

@@ -1,9 +1,7 @@
-version: "3.8"
-
 services:
 
   ms-continuus:
-    image: sdpequinor/ms-continuus
+    image: ghcr.io/equinor/ms-continuus
     build: .
     environment:
       GITHUB_ORG: equinor