From 0416962e0f8ed73e84a5d1750de00824203b493e Mon Sep 17 00:00:00 2001
From: Sebastian Slettebakken
Date: Tue, 2 Jul 2024 15:37:56 +0200
Subject: [PATCH] feat: Run as non-root, update compose and publish action on release

---
 .github/workflows/build.yaml | 10 +++++-----
 Dockerfile                   |  4 ++++
 docker-compose.override.yml  | 18 ++++++++----------
 docker-compose.yaml          |  4 +---
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 6b81db6..716a317 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,8 +1,8 @@
 name: Create and publish a Docker image
 
 on:
-  push:
-    branches: [main]
+  release:
+    types: [published]
   workflow_dispatch:
 
 
@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@v4
       # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -35,7 +35,7 @@ jobs:
       # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
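Review bot: The new `release: types: [published]` trigger also fires when a pre-release is published, so tagging a pre-release will build and push an image (`push: true` in a later hunk), and with docker/metadata-action's default tag and `latest=auto` flavor rules that may move `latest` as well — worth confirming against the action's docs. If that is not intended, gate the job with `if: ${{ github.event_name != 'release' || !github.event.release.prerelease }}` or declare explicit `tags:` on the metadata step. `workflow_dispatch` is kept, so anyone with write access can still publish an image by hand from any branch; if that is deliberate, a one-line comment above `on:` saying so would help the next reader.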
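Review bot: Replacing the commit SHA in `uses: docker/login-action@65b78e6e…` with the floating tag `@v3` (and likewise `metadata-action@v5` and `build-push-action@v6` in the following hunks) turns a pinned dependency into a mutable one: whoever can move that tag controls the code that receives `secrets.GITHUB_TOKEN` and pushes to the registry. Keep a full commit SHA and record the version as a trailing comment so Dependabot or Renovate can still bump it, e.g. `uses: docker/login-action@<commit sha the v3 tag resolves to>  # v3`. If the goal was only to update, resolve each new tag to its current commit rather than dropping the pin; the job's `permissions:` block is outside this hunk, so I can't tell how much the token can do if an action is compromised.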
@@ -43,7 +43,7 @@ jobs:
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
diff --git a/Dockerfile b/Dockerfile
index 7970734..d1b44a9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,10 @@ FROM mcr.microsoft.com/dotnet/runtime:5.0 AS run
 LABEL org.opencontainers.image.source="https://github.com/equinor/ms-continuus"
 WORKDIR /app
 
+RUN groupadd -g 1000 dotnet-non-root-group
+RUN useradd -u 1000 -g dotnet-non-root-group dotnet-non-root-user && chown -R 1000 /app
+USER 1000
+
 COPY --from=build /app/out .
 ADD src/version /app/src/version
 CMD ["dotnet", "ms-continuus.dll"]
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index 56e89cd..e65405a 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -1,9 +1,7 @@
-version: "3.8"
-
 services:
   ms-continuus:
     environment:
-      GITHUB_URL: http://mock-api:5000
+      # GITHUB_URL: http://mock-api:5000
       STORAGE_ACCOUNT_CON_STRING: DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage-emulator:10000/devstoreaccount1;
     depends_on:
       - storage-emulator
@@ -16,10 +14,10 @@ services:
       - "10000:10000"
     command: ["azurite","--blobHost", "0.0.0.0", "--location", "/data"]
 
-  mock-api:
-    build: mock_api
-    volumes:
-      - ./mock_api:/app
-    ports:
-      - "5000:5000"
-    command: "python /app/mock_gh_api.py"
+  # mock-api:
+  #   build: mock_api
+  #   volumes:
+  #     - ./mock_api:/app
+  #   ports:
+  #     - "5000:5000"
+  #   command: "python /app/mock_gh_api.py"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 1fed195..04dcf52 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
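Review bot: `chown -R 1000 /app` in the second `RUN` executes while `/app` is still empty — `COPY --from=build` and `ADD` come after it and, without `--chown`, leave their files root-owned regardless of `USER` — so its only lasting effect is to make the `/app` directory itself writable by the runtime uid, which lets a compromised process drop files beside `ms-continuus.dll`. Unless the app writes under `/app` (not visible here), drop the chown, collapse the two `RUN`s and give the account no home directory or login shell: `RUN groupadd -g 1000 dotnet-non-root-group && useradd -M -u 1000 -g dotnet-non-root-group -s /usr/sbin/nologin dotnet-non-root-user`, and place `USER 1000` after the `COPY`/`ADD` lines so the file reads top-down. If the .NET runtime turns out to need a writable `HOME`, point it at `/tmp` with `ENV HOME=/tmp` rather than chowning the application directory. Separately, the `FROM mcr.microsoft.com/dotnet/runtime:5.0` base shown in the hunk header has been out of support since May 2022, so dropping root mitigates less than it could while the runtime itself receives no fixes.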
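Review bot: Commenting out `GITHUB_URL: http://mock-api:5000` (together with the `mock-api` service in the next hunk) means the local override now sends ms-continuus to the real GitHub API, so a developer running `docker compose up` with real credentials in their environment performs real API calls instead of hitting the mock; I can't see what token the base compose file passes, but the safer default for a development override is to keep the mock wired in, or at least to add a comment stating that `GITHUB_URL` now has to be set deliberately. Commented-out YAML also rots silently — if the mock is being retired, delete it and `mock_api/` outright (git keeps the history); if it is still useful, keep it enabled and let people opt out. The `AccountKey` inside `STORAGE_ACCOUNT_CON_STRING` is the public, well-known Azurite development key, so it is fine in source, but a `# well-known Azurite dev key, not a secret` comment above it would stop secret scanners from flagging it.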
@@ -1,9 +1,7 @@
-version: "3.8"
-
 services:
   ms-continuus:
-    image: sdpequinor/ms-continuus
+    image: ghcr.io/equinor/ms-continuus
     build: .
     environment:
       GITHUB_ORG: equinor