From 586cf28b0a0afa7fde5bfb57c0af3f20c9a912ee Mon Sep 17 00:00:00 2001 From: Emterry Date: Wed, 28 Feb 2024 13:58:06 +0000 Subject: [PATCH] first test at passing image --- .editorconfig | 18 +++++++++ .github/CODEOWNERS | 3 -- .github/workflows/build-and-test.yml | 26 +++++++++++++ .github/workflows/release.yml | 55 ++++++++++++++++++++++++++++ .github/workflows/super-linter.yml | 34 +++++++++++++++++ CODEOWNERS | 1 + Dockerfile | 53 +++++++++++++++++++++++++++ README.md | 33 +++++++++++++++-- scripts/build-and-test.sh | 24 ++++++++++++ test/container-structure-test.yml | 25 +++++++++++++ 10 files changed, 266 insertions(+), 6 deletions(-) create mode 100644 .editorconfig delete mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/build-and-test.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/super-linter.yml create mode 100644 CODEOWNERS create mode 100644 Dockerfile create mode 100755 scripts/build-and-test.sh create mode 100644 test/container-structure-test.yml diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..b8a3c84 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,18 @@ +root = true + +[*] +end_of_line = lf +insert_final_newline = true +trim_trailing_whitespace = true + +[*.json] +indent_style = space +indent_size = 2 + +[*.sh] +indent_style = space +indent_size = 2 + +[{*.yml,*.yaml}] +indent_style = space +indent_size = 2 diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS deleted file mode 100644 index ac066e6..0000000 --- a/.github/CODEOWNERS +++ /dev/null @@ -1,3 +0,0 @@ -# Add a team or username to this file -# Example: -# * @ministryofjustice/operations-engineering diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml new file mode 100644 index 0000000..f082648 --- /dev/null +++ b/.github/workflows/build-and-test.yml @@ -0,0 +1,26 @@ +--- +name: Build and Test + +on: + pull_request: + branches: + - main + +permissions: {} + +jobs: + build-and-test: + name: Build and Test + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + id: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Build and Test + id: build_and_test + shell: bash + run: | + bash scripts/build-and-test.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..8a075de --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,55 @@ +--- +name: Release + +on: + push: + tags: + - "*" + +permissions: {} + +jobs: + release: + name: Release + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + packages: write + steps: + - name: Checkout + id: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install cosign + id: install_cosign + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 + + - name: Log in to GitHub Container Registry + id: login_ghcr + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and Push + id: build_and_push + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + push: true + tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }} + + - name: Sign + id: sign + shell: bash + run: | + cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }} + + - name: Verify + id: verify + run: | + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \ + ghcr.io/${{ github.repository }}@${{ steps.build_and_push.outputs.digest }} diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml new file mode 100644 index 0000000..bd991d1 --- /dev/null +++ b/.github/workflows/super-linter.yml @@ -0,0 +1,34 @@ +--- +name: Super-Linter + +on: + pull_request: + branches: + - main + types: + - edited + - opened + - reopened + - synchronize + +permissions: {} + +jobs: + super-linter: + name: Super-Linter + runs-on: ubuntu-latest + permissions: + contents: read + statuses: write + steps: + - name: Checkout + id: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + + - name: Run Super-Linter + id: super_linter + uses: super-linter/super-linter/slim@25003d0370b45d97187597838ecb9fdadfc08aea # v6.2.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..f0042be --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ + * @ministryofjustice/analytical-platform diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..3be868c --- /dev/null +++ b/Dockerfile @@ -0,0 +1,53 @@ +FROM public.ecr.aws/ubuntu/ubuntu@sha256:722b3bddfe96b95441f626cf94974d79213090ecbd16954f71d7c080fb413561 + +LABEL org.opencontainers.image.vendor="Ministry of Justice" \ + org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" + # uncomment if required to your repository details + #org.opencontainers.image.title="{image title}" \ + #org.opencontainers.image.description="{decription}" \ + #org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform" + +ENV CONTAINER_USER="analyticalplatform" \ + CONTAINER_UID="1000" \ + CONTAINER_GROUP="analyticalplatform" \ + CONTAINER_GID="1000" \ + DEBIAN_FRONTEND="noninteractive" + +# User +RUN groupadd \ + --gid ${CONTAINER_GID} \ + ${CONTAINER_GROUP} \ + && useradd \ + --uid ${CONTAINER_UID} \ + --gid ${CONTAINER_GROUP} \ + --create-home \ + --shell /bin/bash \ + ${CONTAINER_USER} + +# Base +RUN apt-get update --yes \ + && apt-get install --yes \ + "apt-transport-https=2.4.11" \ + "curl=7.81.0-1ubuntu1.15" \ + "git=1:2.34.1-1ubuntu1.10" \ + "gpg=2.2.27-3ubuntu2.1" \ + "python3.10=3.10.12-1~22.04.3" \ + "python3-pip=22.0.2+dfsg-1ubuntu0.4" \ + "unzip=6.0-26ubuntu3.2" \ + && apt-get clean --yes \ + && rm --force --recursive /var/lib/apt/lists/* + +USER ${CONTAINER_USER} + +WORKDIR /home/${CONTAINER_USER} + +# Basic health check that always returns a success status +HEALTHCHECK CMD true + +# Place build logic here: +# Example +# COPY . /home/${CONTAINER_USER} +# RUN python -m pip install --no-cache-dir --upgrade pip==23.3.1 \ +# && python -m pip install --no-cache-dir --requirement requirements.txt + +# CMD ["foo.handler"] diff --git a/README.md b/README.md index b6878d8..27fa512 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,26 @@ -# Ministry of Justice Template Repository +# Analytical Platform Image Build Template [![repo standards badge](https://img.shields.io/endpoint?labelColor=231f20&color=005ea5&style=for-the-badge&label=MoJ%20Compliant&url=https%3A%2F%2Foperations-engineering-reports.cloud-platform.service.justice.gov.uk%2Fapi%2Fv1%2Fcompliant_public_repositories%2Fendpoint%2Ftemplate-repository&logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAABmJLR0QA/wD/AP+gvaeTAAAHJElEQVRYhe2YeYyW1RWHnzuMCzCIglBQlhSV2gICKlHiUhVBEAsxGqmVxCUUIV1i61YxadEoal1SWttUaKJNWrQUsRRc6tLGNlCXWGyoUkCJ4uCCSCOiwlTm6R/nfPjyMeDY8lfjSSZz3/fee87vnnPu75z3g8/kM2mfqMPVH6mf35t6G/ZgcJ/836Gdug4FjgO67UFn70+FDmjcw9xZaiegWX29lLLmE3QV4Glg8x7WbFfHlFIebS/ANj2oDgX+CXwA9AMubmPNvuqX1SnqKGAT0BFoVE9UL1RH7nSCUjYAL6rntBdg2Q3AgcAo4HDgXeBAoC+wrZQyWS3AWcDSUsomtSswEtgXaAGWlVI2q32BI0spj9XpPww4EVic88vaC7iq5Hz1BvVf6v3qe+rb6ji1p3pWrmtQG9VD1Jn5br+Knmm70T9MfUh9JaPQZu7uLsR9gEsJb3QF9gOagO7AuUTom1LpCcAkoCcwQj0VmJregzaipA4GphNe7w/MBearB7QLYCmlGdiWSm4CfplTHwBDgPHAFmB+Ah8N9AE6EGkxHLhaHU2kRhXc+cByYCqROs05NQq4oR7Lnm5xE9AL+GYC2gZ0Jmjk8VLKO+pE4HvAyYRnOwOH5N7NhMd/WKf3beApYBWwAdgHuCLn+tatbRtgJv1awhtd838LEeq30/A7wN+AwcBt+bwpD9AdOAkYVkpZXtVdSnlc7QI8BlwOXFmZ3oXkdxfidwmPrQXeA+4GuuT08QSdALxC3OYNhBe/TtzON4EziZBXD36o+q082BxgQuqvyYL6wtBY2TyEyJ2DgAXAzcC1+Xxw3RlGqiuJ6vE6QS9VGZ/7H02DDwAvELTyMDAxbfQBvggMAAYR9LR9J2cluH7AmnzuBowFFhLJ/wi7yiJgGXBLPq8A7idy9kPgvAQPcC9wERHSVcDtCfYj4E7gr8BRqWMjcXmeB+4tpbyG2kG9Sl2tPqF2Uick8B+7szyfvDhR3Z7vvq/2yqpynnqNeoY6v7LvevUU9QN1fZ3OTeppWZmeyzRoVu+rhbaHOledmoQ7LRd3SzBVeUo9Wf1DPs9X90/jX8m/e9Rn1Mnqi7nuXXW5+rK6oU7n64mjszovxyvVh9WeDcTVnl5KmQNcCMwvpbQA1xE8VZXhwDXAz4FWIkfnAlcBAwl6+SjD2wTcmPtagZnAEuA3dTp7qyNKKe8DW9UeBCeuBsbsWKVOUPvn+MRKCLeq16lXqLPVFvXb6r25dlaGdUx6cITaJ8fnpo5WI4Wuzcjcqn5Y8eI/1F+n3XvUA1N3v4ZamIEtpZRX1Y6Z/DUK2g84GrgHuDqTehpBCYend94jbnJ34DDgNGArQT9bict3Y3p1ZCnlSoLQb0sbgwjCXpY2blc7llLW1UAMI3o5CD4bmuOlwHaC6xakgZ4Z+ibgSxnOgcAI4uavI27jEII7909dL5VSrimlPKgeQ6TJCZVQjwaOLaW8BfyWbPEa1SaiTH1VfSENd85NDxHt1plA71LKRvX4BDaAKFlTgLeALtliDUqPrSV6SQCBlypgFlbmIIrCDcAl6nPAawmYhlLKFuB6IrkXAadUNj6TXlhDcCNEB/Jn4FcE0f4UWEl0NyWNvZxGTs89z6ZnatIIrCdqcCtRJmcCPwCeSN3N1Iu6T4VaFhm9n+riypouBnepLsk9p6p35fzwvDSX5eVQvaDOzjnqzTl+1KC53+XzLINHd65O6lD1DnWbepPBhQ3q2jQyW+2oDkkAtdt5udpb7W+Q/OFGA7ol1zxu1tc8zNHqXercfDfQIOZm9fR815Cpt5PnVqsr1F51wI9QnzU63xZ1o/rdPPmt6enV6sXqHPVqdXOCe1rtrg5W7zNI+m712Ir+cer4POiqfHeJSVe1Raemwnm7xD3mD1E/Z3wIjcsTdlZnqO8bFeNB9c30zgVG2euYa69QJ+9G90lG+99bfdIoo5PU4w362xHePxl1slMab6tV72KUxDvzlAMT8G0ZohXq39VX1bNzzxij9K1Qb9lhdGe931B/kR6/zCwY9YvuytCsMlj+gbr5SemhqkyuzE8xau4MP865JvWNuj0b1YuqDkgvH2GkURfakly01Cg7Cw0+qyXxkjojq9Lw+vT2AUY+DlF/otYq1Ixc35re2V7R8aTRg2KUv7+ou3x/14PsUBn3NG51S0XpG0Z9PcOPKWSS0SKNUo9Rv2Mmt/G5WpPF6pHGra7Jv410OVsdaz217AbkAPX3ubkm240belCuudT4Rp5p/DyC2lf9mfq1iq5eFe8/lu+K0YrVp0uret4nAkwlB6vzjI/1PxrlrTp/oNHbzTJI92T1qAT+BfW49MhMg6JUp7ehY5a6Tl2jjmVvitF9fxo5Yq8CaAfAkzLMnySt6uz/1k6bPx59CpCNxGfoSKA30IPoH7cQXdArwCOllFX/i53P5P9a/gNkKpsCMFRuFAAAAABJRU5ErkJggg==)](https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/public-report/template-repository) -This template repository equips you with the default initial files required for a Ministry of Justice GitHub repository. +This template repository equips you with the default initial files required for an Analytical Platform Image Build Template GitHub repository. + +This repository is managed in Terraform [here](https://github.com/ministryofjustice/data-platform/blob/main/terraform/github/analytical-platform-repositories.tf#L286). ## Included Files The repository comes with the following preset files: - +- .GitHub + - workflows + - built-and-test.yml + - release.yml + - super-linter.yml + - dependency-review.yml +- scripts + - build-and-test.sh +- test + - container-structure-test.yml +- Dockerfile +- .EditorConfig - LICENSE - .gitignore - CODEOWNERS @@ -15,6 +28,10 @@ The repository comes with the following preset files: - GitHub Actions example files - Ministry of Justice Compliance Badge (public repositories only) +## Features + +The base container image is [Ubuntu 22.04 LTS](https://gallery.ecr.aws/ubuntu/ubuntu). + ## Setup Instructions Once you've created your repository using this template, ensure the following steps: @@ -64,3 +81,13 @@ Adapt the dependabot.yml file to match your project's [dependency manager](https ### Dependency Review If your repository is private with no GitHub Advanced Security license, remove the `.github/workflows/dependency-review.yml` file. + +### Dockerfile + +make sure to add your own build logic to the bottom of the `Dockerfile` + +### Tests + +please make sure to add any additional requirement tests needed to the `container-structure-test.yml` + +please note: No testing as been added to this template this is to be implemented by the developer as required diff --git a/scripts/build-and-test.sh b/scripts/build-and-test.sh new file mode 100755 index 0000000..66a17ed --- /dev/null +++ b/scripts/build-and-test.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +IMAGE_TAG="analytical-platform.service.justice.gov.uk/template-base:local" +CONTAINER_STRUCTURE_TEST_IMAGE="gcr.io/gcp-runtimes/container-structure-test:latest" + +if [[ "${REMOTE_CONTAINERS}" ]] && [[ "$(uname -m)" == "aarch64" ]]; then + echo "(⚠) Looks like you're running in a dev container on Apple Silicon." + echo "(⚠) This script builds linux/amd64 images which might take a long time or even fail." + export PLATFORM_FLAG="--platform linux/amd64" +fi +# shellcheck disable=SC2086 +# special case for PLATFORM_FLAG as it can't parse double quotes +docker build ${PLATFORM_FLAG} --file Dockerfile --tag "${IMAGE_TAG}" . + +echo "Running container structure test for [ ${IMAGE_TAG} ]" + +# shellcheck disable=SC2086 +# special case for PLATFORM_FLAG as it can't parse double quotes +docker run --rm ${PLATFORM_FLAG} \ + --volume /var/run/docker.sock:/var/run/docker.sock \ + --volume "${PWD}:/workspace" \ + --workdir /workspace \ + "${CONTAINER_STRUCTURE_TEST_IMAGE}" \ + test --image "${IMAGE_TAG}" --config "/workspace/test/container-structure-test.yml" diff --git a/test/container-structure-test.yml b/test/container-structure-test.yml new file mode 100644 index 0000000..8948a04 --- /dev/null +++ b/test/container-structure-test.yml @@ -0,0 +1,25 @@ +--- +schemaVersion: 2.0.0 + +containerRunOptions: + user: "analyticalplatform" + +commandTests: + - name: "ubuntu" + command: "grep" + args: ["DISTRIB_RELEASE", "/etc/lsb-release"] + expectedOutput: ["DISTRIB_RELEASE=22.04"] + + - name: "whoami" + command: "whoami" + expectedOutput: ["analyticalplatform"] + + - name: "user" + command: "id" + args: ["--user", "analyticalplatform"] + expectedOutput: ["1000"] + + - name: "groups" + command: "id" + args: ["--groups", "analyticalplatform"] + expectedOutput: ["100"]