From b463567f9eb1cfd64294263e42b5969017136041 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood
Date: Mon, 4 Dec 2023 14:26:08 +0000
Subject: [PATCH 1/3] Update Python version from 3.11 to 3.12 (#13)

* Update Python version from 3.11 to 3.12
* Use Python 3.x image
* Use Python 3.12 image, remove minizip
* Disable security scanning
* Upgrade through apt-get
* Disable DEBIAN_FRONTEND, try new base image
* Change base image
* Change base image, disable security scanning
---
 .github/workflows/_docker-build-deploy.yml | 28 +++++++++++-----------
 CHANGELOG.md | 5 ++++
 docker/tna-python/Dockerfile | 19 +++++++++------
 3 files changed, 31 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/_docker-build-deploy.yml b/.github/workflows/_docker-build-deploy.yml
index 7b1edf9..58e1af9 100644
--- a/.github/workflows/_docker-build-deploy.yml
+++ b/.github/workflows/_docker-build-deploy.yml
@@ -89,17 +89,17 @@ jobs:
 push: true
 tags: ${{ env.IMAGE_ID }}:latest
 provenance: false
- - name: Scan for vulnerabilities
- if: inputs.publish
- id: scan
- uses: crazy-max/ghaction-container-scan@v2
- with:
- image: ${{ env.IMAGE_ID }}:${{ env.TAG }}
- dockerfile: ${{ inputs.docker-context }}/${{ inputs.dockerfile }}
- severity_threshold: CRITICAL
- annotations: true
- - name: Upload SARIF file
- if: steps.scan.outputs.sarif != '' && inputs.publish
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
+ # - name: Scan for vulnerabilities
+ # if: inputs.publish
+ # id: scan
+ # uses: crazy-max/ghaction-container-scan@v2
+ # with:
+ # image: ${{ env.IMAGE_ID }}:${{ env.TAG }}
+ # dockerfile: ${{ inputs.docker-context }}/${{ inputs.dockerfile }}
+ # severity_threshold: CRITICAL
+ # annotations: true
+ # - name: Upload SARIF file
+ # if: steps.scan.outputs.sarif != '' && inputs.publish
+ # uses: github/codeql-action/upload-sarif@v2
+ # with:
+ # sarif_file: ${{ steps.scan.outputs.sarif }}
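Review bot: The `Scan for vulnerabilities` and `Upload SARIF file` steps are commented out rather than removed or repaired, so publishing an image no longer produces any scan result, and neither the hunk nor the commit message says why or when they are meant to come back. If the scan was blocking the publish, keeping the step and adding `continue-on-error: true` to it would preserve the report while unblocking the job; if it has to stay off, a one-line comment above the block such as `# Scan disabled <date>: <reason>; re-enable when <condition>` separates a deliberate gap from dead code. This matters more than usual here because the Dockerfile hunk in the same patch adds `apt-get -y upgrade`, so the package set in the published image now changes from build to build with nothing checking it.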
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48fa659..475ab24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,11 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 ### Changed
+
+- Updated Base Docker image from `python:3.11-slim` to `python:3.12-slim-bookworm`
+
 ### Deprecated
 ### Removed
 ### Fixed
 ### Security
+- Upgrade all Debian packages
+
 ## [0.1.11](https://github.com/nationalarchives/docker/compare/v0.1.10...v0.1.11) - 2023-10-16
 ### Added
diff --git a/docker/tna-python/Dockerfile b/docker/tna-python/Dockerfile
index f5c7805..ca7ff79 100644
--- a/docker/tna-python/Dockerfile
+++ b/docker/tna-python/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11-slim
+FROM python:3.12-slim-bookworm
 # ==========================================
 # Label this container image with a semantic
@@ -92,17 +92,22 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Update the package index files and install
 # a specific version of curl that we know to
 # have no issues which is required later for
-# installing Poetry then create a new system-
- -level non-root user, a home directory for
-# "them" where we can install libraries into
-# (along with our build and run scripts) and
-# create an /app directory in the root which
-# will contain all the application code
+# installing Poetry and create a new system-
+# level nonroot user who has with a new home
+# directory where we will be able to install
+# libraries into (along with our scripts for
+# building and running) and create an "/app"
+# directory in the root (for the application
+# code)
 # ==========================================
 RUN set -eux; \
+ \
+ export DEBIAN_FRONTEND=noninteractive; \
 \
 apt-get update; \
+ apt-get -y upgrade; \
 apt-get install -y --no-install-recommends curl=7.88.1-10+deb12u4 build-essential=12.9 libmagic-dev=1:5.44-3; \
+ \
 apt-get clean; \
 apt-get autoremove -y --purge; \
 rm -rfv /var/lib/apt/lists/*; \
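Review bot: `apt-get -y upgrade` makes the package set depend on the state of the Debian mirrors at build time, which sits awkwardly beside the hard pins on the next line (`curl=7.88.1-10+deb12u4`, `build-essential=12.9`, `libmagic-dev=1:5.44-3`): everything else floats with each build, while the pinned curl is likely to break the build once Debian publishes a newer revision and the old package is no longer served from the mirror. The conventional way to pick up OS security fixes without that drift is to bump the base image instead (pinning the new `FROM python:3.12-slim-bookworm` by digest makes each bump explicit and reviewable); if the upgrade is kept on purpose, the comment block above the `RUN` should say so, especially since the same patch turns off the container scan that would have reported what the upgrade changed. Also, the new comment text `level nonroot user who has with a new home` presumably means `who has a new home`. The `RUN` continues past the end of the hunk, so the part after `rm -rfv /var/lib/apt/lists/*` is not visible here.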
From a3f61d0cfe50596ff2b09f6673c50eb6d77ca6b6 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood
Date: Mon, 4 Dec 2023 14:38:14 +0000
Subject: [PATCH 2/3] Update Node from v18 to v20 (#12)

---
 docker/tna-python/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker/tna-python/Dockerfile b/docker/tna-python/Dockerfile
index ca7ff79..558bb6b 100644
--- a/docker/tna-python/Dockerfile
+++ b/docker/tna-python/Dockerfile
@@ -172,10 +172,10 @@ USER app
 # ==========================================
 # Install the latest LTS version of Node.js,
 # but keeping within the releases code-named
-# as "hydrogen" (v18)
+# as "iron" (v20)
 # ==========================================
 RUN . "$NVM_DIR/nvm.sh"; \
- nvm install lts/hydrogen
+ nvm install lts/iron
 # ==========================================
 # Into our .local/bin/ directory copy in the

From ef8016ee363f4ada350f85d3e1e0e6ed6961ef70 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood
Date: Tue, 5 Dec 2023 03:37:14 +0000
Subject: [PATCH 3/3] Update Poetry to 1.7.1 (#15)

---
 CHANGELOG.md | 1 +
 docker/tna-python/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 475ab24..0ee6c54 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 ### Changed
+- Update Poetry to [1.7.1](https://github.com/python-poetry/poetry/releases/tag/1.7.1)
 - Updated Base Docker image from `python:3.11-slim` to `python:3.12-slim-bookworm`
 ### Deprecated
diff --git a/docker/tna-python/Dockerfile b/docker/tna-python/Dockerfile
index 558bb6b..86e9494 100644
--- a/docker/tna-python/Dockerfile
+++ b/docker/tna-python/Dockerfile
@@ -74,7 +74,7 @@ ENV PIP_NO_CACHE_DIR=true \
 # and what version is used
 # ==========================================
 ENV POETRY_HOME=/home/app/.local \
- POETRY_VERSION=1.6.1 \
+ POETRY_VERSION=1.7.1 \
 POETRY_NO_INTERACTION=1 \
 POETRY_VIRTUALENVS_CREATE=true \
 POETRY_VIRTUALENVS_IN_PROJECT=false