
fix: Dockerfile to reduce vulnerabilities #84


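---
# CI pipeline: refresh the PDM lockfile, run tests, build/push the Docker
# image from master, then notify the parent repository.
#
# Least-privilege layout: the default GITHUB_TOKEN is read-only for every
# job; only the `pdm` job, which pushes lockfile updates back to the branch,
# is granted contents:write. Docker Hub and the parent-repo dispatch use
# dedicated secrets, not GITHUB_TOKEN.
#
# NOTE(review): third-party actions are pinned to mutable major tags
# (@v2/@v3/@v4/@v9). Pinning each to a full commit SHA (tag kept in a
# trailing comment) would protect against tag moves; kept as-is here.
name: main

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      # '*' matches branch names without a '/'; '**' would also match
      # names such as feature/foo. Kept as-is to preserve current triggers.
      - '*'
  schedule:
    - cron: "0 23 * * 0"  # weekly on Sunday evening (UTC)
  repository_dispatch:

# Workflow-wide default: read-only token. Jobs that need more override it.
permissions:
  contents: read

jobs:
  pdm:
    name: Update PDM lockfile and requirements.txt (for security audit)
    runs-on: ubuntu-latest
    # This job commits pdm.lock / requirements.txt back to the branch with
    # GITHUB_TOKEN, so it needs contents:write and nothing else.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.ref_name }}

      - name: Setup PDM
        uses: pdm-project/setup-pdm@v3
        with:
          # Quoted: an unquoted version such as 3.10 would be parsed as the
          # float 3.1. Accepts a range or exact version, same as
          # actions/setup-python.
          python-version: "3.11"

      - name: Checking updates for pdm.lock
        run: pdm update

      - name: Exporting requirements.txt
        run: pdm export -o requirements.txt --without-hashes

      - name: add and commit changes for pdm.lock
        uses: EndBug/add-and-commit@v9
        with:
          # Arguments for `git add` (default: '.').
          add: 'pdm.lock requirements.txt'
          # Extra arguments for `git commit`; --message is set by `message`.
          commit: --signoff
          # How missing author name/email are filled:
          #   github_actor   -> UserName <UserName@users.noreply.github.com>
          #   user_info      -> Your Display Name <your-actual@email.com>
          #   github_actions -> github-actions <github logo email>
          # Default: github_actor
          default_author: github_actor
          # Commit message (default: 'Commit from GitHub Actions (<workflow>)').
          message: '[automatic] updated pdm.lock and requirements.txt'
          # Pathspec error handling for add/remove:
          #   ignore          -> logged, step does not fail
          #   exitImmediately -> stop right away, step fails
          #   exitAtEnd       -> continue, log all errors at the end, step fails
          # Default: ignore
          pathspec_error_handling: ignore

  test:
    name: Run tests
    runs-on: ubuntu-latest
    needs: pdm
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.ref_name }}
      # TODO: test before build

  docker:
    name: Build docker image
    runs-on: ubuntu-latest
    needs: test
    if: github.ref_name == 'master'
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.ref_name }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Date tag lets deployments roll back to an earlier image if :dev
      # turns out to be problematic.
      - name: Get current date
        id: date
        run: echo "TODAY=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: ./Dockerfile
          push: true
          # Needed on KMi servers with old docker, for the manifest.
          provenance: false
          tags: |
            ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:dev
            ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ env.TODAY }}

  update-main-repo:
    name: Update main repo
    runs-on: ubuntu-latest
    needs: docker
    # if: github.ref_name == 'master'  # already checked in docker job
    # Only checkout (read) and a dispatch authenticated with a dedicated PAT
    # happen here, so the workflow-level read-only GITHUB_TOKEN is enough;
    # the previous write-all grant was unused.
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.ref_name }}

      # Read HEAD from the checkout rather than github.sha: the branch tip
      # may include the commit pushed by the pdm job earlier in this run.
      - name: Get current sha
        id: sha
        run: echo "SHA=$(git rev-parse HEAD)" >> "$GITHUB_ENV"

      - name: trigger main repo
        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ secrets.MISINFOME_GH_TOKEN }}
          repository: MartinoMensio/MisinfoMe
          event-type: 'Update: ${{ github.event.repository.name }}'
          client-payload: '{ "submodule": "twitter-connector" , "repository": "${{ github.event.repository.name }}", "commit_sha": "${{ env.SHA }}" }'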