From 0c6107444690275187e97e79c8844060d8e6bbb5 Mon Sep 17 00:00:00 2001
From: Arnfinn Hykkerud Steindal
Date: Fri, 11 Oct 2024 16:05:26 +0200
Subject: [PATCH] Dytt image opp til NHN (#43)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bruker i tillegg base-r:main som basis-image for å unngå sårbarheter. Oppdaterte ellers actions med slik den er satt opp ellers. La blant annet til concurrency, slik at jobber stopper hvis det kommer ny commit
---
 .github/workflows/docker.yml | 4 ++
 .github/workflows/harbor.yaml | 55 ++++++++++++++++++++
 .github/workflows/lint.yml | 51 +++++++------------
 .github/workflows/r-cmd-check.yml | 78 +++++++---------------
 .github/workflows/vulnerability.yml | 49 +++++++++---------
 Dockerfile | 4 +-
 6 files changed, 124 insertions(+), 117 deletions(-)
 create mode 100644 .github/workflows/harbor.yaml

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 42410cc..0819a26 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,6 +9,10 @@ on:
   schedule:
     - cron: '0 21 * * 6' # run every Saturday at 21
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   push_to_registries:
     name: Push Docker image to docker hub
diff --git a/.github/workflows/harbor.yaml b/.github/workflows/harbor.yaml
new file mode 100644
index 0000000..fddb094
--- /dev/null
+++ b/.github/workflows/harbor.yaml
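Review bot: `cancel-in-progress: true` in the new `concurrency:` block applies to every run of this workflow, including the push-to-main and `schedule` runs of the job that pushes to Docker Hub, so a new commit on main can abort a registry push part-way through, and a scheduled run shares the `refs/heads/main` group key with pushes to main. Restricting cancellation to pull requests keeps the de-duplication where it helps and leaves publishing runs alone: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same applies to the identical block added in harbor.yaml, whose job pushes on `push` to main and on `release`.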
@@ -0,0 +1,55 @@
+name: Publish Docker image to Harbor
+on:
+  release:
+    types: [published]
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ github.repository }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: "Dockerfile"
+      - name: R setup
+        uses: r-lib/actions/setup-r@v2
+      - name: Build package (tarball)
+        run: R CMD build .
+      - name: Prepare tags
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=schedule,pattern=weekly
+            type=semver,pattern={{version}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Harbor
+        run: |
+          echo ${{ secrets.HARBOR_PASSWORD }} | docker login --username ${{ secrets.HARBOR_USERNAME }} --password-stdin ${{ secrets.HARBOR_REGISTRY }}
+      - name: Build image and push to Harbor
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          tags: ${{ secrets.HARBOR_REGISTRY }}/${{ steps.docker_meta.outputs.tags }}
+          push: ${{ github.event_name != 'pull_request' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cd35170..1fb9c15 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
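Review bot: The `tags:` input of the "Build image and push to Harbor" step prefixes `${{ secrets.HARBOR_REGISTRY }}/` onto `steps.docker_meta.outputs.tags`, but that output is a newline-separated list, so only its first line receives the registry; with the triggers configured here each run appears to produce a single tag, so the defect is latent until a second tag generator applies (for example a `latest` tag on release). Move the registry into the metadata step instead: `images: ${{ secrets.HARBOR_REGISTRY }}/${{ env.IMAGE_NAME }}` and `tags: ${{ steps.docker_meta.outputs.tags }}`. The "Login to Harbor" step interpolates `secrets.HARBOR_PASSWORD` unquoted into the shell script, so a password containing spaces or shell metacharacters would be split or interpreted by the shell; `docker/login-action@v3` with `registry`, `username` and `password` inputs avoids that, and an `if: github.event_name != 'pull_request'` on it would match the `push:` condition below so pull-request runs do not attempt a login at all. `type=schedule,pattern=weekly` has no matching `schedule:` trigger in this workflow and can be dropped.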
@@ -1,49 +1,36 @@
 on:
   push:
-    branches: [ "main" ]
+    branches:
+      - main
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - main
 
-name: lint
+name: lintr
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     env:
-      GITHUB_PAT: ${{ secrets.GH_TOKEN }}
+      GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v3
-
-      - name: Install unmet sys deps
-        run: |
-          sudo apt update
-          sudo apt install -y --no-install-recommends libcurl4-openssl-dev libgit2-dev libharfbuzz-dev libfribidi-dev
+      - uses: actions/checkout@v4
       - uses: r-lib/actions/setup-r@v2
-
-      - name: Query dependencies
-        run: |
-          install.packages('remotes')
-          saveRDS(remotes::dev_package_deps(dependencies = TRUE), ".github/depends.Rds", version = 2)
-          writeLines(sprintf("R-%i.%i", getRversion()$major, getRversion()$minor), ".github/R-version")
-        shell: Rscript {0}
-
-      - name: Cache R packages
-        uses: actions/cache@v3
         with:
-          path: ${{ env.R_LIBS_USER }}
-          key: ${{ runner.os }}-${{ hashFiles('.github/R-version') }}-1-${{ hashFiles('.github/depends.Rds') }}
-          restore-keys: ${{ runner.os }}-${{ hashFiles('.github/R-version') }}-1-
+          use-public-rspm: true
 
-      - name: Install dependencies
-        run: |
-          install.packages(c("remotes", "devtools"))
-          remotes::install_deps(dependencies = TRUE)
-          remotes::install_cran("lintr")
-        shell: Rscript {0}
+      - uses: r-lib/actions/setup-r-dependencies@v2
+        with:
+          extra-packages: any::lintr, local::.
+          needs: lint
       - name: Lint
-        run: |
-          devtools::load_all()
-          lintr::lint_package()
+        run: lintr::lint_package()
         shell: Rscript {0}
+        env:
+          LINTR_ERROR_ON_LINT: false
diff --git a/.github/workflows/r-cmd-check.yml b/.github/workflows/r-cmd-check.yml
index f18254d..1a0ffcc 100644
--- a/.github/workflows/r-cmd-check.yml
+++ b/.github/workflows/r-cmd-check.yml
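Review bot: `LINTR_ERROR_ON_LINT: false` on the Lint step means lint findings never fail the job, so the `lintr` workflow only reports and cannot gate a merge; if that is intended, record it with a comment above the step's `env:` such as `# advisory only: lint findings are reported but do not fail the job`, otherwise drop the entry. The job also moves from a personal `GH_TOKEN` to `secrets.GITHUB_TOKEN` without a `permissions:` block, so the token keeps whatever default scope the repository grants; a top-level `permissions:` / `  contents: read` pins it to the read-only access that checkout and package installation need.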
@@ -1,32 +1,33 @@
 on:
   push:
-    branches: [ "main" ]
+    branches:
+      - main
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - main
 
 name: R-CMD-check
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   R-CMD-check:
     runs-on: ${{ matrix.config.os }}
 
-    name: ${{ matrix.config.os }} (${{ matrix.config.r }})
-
     strategy:
       fail-fast: false
       matrix:
         config:
-          - {os: windows-latest, r: 'release'}
-          - {os: macOS-latest, r: 'release'}
-          - {os: ubuntu-latest, r: 'release'}
+          - {os: ubuntu-24.04, r: 'release'}
 
     env:
       R_REMOTES_NO_ERRORS_FROM_WARNINGS: true
-      RSPM: ${{ matrix.config.rspm }}
-      GITHUB_PAT: ${{ secrets.GH_TOKEN }}
+      GITHUB_PAT: ${{ github.token }}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: r-lib/actions/setup-r@v2
         with:
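Review bot: `R_REMOTES_NO_ERRORS_FROM_WARNINGS: true` in the job `env:` is a leftover of the remotes-based "Install dependencies" step that the next hunk of this file removes; with `r-lib/actions/setup-r-dependencies` doing the install it appears to have no consumer and can be dropped, or commented if something outside this file still reads it. The matrix is also reduced to a single `ubuntu-24.04` entry while lint.yml and harbor.yaml in the same commit use `ubuntu-latest`; if the pin is deliberate, a one-line comment above `config:` saying why (for example reproducible system libraries for the check) would keep the next reader from "fixing" it. The `R-CMD-check` job continues past the end of this hunk.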
@@ -34,65 +35,22 @@ jobs:
       - uses: r-lib/actions/setup-pandoc@v2
 
-      - uses: r-lib/actions/setup-tinytex@v2
-
-      - name: Db unit tests in ubuntu/linux only
-        if: runner.os != 'Windows'
-        run: |
-          if [[ ${{ runner.os }} == Linux ]]; then
-            echo "GITHUB_ACTIONS_RUN_DB_UNIT_TESTS=true" >> $GITHUB_ENV
-          else
-            echo "GITHUB_ACTIONS_RUN_DB_UNIT_TESTS=false" >> $GITHUB_ENV
-          fi
-
-      - name: Set up MySQL, ubuntu only
-        if: runner.os == 'Linux'
-        run: |
-          sudo /etc/init.d/mysql start
-          mysql -e 'CREATE DATABASE IF NOT EXISTS testdb;' -uroot -proot
-
-      - name: Set up system fonts, macOS only
-        if: runner.os == 'macOS'
-        run: brew install --cask xquartz
-
-      - name: Query dependencies
-        run: |
-          install.packages('remotes')
-          saveRDS(remotes::dev_package_deps(dependencies = TRUE), ".github/depends.Rds", version = 2)
-          writeLines(sprintf("R-%i.%i", getRversion()$major, getRversion()$minor), ".github/R-version")
-        shell: Rscript {0}
-
-      - name: Cache R packages
-        if: runner.os != 'Windows'
-        uses: actions/cache@v3
+      - uses: r-lib/actions/setup-r-dependencies@v2
         with:
-          path: ${{ env.R_LIBS_USER }}
-          key: ${{ runner.os }}-${{ hashFiles('.github/R-version') }}-1-${{ hashFiles('.github/depends.Rds') }}
-          restore-keys: ${{ runner.os }}-${{ hashFiles('.github/R-version') }}-1-
-
-      - name: Install system dependencies
-        if: runner.os == 'Linux'
-        run: |
-          while read -r cmd
-          do
-            eval sudo $cmd
-          done < <(Rscript -e 'writeLines(remotes::system_requirements("ubuntu", "22.04"))')
-
-      - name: Install dependencies
-        run: |
-          remotes::install_deps(dependencies = TRUE)
-          remotes::install_cran("rcmdcheck")
-        shell: Rscript {0}
+          extra-packages: any::rcmdcheck
+          needs: check
 
       - name: Check
         env:
           _R_CHECK_CRAN_INCOMING_REMOTE_: false
-        run: rcmdcheck::rcmdcheck(args = c("--no-manual", "--as-cran"), error_on = "error", check_dir = "check")
+        run: |
+          options(crayon.enabled = TRUE)
+          rcmdcheck::rcmdcheck(args = c("--no-manual", "--as-cran"), error_on = "warning", check_dir = "check")
         shell: Rscript {0}
 
       - name: Upload check results
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@main
         with:
           name: ${{ runner.os }}-r${{ matrix.config.r }}-results
           path: check
diff --git a/.github/workflows/vulnerability.yml b/.github/workflows/vulnerability.yml
index 6863277..f66392d 100644
--- a/.github/workflows/vulnerability.yml
+++ b/.github/workflows/vulnerability.yml
@@ -1,35 +1,29 @@
-name: Vulnerability by snyk.io
+name: Snyk Container
+
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
   schedule:
-    - cron: '0 21 * * 1' # run every Monday at 21
+    - cron: '30 22 * * 5'
 
-permissions:
-  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   snyk:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
-    env:
-      IMAGE_NAME: ${{ github.repository }}
+    name: rapadm-snyk
     steps:
-      - uses: actions/checkout@v3
-      - name: downcase repository name for image
-        run: |
-          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+      - uses: actions/checkout@v4
       - name: R setup
         uses: r-lib/actions/setup-r@v2
-      - name: Build R package (tarball)
+      - name: Build package (tarball)
         run: R CMD build .
-      - name: Build a Docker image
-        run: docker build -t ${IMAGE_NAME} --build-arg GH_PAT=${{ secrets.GITHUB_TOKEN}} .
+      - name: Build docker image
+        run: docker build -t rapadm-snyk .
       - name: Run Snyk to check Docker image for vulnerabilities
         # Snyk can be used to break the build when it detects vulnerabilities.
         # In this case we want to upload the issues to GitHub Code Scanning
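Review bot: `uses: actions/upload-artifact@main` on the "Upload check results" step tracks a moving branch rather than a release, so the action code that runs in this job can change at any time without any change in this repository; pin it to a tagged release or a commit SHA, `uses: actions/upload-artifact@v4`. The `snyk/actions/docker@master` reference introduced by the new "Monitor image in Snyk UI" step in vulnerability.yml has the same shape. The switch to `error_on = "warning"` makes check warnings fail the job where before only errors did; a short comment on that line saying so would spare the next reader a trip to the rcmdcheck docs.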
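Review bot: Removing the job-level `permissions:` block from the `snyk` job drops `security-events: write`, which the `github/codeql-action/upload-sarif` step in the next hunk needs to upload `snyk.sarif`; unless the repository's default GITHUB_TOKEN permissions are set to write-all the upload will now fail, and if they are, the job runs with far more access than it uses. Restore the block on the job: `permissions:` / `  contents: read` / `  security-events: write` (and `actions: read` only if the repository is private, as the removed comment noted). The top-level `contents: read` that was removed served the same least-privilege purpose; harbor.yaml, lint.yml and r-cmd-check.yml in this commit carry no `permissions:` block either, so a read-only default there would be consistent.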
@@ -38,17 +32,26 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          image: ${IMAGE_NAME}
-          args: --file=Dockerfile --severity-threshold=critical
+          image: rapadm-snyk
+          args: --file=Dockerfile --severity-threshold=high
       - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: snyk.sarif
-      - name: Accept only vulnerability levels below critical
+      - name: Monitor image in Snyk UI
+        continue-on-error: true
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          image: rapadm-snyk
+          args: --file=Dockerfile --severity-threshold=high --org=b034af62-43be-40c7-95e8-fdc56d6f3092
+      - name: Accept only vulnerability levels below high
         continue-on-error: false
         uses: snyk/actions/docker@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          image: ${IMAGE_NAME}
-          args: --file=Dockerfile --severity-threshold=critical
+          image: rapadm-snyk
+          args: --file=Dockerfile --severity-threshold=high
diff --git a/Dockerfile b/Dockerfile
index e5f870e..b29a2df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
-FROM rapporteket/base-r:4.2.2
+FROM rapporteket/base-r:main
 
-LABEL maintainer "Are Edvardsen "
+LABEL maintainer "Arnfinn Hykkerud Steindal "
 LABEL no.rapporteket.cd.enable="true"
 
 ARG GH_PAT
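Review bot: The new "Monitor image in Snyk UI" step runs on every trigger of this workflow, including `pull_request`, so each PR build of `rapadm-snyk` gets registered as a monitored project in the Snyk organisation; gating it with `if: github.event_name != 'pull_request'` keeps monitoring to main and the scheduled run. The organisation id is hard-coded in `args`; a repository variable, `--org=${{ vars.SNYK_ORG }}`, keeps account-specific values out of the workflow text. The same `--severity-threshold=high` is now repeated in three steps, so a single job-level `env` value referenced from each `args` would keep them from drifting apart. The first Snyk step of this job starts outside the hunk.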
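Review bot: `FROM rapporteket/base-r:main` replaces a version-pinned base with a floating branch tag, so every build pulls whatever base-r last published and two builds of the same commit can differ; a Snyk result for a given commit is then not reproducible either. If tracking base-r is the goal, pin the digest as well and let a dependency bot bump it, `FROM rapporteket/base-r:main@sha256:<DIGEST>` (placeholder), so each base change arrives as a reviewable commit. The commit message says the switch is meant to pick up vulnerability fixes from the base image; a comment above the `FROM` line recording that intent would help the next reader. `ARG GH_PAT` remains declared while the docker build in vulnerability.yml no longer passes `--build-arg GH_PAT`; its use is outside this hunk, so worth confirming it is still needed.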