Merge pull request #17 from bcgov/chore/security

Update Python base image to 3.12-alpine
bcgov · Mar 22, 2024 · 3ff2c95 · 3ff2c95
2 parents 302f43a + 500a356
commit 3ff2c95
Show file tree

Hide file tree

Showing 7 changed files with 160 additions and 18 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# These users will be the default owners for everything in the repo.
+# Unless a later match takes precedence, the following users will be
+# requested for review when someone opens a pull request.
+@kyle1morel @TimCsaky @wilwong89 @jatindersingh93 @norrisng-bc
diff --git a/.github/actions/build-push-container/action.yaml b/.github/actions/build-push-container/action.yaml
@@ -0,0 +1,87 @@
+name: Build & Push Container
+description: Builds a container from a Dockerfile and pushes to registry
+
+inputs:
+  context:
+    description: Effective Working Directory
+    required: true
+    default: "./"
+  image_name:
+    description: Image Name
+    required: true
+  github_username:
+    description: Github Container Registry Username
+    required: true
+  github_token:
+    description: Github Container Registry Authorization Token
+    required: true
+  dockerhub_username:
+    description: Dockerhub Container Registry Username
+    required: false
+  dockerhub_organization:
+    description: Dockerhub Container Registry Organization
+    required: false
+    default: bcgovimages
+  dockerhub_token:
+    description: Dockerhub Container Registry Authorization Token
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Parse Input Values
+      shell: bash
+      run: |
+        echo "GH_USERNAME=$(tr '[:upper:]' '[:lower:]' <<< '${{ inputs.github_username }}')" >> $GITHUB_ENV
+        echo "HAS_DOCKERHUB=${{ fromJson(inputs.dockerhub_username != '' && inputs.dockerhub_token != '') }}" >> $GITHUB_ENV
+
+    - name: Login to Github Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ env.GH_USERNAME }}
+        password: ${{ inputs.github_token }}
+
+    - name: Login to Dockerhub Container Registry
+      if: env.HAS_DOCKERHUB == 'true'
+      uses: docker/login-action@v3
+      with:
+        registry: docker.io
+        username: ${{ inputs.dockerhub_username }}
+        password: ${{ inputs.dockerhub_token }}
+
+    - name: Prepare Container Metadata tags
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: |
+          ghcr.io/${{ env.GH_USERNAME }}/${{ inputs.image_name }}
+          docker.io/${{ inputs.dockerhub_organization }}/${{ inputs.image_name }},enable=${{ env.HAS_DOCKERHUB }}
+        # Always updates the 'latest' tag
+        flavor: |
+          latest=true
+        # Creates tags based off of branch names and semver tags
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha
+
+    - name: Build and Push to Container Registry
+      id: builder
+      uses: docker/build-push-action@v5
+      with:
+        context: ${{ inputs.context }}
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: Inspect Docker Image
+      shell: bash
+      run: |
+        docker image inspect ghcr.io/${{ env.GH_USERNAME }}/${{ inputs.image_name }}:latest
diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml
diff --git a/.github/workflows/on-pr-opened.yaml b/.github/workflows/on-pr-opened.yaml
@@ -0,0 +1,34 @@
+name: Pull Request Opened
+
+env:
+  APP_NAME: clamav-mirror
+
+on:
+  pull_request:
+    branches:
+      - master
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build & Push
+    if: "! github.event.pull_request.head.repo.fork"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build & Push
+        uses: ./.github/actions/build-push-container
+        with:
+          context: ./docker
+          image_name: ${{ env.APP_NAME }}
+          github_username: ${{ github.repository_owner }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/on-push.yaml b/.github/workflows/on-push.yaml
@@ -0,0 +1,33 @@
+name: Push
+
+env:
+  APP_NAME: clamav-mirror
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - v*.*.*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build & Push
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build & Push
+        uses: ./.github/actions/build-push-container
+        with:
+          context: ./docker
+          image_name: ${{ env.APP_NAME }}
+          github_username: ${{ github.repository_owner }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/python:3.9-alpine
+FROM docker.io/python:3.12-alpine
 ENV PYTHONUNBUFFERED 1
 WORKDIR /opt/app-root/src
 

diff --git a/openshift/app.bc.yaml b/openshift/app.bc.yaml
@@ -53,7 +53,7 @@ parameters:
     description: Base Image to build from
     displayName: Base Image
     required: true
-    value: docker.io/python:3.9-alpine
+    value: docker.io/python:3.11-alpine
   - name: REPO_NAME
     description: Application repository name
     displayName: Repository Name