norcalipa · norcalipa · Nov 16, 2024 · Nov 16, 2024
diff --git a/.github/workflows/build-base-image.yml b/.github/workflows/build-base-image.yml
@@ -0,0 +1,81 @@
+# Copyright (c) 2024 Isaac Adams
+# Licensed under the MIT License. See LICENSE file in the project root for full license information.
+name: Build Base Image
+
+on:
+  push:
+    paths-ignore:
+      - '.github/**'
+      - 'seeds/**'
+      - 'dump/**'
+      - 'k8s/**'
+      - '!Base.Dockerfile'
+      - '!requirements.txt'
+      - '!package-lock.json'
+      - '.gitignore'
+
+concurrency:
+  group: deployment
+
+env:
+  PROJECT_ID: crank-404520
+  SERVICE: crank
+  REGION: us-west1
+  ARTIFACT_REPO: crank-repository
+
+jobs:
+  build-base-image:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      packages: 'write'
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check if last commit was a merge commit
+        id: check
+        run: |
+          if [[ "$(git log --merges -1 --pretty=%H)" != "$(git log -1 --pretty=%H)" ]]; then
+            echo "This was not a merge commit. Exiting..."
+            exit 1
+          fi
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Install Node.js dependencies
+        run: npm install
+
+      - name: Authenticate with GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Base.Dockerfile to Dockerfile
+        run: |
+          cp Base.Dockerfile Dockerfile
+
+      - name: Build and Push Container to GitHub Container Registry
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ghcr.io/${{ github.repository }}/crank-base:${{ github.sha }}
+
+      - name: Tag and Push Image as Latest
+        run: |
+          docker tag ghcr.io/${{ github.repository }}/crank-base:${{ github.sha }} ghcr.io/${{ github.repository }}/crank-base:latest
+          docker push ghcr.io/${{ github.repository }}/crank-base:latest
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -43,11 +43,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip

diff --git a/.github/workflows/check-license.yml b/.github/workflows/check-license.yml
@@ -23,11 +23,6 @@ jobs:
         with:
           python-version: 3.13
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt
-
       - name: Check for license headers
         run: |
           python check_license.py
diff --git a/.github/workflows/deploy-home.yml b/.github/workflows/deploy-home.yml
@@ -19,10 +19,6 @@ jobs:
         with:
           ref: main
 
-      - name: Get latest commit SHA from main branch
-        id: get-sha
-        run: echo "GITHUB_SHA=$(git rev-parse HEAD)" >> $GITHUB_ENV
-
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
@@ -57,7 +53,7 @@ jobs:
 
           # Apply the copied crank.yml
           ssh -o ProxyCommand='cloudflared access ssh --hostname %h' -o StrictHostKeyChecking=no ${{ secrets.SSH_USERNAME }}@${{ secrets.SSH_HOST }} <<EOF
-          export GITHUB_SHA=${{ env.GITHUB_SHA }}
+          export GITHUB_SHA=${{ github.sha }}
           envsubst < /tmp/crank.yml | k3s kubectl apply -f -
           envsubst < /tmp/crank-configmap.yml | k3s kubectl apply -f -
           EOF
diff --git a/Base.Dockerfile b/Base.Dockerfile
@@ -0,0 +1,30 @@
+# Use an official Python runtime as a parent image
+FROM python:3.13.0-alpine3.20
+
+# create a non-root user to run the app as
+RUN addgroup -S appgroup -g 10000
+RUN adduser -S appuser -u 10000 -G appgroup
+
+# Set the working directory in the container to /app
+WORKDIR /app
+
+# Add current directory code to /app in container
+ADD . /app
+
+COPY .env-prod .env
+
+# fixing busybox vulnerabilities identified by synk
+RUN apk add --no-cache --upgrade busybox
+RUN apk add --no-cache busybox-extras
+
+RUN apk add --no-cache --virtual build-deps gcc musl-dev libffi-dev pkgconf mariadb-dev
+RUN apk add --no-cache mariadb-connector-c-dev
+RUN pip install --no-cache-dir -r requirements.txt
+RUN apk del build-deps
+
+# Install Node.js and npm
+RUN apk update
+RUN apk add nodejs npm
+
+# Install npm dependencies
+RUN npm install
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Use an official Python runtime as a parent image
-FROM python:3.13.0-alpine3.20
+FROM ghcr.io/norcalipa/crank/crank-base:latest
 
 # create a non-root user to run the app as
 RUN addgroup -S appgroup -g 10000