diff --git a/.github/workflows/build_docker.yml b/.github/workflows/build_docker.yml new file mode 100644 index 000000000..614639a70 --- /dev/null +++ b/.github/workflows/build_docker.yml @@ -0,0 +1,22 @@ +name: Build and publish a 🛢️ container + +on: + push: + paths-ignore: + - '.github/**' + branches: + - 'main' + tags: + - '*' + +jobs: + build-and-push-container: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: voxpupuli/gha-build-and-publish-a-container@v2 + with: + build_arch: linux/amd64,linux/arm64 + buildfile: puppetdb/Dockerfile diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 000000000..72882aa63 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,51 @@ +--- + +on: + pull_request: {} + push: + branches: + - main + +name: CI + +jobs: + build_docker_image: + name: 'Built test Docker image' + runs-on: ubuntu-latest + defaults: + run: + working-directory: 'puppetdb' + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Build Docker image + uses: docker/build-push-action@v5 + with: + context: puppetdb + tags: 'ci/puppdb:${{ github.sha }}' + push: false + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'ci/puppdb:${{ github.sha }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + tests: + needs: + - build_docker_image + runs-on: ubuntu-latest + name: Test suite + steps: + - run: echo Test suite completed diff --git a/puppetdb/Dockerfile b/puppetdb/Dockerfile index 79bdd7b8c..c493e0f49 100644 --- a/puppetdb/Dockerfile +++ b/puppetdb/Dockerfile @@ -68,10 +68,12 @@ ADD https://raw.githubusercontent.com/puppetlabs/wtfc/6aa5eef89728cc2903490a6184 COPY docker-entrypoint.d /docker-entrypoint.d # hadolint ignore=DL3009 -RUN apt-get update && \ - apt-get install --no-install-recommends -y ca-certificates curl dnsutils netcat && \ +ENV DEBIAN_FRONTEND noninteractive +RUN apt update && \ + apt install --no-install-recommends -y ca-certificates curl dnsutils netcat && \ chmod +x /ssl.sh /wtfc.sh /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \ - dpkg -i dumb-init_"$DUMB_INIT_VERSION"_amd64.deb + dpkg -i dumb-init_"$DUMB_INIT_VERSION"_amd64.deb && \ + rm dumb-init_"$DUMB_INIT_VERSION"_amd64.deb ###################################################### # release (build from packages) @@ -81,7 +83,6 @@ FROM base as release ARG version ARG UBUNTU_CODENAME -ARG install_path=puppetdb="$version"-1"$UBUNTU_CODENAME" ARG deb_uri=https://apt.puppetlabs.com/puppet7-release-$UBUNTU_CODENAME.deb ###################################################### @@ -96,7 +97,6 @@ ARG vcs_ref ARG version ARG build_date ARG build_type -ARG install_path ARG deb_uri # used by entrypoint to submit metrics to Google Analytics; # published images should use "production" for this build_arg @@ -108,9 +108,9 @@ ADD $deb_uri /puppet.deb RUN dpkg -i /puppet.deb && \ rm /puppet.deb && \ - apt-get update && \ - apt-get install --no-install-recommends -y $install_path && \ - apt-get clean && \ + apt update && \ + apt install --no-install-recommends -y puppetdb && \ + apt autoremove && \ rm -rf /var/lib/apt/lists/* && \ mkdir -p "$LOGDIR" && \ # We want to use the HOCON database.conf and config.conf files, so get rid