From 942a1b3fc6a40a03918878b357d50bac031ce81d Mon Sep 17 00:00:00 2001 From: "Igor J. Santos" Date: Mon, 2 Oct 2023 01:12:19 +1100 Subject: [PATCH] project setup --- .dockerignore | 3 ++ .github/CODEOWNERS | 3 ++ .github/workflows/anchore.yml | 51 ++++++++++++++++++ .github/workflows/hadolint.yml | 39 ++++++++++++++ .github/workflows/publish.yml | 96 ++++++++++++++++++++++++++++++++++ .hadolint.yaml | 3 ++ Dockerfile | 28 ++++++++++ LICENSE | 21 ++++++++ Makefile | 7 +++ README.md | 36 +++++++++++++ 10 files changed, 287 insertions(+) create mode 100644 .dockerignore create mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/anchore.yml create mode 100644 .github/workflows/hadolint.yml create mode 100644 .github/workflows/publish.yml create mode 100644 .hadolint.yaml create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 Makefile create mode 100644 README.md diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..d5b8cd6 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,3 @@ +.github/ +.hadolint.yaml +Makefile \ No newline at end of file diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..d6c7be6 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,3 @@ +# Default reviewers/codeowners for all code changes + +* @igorjs diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml new file mode 100644 index 0000000..77b71da --- /dev/null +++ b/.github/workflows/anchore.yml 
@@ -0,0 +1,51 @@ +name: Anchore Container Scan + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + schedule: + - cron: '0 0 * * 1' + +jobs: + scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + + - name: Scan image + uses: anchore/scan-action@v3 + id: scan + with: + image: "localbuild/testimage:latest" + fail-build: false + severity-cutoff: critical + + - name: Inspect action SARIF report + run: cat ${{ steps.scan.outputs.sarif }} + + - name: Upload Anchore Scan Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml new file mode 100644 index 0000000..fec884b --- /dev/null +++ b/.github/workflows/hadolint.yml 
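Review bot: With `fail-build: false` the scan step never fails the job, and `severity-cutoff: critical` then has no effect because the cutoff only decides when the build fails, so even critical findings on a pull request do not block merging and are only visible in the code-scanning tab; set `fail-build: true` (keeping the critical cutoff) if this workflow is meant to act as a gate. All actions in this workflow and in the other two (hadolint.yml, publish.yml) are referenced by mutable major tags (`actions/checkout@v3`, `anchore/scan-action@v3`, `github/codeql-action/upload-sarif@v2`), so whatever those tags move to runs in the build; pinning each to a full commit SHA with the tag name in a trailing comment is the usual mitigation. On `pull_request` events from forks the job token is read-only, so the `upload-sarif` step will presumably fail there — confirm, or guard the step on the head repository being this one.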
@@ -0,0 +1,39 @@ +name: Hadolint + +on: [push] + +jobs: + lint: + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + + steps: + - name: Checkout the code + uses: actions/checkout@v3 + + - name: Hadolint + uses: hadolint/hadolint-action@v2.0.0 + with: + dockerfile: Dockerfile + + - name: Add comments to Pull Request + uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + with: + script: | + const output = ` + #### Hadolint: \`${{ steps.hadolint.outcome }}\` + \`\`\` + ${process.env.HADOLINT_RESULTS} + \`\`\` + `; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..3872036 --- /dev/null +++ b/.github/workflows/publish.yml 
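Review bot: `steps.hadolint.outcome` in the comment script refers to a step id that is never declared — the Hadolint step has a `name:` but no `id:`, so the outcome interpolates as empty; add `id: hadolint` to that step. The comment step can also never run as written: the workflow triggers only on `[push]`, yet the step is gated on `github.event_name == 'pull_request'`, so either add `pull_request:` to `on:` or drop the condition. `contents: write` is not used by any step (checkout and hadolint only read, and posting the comment needs only `pull-requests: write`), so reduce it to `contents: read`. If hadolint reports findings the job presumably fails before the comment step is reached, so the step likely also needs `if: always() && github.event_name == 'pull_request'` — confirm against the action's default failure threshold.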
@@ -0,0 +1,96 @@ +name: Publish Docker Image + +on: + workflow_dispatch: + schedule: + - cron: '0 0 1 * *' # At 00:00 on day-of-month 1. + +env: + DOCKER_CLI_EXPERIMENTAL: enabled + PLATFORMS: linux/amd64,linux/arm32v6,linux/arm32v7,linux/arm64v8,linux/ppc64le,linux/s390x + +jobs: + publish: + runs-on: ubuntu-latest + timeout-minutes: 120 + + strategy: + matrix: + version: [16, 18, 20] + + permissions: + packages: write + contents: write + pull-requests: write + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + ref: 'main' + fetch-depth: 0 + + - name: Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ github.repository_owner }}/node +# ghcr.io/${{ github.repository_owner }}/node +# public.ecr.aws/${{ github.repository_owner }}/node + labels: | + org.opencontainers.image.authors=${{ github.repository_owner }} + tags: | + type=raw,value=${{ matrix.version }}-alpine + flavor: | + latest=false + + - name: Set up QEMU + id: qemu + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v3 + with: + install: true + driver-opts: image=moby/buildkit:master + + - name: Login to DockerHub + id: login-dockerhub + uses: docker/login-action@v3 + with: + logout: false + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + # - name: Login to GitHub Container Registry + # uses: docker/login-action@v3 + # with: + # registry: ghcr.io + # # username: ${{ github.repository_owner }} + # username: ${{ github.actor }} + # password: ${{ github.token }} + + # - name: Login to Public ECR + # uses: docker/login-action@v3 + # with: + # registry: public.ecr.aws + # username: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }} + # password: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }} + # env: + # AWS_REGION: us-east-1 + + - name: Build and push Docker images + id: build-and-push + uses: docker/build-push-action@v5 + continue-on-error: true + with: + push: ${{ 
github.event_name != 'pull_request' }} + context: . + platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/arm/v6,linux/ppc64le,linux/s390x + build-args: NODE_VERSION=${{ matrix.version }} + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + cache-from: type=gha + cache-to: type=gha,mode=max diff --git a/.hadolint.yaml b/.hadolint.yaml new file mode 100644 index 0000000..a504ff7 --- /dev/null +++ b/.hadolint.yaml @@ -0,0 +1,3 @@ +ignored: + - DL3013 + - DL3018 \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..1772a4e --- /dev/null +++ b/Dockerfile @@ -0,0 +1,28 @@ +ARG NODE_VERSION=lts +FROM node:${NODE_VERSION}-alpine + +WORKDIR /work + +RUN apk --no-cache update && \ + apk --no-cache add \ + ca-certificates \ + python3-dev \ + python3 \ + py-pip \ + docker \ + groff \ + less \ + bash \ + make \ + jq \ + curl \ + wget \ + g++ \ + zip \ + git \ + openssh && \ + pip --no-cache-dir install awscli virtualenv && \ + update-ca-certificates && \ + rm -rf /var/cache/apk/* + +ENTRYPOINT [ "/bin/sh", "-c" ] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c6585a2 --- /dev/null +++ b/LICENSE 
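Review bot: `continue-on-error: true` on the build-and-push step means a failed or partial multi-arch push for any matrix version still reports the job green, so a broken or missing `<version>-alpine` tag on Docker Hub goes unnoticed; drop that line, or check `steps.build-and-push.outcome` in a following step. The builder is created from `driver-opts: image=moby/buildkit:master`, a floating development tag, so the toolchain that produces the published images is unpinned and non-reproducible; pin to a released BuildKit tag or a digest. The `PLATFORMS` and `DOCKER_CLI_EXPERIMENTAL` env entries are unused — `platforms:` is spelled out inline with a different list — and `contents: write` and `pull-requests: write` are not exercised by any step, so `contents: read` alone suffices for the checkout. The `push:` condition `github.event_name != 'pull_request'` is always true with the declared `workflow_dispatch` and `schedule` triggers.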
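Review bot: Every package in the `RUN apk add` list and the `pip install awscli virtualenv` step is unpinned, and the new `.hadolint.yaml` ignores exactly the two rules (DL3013, DL3018) that would report this, so each monthly publish run rebuilds an image with different contents and no record of what shipped; pin at least the pip packages (e.g. `awscli==<version>`) and document in `.hadolint.yaml` why the remaining ignores are acceptable. `apk --no-cache update` and the trailing `rm -rf /var/cache/apk/*` are both redundant once `apk --no-cache add` is used. The image installs `docker` and `openssh` (packages that include daemons) and runs as root with no `USER` instruction, a large surface for a base image, and `ENTRYPOINT [ "/bin/sh", "-c" ]` means the single run argument is evaluated by a shell — the README relies on this, so state it in a comment above the `ENTRYPOINT` line. On the newer Alpine-based node tags in the matrix the system-wide `pip install` may be refused as externally managed, and `py-pip` may need to be `py3-pip` — verify both against the 16/18/20 tags.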
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2022 ZeroConfigIO + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..ec89e41 --- /dev/null +++ b/Makefile @@ -0,0 +1,7 @@ +IMAGE_NAME?=zeroconfigio/node:latest + +build: + docker build -t $(IMAGE_NAME) . + +lint: + docker run --rm -i -v $(PWD)/.hadolint.yaml:/root/.config/hadolint.yaml hadolint/hadolint:latest-alpine < Dockerfile diff --git a/README.md b/README.md new file mode 100644 index 0000000..2f3face --- /dev/null +++ b/README.md 
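Review bot: `build` and `lint` are not declared `.PHONY`, so a file named `build` or `lint` in the repository root would silently short-circuit them; add `.PHONY: build lint`. The lint target pulls `hadolint/hadolint:latest-alpine`, a floating tag, so local lint results can drift from the `hadolint/hadolint-action@v2.0.0` used in CI; pin the same hadolint version in both places.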
@@ -0,0 +1,36 @@ +# docker-node (alpine linux) + +![Security](https://github.com/ZeroConfigIO/docker-node/workflows/Anchore%20Container%20Scan/badge.svg) +![Build](https://github.com/ZeroConfigIO/docker-node/workflows/Publish%20Docker%20Image/badge.svg) +![Lint](https://github.com/ZeroConfigIO/docker-node/workflows/Hadolint/badge.svg) + +## Unofficial Docker image for NodeJS (alpine linux) deployments + +### Contents + +- alpine linux +- python3 +- nodejs +- awscli + +## Usage + +Command: + +```bash +docker run -it --rm zeroconfigio/node:16-alpine "node --version" +``` + +Output Example: + +```bash +v16.20.0 +``` + +## Author + +[ZeroConfig.io](https://github.com/ZeroConfigIO) + +## License + +MIT Licensed. See [LICENSE](https://github.com/ZeroConfigIO/docker-node/blob/master/LICENSE) for full details.