set a non-root user for containers (#2496)

* change root user in dockerfile * build container on push/pr * grab docker build params from env * consolidate container build * rm unused container build workflow/script * cleanup ci * set user for earthly container build * rm ci docker build for develop branch * checkout full repo for docker builds * read earthly push from env * cleanup ci * rm unsupported option for actions/checkout@v3 * check dockerfile in ci * add dockerfile build to earthfile * authenticate to GH only on schedule builds * accurate name for dev container builder script * add note to the dockerfile about earthfile * document dev build process more clearly
2023-01-04 23:15:12 +01:00
parent e748d8f765
commit 2c6fd67276
10 changed files with 134 additions and 121 deletions
--- a/.github/workflows/container-lint.yml
+++ b/.github/workflows/container-lint.yml
@@ -0,0 +1,28 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - webv2
+    paths:
+      - 'Dockerfile'
+  pull_request:
+    branches:
+      - webv2
+    paths:
+      - 'Dockerfile'
+
+jobs:
+  trivy:
+    name: Dockerfile
+    runs-on: ubuntu-latest
+    container:
+      image: aquasec/trivy
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check critical issues
+        run: trivy config --exit-code 1 --severity "HIGH,CRITICAL" ./Dockerfile
+
+      - name: Check non-critical issues
+        run: trivy config --severity "LOW,MEDIUM" ./Dockerfile
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -0,0 +1,56 @@
+# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
+# for details.
+
+name: Build development container
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  push:
+    branches:
+      - webv2
+  pull_request:
+    branches:
+      - webv2
+
+jobs:
+  Earthly:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Earthly
+        uses: earthly/actions-setup@v1
+        with:
+          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
+
+      - name: Log Earthly version
+        run: earthly --version
+
+      - name: Authenticate to GitHub Container Registry
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Build and push
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+          EARTHLY_BUILD_TAG: 'webv2'
+          EARTHLY_BUILD_BRANCH: 'webv2'
+          EARTHLY_PUSH: true
+        run: ./build/develop/container.sh
+
+      - name: Build
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
+        run: ./build/develop/container.sh
--- a/.github/workflows/docker-nightly.yaml
+++ b/.github/workflows/docker-nightly.yaml
@@ -1,41 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build nightly docker
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 2 * * *'
-
-jobs:
-  Docker:
-    runs-on: ubuntu-latest
-    if: github.repository == 'owncast/owncast'
-    steps:
-      - uses: earthly/actions-setup@v1
-        with:
-          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
-      - name: Earthly version
-        run: earthly --version
-
-      - name: Log into GitHub Container Registry
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
-        if: env.GH_CR_PAT != null
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v2
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - uses: actions/checkout@v3
-      - name: Checkout and build
-        if: env.GH_CR_PAT != null
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: cd build/release && ./docker-nightly.sh
--- a/.github/workflows/docker-webv2.yaml
+++ b/.github/workflows/docker-webv2.yaml
@@ -1,43 +0,0 @@
-# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
-# for details.
-
-name: Build webv2 docker
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  Docker:
-    runs-on: ubuntu-latest
-    if: github.repository == 'owncast/owncast'
-    steps:
-      - uses: earthly/actions-setup@v1
-        with:
-          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
-
-      - name: Earthly version
-        run: earthly --version
-
-      - name: Log into GitHub Container Registry
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
-        if: env.GH_CR_PAT != null
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v2
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Checkout and build
-        if: env.GH_CR_PAT != null
-        env:
-          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
-        run: cd build/release && ./docker-webv2.sh
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -18,7 +18,7 @@ jobs:
    env:
      LANG: C.UTF-8
    container:
-      image: docker.io/ubuntu:22.10
+      image: docker.io/ubuntu:22.04
    steps:
      - uses: actions/checkout@v3