CI improvements

.github/actions/docker-vscan/action.yml

@@ -0,0 +1,44 @@
+name: Docker image security scan
+description: Run trivy security scan for the selected docker image
+
+inputs:
+  TRIVY_DOCKER_IMAGE:
+    description: Trivy docker image
+    default: aquasec/trivy:0.42.1
+    required: false
+  GITHUB_TOKEN:
+    description: GitHub token passed as input to be used in action.yml # https://github.com/orgs/community/discussions/27054#discussioncomment-3254450
+    required: true
+  dockerfile: 
+    description: Dockerfile to build the image
+    required: true
+  docker_image_name:
+    description: Dockerimage name to analyze it
+    required: true
+  pyversion:
+    description: Python version to build the image
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Build image ${{ inputs.docker_image_name }}
+      uses: docker/build-push-action@v3
+      with:
+        context: .
+        file: ${{ inputs.dockerfile }}
+        push: false
+        tags: ${{ inputs.docker_image_name }}
+        build-args:
+          IMAGE_PY_VERSION=${{ inputs.pyversion }}
+    - name: Run vscan on ${{ inputs.docker_image_name }}
+      shell: bash
+      run: |
+        docker run --rm --name=trivy \
+        --env ${{ inputs.GITHUB_TOKEN }} \
+        --volume /var/run/docker.sock:/var/run/docker.sock \
+        ${{ inputs.TRIVY_DOCKER_IMAGE }} image --no-progress \
+        --exit-code 1 \
+        --scanners vuln \
+        --severity CRITICAL \
+        --ignore-unfixed ${{ inputs.docker_image_name }}

.github/actions/icr-build-and-push-images/action.yml

@@ -13,7 +13,7 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-ray-qiskit
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-ray-node:${{inputs.tag}}-py38
+        tags: icr.io/quantum-public/quantum-serverless-ray-node:${{inputs.tag}}-py38,icr.io/quantum-public/quantum-serverless-ray-node:latest-py38
         build-args:
           IMAGE_PY_VERSION=py38
     - name: Build and push node image [3.9]
@@ -23,7 +23,7 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-ray-qiskit
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-ray-node:${{inputs.tag}}-py39
+        tags: icr.io/quantum-public/quantum-serverless-ray-node:${{inputs.tag}}-py39,icr.io/quantum-public/quantum-serverless-ray-node:latest-py39
         build-args:
           IMAGE_PY_VERSION=py39
     - name: Build and push node image [3.10]
@@ -32,7 +32,7 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-ray-qiskit
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-ray-node:${{inputs.tag}}-py310
+        tags: icr.io/quantum-public/quantum-serverless-ray-node:${{inputs.tag}}-py310,icr.io/quantum-public/quantum-serverless-ray-node:latest-py310
         build-args:
           IMAGE_PY_VERSION=py310
     - name: Build and push jupyter [3.8]
@@ -41,7 +41,7 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-notebook
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-notebook:${{inputs.tag}}-py38
+        tags: icr.io/quantum-public/quantum-serverless-notebook:${{inputs.tag}}-py38,icr.io/quantum-public/quantum-serverless-notebook:latest-py38
         build-args:
           IMAGE_PY_VERSION=3.8
     - name: Build and push jupyter [3.9]
@@ -51,7 +51,7 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-notebook
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-notebook:${{inputs.tag}}-py39
+        tags: icr.io/quantum-public/quantum-serverless-notebook:${{inputs.tag}}-py39,icr.io/quantum-public/quantum-serverless-notebook:latest-py39
         build-args:
           IMAGE_PY_VERSION=3.9
     - name: Build and push jupyter [3.10]
@@ -60,7 +60,7 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-notebook
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-notebook:${{inputs.tag}}-py310
+        tags: icr.io/quantum-public/quantum-serverless-notebook:${{inputs.tag}}-py310,icr.io/quantum-public/quantum-serverless-notebook:latest-py310
         build-args:
           IMAGE_PY_VERSION=3.10
     - name: Build and push repository server
@@ -70,12 +70,12 @@ runs:
         context: .
         file: ./infrastructure/docker/Dockerfile-repository-server
         push: true
-        tags: icr.io/quantum-public/quantum-repository-server:${{inputs.tag}}
+        tags: icr.io/quantum-public/quantum-repository-server:${{inputs.tag}},icr.io/quantum-public/quantum-repository-server:latest
     - name: Build and push gateway
       uses: docker/build-push-action@v3
       with:
         platforms: linux/amd64,linux/arm64
         context: .
         file: ./infrastructure/docker/Dockerfile-gateway
         push: true
-        tags: icr.io/quantum-public/quantum-serverless-gateway:${{inputs.tag}}
+        tags: icr.io/quantum-public/quantum-serverless-gateway:${{inputs.tag}},icr.io/quantum-public/quantum-serverless-gateway:latest

.github/workflows/docker-verify.yaml

@@ -10,7 +10,6 @@ on:
 env:
   HADOLINT_DOCKER_IMAGE: hadolint/hadolint:v2.12.0
   OPENPOLICYAGENT_DOCKER_IMAGE: openpolicyagent/conftest:v0.43.1
-  TRIVY_DOCKER_IMAGE: aquasec/trivy:0.42.1
 
 jobs:
   lint:
@@ -95,23 +94,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Build image ${{ matrix.image }}
-        uses: docker/build-push-action@v3
+      - name: Scan image ${{ matrix.image }}
+        uses: ./.github/actions/docker-vscan
         with:
-          context: .
-          file: ${{ matrix.dockerfile }}
-          push: false
-          tags: ${{ matrix.image }}
-          build-args:
-            IMAGE_PY_VERSION=${{ matrix.pyversion }}
-      - name: Run vscan on ${{ matrix.image }}
-        shell: bash
-        run: |
-          docker run --rm --name=trivy \
-          --env ${{ secrets.GITHUB_TOKEN }} \
-          --volume /var/run/docker.sock:/var/run/docker.sock \
-          ${{ env.TRIVY_DOCKER_IMAGE }} image --no-progress \
-          --exit-code 1 \
-          --scanners vuln \
-          --severity CRITICAL \
-          --ignore-unfixed ${{ matrix.image }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          dockerfile: ${{ matrix.dockerfile }}
+          docker_image_name: ${{ matrix.image }}
+          pyversion: ${{ matrix.pyversion }}

.github/workflows/icr-image-build-and-push.yml

@@ -8,9 +8,6 @@ on:
         required: true
   release:
     types: [published]
-  push:
-    branches:
-      - main
 
 jobs:
   icr_build_and_push:
@@ -30,11 +27,6 @@ jobs:
           platforms: 'arm64,amd64'
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Build and push latest
-        if : github.event_name == 'push'
-        uses: ./.github/actions/icr-build-and-push-images
-        with:
-          tag: latest
       - name: Build and push on dispatch
         if : github.event_name == 'workflow_dispatch'
         uses: ./.github/actions/icr-build-and-push-images

.github/workflows/publish-docs.yml

@@ -5,7 +5,6 @@ on:
   push:
     branches:
       - main
-      - 'stable/**'
 
 jobs:
   build_and_deploy_docs:

.github/workflows/release-pull-request.yml

@@ -0,0 +1,57 @@
+name: Docker verify process
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  vscan:
+    if: ${{ github.event.label.name == 'release' }}
+    strategy:
+      matrix:
+        image:
+          [
+            "quantum-serverless-gateway:latest",
+            "quantum-serverless-notebook:latest-py38",
+            "quantum-serverless-notebook:latest-py39",
+            "quantum-serverless-notebook:latest-py310",
+            "quantum-serverless-ray-node:latest-py38",
+            "quantum-serverless-ray-node:latest-py39",
+            "quantum-serverless-ray-node:latest-py310",
+            "quantum-repository-server:latest",
+          ]
+        include:
+          - image: "quantum-serverless-gateway:latest"
+            dockerfile: "./infrastructure/docker/Dockerfile-gateway"
+            pyversion: "3.9"
+          - image: "quantum-serverless-notebook:latest-py38"
+            dockerfile: "./infrastructure/docker/Dockerfile-notebook"
+            pyversion: "3.8"
+          - image: "quantum-serverless-notebook:latest-py39"
+            dockerfile: "./infrastructure/docker/Dockerfile-notebook"
+            pyversion: "3.9"
+          - image: "quantum-serverless-notebook:latest-py310"
+            dockerfile: "./infrastructure/docker/Dockerfile-notebook"
+            pyversion: "3.10"
+          - image: "quantum-serverless-ray-node:latest-py38"
+            dockerfile: "./infrastructure/docker/Dockerfile-ray-qiskit"
+            pyversion: "py38"
+          - image: "quantum-serverless-ray-node:latest-py39"
+            dockerfile: "./infrastructure/docker/Dockerfile-ray-qiskit"
+            pyversion: "py39"
+          - image: "quantum-serverless-ray-node:latest-py310"
+            dockerfile: "./infrastructure/docker/Dockerfile-ray-qiskit"
+            pyversion: "py310"
+          - image: "quantum-repository-server:latest"
+            dockerfile: "./infrastructure/docker/Dockerfile-repository-server"
+            pyversion: "3.9"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Scan image ${{ matrix.image }}
+        uses: ./.github/actions/docker-vscan
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          dockerfile: ${{ matrix.dockerfile }}
+          docker_image_name: ${{ matrix.image }}
+          pyversion: ${{ matrix.pyversion }}