IT-3421: Matrix build; ReadMe

Sage-Bionetworks · Jul 31, 2024 · 3cc5085 · 3cc5085
1 parent 0c08bea
commit 3cc5085
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
@@ -39,7 +39,7 @@ jobs:
           context: .
           push: false
           outputs: type=tar,dest=${{ env.TARFILE_NAME }}
-          tags: ${{ steps.meta.outputs.tags }}
+          meta_json: ${{ steps.meta.outputs.json }}
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Upload tarball for use by Trivy job
@@ -49,15 +49,15 @@ jobs:
           path: ${{ env.TARFILE_NAME }}
 
     outputs:
-      tags: ${{ steps.meta.outputs.tags }}
+      meta_json: ${{ steps.meta.outputs.json }}
       tarfile_artifact: ${{ env.TARFILE_NAME }}
 
   trivy-scan:
     needs: tests
     uses: "./.github/workflows/trivy.yml"
     with:
       SOURCE_TYPE: tar
-      IMAGE_NAME: ${{ needs.tests.outputs.tags }}
+      IMAGE_NAME: image-name
       TARFILE_NAME: ${{ needs.tests.outputs.tarfile_artifact }}
       EXIT_CODE: 1
 
@@ -68,6 +68,9 @@ jobs:
     permissions:
       contents: read
       packages: write
+    strategy:
+      matrix:
+        value: ${{ fromJSON(needs.build.outputs.meta_json).tags }}
 
     steps:
       - name: Download tar file
@@ -80,7 +83,7 @@ jobs:
       - name: Load Docker image from tar
         run: cat
           ${{ steps.tar-download.outputs.download-path}}/${{ env.TARFILE_NAME}}
-          | docker import - ${{ needs.tests.outputs.tags }}
+          | docker import - ${{ matrix.value }}
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
@@ -90,5 +93,5 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push Docker image
-        run: docker push ${{ needs.tests.outputs.tags }}
+        run: docker push ${{ matrix.value }}
 ...
diff --git a/README.md b/README.md
@@ -4,3 +4,28 @@ Base Docker image for Shiny applications
 Note that this is built on the free version of Shiny Server.
 For an industrial strength version, consider [Posit/R-Studio Connect](https://posit.co/products/enterprise/connect/),
 available as a [Docker container](https://hub.docker.com/r/rstudio/rstudio-connect).
+
+
+
+## Versioning
+
+Semantic versioning is used and containers are tagged based on GitHub tags: If a tag,
+v1.2.3 is pushed to GitHub then a container image is built with tags `1.2.3` as well as `1.2`.
+Thus the `major.minor` tag is overwritten when the repo' is patched.
+
+
+## Security
+
+Trivy is run on each built container and they will not be published
+to `ghcr.io` if any CRITICAL or HIGH
+vulnerabilites are found.  Trivy is also run daily to check for new
+vulnerabilities in existing images.  So periodic review of new findings
+is needed:  Go to the Security tab in GitHub, select Code Scanning at left,
+and then select Branch > Main to check for new findings.  To suppress
+false positives, either:
+
+- Enter the CVE in `.trivyignore`, or
+
+- Enter the file to skip while scanning in the `trivy.yml` workflow.
+
+In either case, add a comment justifying why the finding is suppressed.