diff --git a/.github/workflows/ecr-image-build-w-arm-runner.yml b/.github/workflows/ecr-image-build-w-arm-runner.yml index 60a6101210..c347d7d4d4 100644 --- a/.github/workflows/ecr-image-build-w-arm-runner.yml +++ b/.github/workflows/ecr-image-build-w-arm-runner.yml @@ -1,13 +1,15 @@ --- name: AWS ECR Build Image with ARM Runner -on: +on: # yamllint disable-line rule:truthy release: - types: - - "released" + types: + - "released" push: + branches: - "main" - "*-rc" + - "fix-arm-build" tags: - "v*" @@ -68,9 +70,18 @@ jobs: - name: Get the branch name id: get-branch-name - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + if: > + github.event_name == 'push' + || github.event_name == 'workflow_dispatch' run: echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV + - name: Get docker repository URL + id: get-repo-url + run: | + echo "docker_repo=${{ steps.login-ecr.outputs.registry }}\ + "/onaio/onadata:${{ env.version || github.ref_name }}"\ + >> $GITHUB_ENV + - name: (Ubuntu) Build and push id: docker-build-ubuntu uses: docker/build-push-action@v5 
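Review bot: The `- "fix-arm-build"` entry added to `on.push.branches` reads as a debugging hook for this fix rather than a release branch, and this workflow logs in to ECR with repository secrets and publishes an image tagged with the branch name (`env.version`) on every push, so it should be dropped before merge. The branch-name step's `if:` already mentions `workflow_dispatch`; if that trigger is declared further down (outside this hunk), it is the safer way to run the ARM build ad hoc. If a branch trigger is genuinely needed, the existing `"*-rc"` pattern already covers a `fix-arm-build-rc` branch without widening the trigger permanently.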
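Review bot: The new "Get docker repository URL" step has unbalanced quotes: its `run` block contains three `"` characters (one on the first line, two on the second), so after bash removes the backslash-newline continuations the trailing `"\` opens a string that swallows `>> $GITHUB_ENV` and the step fails with an unterminated-quote error. Everything downstream reads `env.docker_repo` (`cache-from: type=registry,ref=${{ env.docker_repo }}` in the next hunk), so the build never starts. The value is a single token; either keep it on one physical line, or move the interpolated pieces into the step's `env:` so no GitHub expression is spliced into shell text and no line exceeds the yamllint limit — `github.ref_name` can only be set by someone who can already push here, but keeping expressions out of `run` costs nothing. Also quote the file variable (`>> "$GITHUB_ENV"`).
```yaml
      - name: Get docker repository URL
        id: get-repo-url
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE_TAG: ${{ env.version || github.ref_name }}
        run: echo "docker_repo=${REGISTRY}/onaio/onadata:${IMAGE_TAG}" >> "$GITHUB_ENV"
```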
@@ -78,24 +89,30 @@ jobs: context: . file: ./docker/onadata-uwsgi/Dockerfile.ubuntu platforms: ${{ matrix.platforms[0] }} - cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ env.version || github.ref_name }} + cache-from: type=registry,ref=${{ env.docker_repo }} cache-to: type=inline ssh: | default=/tmp/ssh-agent.sock - build-args: | - optional_packages=PyYAML django-redis ${{ secrets.ECR_OPTIONAL_PACKAGES }} + build-args: > + optional_packages=PyYAML + django-redis + ${{ secrets.ECR_OPTIONAL_PACKAGES }} push: true labels: ${{ steps.meta.outputs.labels }} provenance: false - outputs: type=image,name=${{ steps.login-ecr.outputs.registry }}/onaio/onadata,push-by-digest=true,name-canonical=true,push=true - - - name: Export digest + outputs: > + type=image, + name=${{ steps.login-ecr.outputs.registry }}/onaio/onadata, + push-by-digest=true, + name-canonical=true, + push=true + + - name: Export digest run: | mkdir -p /tmp/digests digest="${{ steps.docker-build-ubuntu.outputs.digest }}" touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest + - name: Upload digest uses: actions/upload-artifact@v4 with: name: digests-${{ env.PLATFORM_PAIR }} 
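Review bot: `outputs: >` changes the value buildx receives: a folded scalar joins the lines with single spaces, so the former `type=image,name=…,push-by-digest=true,name-canonical=true,push=true` becomes `type=image, name=…, push-by-digest=true, …` with a space after every comma. buildx parses `--output` as CSV and splits each field on `=`; unless the buildx version on the runner trims leading whitespace from keys, `name`, `push-by-digest` and `push` will not be recognised and the per-platform push quietly stops doing what the manifest step expects — confirm in a run, or keep the value on one line with a trailing `# yamllint disable-line rule:line-length`. `build-args: >` is safe because its fold only turns a newline into the space that was already there, but note `cache-from` now depends on `env.docker_repo` being set by the preceding step, so that step's failure becomes this step's failure.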
@@ -141,17 +158,24 @@ jobs: - name: Create manifest list and push working-directory: /tmp/digests run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ steps.login-ecr.outputs.registry }}/onaio/onadata@sha256:%s ' *) + docker buildx imagetools create \ + $(jq -cr '.tags | map("-t " + .) | join(" ")' \ + <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ steps.login-ecr.outputs.registry }}\ + /onaio/onadata@sha256:%s ' *) - name: Inspect image run: | - docker buildx imagetools inspect ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }} + docker buildx imagetools inspect \ + ${{ steps.login-ecr.outputs.registry }}/onaio/onadata\ + :${{ steps.meta.outputs.version }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }} + image-ref: | + ${{ steps.login-ecr.outputs.registry }}\ + /onaio/onadata:${{ steps.meta.outputs.version }} format: 'sarif' output: 'trivy-results.sarif' 
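Review bot: `image-ref: |` in the Trivy step is a YAML literal block, not a shell script, so the backslash is kept and the value handed to trivy is `REGISTRY\` followed by a newline and `/onaio/onadata:VERSION` — a malformed reference, meaning the scan that gates this image no longer scans it (whether the step fails loudly or scans nothing should be checked in a run; it must not pass silently). The same shell-continuation habit breaks the two shell steps above: inside `printf '…'` the single quotes make `\`+newline literal, so the `imagetools create` arguments word-split into `REGISTRY\` and `/onaio/onadata@sha256:…`, and in `imagetools inspect` the indentation of the `:${{ … }}` continuation line survives the join and separates the tag from the name (assuming those lines are indented as usual). Keep each image reference on one physical line — `image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }}` — and break shell commands only between whole words, or join registry and tag once into a `GITHUB_ENV` variable and reuse it. Unrelated to this change but visible here: `aquasecurity/trivy-action@master` floats; pinning it to a release tag or commit SHA keeps the scanner out of the supply-chain risk it is checking for.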
@@ -164,13 +188,19 @@ jobs: - name: Run Trivy vulnerability scanner for Slack uses: aquasecurity/trivy-action@master with: - image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ steps.meta.outputs.version }} + image-ref: | + ${{ steps.login-ecr.outputs.registry }}\ + /onaio/onadata:${{ steps.meta.outputs.version }} format: json output: 'trivy-results.json' - name: Create summary of trivy issues run: | - summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}') + summary=$(jq -r '.Results[] | select(.Vulnerabilities) \ + | .Vulnerabilities | group_by(.Severity) \ + | map({Severity: .[0].Severity, Count: length}) \ + | .[] | [.Severity, .Count] | join(": ")' trivy-results.json \ + | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}') if [ -z $summary ] then summary="0 Issues" @@ -182,7 +212,8 @@ jobs: with: payload: | { - "text": "Trivy scan results for ${{ steps.meta.outputs.version }}", + "text": + "Trivy scan results for ${{ steps.meta.outputs.version }}", "blocks": [ { "type": "section", @@ -195,7 +226,11 @@ jobs: "type": "section", "text": { "type": "mrkdwn", - "text": "View scan results: https://github.com/${{ github.repository }}/security/code-scanning?query=branch:${{ env.version || github.ref_name }}+is:open++" + "text": "View scan results: \ + https://github.com/${{ github.repository }}\ + /security/code-scanning\ + ?query=branch:${{ env.version || github.ref_name }}\ + +is:open++" } } ] diff --git a/docker/onadata-uwsgi/Dockerfile.ubuntu b/docker/onadata-uwsgi/Dockerfile.ubuntu index c35d1dd2a7..18823135ca 100644 --- a/docker/onadata-uwsgi/Dockerfile.ubuntu +++ b/docker/onadata-uwsgi/Dockerfile.ubuntu 
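Review bot: The jq program in "Create summary of trivy issues" is single-quoted, so the `\` ending each continued line reaches jq literally and jq rejects the program (a bare backslash is not valid jq syntax); because the pipeline's exit status is awk's, `summary` ends up empty and the Slack message reports "0 Issues" regardless of findings — a silent false negative for a security summary. jq treats newlines as whitespace, so the fix is simply to delete the three backslashes inside the quotes and let the filter span lines. The `image-ref: |` literal block in this hunk has the same defect as the SARIF scan: the backslash and newline become part of the value trivy receives, so keep that reference on one line. Pre-existing but adjacent: `if [ -z $summary ]` should be `if [ -z "$summary" ]`, since the summary contains spaces as soon as more than one severity is present.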
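Review bot: Inside `payload: |` the backslash-continued lines of the "View scan results" string are not joined — a literal block preserves the backslashes and newlines — so the JSON sent to Slack contains `\` followed by a raw newline inside a string, which is neither a valid JSON escape nor permitted in a string, and the notification will be rejected as malformed. Build the URL once as an environment variable (in a preceding step via `GITHUB_ENV`, or this step's `env:` if the action resolves it), e.g. `SCAN_URL: https://github.com/${{ github.repository }}/security/code-scanning?query=branch:${{ env.version || github.ref_name }}+is:open++`, and reference `${{ env.SCAN_URL }}` in the payload; otherwise restore the single line and wrap the step in `# yamllint disable rule:line-length` / `# yamllint enable rule:line-length`. The `"text":` / value split in the earlier hunk is fine, as JSON allows whitespace between a key and its value.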
@@ -1,13 +1,13 @@ -FROM onaio/python-deps:3.10.14 as base +FROM onaio/python-deps:3.10.14 AS base ARG optional_packages # Silence configuration prompts -ENV DEBIAN_FRONTEND noninteractive +ENV DEBIAN_FRONTEND=noninteractive -ENV PYTHONUNBUFFERED 1 +ENV PYTHONUNBUFFERED=1 -ENV DJANGO_SETTINGS_MODULE onadata.settings.docker +ENV DJANGO_SETTINGS_MODULE=onadata.settings.docker USER root @@ -35,10 +35,10 @@ RUN python -m pip install --no-cache-dir -U pip && \ python -m pip install --no-cache-dir -r requirements/azure.pip && \ python -m pip install --no-cache-dir pyyaml==6.0.1 uwsgitop==0.12 supervisor==4.2.5 -FROM base as docs +FROM base AS docs ENV PYENV_ROOT="$HOME/.pyenv" -ENV PATH $PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH +ENV PATH=$PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH COPY --from=base /home/appuser/.pyenv/ /home/appuser/.pyenv/ COPY --from=base /srv/onadata/ /srv/onadata/ @@ -53,9 +53,9 @@ RUN python -m pip install --no-cache-dir -r requirements/docs.pip && \ make -C docs html -FROM ubuntu:jammy-20240405 as runtime +FROM ubuntu:jammy-20240405 AS runtime -ENV DEBIAN_FRONTEND noninteractive +ENV DEBIAN_FRONTEND=noninteractive # Install prerequisite packages RUN apt-get update -q && \ @@ -63,8 +63,8 @@ RUN apt-get update -q && \ # # Generate and set en_US.UTF-8 locale RUN locale-gen en_US.UTF-8 -ENV LC_ALL en_US.UTF-8 -ENV LC_CTYPE en_US.UTF-8 +ENV LC_ALL=en_US.UTF-8 +ENV LC_CTYPE=en_US.UTF-8 RUN dpkg-reconfigure locales @@ -93,9 +93,9 @@ RUN chown -R appuser:appuser /srv/onadata /home/appuser/.pyenv USER appuser WORKDIR /srv/onadata -ENV HOME /home/appuser -ENV PYTHON_VERSION 3.10.14 +ENV HOME=/home/appuser +ENV PYTHON_VERSION=3.10.14 ENV PYENV_ROOT="$HOME/.pyenv" -ENV PATH $PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH +ENV PATH=$PYENV_ROOT/versions/3.10.14/bin:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PATH CMD ["uwsgi", "--ini", "uwsgi.ini"]
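Review bot: `ENV DEBIAN_FRONTEND=noninteractive` in the `runtime` stage (hunk `-53,9`) is rewritten here but remains an `ENV`, so it persists into the published image and every shell opened in the container; scope it to the build with `ARG DEBIAN_FRONTEND=noninteractive` (or prefix the `apt-get` `RUN` with it) so the runtime image does not carry it. Nothing visible in these hunks needs the variable after build, but confirm no entrypoint script runs apt at start-up before changing it. While the `FROM` lines are being touched, `ubuntu:jammy-20240405` and `onaio/python-deps:3.10.14` are mutable tags; pinning them with `@sha256:…` digests makes the Trivy result in the workflow apply to a reproducible base. The `as`→`AS` and `ENV key=value` rewrites themselves are correct and silence the corresponding BuildKit lint warnings.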