Merge pull request #5 from mhitza/container-changes

Tweaks for devcontainer and GitHub actions changes
linkorb · Sep 11, 2023 · 24107f5 · 24107f5
2 parents 9b915b2 + 2b8ff74
commit 24107f5
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 34 deletions.
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -9,7 +9,7 @@ on:
   - cron: 00 4 * * *
 
 jobs:
-  ghcr:
+  php7:
     runs-on: ubuntu-latest
 
     steps:
@@ -44,49 +44,81 @@ jobs:
         severity: 'CRITICAL,HIGH'
 
     - name: Retag new image with latest tag so we can push the scanned version
-      run: docker image tag php-docker-base:trivytemp ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest
+      run: docker image tag php-docker-base:trivytemp ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest
 
     - name: Push with latest tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest
     - name: Retag new image with commit hash
-      run: docker image tag ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:$(echo ${GITHUB_SHA} | cut -c1-8)
+      run: docker image tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:$(echo ${GITHUB_SHA} | cut -c1-8)
     - name: Push with commit hash tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:$(echo ${GITHUB_SHA} | cut -c1-8)
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:$(echo ${GITHUB_SHA} | cut -c1-8)
     - name: Retag new image with php7 tag
-      run: docker image tag ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php7
+      run: docker image tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:latest ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7
     - name: Push with commit php7 tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php7
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7
 
     #php7-review
     - name: Build the PHP7 review container image
-      run: docker build . --tag ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php7-review --file Dockerfile.php7-review
+      run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7-review --file Dockerfile.php7-review
     - name: Push with commit php7-review tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php7-review
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php7-review
+
+  php8:
+    runs-on: ubuntu-latest
+    steps:
+    - name: GitHub Environment Variables Action
+      uses: FranzDiebold/github-env-vars-action@v2
+
+    - name: Shallow clone code
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: Login to Container Registry ghcr.io
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
     #php8
     - name: Build the container image
-      run: docker build . --tag ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8 --file Dockerfile.php8
+      run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8 --file Dockerfile.php8
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@master
       with:
-        image-ref: ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8
+        image-ref: ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8
         format: 'table'
         exit-code: '1'
         ignore-unfixed: true
         vuln-type: 'os,library'
         severity: 'CRITICAL,HIGH'
     - name: Push with php8 tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8
     - name: Retag new image with commit hash
-      run: docker image tag ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8 ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8-$(echo ${GITHUB_SHA} | cut -c1-8)
+      run: docker image tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8 ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-$(echo ${GITHUB_SHA} | cut -c1-8)
     - name: Push with commit hash tag and php8 tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8-$(echo ${GITHUB_SHA} | cut -c1-8)
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-$(echo ${GITHUB_SHA} | cut -c1-8)
 
     #php8-review
     - name: Build the PHP8 review container image
-      run: docker build . --tag ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8-review --file Dockerfile.php8-review
+      run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-review --file Dockerfile.php8-review
     - name: Push with commit php8-review tag
-      run: docker push ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:php8-review
+      run: docker push ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:php8-review
+
+  cleanup:
+    needs: [php7, php8]
+    runs-on: ubuntu-latest
+    steps:
+    - name: GitHub Environment Variables Action
+      uses: FranzDiebold/github-env-vars-action@v2
+
+    - name: Login to Container Registry ghcr.io
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Delete old versions of the package, keeping a few of the newest
       uses: actions/delete-package-versions@v4

diff --git a/Dockerfile.php7 b/Dockerfile.php7
@@ -32,18 +32,20 @@ RUN apt-get update \
       unzip \
       vim \
       zip \
+      ca-certificates \
+      gnupg \
   && apt-get autoremove \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
 
-RUN curl https://deb.nodesource.com/setup_18.x -o install_node.sh \
-  && chmod +x install_node.sh \
-  && ./install_node.sh \
-  && apt install -y nodejs make \
-  && apt-get autoremove \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
+# Based on nodesource installation instructions https://github.com/nodesource/distributions#installation-instructions
+RUN mkdir -p /etc/apt/keyrings \
+  && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+  | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+  && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x nodistro main" > /etc/apt/sources.list.d/nodesource.list \
+  && apt-get update \
+  && apt-get install nodejs -y
 
 RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg \
     | gpg --dearmor >> /usr/share/keyrings/yarnkey.gpg \

diff --git a/Dockerfile.php7-review b/Dockerfile.php7-review
@@ -5,6 +5,10 @@ RUN mkdir -p /opt
 
 WORKDIR /opt/
 
+# Do not run Composer as root/super user! See https://getcomposer.org/root for details
+# Aborting as no plugin should be loaded if running as super user is not explicitly allowed
+ENV COMPOSER_ALLOW_SUPERUSER=1
+
 # install php-tools
 RUN git clone https://github.com/linkorb/php-tools.git
 RUN cd php-tools &&  COMPOSER_MEMORY_LIMIT=-1 /usr/bin/composer install
@@ -13,7 +17,7 @@ RUN cd php-tools &&  COMPOSER_MEMORY_LIMIT=-1 /usr/bin/composer install
 RUN curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s
 RUN mv /opt/bin/reviewdog /usr/local/bin
 
-# add php-tools to search path
-RUN echo "export PATH=$PATH:/opt/php-tools/bin" >> /root/.bashrc
+# add php-tools to search path globally
+RUN echo "export PATH=$PATH:/opt/php-tools/bin" >> /etc/bash.bashrc
 
 ENTRYPOINT ["apache2-foreground"]
diff --git a/Dockerfile.php8 b/Dockerfile.php8
@@ -32,18 +32,20 @@ RUN apt-get update \
       unzip \
       vim \
       zip \
+      ca-certificates \
+      gnupg \
   && apt-get autoremove \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
 
-RUN curl https://deb.nodesource.com/setup_18.x -o install_node.sh \
-  && chmod +x install_node.sh \
-  && ./install_node.sh \
-  && apt install -y nodejs make \
-  && apt-get autoremove \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
+# Based on nodesource installation instructions https://github.com/nodesource/distributions#installation-instructions
+RUN mkdir -p /etc/apt/keyrings \
+  && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+  | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+  && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x nodistro main" > /etc/apt/sources.list.d/nodesource.list \
+  && apt-get update \
+  && apt-get install nodejs -y
 
 RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg \
     | gpg --dearmor >> /usr/share/keyrings/yarnkey.gpg \

diff --git a/Dockerfile.php8-review b/Dockerfile.php8-review
@@ -5,6 +5,10 @@ RUN mkdir -p /opt
 
 WORKDIR /opt/
 
+# Do not run Composer as root/super user! See https://getcomposer.org/root for details
+# Aborting as no plugin should be loaded if running as super user is not explicitly allowed
+ENV COMPOSER_ALLOW_SUPERUSER=1
+
 # install php-tools
 RUN git clone https://github.com/linkorb/php-tools.git
 RUN cd php-tools &&  COMPOSER_MEMORY_LIMIT=-1 /usr/bin/composer install
@@ -13,10 +17,16 @@ RUN cd php-tools &&  COMPOSER_MEMORY_LIMIT=-1 /usr/bin/composer install
 RUN curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s
 RUN mv /opt/bin/reviewdog /usr/local/bin
 
-# add php-tools to search path
-RUN echo "export PATH=$PATH:/opt/php-tools/bin" >> /root/.bashrc
+# add php-tools to search path globally
+RUN echo "export PATH=$PATH:/opt/php-tools/bin" >> /etc/bash.bashrc
 
 RUN composer global require icanhazstring/composer-unused \
   && ln -s /root/.config/composer/vendor/bin/composer-unused /usr/local/bin/composer-unused
 
+RUN apt-get update && apt-get install -y python3-pip && python3 -m pip install yamllint --break-system-packages
+
+# Caused the appearance of a git untracked index.html file within the GitHub codespace (when image used as
+# the base of a devcontainer)
+RUN rm /app/index.html
+
 ENTRYPOINT ["apache2-foreground"]