From 6e822f5b39e3901897c27a9d8619cc27dfb6c27e Mon Sep 17 00:00:00 2001
From: Ri-go
Date: Thu, 13 Apr 2023 14:16:32 +0800
Subject: [PATCH 1/3] feat: nonroot dockerfile
---
Dockerfile.nonroot | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 Dockerfile.nonroot
diff --git a/Dockerfile.nonroot b/Dockerfile.nonroot
new file mode 100644
index 00000000..ea51761b
--- /dev/null
+++ b/Dockerfile.nonroot
@@ -0,0 +1,35 @@
+#install packages for build layer
+FROM golang:1.19-alpine as builder
+RUN apk add --no-cache git gcc make perl jq libc-dev linux-headers
+
+#build binary
+WORKDIR /src
+COPY . .
+RUN go mod download
+
+#install binary
+RUN make install
+
+#build main container
+FROM alpine:latest
+
+# Add the "injective" non-root user and group
+RUN addgroup -S injective && adduser -S -G injective injective
+
+# Install dependencies
+RUN apk add --update --no-cache ca-certificates curl
+
+# Copy the peggo binary
+COPY --from=builder /go/bin/* /usr/local/bin/
+
+# Set ownership and permissions
+RUN chown -R injective:injective /usr/local/bin
+
+# Configure container
+USER injective
+VOLUME /apps/data
+WORKDIR /home/injective/.injectived/peggo
+
+# Default command
+CMD peggo orchestrator
+
From 944f0aac61df6b71dfad95411d078177ec5fce0a Mon Sep 17 00:00:00 2001
From: Ri-go
Date: Thu, 13 Apr 2023 14:17:01 +0800
Subject: [PATCH 2/3] feat: multiarch docker buildx workflow
---
.github/workflows/docker.yml | 79 ++++++++++++++++++++++++------------
1 file changed, 52 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 88e75053..1e694389 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
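Review bot: `RUN chown -R injective:injective /usr/local/bin` gives the runtime account write access to the very binary it executes, so a compromised orchestrator process could replace its own executable; the copied files can stay root-owned with their default executable mode and still be run by `injective`, which also avoids duplicating them in a second layer. `CMD peggo orchestrator` is shell form, so the orchestrator runs under `/bin/sh -c` rather than as PID 1 and does not receive SIGTERM from `docker stop`; `CMD ["peggo", "orchestrator"]` fixes that. `FROM alpine:latest` is unpinned, unlike the `golang:1.19-alpine` build stage, so the runtime image changes underneath each rebuild. `VOLUME /apps/data` is declared without the directory being created or chowned, so on a fresh container it will presumably be root-owned and unwritable by the non-root user — worth confirming against how the data volume is mounted in deployment.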
@@ -1,40 +1,65 @@ -name: docker - +name: Docker Release +defaults: + run: + shell: bash -leo pipefail {0} on: push: - branches: - - 'master' tags: - - 'v*' + - v** +env: + ECR_ENABLED: false + ECR_REPO: public.ecr.aws/l9h3g6c6/peggo + GHCR_ENABLED: true + GHCR_REPO: ghcr.io/InjectiveLabs/peggo jobs: - docker: + docker-release: runs-on: ubuntu-latest + timeout-minutes: 120 steps: + - name: Checkout peggo + uses: actions/checkout@master + with: + repository: InjectiveLabs/peggo + fetch-depth: 0 + ref: ${{ github.ref_name }} + token: ${{ secrets.GH_TOKEN }} + path: ./peggo - - name: Checkout - uses: actions/checkout@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} + platforms: linux/amd64,linux/arm64 - - name: Docker meta - id: meta - uses: docker/metadata-action@v4 - with: - images: ghcr.io/${{ github.repository }} - tags: | - type=raw,value=latest - type=semver,pattern=v{{version}} + - name: Log-in to ghcr.io + if: env.GHCR_ENABLED == 'true' + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin - - name: Build and push - uses: docker/build-push-action@v3 + - name: Login to Public ECR + if: env.ECR_ENABLED == 'true' + uses: docker/login-action@v2 with: - context: . 
- push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
+ registry: public.ecr.aws
+ username: ${{ secrets.AWS_KEY }}
+ password: ${{ secrets.AWS_SECRET }}
+ env:
+ AWS_REGION: us-east-1
+
+ - name: Build image and push
+ run: |
+ cd peggo/
+ TAG=$(echo ${GITHUB_REF#refs/heads/} | cut -d '/' -f 2)
+ echo $TAG
+ [[ $ECR_ENABLED == "false" ]] || docker buildx build --tag $ECR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
+ [[ $GHCR_ENABLED == "false" ]] || docker buildx build --tag $GHCR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
+
+ - name: NONROOT Build image and push
+ run: |
+ cd peggo/
+ TAG=$(echo ${GITHUB_REF#refs/heads/} | cut -d '/' -f 2)-nonroot
+ echo $TAG
+ [[ $ECR_ENABLED == "false" ]] || docker buildx build -f Dockerfile.nonroot --tag $ECR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
+ [[ $GHCR_ENABLED == "false" ]] || docker buildx build -f Dockerfile.nonroot --tag $GHCR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
From 9b0680ce6f99328ebc1e1061888b34d5fc4d95f4 Mon Sep 17 00:00:00 2001
From: Ri-go
Date: Tue, 18 Apr 2023 10:21:33 +0800
Subject: [PATCH 3/3] fix: push to ecr and disable ghcr
---
.github/workflows/docker.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 1e694389..46eb5b4f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,9 +7,9 @@ on:
 tags:
 - v**
 env:
- ECR_ENABLED: false
+ ECR_ENABLED: true
 ECR_REPO: public.ecr.aws/l9h3g6c6/peggo
- GHCR_ENABLED: true
+ GHCR_ENABLED: false
 GHCR_REPO: ghcr.io/InjectiveLabs/peggo
 
 jobs:
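Review bot: `TAG=$(echo ${GITHUB_REF#refs/heads/} | cut -d '/' -f 2)` in both build steps yields the literal string `tags` on the tag pushes this workflow now triggers on, because GITHUB_REF is `refs/tags/<name>` there and its second `/`-separated field is `tags`, so every release would be pushed as `$ECR_REPO:tags` and `:tags-nonroot` and overwrite the previous one. The checkout step already uses `${{ github.ref_name }}`, so `TAG=${GITHUB_REF_NAME}` and `TAG=${GITHUB_REF_NAME}-nonroot` give the intended tag in the two run blocks. `uses: actions/checkout@master` is a mutable reference for an action that receives the `GH_TOKEN` secret; pinning it to a release tag or commit SHA, as the other actions are pinned with `@v2`, keeps what runs with that token reviewable. The `token: ${{ secrets.GH_TOKEN }}` PAT also looks unnecessary for checking out the workflow's own repository, where the default `GITHUB_TOKEN` would suffice — worth confirming that the checkout does not depend on a private dependency.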