build for arm64 targets

OWASP · Jul 8, 2024 · b1390f6 · b1390f6
2 parents a186542 + 0569a80
commit b1390f6
Show file tree

Hide file tree

Showing 18 changed files with 118 additions and 344 deletions.
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -106,7 +106,7 @@ jobs:
         run: npm clean-install
 
       - name: Desktop lint
-        run: npm run lint
+        run: npm run lint:desktop
 
       - name: Run unit tests
         run: npm run test:desktop
@@ -170,7 +170,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build and push
+      - name: Build and push amd64 to Docker Hub
         id: docker_build
         uses: docker/build-push-action@v6.3.0
         with:
@@ -233,7 +233,7 @@ jobs:
         with:
           name: e2e_vids.zip
           path: td.vue/tests/e2e/videos
-        if: ${{ always() }}
+        if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
 
   e2e_tests:
     name: Site e2e tests
@@ -284,10 +284,10 @@ jobs:
         with:
           name: e2e_vids.zip
           path: td.vue/tests/e2e/videos
-        if: ${{ always() }}
+        if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
 
-  zap_scan_web:
-    name: Site zap scan
+  zap_scan_web_app:
+    name: Local site zap scan
     runs-on: ubuntu-24.04
     needs: build_docker_image
 

diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -118,7 +118,7 @@ jobs:
         run: npm clean-install
 
       - name: lint
-        run: npm run lint
+        run: npm run lint:desktop
 
       - name: Unit test
         run: npm run test:desktop
@@ -162,6 +162,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4.1.1
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v3.4.0
@@ -182,8 +185,9 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build and push
-        id: docker_build
+      # platform manifests not (yet) supported, so split out architectures
+      - name: Build and push amd64 to Docker Hub
+        id: docker_build_amd64
         uses: docker/build-push-action@v6.3.0
         with:
           context: ./
@@ -196,10 +200,24 @@ jobs:
           platforms: linux/amd64
           load: true
 
+      - name: Build and push arm64 to Docker Hub
+        id: docker_build_arm64
+        uses: docker/build-push-action@v6.3.0
+        with:
+          context: ./
+          file: ./Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          tags:  ${{ env.IMAGE_NAME }}-arm64
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          platforms: linux/arm64
+          load: true
+
       - name: fetch app SBOMs
         run: docker run --rm --entrypoint tar "$IMAGE_ID" -c boms | tar -xv
         env:
-          IMAGE_ID: ${{ steps.docker_build.outputs.imageid }}
+          IMAGE_ID: ${{ steps.docker_build_amd64.outputs.imageid }}
 
       - name: Save SBOM artifact
         uses: actions/upload-artifact@v4.3.0
@@ -310,7 +328,7 @@ jobs:
         with:
           name: e2e_vids.zip
           path: td.vue/tests/e2e/videos
-        if: ${{ always() }}
+        if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
 
   e2e_tests:
     name: Site e2e tests
@@ -361,10 +379,10 @@ jobs:
         with:
           name: e2e_vids.zip
           path: td.vue/tests/e2e/videos
-        if: ${{ always() }}
+        if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
 
-  zap_scan_web:
-    name: Site zap scan
+  zap_scan_web_app:
+    name: Local site zap scan
     runs-on: ubuntu-24.04
     needs: build_docker_image
 
@@ -442,14 +460,9 @@ jobs:
       - name: Install packages
         run: npm install
 
-      # Build Windows installer
       - name: Build Windows executable
         run: npm run build:desktop -- --windows --publish never
 
-      - name: Print logs on error
-        if: ${{ failure() }}
-        run: find . -name "*.log" -exec cat '{}' \;
-
       - name: Save SBOM artifact
         uses: actions/upload-artifact@v4.3.0
         with:
@@ -485,31 +498,11 @@ jobs:
       - name: Install packages
         run: npm install
 
-      - name: Prepare for MacOS notarization
-        # Import Apple API key for app notarization on macOS
-        # see github.com/samuelmeuli/action-electron-builder#notarization
-        run: |
-          mkdir -p ~/private_keys/
-          echo '${{ secrets.API_KEY }}' > ~/private_keys/AuthKey_${{ secrets.API_KEY_ID }}.p8
-
       - name: Build MacOS disk image
         env:
-          # MacOS signing certificate and password
-          # see github.com/samuelmeuli/action-electron-builder#code-signing
-          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTS_PASSWORD }}
-          CSC_LINK:  ${{ secrets.MAC_CERTS }}
-          # MacOS notarization API IDs
-          # see github.com/samuelmeuli/action-electron-builder#notarization
-          API_KEY_ID: ${{ secrets.API_KEY_ID }}
-          API_KEY_ISSUER_ID: ${{ secrets.API_KEY_ISSUER_ID }}
-          # github token is automatically provided to the action
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npm run build:desktop -- --mac --publish never
 
-      - name: Print logs on error
-        if: ${{ failure() }}
-        run: find . -name "*.log" -exec cat '{}' \; -print
-
       - name: Save SBOM artifact
         uses: actions/upload-artifact@v4.3.0
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -117,12 +117,13 @@ jobs:
         run: npm clean-install
 
       - name: lint
-        run: npm run lint
+        run: npm run lint:desktop
 
       - name: Unit test
         run: npm run test:desktop
 
   desktop_windows:
+    # Build and publish Windows installer to github Release Draft
     name: Windows installer
     runs-on: windows-latest
     needs: [desktop_unit_tests, site_unit_tests]
@@ -150,10 +151,7 @@ jobs:
       - name: Install clean packages
         run: npm clean-install
 
-      # Build and publish Windows installer to github Release Draft
       - name: Publish Windows executable
-        # follow Comodo signing instructions
-        # comodosslstore.com/resources/comodo-code-signing-certificate-instructions
         env:
           # Windows signing certificate and password
           CSC_KEY_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD}}
@@ -173,10 +171,9 @@ jobs:
           if-no-files-found: error
 
   desktop_macos:
+    # Build and publish MacOS installer to github Release Draft
+    # the draft name uses version and is created if it does not already exist
     name: MacOS installer
-    # refer to:
-    # github.com/simonw/til/blob/main/electron/sign-notarize-electron-macos.md
-    # github.com/karaggeorge/electron-builder-notarize
     runs-on: macos-latest
     needs: [desktop_unit_tests, site_unit_tests]
     defaults:
@@ -203,28 +200,22 @@ jobs:
       - name: Install clean packages
         run: npm clean-install
 
-      # Build and publish MacOS installer to github Release Draft
-      # the draft name uses version and is created if it does not already exist
       - name: Prepare for MacOS notarization
         # Import Apple API key for app notarization on macOS
-        # see github.com/samuelmeuli/action-electron-builder#notarization
         run: |
           mkdir -p ~/private_keys/
           echo '${{ secrets.API_KEY }}' > ~/private_keys/AuthKey_${{ secrets.API_KEY_ID }}.p8
 
       - name: Publish MacOS disk image
         env:
-          # MacOS signing certificate and password
-          # see github.com/samuelmeuli/action-electron-builder#code-signing
-          # see www.electron.build/code-signing
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # MacOS signing certificate and password, see electron.build/code-signing
           CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTS_PASSWORD }}
           CSC_LINK:  ${{ secrets.MAC_CERTS }}
-          # MacOS notarization API IDs
-          # see github.com/samuelmeuli/action-electron-builder#notarization
+          # MacOS notarization, see electron.build/configuration/mac.html
+          # see also github.com/samuelmeuli/action-electron-builder#notarization
           API_KEY_ID: ${{ secrets.API_KEY_ID }}
           API_KEY_ISSUER_ID: ${{ secrets.API_KEY_ISSUER_ID }}
-          # github token is automatically provided to the action
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npm run build:desktop -- --mac --publish always
 
       - name: Print logs on error
@@ -373,8 +364,9 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build and push to Docker Hub
-        id: docker_build
+      # platform manifests not (yet) supported, so split out architectures
+      - name: Build and push amd64 to Docker Hub
+        id: docker_build_amd64
         uses: docker/build-push-action@v6.3.0
         with:
           context: ./
@@ -384,13 +376,27 @@ jobs:
           tags: ${{ env.IMAGE_NAME }}:${{ github.ref_name }},${{ env.IMAGE_NAME }}:stable
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
+          load: true
+
+      - name: Build and push arm64 to Docker Hub
+        id: docker_build_arm64
+        uses: docker/build-push-action@v6.3.0
+        with:
+          context: ./
+          file: ./Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          push: ${{ startsWith(github.ref, 'refs/tags/v') }}
+          tags: ${{ env.IMAGE_NAME }}:${{ github.ref_name }}-arm64
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          platforms: linux/arm64
           load: true
 
       - name: fetch app SBOM
         run: docker run --rm --entrypoint tar "$IMAGE_ID" -c boms | tar -xv
         env:
-          IMAGE_ID: ${{ steps.docker_build.outputs.imageid }}
+          IMAGE_ID: ${{ steps.docker_build_amd64.outputs.imageid }}
 
       - name: Save SBOM artifact
         uses: actions/upload-artifact@v4.3.0

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 ARG         NODE_VERSION=20.14
 
 # The base image with updates applied
-FROM        node:$NODE_VERSION-alpine as base-node
+FROM        node:$NODE_VERSION-alpine AS base-node
 RUN         apk -U upgrade
 WORKDIR     /app
 RUN         npm i -g npm@latest
@@ -12,7 +12,7 @@ USER        node
 
 # Build the front and back-end.  This needs devDependencies which do not
 # need to be included in the final image
-FROM        base-node as build
+FROM        base-node AS build
 RUN         mkdir boms
 
 COPY        package-lock.json package.json /app/
@@ -36,7 +36,7 @@ RUN         cp td.server/sbom.json        boms/threat-dragon-server-bom.json &&
             cp td.vue/dist/.sbom/bom.xml  boms/threat-dragon-site-bom.xml
 
 # Builds the docs
-FROM        imoshtokill/jekyll-bundler as build-docs
+FROM        imoshtokill/jekyll-bundler AS build-docs
 WORKDIR     /td.docs
 COPY        ./docs/Gemfile* ./
 RUN         bundle install

diff --git a/td.vue/package-lock.json b/td.vue/package-lock.json