diff --git a/.github/workflows/psql.branches.workflow.yaml b/.github/workflows/psql.branches.workflow.yaml new file mode 100644 index 000000000..84393c54a --- /dev/null +++ b/.github/workflows/psql.branches.workflow.yaml 
@@ -0,0 +1,116 @@ +concurrency: + cancel-in-progress: true + group: "psql-${{ github.ref }}" +jobs: + build: + name: Build + needs: + - Lint + outputs: + digest: "${{ steps.docker_push.outputs.digest }}" + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - id: docker_meta + uses: "crazy-max/ghaction-docker-meta@f6efe56d565add159ad605568120f5b22712a870" + with: + images: ghcr.io/socialgouv/docker/psql + labels: | + org.opencontainers.image.title=psql + org.opencontainers.image.documentation=https://github.com/SocialGouv/docker/tree/${{ github.sha }}/psql + tags: | + type=sha + type=raw,value=sha-${{ github.sha }} + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - id: docker_buildx + name: Set up Docker Buildx + uses: "docker/setup-buildx-action@abe5d8f79a1606a2d3e218847032f3f2b1726ab0" + with: {} + - if: "${{ github.event_name != 'pull_request' }}" + name: Login to ghcr.io/socialgouv Registry + uses: "docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9" + with: + password: "${{ secrets.GHCR_REGISTRY_TOKEN }}" + registry: ghcr.io + username: "${{ secrets.SOCIALGROOVYBOT_NAME }}" + - id: docker_push + name: Push + uses: "docker/build-push-action@1bc1040caef9e604eb543693ba89b5bf4fc80935" + with: + builder: "${{ steps.docker_buildx.outputs.name }}" + cache-from: type=gha + cache-to: "type=gha,mode=max" + context: "./psql" + labels: "${{ steps.docker_meta.outputs.labels }}" + push: 'true' + tags: "${{ steps.docker_meta.outputs.tags }}" + - name: Image digest + run: | + echo "${{ steps.docker_push.outputs.digest }}" + container_test: + name: Container Test + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - name: Container structure test + uses: "docker://gcr.io/gcp-runtimes/container-structure-test:v1.10.0@sha256:78c0abfdc3696ec9fb35840d62342cf28f65d890d56beceb2113638d59f2cce8" + with: + args: "test --config 
psql/tests/container-structure-test.yml -v debug --image ghcr.io/socialgouv/docker/psql@${{ needs.Build.outputs.digest }} --pull" + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - uses: "docker://ghcr.io/hadolint/hadolint:2.4.0@sha256:ed22c9de9b884383094edb8930696a256c4450335945c68153d8fc8fbb27bf03" + with: + args: hadolint ./psql/Dockerfile + security_scan: + name: Vulnerability Scanner + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - run: "docker pull ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Run Trivy vulnerability scanner + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Export Trivy Results as sarif + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + format: template + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + output: trivy-results.sarif + template: "@/contrib/sarif.tpl" + - name: Change hardcoded Dockerfile path + run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"psql\\/Dockerfile\"/' trivy-results.sarif" + - uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412" + with: + sarif_file: trivy-results.sarif + version_test: + container: "docker://ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + name: Test Version + needs: + - Build + runs-on: ubuntu-latest + steps: + - run: psql --version +name: "psql (branch)" +on: + push: + branches-ignore: + - master + - next + - next-major + - beta + - alpha + - "+([0-9])?(.{+([0-9]),x}).x" + paths: + - "psql/**" + - ".github/workflows/psql.branches.workflow.yaml" diff --git a/.github/workflows/psql.main.workflow.yaml b/.github/workflows/psql.main.workflow.yaml new file mode 100644 index 000000000..665c66ca3 --- /dev/null +++ b/.github/workflows/psql.main.workflow.yaml 
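Review bot: `actions/checkout@v2` is the only `uses:` in this workflow referenced by a mutable tag; every other action and `docker://` image in the hunk is pinned to a commit SHA or sha256 digest, so the checkout step is the one place a tag move could change what runs in a job that holds `GHCR_REGISTRY_TOKEN`, and it should be pinned the same way, `uses: "actions/checkout@<commit-sha placeholder>"`. The workflow also declares no `permissions:` block even though `security_scan` uploads SARIF through `github/codeql-action/upload-sarif`, which needs `security-events: write`; an explicit top-level `permissions:` with `contents: read` and `security-events: write` keeps the default token at least privilege instead of relying on the repository default. Separately, `security_scan` pulls and scans `psql:sha-${{ github.sha }}` by tag while `container_test` addresses the same image by `needs.Build.outputs.digest`; using the digest in `image-ref` too would guarantee Trivy scans exactly the artifact that was tested. The same points apply to `psql.main.workflow.yaml` in the next file section. Both files look generated from the Dhall sources added in this commit (`psql/.github/AssemblyLine.dhall` and the two `*.workflow.dhall` files), so the fix presumably belongs in the shared `.github/dhall/workflows/AssemblyLine.dhall` template rather than in the YAML output.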
@@ -0,0 +1,115 @@ +concurrency: + cancel-in-progress: true + group: "psql-${{ github.ref }}" +jobs: + build: + name: Build + needs: + - Lint + outputs: + digest: "${{ steps.docker_push.outputs.digest }}" + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - id: docker_meta + uses: "crazy-max/ghaction-docker-meta@f6efe56d565add159ad605568120f5b22712a870" + with: + images: ghcr.io/socialgouv/docker/psql + labels: | + org.opencontainers.image.title=psql + org.opencontainers.image.documentation=https://github.com/SocialGouv/docker/tree/${{ github.sha }}/psql + tags: | + type=sha + type=raw,value=sha-${{ github.sha }} + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - id: docker_buildx + name: Set up Docker Buildx + uses: "docker/setup-buildx-action@abe5d8f79a1606a2d3e218847032f3f2b1726ab0" + with: {} + - if: "${{ github.event_name != 'pull_request' }}" + name: Login to ghcr.io/socialgouv Registry + uses: "docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9" + with: + password: "${{ secrets.GHCR_REGISTRY_TOKEN }}" + registry: ghcr.io + username: "${{ secrets.SOCIALGROOVYBOT_NAME }}" + - id: docker_push + name: Push + uses: "docker/build-push-action@1bc1040caef9e604eb543693ba89b5bf4fc80935" + with: + builder: "${{ steps.docker_buildx.outputs.name }}" + cache-from: type=gha + cache-to: "type=gha,mode=max" + context: "./psql" + labels: "${{ steps.docker_meta.outputs.labels }}" + push: 'true' + tags: "${{ steps.docker_meta.outputs.tags }}" + - name: Image digest + run: | + echo "${{ steps.docker_push.outputs.digest }}" + container_test: + name: Container Test + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - name: Container structure test + uses: "docker://gcr.io/gcp-runtimes/container-structure-test:v1.10.0@sha256:78c0abfdc3696ec9fb35840d62342cf28f65d890d56beceb2113638d59f2cce8" + with: + args: "test --config 
psql/tests/container-structure-test.yml -v debug --image ghcr.io/socialgouv/docker/psql@${{ needs.Build.outputs.digest }} --pull" + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - uses: "docker://ghcr.io/hadolint/hadolint:2.4.0@sha256:ed22c9de9b884383094edb8930696a256c4450335945c68153d8fc8fbb27bf03" + with: + args: hadolint ./psql/Dockerfile + security_scan: + name: Vulnerability Scanner + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - run: "docker pull ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Run Trivy vulnerability scanner + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Export Trivy Results as sarif + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + format: template + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + output: trivy-results.sarif + template: "@/contrib/sarif.tpl" + - name: Change hardcoded Dockerfile path + run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"psql\\/Dockerfile\"/' trivy-results.sarif" + - uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412" + with: + sarif_file: trivy-results.sarif + version_test: + container: "docker://ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + name: Test Version + needs: + - Build + runs-on: ubuntu-latest + steps: + - run: psql --version +name: "psql (main)" +on: + push: + branches: + - master + - next + - next-major + - beta + - alpha + - "+([0-9])?(.{+([0-9]),x}).x" + tags: + - "v*" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index aafac9d52..836e26a93 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -65,7 +65,7 @@ $ docker run --rm -i ghcr.io/hadolint/hadolint < .//Dockerfile $ docker run --rm -i ghcr.io/hadolint/hadolint < ./helm/Dockerfile ``` -## Generate GitLab Workflow +## Generate GitHub Workflow ### Lint Dockerfiles diff --git a/README.md b/README.md index 35ecadee3..696c2524a 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ $ docker pull ghcr.io/socialgouv/docker/ | **dhall** | `docker pull ghcr.io/socialgouv/docker/dhall:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./dhall/README.md) | | **nginx** | `docker pull ghcr.io/socialgouv/docker/nginx:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./nginx/README.md) | | **nginx4spa** | `docker pull ghcr.io/socialgouv/docker/nginx4spa:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./nginx4spa/README.md) | +| **psql** | `docker pull ghcr.io/socialgouv/docker/psql:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./psql/README.md) | | **wait-for-http** | `docker pull ghcr.io/socialgouv/docker/wait-for-http:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./wait-for-http/README.md) | | **wait-for-postgres** | `docker pull ghcr.io/socialgouv/docker/wait-for-postgres:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./wait-for-postgres/README.md) | diff --git a/psql/.env b/psql/.env new file mode 100644 index 000000000..8dd488f25 --- /dev/null +++ b/psql/.env @@ -0,0 +1 @@ +COMPOSE_PROJECT_NAME=socialgouv_docker_psql diff --git a/psql/.github/AssemblyLine.dhall b/psql/.github/AssemblyLine.dhall new file mode 100644 index 000000000..072c266b8 --- /dev/null +++ b/psql/.github/AssemblyLine.dhall 
@@ -0,0 +1,22 @@ +let AssemblyLine = + ../../.github/dhall/workflows/AssemblyLine.dhall + sha256:2bab6cac12fe90f5a724f023c87129b3354a0103826aebb8013353bd3a7785a9 + +let InceptionJob = + ../../.github/dhall/jobs/Inception.dhall + sha256:037f4c6e58bcec39375d74afb5ded6db30caa1e372b399bf7f30da1d6c1cdc4f + +let GithubActions = + https://raw.githubusercontent.com/SocialGouv/.github/9fe59f60d6a941dd76df40d67b3428fdf85865aa/dhall/github-actions/package.dhall + sha256:61e7d862f54e9514379feaadbc80a85b7bd870dad5e31e2e83d8b3dd9eda8e1b + +let name = "psql" + +let version_test = + InceptionJob + { package = name } + { name = "Test Version" + , steps = [ GithubActions.Step::{ run = Some "psql --version" } ] + } + +in AssemblyLine.Worklflow { name, jobs = toMap { version_test } } diff --git a/psql/.github/branches.workflow.dhall b/psql/.github/branches.workflow.dhall new file mode 100644 index 000000000..7044a26d8 --- /dev/null +++ b/psql/.github/branches.workflow.dhall @@ -0,0 +1,8 @@ +let On = + ../../.github/dhall/workflows/On.dhall + sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9 + +in ./AssemblyLine.dhall + sha256:91d7d10f27ce446fabf02d690abc68e90c3da668c129280043cc58628c92da43 + with on = On.match On.Event.FeatureBranches "psql" + with name = "psql (branch)" diff --git a/psql/.github/main.workflow.dhall b/psql/.github/main.workflow.dhall new file mode 100644 index 000000000..f5d08050c --- /dev/null +++ b/psql/.github/main.workflow.dhall @@ -0,0 +1,8 @@ +let On = + ../../.github/dhall/workflows/On.dhall + sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9 + +in ./AssemblyLine.dhall + sha256:91d7d10f27ce446fabf02d690abc68e90c3da668c129280043cc58628c92da43 + with on = On.match On.Event.ReleasesBranches "psql" + with name = "psql (main)" diff --git a/psql/Dockerfile b/psql/Dockerfile new file mode 100644 index 000000000..990d80ba9 --- /dev/null +++ b/psql/Dockerfile 
@@ -0,0 +1,5 @@ +FROM alpine:3.14 + +RUN apk --no-cache add bash=5.1.4-r0 postgresql-client=13.5-r0 jq=1.6-r1 + +ENTRYPOINT [] diff --git a/psql/Makefile b/psql/Makefile new file mode 100644 index 000000000..3ff6f22fd --- /dev/null +++ b/psql/Makefile @@ -0,0 +1,19 @@ +# + +DOCKER_COMPOSE = docker-compose +BATS_BIN = $$(yarn bin)/bats + +all: test build lint + +lint: + $(DOCKER_COMPOSE) run --rm lint + +build: lint + $(DOCKER_COMPOSE) build + +test: build test_structure + +test_structure: + $(DOCKER_COMPOSE) run --rm test + + diff --git a/psql/README.md b/psql/README.md new file mode 100644 index 000000000..d9f17e2be --- /dev/null +++ b/psql/README.md @@ -0,0 +1,3 @@ +# psql + +Image with `psql` and `jq` diff --git a/psql/docker-compose.yml b/psql/docker-compose.yml new file mode 100644 index 000000000..027f9d403 --- /dev/null +++ b/psql/docker-compose.yml @@ -0,0 +1,31 @@ +services: + alpine: + build: + context: . + deploy: + replicas: 0 + # + + lint: + image: ghcr.io/hadolint/hadolint:v2.8.0-alpine + entrypoint: hadolint + command: Dockerfile + volumes: + - .:/home/socialgouv + working_dir: /home/socialgouv + + # + + test: + image: gcr.io/gcp-runtimes/container-structure-test:v1.11.0 + depends_on: + - alpine + command: > + test + --config tests/container-structure-test.yml + --image ${COMPOSE_PROJECT_NAME}_alpine + -v debug + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - .:/home/socialgouv + working_dir: /home/socialgouv diff --git a/psql/tests/container-structure-test.yml b/psql/tests/container-structure-test.yml new file mode 100644 index 000000000..cebf79be0 --- /dev/null +++ b/psql/tests/container-structure-test.yml @@ -0,0 +1,11 @@ +schemaVersion: "2.0.0" + +commandTests: + - name: "psql version" + command: "psql" + args: ["--version"] + expectedOutput: ["psql \\(PostgreSQL\\) \\d+\\.\\d+"] + - name: "jq version" + command: "jq" + args: ["--version"] + expectedOutput: ["jq-master-v.*"]
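Review bot: `FROM alpine:3.14` pins the base image by a mutable tag, while the rest of this commit pins every third-party image by sha256 digest (hadolint and container-structure-test in the workflows); `FROM alpine:3.14@sha256:<digest placeholder>` would make the build reproducible and let the base be bumped deliberately rather than silently. The exact `apk` pins (`bash=5.1.4-r0`, `postgresql-client=13.5-r0`, `jq=1.6-r1`) satisfy the hadolint rule, but Alpine's repositories typically serve only the current revision of a package, so this build starts failing as soon as any of the three is rebuilt upstream; a comment above the `RUN` line such as `# exact apk pins: bump, do not drop, when the build breaks on a missing version` would save the next maintainer a search. The image also has no `USER` instruction, so `psql` and `jq` run as root by default; whether that is intended for the `version_test` job container and other callers is worth stating in a comment either way.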
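Review bot: `BATS_BIN = $$(yarn bin)/bats` is defined but no target in the file uses it, and `all: test build lint` lists `build` and `lint` after `test` although `test` already depends on `build`, which depends on `lint`, so the extra prerequisites are redundant. Either drop the unused variable or add a comment saying what it is reserved for, and `all: test` expresses the same dependency chain more plainly.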
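Review bot: The `test` service bind-mounts `/var/run/docker.sock`, which gives the container-structure-test container control of the host Docker daemon, equivalent to root on the host; that is what the tool needs to inspect the built image, but a comment on the volume line, `# required by container-structure-test to inspect the image; grants host-daemon access`, keeps the next reader from copying the pattern into a service that does not need it. The local tool versions also diverge from CI in the same commit: compose runs `hadolint:v2.8.0-alpine` and `container-structure-test:v1.11.0` by tag, while the workflows run `hadolint:2.4.0` and `container-structure-test:v1.10.0` by digest, so `make lint`/`make test` can pass or fail on rules that CI does not apply. Aligning the versions and pinning the compose images by digest as well would make local and CI results comparable.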
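Review bot: The `expectedOutput` regex `psql \(PostgreSQL\) \d+\.\d+` accepts any major version, so it would not notice if the `postgresql-client=13.5-r0` pin in the Dockerfile were relaxed or the base image moved to a different PostgreSQL major; anchoring it to the pinned major, `expectedOutput: ["psql \\(PostgreSQL\\) 13\\.\\d+"]`, ties the test to what the image claims to ship. The `jq` check `jq-master-v.*` is loose in the same way and appears to depend on the build string of Alpine's jq package rather than on a release number; a comment noting why `jq-master` is the expected prefix would help whoever next bumps the pin.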