From 0fae9e9ffcac139632a1f57fefc801d1a0b5e49e Mon Sep 17 00:00:00 2001 From: Julien Bouquillon Date: Tue, 18 Jan 2022 23:22:24 +0100 Subject: [PATCH 1/4] feat: add psql image --- psql/.env | 1 + psql/.github/AssemblyLine.dhall | 25 ++++++++++++++++++++ psql/.github/branches.workflow.dhall | 8 +++++++ psql/.github/main.workflow.dhall | 8 +++++++ psql/Dockerfile | 5 ++++ psql/Makefile | 19 +++++++++++++++ psql/README.md | 3 +++ psql/docker-compose.yml | 31 +++++++++++++++++++++++++ psql/tests/container-structure-test.yml | 11 +++++++++ 9 files changed, 111 insertions(+) create mode 100644 psql/.env create mode 100644 psql/.github/AssemblyLine.dhall create mode 100644 psql/.github/branches.workflow.dhall create mode 100644 psql/.github/main.workflow.dhall create mode 100644 psql/Dockerfile create mode 100644 psql/Makefile create mode 100644 psql/README.md create mode 100644 psql/docker-compose.yml create mode 100644 psql/tests/container-structure-test.yml diff --git a/psql/.env b/psql/.env new file mode 100644 index 000000000..8dd488f25 --- /dev/null +++ b/psql/.env @@ -0,0 +1 @@ +COMPOSE_PROJECT_NAME=socialgouv_docker_psql diff --git a/psql/.github/AssemblyLine.dhall b/psql/.github/AssemblyLine.dhall new file mode 100644 index 000000000..dce27b0ff --- /dev/null +++ b/psql/.github/AssemblyLine.dhall 
@@ -0,0 +1,25 @@ +let AssemblyLine = + ../../.github/dhall/workflows/AssemblyLine.dhall + sha256:2bab6cac12fe90f5a724f023c87129b3354a0103826aebb8013353bd3a7785a9 + +let InceptionJob = + ../../.github/dhall/jobs/Inception.dhall + sha256:037f4c6e58bcec39375d74afb5ded6db30caa1e372b399bf7f30da1d6c1cdc4f + +let GithubActions = + https://raw.githubusercontent.com/SocialGouv/.github/9fe59f60d6a941dd76df40d67b3428fdf85865aa/dhall/github-actions/package.dhall + sha256:61e7d862f54e9514379feaadbc80a85b7bd870dad5e31e2e83d8b3dd9eda8e1b + +let name = "psql" + +let version_test = + InceptionJob + { package = name } + { name = "Test Version" + , steps = [ GithubActions.Step::{ run = Some "psql --version" } ] + } + + + +in AssemblyLine.Worklflow + { name, jobs = toMap { version_test } } diff --git a/psql/.github/branches.workflow.dhall b/psql/.github/branches.workflow.dhall new file mode 100644 index 000000000..4e409f773 --- /dev/null +++ b/psql/.github/branches.workflow.dhall @@ -0,0 +1,8 @@ +let On = + ../../.github/dhall/workflows/On.dhall + sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9 + +in ./AssemblyLine.dhall + sha256:211dc7ab432c05fbe6ad7f2b48eaa803b6830b8e363a60bfcb17ae6376baec89 + with on = On.match On.Event.FeatureBranches "psql" + with name = "psql (branch)" diff --git a/psql/.github/main.workflow.dhall b/psql/.github/main.workflow.dhall new file mode 100644 index 000000000..56dd1c694 --- /dev/null +++ b/psql/.github/main.workflow.dhall @@ -0,0 +1,8 @@ +let On = + ../../.github/dhall/workflows/On.dhall + sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9 + +in ./AssemblyLine.dhall + sha256:211dc7ab432c05fbe6ad7f2b48eaa803b6830b8e363a60bfcb17ae6376baec89 + with on = On.match On.Event.ReleasesBranches "psql" + with name = "psql (main)" diff --git a/psql/Dockerfile b/psql/Dockerfile new file mode 100644 index 000000000..62bfaff94 --- /dev/null +++ b/psql/Dockerfile 
@@ -0,0 +1,5 @@ +FROM alpine:3.14 + +RUN apk --no-cache add postgresql-client=13.5-r0 jq=1.6-r1 + +ENTRYPOINT [] diff --git a/psql/Makefile b/psql/Makefile new file mode 100644 index 000000000..3ff6f22fd --- /dev/null +++ b/psql/Makefile @@ -0,0 +1,19 @@ +# + +DOCKER_COMPOSE = docker-compose +BATS_BIN = $$(yarn bin)/bats + +all: test build lint + +lint: + $(DOCKER_COMPOSE) run --rm lint + +build: lint + $(DOCKER_COMPOSE) build + +test: build test_structure + +test_structure: + $(DOCKER_COMPOSE) run --rm test + + diff --git a/psql/README.md b/psql/README.md new file mode 100644 index 000000000..d9f17e2be --- /dev/null +++ b/psql/README.md @@ -0,0 +1,3 @@ +# psql + +Image with `psql` and `jq` diff --git a/psql/docker-compose.yml b/psql/docker-compose.yml new file mode 100644 index 000000000..027f9d403 --- /dev/null +++ b/psql/docker-compose.yml @@ -0,0 +1,31 @@ +services: + alpine: + build: + context: . + deploy: + replicas: 0 + # + + lint: + image: ghcr.io/hadolint/hadolint:v2.8.0-alpine + entrypoint: hadolint + command: Dockerfile + volumes: + - .:/home/socialgouv + working_dir: /home/socialgouv + + # + + test: + image: gcr.io/gcp-runtimes/container-structure-test:v1.11.0 + depends_on: + - alpine + command: > + test + --config tests/container-structure-test.yml + --image ${COMPOSE_PROJECT_NAME}_alpine + -v debug + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - .:/home/socialgouv + working_dir: /home/socialgouv diff --git a/psql/tests/container-structure-test.yml b/psql/tests/container-structure-test.yml new file mode 100644 index 000000000..bb08f1fca --- /dev/null +++ b/psql/tests/container-structure-test.yml @@ -0,0 +1,11 @@ +schemaVersion: "2.0.0" + +commandTests: + - name: "psql version" + command: "psql" + args: ["--version"] + expectedOutput: ["psql (PostgreSQL) \\d+\\.\\d+"] + - name: "jq version" + command: "jq" + args: ["--version"] + expectedOutput: ["jq-master-v\\d+\\.\\d+\\..*"] 
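Review bot: `FROM alpine:3.14` pins the base image by tag only, so what gets built depends on whatever the registry serves for that tag on the day, while the generated workflows in this series pin every action and tool image by digest; pin it as `FROM alpine:3.14@sha256:<DIGEST_OF_THE_TESTED_3.14_IMAGE>` so the apk version pins below actually sit on a known base. The image also runs as root by default; for a client tool that only needs to reach a database, an unprivileged user (`RUN adduser -D psql` followed by `USER psql`) would shrink the impact of a misconfigured volume or socket mount. `ENTRYPOINT []` is a deliberate choice for a tool image but deserves a one-line comment stating that callers are expected to pass the full command.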
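Review bot: `BATS_BIN = $$(yarn bin)/bats` is defined but no target in this Makefile uses it, and the `lint`/`build`/`test` chain never runs bats; either drop the variable or add the target that needs it, otherwise readers will look for a bats suite that does not exist. `all: test build lint` also lists `build` and `lint` even though `test: build test_structure` and `build: lint` already pull them in, so `all: test` expresses the same order with less to keep in sync. The opening `#` line is an empty comment and could carry the one-sentence purpose of the file instead.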
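Review bot: The `test` service bind-mounts `/var/run/docker.sock`, which gives that container control of the host Docker daemon; container-structure-test needs it to inspect the locally built `${COMPOSE_PROJECT_NAME}_alpine` image, but that reason and its consequence should sit next to the mount, e.g. `# host docker socket: lets container-structure-test inspect the locally built image; this is daemon-level host access, local use only`. The `lint` and `test` images are pinned by tag alone (`hadolint:v2.8.0-alpine`, `container-structure-test:v1.11.0`) whereas the generated workflows pin the same tools by digest, and at different versions (hadolint 2.4.0, container-structure-test v1.10.0), so local and CI runs can disagree; pinning by digest here and aligning the versions would make a local pass meaningful. The two bare `#` lines look like leftover separators and could be removed.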
From ce562e28a342aa70e001e359781336d8a79b83fc Mon Sep 17 00:00:00 2001 From: Social Groovy Bot <45039513+SocialGroovyBot@users.noreply.github.com> Date: Tue, 18 Jan 2022 22:23:17 +0000 Subject: [PATCH 2/4] chore(:robot:): dhall update --- .github/workflows/psql.branches.workflow.yaml | 116 ++++++++++++++++++ .github/workflows/psql.main.workflow.yaml | 115 +++++++++++++++++ psql/.github/AssemblyLine.dhall | 5 +- psql/.github/branches.workflow.dhall | 2 +- psql/.github/main.workflow.dhall | 2 +- 5 files changed, 234 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/psql.branches.workflow.yaml create mode 100644 .github/workflows/psql.main.workflow.yaml diff --git a/.github/workflows/psql.branches.workflow.yaml b/.github/workflows/psql.branches.workflow.yaml new file mode 100644 index 000000000..84393c54a --- /dev/null +++ b/.github/workflows/psql.branches.workflow.yaml 
@@ -0,0 +1,116 @@ +concurrency: + cancel-in-progress: true + group: "psql-${{ github.ref }}" +jobs: + build: + name: Build + needs: + - Lint + outputs: + digest: "${{ steps.docker_push.outputs.digest }}" + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - id: docker_meta + uses: "crazy-max/ghaction-docker-meta@f6efe56d565add159ad605568120f5b22712a870" + with: + images: ghcr.io/socialgouv/docker/psql + labels: | + org.opencontainers.image.title=psql + org.opencontainers.image.documentation=https://github.com/SocialGouv/docker/tree/${{ github.sha }}/psql + tags: | + type=sha + type=raw,value=sha-${{ github.sha }} + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - id: docker_buildx + name: Set up Docker Buildx + uses: "docker/setup-buildx-action@abe5d8f79a1606a2d3e218847032f3f2b1726ab0" + with: {} + - if: "${{ github.event_name != 'pull_request' }}" + name: Login to ghcr.io/socialgouv Registry + uses: "docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9" + with: + password: "${{ secrets.GHCR_REGISTRY_TOKEN }}" + registry: ghcr.io + username: "${{ secrets.SOCIALGROOVYBOT_NAME }}" + - id: docker_push + name: Push + uses: "docker/build-push-action@1bc1040caef9e604eb543693ba89b5bf4fc80935" + with: + builder: "${{ steps.docker_buildx.outputs.name }}" + cache-from: type=gha + cache-to: "type=gha,mode=max" + context: "./psql" + labels: "${{ steps.docker_meta.outputs.labels }}" + push: 'true' + tags: "${{ steps.docker_meta.outputs.tags }}" + - name: Image digest + run: | + echo "${{ steps.docker_push.outputs.digest }}" + container_test: + name: Container Test + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - name: Container structure test + uses: "docker://gcr.io/gcp-runtimes/container-structure-test:v1.10.0@sha256:78c0abfdc3696ec9fb35840d62342cf28f65d890d56beceb2113638d59f2cce8" + with: + args: "test --config 
psql/tests/container-structure-test.yml -v debug --image ghcr.io/socialgouv/docker/psql@${{ needs.Build.outputs.digest }} --pull" + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - uses: "docker://ghcr.io/hadolint/hadolint:2.4.0@sha256:ed22c9de9b884383094edb8930696a256c4450335945c68153d8fc8fbb27bf03" + with: + args: hadolint ./psql/Dockerfile + security_scan: + name: Vulnerability Scanner + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - run: "docker pull ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Run Trivy vulnerability scanner + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Export Trivy Results as sarif + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + format: template + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + output: trivy-results.sarif + template: "@/contrib/sarif.tpl" + - name: Change hardcoded Dockerfile path + run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"psql\\/Dockerfile\"/' trivy-results.sarif" + - uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412" + with: + sarif_file: trivy-results.sarif + version_test: + container: "docker://ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + name: Test Version + needs: + - Build + runs-on: ubuntu-latest + steps: + - run: psql --version +name: "psql (branch)" +on: + push: + branches-ignore: + - master + - next + - next-major + - beta + - alpha + - "+([0-9])?(.{+([0-9]),x}).x" + paths: + - "psql/**" + - ".github/workflows/psql.branches.workflow.yaml" diff --git a/.github/workflows/psql.main.workflow.yaml b/.github/workflows/psql.main.workflow.yaml new file mode 100644 index 000000000..665c66ca3 --- /dev/null +++ b/.github/workflows/psql.main.workflow.yaml 
@@ -0,0 +1,115 @@ +concurrency: + cancel-in-progress: true + group: "psql-${{ github.ref }}" +jobs: + build: + name: Build + needs: + - Lint + outputs: + digest: "${{ steps.docker_push.outputs.digest }}" + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - id: docker_meta + uses: "crazy-max/ghaction-docker-meta@f6efe56d565add159ad605568120f5b22712a870" + with: + images: ghcr.io/socialgouv/docker/psql + labels: | + org.opencontainers.image.title=psql + org.opencontainers.image.documentation=https://github.com/SocialGouv/docker/tree/${{ github.sha }}/psql + tags: | + type=sha + type=raw,value=sha-${{ github.sha }} + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - id: docker_buildx + name: Set up Docker Buildx + uses: "docker/setup-buildx-action@abe5d8f79a1606a2d3e218847032f3f2b1726ab0" + with: {} + - if: "${{ github.event_name != 'pull_request' }}" + name: Login to ghcr.io/socialgouv Registry + uses: "docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9" + with: + password: "${{ secrets.GHCR_REGISTRY_TOKEN }}" + registry: ghcr.io + username: "${{ secrets.SOCIALGROOVYBOT_NAME }}" + - id: docker_push + name: Push + uses: "docker/build-push-action@1bc1040caef9e604eb543693ba89b5bf4fc80935" + with: + builder: "${{ steps.docker_buildx.outputs.name }}" + cache-from: type=gha + cache-to: "type=gha,mode=max" + context: "./psql" + labels: "${{ steps.docker_meta.outputs.labels }}" + push: 'true' + tags: "${{ steps.docker_meta.outputs.tags }}" + - name: Image digest + run: | + echo "${{ steps.docker_push.outputs.digest }}" + container_test: + name: Container Test + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - name: Container structure test + uses: "docker://gcr.io/gcp-runtimes/container-structure-test:v1.10.0@sha256:78c0abfdc3696ec9fb35840d62342cf28f65d890d56beceb2113638d59f2cce8" + with: + args: "test --config 
psql/tests/container-structure-test.yml -v debug --image ghcr.io/socialgouv/docker/psql@${{ needs.Build.outputs.digest }} --pull" + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - uses: "docker://ghcr.io/hadolint/hadolint:2.4.0@sha256:ed22c9de9b884383094edb8930696a256c4450335945c68153d8fc8fbb27bf03" + with: + args: hadolint ./psql/Dockerfile + security_scan: + name: Vulnerability Scanner + needs: + - Build + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v2" + - run: "docker pull ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Run Trivy vulnerability scanner + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + - name: Export Trivy Results as sarif + uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b" + with: + format: template + image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + output: trivy-results.sarif + template: "@/contrib/sarif.tpl" + - name: Change hardcoded Dockerfile path + run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"psql\\/Dockerfile\"/' trivy-results.sarif" + - uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412" + with: + sarif_file: trivy-results.sarif + version_test: + container: "docker://ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}" + name: Test Version + needs: + - Build + runs-on: ubuntu-latest + steps: + - run: psql --version +name: "psql (main)" +on: + push: + branches: + - master + - next + - next-major + - beta + - alpha + - "+([0-9])?(.{+([0-9]),x}).x" + tags: + - "v*" diff --git a/psql/.github/AssemblyLine.dhall b/psql/.github/AssemblyLine.dhall index dce27b0ff..072c266b8 100644 --- a/psql/.github/AssemblyLine.dhall +++ b/psql/.github/AssemblyLine.dhall 
@@ -19,7 +19,4 @@ let version_test = , steps = [ GithubActions.Step::{ run = Some "psql --version" } ] } - - -in AssemblyLine.Worklflow - { name, jobs = toMap { version_test } } +in AssemblyLine.Worklflow { name, jobs = toMap { version_test } } diff --git a/psql/.github/branches.workflow.dhall b/psql/.github/branches.workflow.dhall index 4e409f773..7044a26d8 100644 --- a/psql/.github/branches.workflow.dhall +++ b/psql/.github/branches.workflow.dhall @@ -3,6 +3,6 @@ let On = sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9 in ./AssemblyLine.dhall - sha256:211dc7ab432c05fbe6ad7f2b48eaa803b6830b8e363a60bfcb17ae6376baec89 + sha256:91d7d10f27ce446fabf02d690abc68e90c3da668c129280043cc58628c92da43 with on = On.match On.Event.FeatureBranches "psql" with name = "psql (branch)" diff --git a/psql/.github/main.workflow.dhall b/psql/.github/main.workflow.dhall index 56dd1c694..f5d08050c 100644 --- a/psql/.github/main.workflow.dhall +++ b/psql/.github/main.workflow.dhall @@ -3,6 +3,6 @@ let On = sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9 in ./AssemblyLine.dhall - sha256:211dc7ab432c05fbe6ad7f2b48eaa803b6830b8e363a60bfcb17ae6376baec89 + sha256:91d7d10f27ce446fabf02d690abc68e90c3da668c129280043cc58628c92da43 with on = On.match On.Event.ReleasesBranches "psql" with name = "psql (main)" From ce1c77b8ef32c4c72f013cb16c5e483953bc2f25 Mon Sep 17 00:00:00 2001 From: Julien Bouquillon Date: Tue, 18 Jan 2022 23:36:49 +0100 Subject: [PATCH 3/4] test --- CONTRIBUTING.md | 2 +- README.md | 1 + psql/tests/container-structure-test.yml | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index aafac9d52..836e26a93 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -65,7 +65,7 @@ $ docker run --rm -i ghcr.io/hadolint/hadolint < .//Dockerfile $ docker run --rm -i ghcr.io/hadolint/hadolint < ./helm/Dockerfile ``` -## Generate GitLab Workflow +## Generate GitHub Workflow ### Lint Dockerfiles 
diff --git a/README.md b/README.md index 35ecadee3..696c2524a 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ $ docker pull ghcr.io/socialgouv/docker/ | **dhall** | `docker pull ghcr.io/socialgouv/docker/dhall:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./dhall/README.md) | | **nginx** | `docker pull ghcr.io/socialgouv/docker/nginx:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./nginx/README.md) | | **nginx4spa** | `docker pull ghcr.io/socialgouv/docker/nginx4spa:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./nginx4spa/README.md) | +| **psql** | `docker pull ghcr.io/socialgouv/docker/psql:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./psql/README.md) | | **wait-for-http** | `docker pull ghcr.io/socialgouv/docker/wait-for-http:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./wait-for-http/README.md) | | **wait-for-postgres** | `docker pull ghcr.io/socialgouv/docker/wait-for-postgres:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./wait-for-postgres/README.md) | diff --git a/psql/tests/container-structure-test.yml b/psql/tests/container-structure-test.yml index bb08f1fca..cebf79be0 100644 --- a/psql/tests/container-structure-test.yml +++ b/psql/tests/container-structure-test.yml @@ -4,8 +4,8 @@ commandTests: - name: "psql version" command: "psql" args: ["--version"] - expectedOutput: ["psql (PostgreSQL) \\d+\\.\\d+"] + expectedOutput: ["psql \\(PostgreSQL\\) \\d+\\.\\d+"] - name: "jq version" command: "jq" args: ["--version"] - expectedOutput: ["jq-master-v\\d+\\.\\d+\\..*"] + expectedOutput: ["jq-master-v.*"] From 3a35632dab605fb4784ce436f62266d52312ab5a Mon Sep 17 00:00:00 2001 From: Julien Bouquillon Date: Wed, 19 Jan 2022 09:50:15 +0100 Subject: [PATCH 4/4] add bash --- psql/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
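Review bot: The new jq `expectedOutput`, `jq-master-v.*`, no longer asserts any version, so the test only proves that `jq --version` prints that prefix, while the Dockerfile pins `jq=1.6-r1`. Anchor the pattern on the version string the CI job actually printed (presumably it contains `1.6`; a constructed example would be `jq-master-v1\\.6.*`, to be confirmed against the job log) so that a silent package change in the base image still fails the test rather than passing on the prefix alone.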
diff --git a/psql/Dockerfile b/psql/Dockerfile
index 62bfaff94..990d80ba9 100644
--- a/psql/Dockerfile
+++ b/psql/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:3.14
 
-RUN apk --no-cache add postgresql-client=13.5-r0 jq=1.6-r1
+RUN apk --no-cache add bash=5.1.4-r0 postgresql-client=13.5-r0 jq=1.6-r1
 
 ENTRYPOINT []
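Review bot: `bash=5.1.4-r0` is added without updating `psql/README.md` (which still says the image holds only `psql` and `jq`) or `psql/tests/container-structure-test.yml`, so the new dependency is neither documented nor verified; add a `bash --version` command test next to the psql and jq ones and list bash in the README. Exact `apk` pins like these satisfy hadolint DL3018 but are brittle, since Alpine's package index typically serves only the current build of each package and the build then fails on a missing version; a comment such as `# exact pins (hadolint DL3018): bump all three together with the alpine tag when apk reports a missing version` would save the next maintainer a search.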