feat!: Docker CI - Security added & Tagging updates - 2 #1327
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrmanes
added
app
CI
3 tasks
rach-id
reviewed
Feb 2, 2023
jrmanes
force-pushed
the
jose/docker-ci-images
branch
from
706910c
to
2339ae7
Compare
Bidon15
reviewed
Feb 2, 2023
evan-forbes
requested changes
Feb 2, 2023
There was a problem hiding this comment.
buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1327: unexpected status: 403 Forbidden
are we still seeing the issues that we saw with #1320 with the failed docker build CI?
besides fixing the linters, this LGTM
MSevey
reviewed
Feb 2, 2023
|
@jrmanes suggested me trying this since PR since I write permissions, so I'm closing here for now to let me open up a PR from the same branch |
5 tasks
|
I've added the changes that we discuss last Friday for fixing the issues with the forks and so far the CI looks better.
Let me know if you find anything that you would like to add :) thanks in advance! |
|
Yes, we'll build it alway, but only push the new images when the branch is |
Update:
|
jrmanes
force-pushed
the
jose/docker-ci-images
branch
from
70512d2
to
1da23e8
Compare
smuu
reviewed
Feb 9, 2023
Bidon15
approved these changes
Feb 9, 2023
smuu
approved these changes
Feb 9, 2023
evan-forbes
approved these changes
Feb 9, 2023
| # refer to it later | ||
| tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local | ||
|
|
||
| - name: Run Trivy vulnerability scanner |
There was a problem hiding this comment.
can we run this locally if it fails?
There was a problem hiding this comment.
evan-forbes
pushed a commit
that referenced
this pull request
Feb 27, 2023
## Overview ℹ️ Same content as: [1320](#1320), I had an issue and the PR was closed... Hello team, Hope you’re doing well The following PR contains some changes in the Docker CI, build & publish. I’ve added some features: - File renamed: `amd64-docker-build.yml` -> `docker-build-publish.yml` *We will be able to use a matrix for building the container in different architectures.* - This CI is triggered when - When push to any branch - When creating `PRs` - When there's a new hotfix (when push to main branch) - When push tags `(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)` - Only push new Docker images when they are in `main` or `v*` (blocking forks for security) - Security: [Trivy](https://www.aquasec.com/products/trivy/) added to the CI, this is the first step during the build, it scans the image and provide us a table summary in case we have any CVE, if everything goes well, it continues with the next step. *It’s not going to block the CI in case of bugs, though I think it will be good for us, stop it and fix them.* - Docker tagging: - Git short SHA => for example: `a594b69` - Tag ID => for example: `0.0.1` - Provided some additional metadata to the images: - Maintainer => "maintainer": "CelestiaOrg" - Description => "CelestiaOrg repository celestiaorg/celestia-app" - URL to the specific commit => "commit_url": "a594b69" - Docker pull command => "docker_pull_command": "docker pull ghcr.io/celestiaorg/celestia-app:a594b691" --- ## Checklist - [x] Required CI checks are passing - [x] Linked issues closed with keywords --- ## Blockers Hello team! I'll need to add some permissions to allow the CI to have the access to the packages. This is an error that I'm having: [link](https://github.com/celestiaorg/celestia-app/actions/runs/4058197292/jobs/6984898432) ``` ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden ``` Thanks in advance! cc: @evan-forbes @rootulp @Bidon15 @sysrex Please, ping me when you'll going to merge it, just to check that everything goes fine 😊 Thank you team! --- Closes Issue: [37](celestiaorg/devops#37)
rach-id
pushed a commit
to rach-id/celestia-app
that referenced
this pull request
May 25, 2023
…1327) ## Overview ℹ️ Same content as: [1320](celestiaorg#1320), I had an issue and the PR was closed... Hello team, Hope you’re doing well The following PR contains some changes in the Docker CI, build & publish. I’ve added some features: - File renamed: `amd64-docker-build.yml` -> `docker-build-publish.yml` *We will be able to use a matrix for building the container in different architectures.* - This CI is triggered when - When push to any branch - When creating `PRs` - When there's a new hotfix (when push to main branch) - When push tags `(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)` - Only push new Docker images when they are in `main` or `v*` (blocking forks for security) - Security: [Trivy](https://www.aquasec.com/products/trivy/) added to the CI, this is the first step during the build, it scans the image and provide us a table summary in case we have any CVE, if everything goes well, it continues with the next step. *It’s not going to block the CI in case of bugs, though I think it will be good for us, stop it and fix them.* - Docker tagging: - Git short SHA => for example: `a594b69` - Tag ID => for example: `0.0.1` - Provided some additional metadata to the images: - Maintainer => "maintainer": "CelestiaOrg" - Description => "CelestiaOrg repository celestiaorg/celestia-app" - URL to the specific commit => "commit_url": "celestiaorg@a594b69" - Docker pull command => "docker_pull_command": "docker pull ghcr.io/celestiaorg/celestia-app:a594b691" --- ## Checklist - [x] Required CI checks are passing - [x] Linked issues closed with keywords --- ## Blockers Hello team! I'll need to add some permissions to allow the CI to have the access to the packages. This is an error that I'm having: [link](https://github.com/celestiaorg/celestia-app/actions/runs/4058197292/jobs/6984898432) ``` ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden ``` Thanks in advance! cc: @evan-forbes @rootulp @Bidon15 @sysrex Please, ping me when you'll going to merge it, just to check that everything goes fine 😊 Thank you team! --- Closes Issue: [37](celestiaorg/devops#37) (cherry picked from commit 67c90ed)
evan-forbes
pushed a commit
that referenced
this pull request
May 26, 2023
## Overview ℹ️ Same content as: [1320](#1320), I had an issue and the PR was closed... Hello team, Hope you’re doing well The following PR contains some changes in the Docker CI, build & publish. I’ve added some features: - File renamed: `amd64-docker-build.yml` -> `docker-build-publish.yml` *We will be able to use a matrix for building the container in different architectures.* - This CI is triggered when - When push to any branch - When creating `PRs` - When there's a new hotfix (when push to main branch) - When push tags `(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)` - Only push new Docker images when they are in `main` or `v*` (blocking forks for security) - Security: [Trivy](https://www.aquasec.com/products/trivy/) added to the CI, this is the first step during the build, it scans the image and provide us a table summary in case we have any CVE, if everything goes well, it continues with the next step. *It’s not going to block the CI in case of bugs, though I think it will be good for us, stop it and fix them.* - Docker tagging: - Git short SHA => for example: `a594b69` - Tag ID => for example: `0.0.1` - Provided some additional metadata to the images: - Maintainer => "maintainer": "CelestiaOrg" - Description => "CelestiaOrg repository celestiaorg/celestia-app" - URL to the specific commit => "commit_url": "a594b69" - Docker pull command => "docker_pull_command": "docker pull ghcr.io/celestiaorg/celestia-app:a594b691" --- ## Checklist - [x] Required CI checks are passing - [x] Linked issues closed with keywords --- ## Blockers Hello team! I'll need to add some permissions to allow the CI to have the access to the packages. This is an error that I'm having: [link](https://github.com/celestiaorg/celestia-app/actions/runs/4058197292/jobs/6984898432) ``` ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden ``` Thanks in advance! cc: @evan-forbes @rootulp @Bidon15 @sysrex Please, ping me when you'll going to merge it, just to check that everything goes fine 😊 Thank you team! --- Closes Issue: [37](celestiaorg/devops#37) (cherry picked from commit 67c90ed)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
ℹ️ Same content as: 1320, I had an issue and the PR was closed...
Hello team,
Hope you’re doing well
The following PR contains some changes in the Docker CI, build & publish.
I’ve added some features:
File renamed:
amd64-docker-build.yml->docker-build-publish.ymlWe will be able to use a matrix for building the container in different architectures.
This CI is triggered when
PRs(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)mainorv*(blocking forks for security)Security:
Trivy added to the CI, this is the first step during the build, it scans the image and provide us a table summary in case we have any CVE, if everything goes well, it continues with the next step.
It’s not going to block the CI in case of bugs, though I think it will be good for us, stop it and fix them.
Docker tagging:
a594b690.0.1Provided some additional metadata to the images:
Checklist
Blockers
Hello team!
I'll need to add some permissions to allow the CI to have the access to the packages.
This is an error that I'm having: link
Thanks in advance!
cc: @evan-forbes @rootulp @Bidon15 @sysrex
Please, ping me when you'll going to merge it, just to check that everything goes fine 😊
Thank you team!
Closes Issue: 37