From 0134e3133d1611c631334bccd968ea175b85b5f4 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 17:31:40 +0900
Subject: [PATCH 01/12] feat: add Dockerfile for snapshot build
---
 deployment/snapshot/Dockerfile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 deployment/snapshot/Dockerfile
diff --git a/deployment/snapshot/Dockerfile b/deployment/snapshot/Dockerfile
new file mode 100644
index 000000000..a890be2e5
--- /dev/null
+++ b/deployment/snapshot/Dockerfile
@@ -0,0 +1,15 @@
+FROM node:20-slim
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+
+RUN npm run build
+
+RUN npm prune --production
+
+EXPOSE 8000 8080
+CMD ["npm", "run", "start"]
From 5bfbdf276b4a1d36384a10573efbda6780df8d42 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 21:22:36 +0900
Subject: [PATCH 02/12] feat: add docker-publish.yml
---
 .github/workflows/docker-publish.yml | 42 ++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/docker-publish.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 000000000..bf1a9e781
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
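Review bot: The final image has no `USER` instruction, so `CMD ["npm", "run", "start"]` runs as root; the official node images ship an unprivileged `node` user, so `USER node` (with `COPY --chown=node:node` for the app files) before `CMD` would fix that. `npm prune --production` is the deprecated spelling of the flag — the npm bundled with Node 20 accepts `npm prune --omit=dev`. `COPY . .` copies the whole build context, so this Dockerfile depends on a `.dockerignore` excluding `.git`, `node_modules` and local env files, which is not part of this patch. Patch 03 in this series deletes the file again, so these points carry over to whatever replaces it.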
@@ -0,0 +1,42 @@
+name: Build and Publish Docker Image
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ docker-build-publish:
+ name: Build and Publish Docker Image
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v6
+
+ - name: Build Docker Image
+ shell: bash
+ run: |
+ docker build -f ./Dockerfile -t finos/git-proxy:latest .
+
+ - name: Scan Image with Trivy
+ uses: aquasecurity/trivy-action@v0.28.0
+ with:
+ image-ref: finos/git-proxy:latest
+ format: table
+ exit-code: '1'
+ severity: HIGH,CRITICAL
+
+ - name: Log in to Docker Hub
+ if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ uses: docker/login-action@v3
+ with:
+ username: finos
+ password: $${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Publish Docker Image
+ if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ shell: bash
+ run: |
+ docker push finos/git-proxy:latest
From 0c2ec19ccd56beb987895509850232c66ab80218 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 21:23:58 +0900
Subject: [PATCH 03/12] chore: remove unused Dockerfile
---
 deployment/snapshot/Dockerfile | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 deployment/snapshot/Dockerfile
diff --git a/deployment/snapshot/Dockerfile b/deployment/snapshot/Dockerfile
deleted file mode 100644
index a890be2e5..000000000
--- a/deployment/snapshot/Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-FROM node:20-slim
-
-WORKDIR /app
-
-COPY package*.json ./
-RUN npm ci
-
-COPY . .
-
-RUN npm run build
-
-RUN npm prune --production
-
-EXPOSE 8000 8080
-CMD ["npm", "run", "start"]
From 6de4850003bc3c4cf8f1929d8c66fdc2effdda15 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 21:32:00 +0900
Subject: [PATCH 04/12] fix: typo in trivy action version
---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
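Review bot: The workflow declares no top-level `permissions:`, so the job runs with the repository's default `GITHUB_TOKEN` scope; nothing here needs more than `permissions: contents: read`, and declaring it keeps a compromised step from using the token to write to the repository. The third-party actions are pinned to mutable tags (`actions/checkout@v6`, `docker/login-action@v3`, `aquasecurity/trivy-action@v0.28.0`); pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that holds registry credentials. The same two points apply to `docker-publish-attestation.yml` added in patch 10. If `DOCKER_PASSWORD` holds the account password rather than a Docker Hub access token scoped to push, a token would limit what a leaked secret can do.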
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index bf1a9e781..a1c80f604 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -21,7 +21,7 @@ jobs:
 docker build -f ./Dockerfile -t finos/git-proxy:latest .
 - name: Scan Image with Trivy
- uses: aquasecurity/trivy-action@v0.28.0
+ uses: aquasecurity/trivy-action@0.28.0
 with:
 image-ref: finos/git-proxy:latest
 format: table
From 576224bd71c29ae6e85f9b824814e560ea96b530 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 22:09:42 +0900
Subject: [PATCH 05/12] chore: skip trivy vulnerability scan before publish
---
 .github/workflows/docker-publish.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index a1c80f604..2c05d7b2e 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -20,13 +20,13 @@ jobs:
 run: |
 docker build -f ./Dockerfile -t finos/git-proxy:latest .
- - name: Scan Image with Trivy
- uses: aquasecurity/trivy-action@0.28.0
- with:
- image-ref: finos/git-proxy:latest
- format: table
- exit-code: '1'
- severity: HIGH,CRITICAL
+ # - name: Scan Image with Trivy
+ # uses: aquasecurity/trivy-action@0.28.0
+ # with:
+ # image-ref: finos/git-proxy:latest
+ # format: table
+ # exit-code: '1'
+ # severity: HIGH,CRITICAL
 - name: Log in to Docker Hub
 if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
From 0a6891376a2054f4839d262ae8c3376857a8b33f Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 22:13:53 +0900
Subject: [PATCH 06/12] chore: try removing check for main branch before image upload
---
 .github/workflows/docker-publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 2c05d7b2e..2eb33db10 100644
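Review bot: Commenting out the Trivy step removes the only gate that stopped an image with HIGH/CRITICAL findings from being pushed as `latest`, and patch 11 later deletes the commented block entirely, so the scan never returns. If the step was failing on vulnerabilities without an upstream fix, `ignore-unfixed: true` on the trivy-action step or a `.trivyignore` file keeps the gate while tolerating those; at minimum `exit-code: '0'` keeps the findings visible in the job log instead of dropping the scan. The commit message says skip but not why — a one-line `# Trivy disabled: <reason>; re-enable once <condition>` above the block would stop this from silently becoming permanent.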
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -29,14 +29,14 @@ jobs:
 # severity: HIGH,CRITICAL
 - name: Log in to Docker Hub
- if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ # if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
 uses: docker/login-action@v3
 with:
 username: finos
 password: $${{ secrets.DOCKER_PASSWORD }}
 - name: Publish Docker Image
- if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ # if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
 shell: bash
 run: |
 docker push finos/git-proxy:latest
From 2d72a26dca5daa3be0e093d36353fa01c1527c60 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Fri, 9 Jan 2026 22:17:45 +0900
Subject: [PATCH 07/12] fix: typo in password variable
---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 2eb33db10..e82fca6f5 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -33,7 +33,7 @@ jobs:
 uses: docker/login-action@v3
 with:
 username: finos
- password: $${{ secrets.DOCKER_PASSWORD }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Publish Docker Image
 # if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
From 55c50312d24e3d04801b82c36e5b71bea28c8628 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Sat, 10 Jan 2026 23:54:34 +0900
Subject: [PATCH 08/12] fix: permissions error on build and run
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0bb59e9bb..934ba0563 100644
--- a/Dockerfile
+++ b/Dockerfile
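Review bot: With both `if:` guards commented out while `on: pull_request` is still active (the trigger added in patch 02), a pull request opened from a branch in this repository runs with repository secrets and would `docker push finos/git-proxy:latest` from unreviewed code; pull requests from forks do not receive `secrets.DOCKER_PASSWORD`, so for them the login step simply fails. Patch 09 restores both guards, but the intermediate commits leave the guard off on whatever branch they land on. For testing the publish path, pushing to a throwaway tag (a constructed example: `finos/git-proxy:ci-test`) or a personal registry namespace is safer than loosening the guard on `latest`.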
@@ -31,8 +31,8 @@ RUN apt-get update && apt-get install -y \
 git tini \
 && rm -rf /var/lib/apt/lists/*
-RUN chown 1000:1000 /app/dist/build \
- && chmod g+w /app/dist/build
+RUN mkdir -p /app/.data /app/.tmp \
+ && chown 1000:1000 /app/dist/build /app/.data /app/.tmp
 USER 1000
From 6bba9e66afde83ab6bb51c3d27e73cf6218ece51 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Wed, 14 Jan 2026 18:25:53 +0900
Subject: [PATCH 09/12] chore: add checks to publish Docker image only after merge to main
---
 .github/workflows/docker-publish.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index e82fca6f5..5dc5fb8b8 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -3,8 +3,6 @@ name: Build and Publish Docker Image
 on:
 push:
 branches: [main]
- pull_request:
- branches: [main]
 jobs:
 docker-build-publish:
@@ -29,14 +27,14 @@ jobs:
 # severity: HIGH,CRITICAL
 - name: Log in to Docker Hub
- # if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
 uses: docker/login-action@v3
 with:
 username: finos
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Publish Docker Image
- # if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
 shell: bash
 run: |
 docker push finos/git-proxy:latest
From d73b4dfde2e3f04237775f9e662d709fa0eabb78 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Sat, 24 Jan 2026 08:33:08 +0900
Subject: [PATCH 10/12] feat: add attestation for published image
---
 .../workflows/docker-publish-attestation.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/docker-publish-attestation.yml
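Review bot: `chown 1000:1000 /app/dist/build` in its own `RUN` re-records every file under that directory in the new layer, so the directory is stored twice in the image; if `/app/dist/build` is produced by a `COPY` earlier in the Dockerfile (outside this hunk), `COPY --chown=1000:1000` at that point avoids both the duplicate layer and this `chown`. The dropped `chmod g+w` is fine once UID 1000 owns the path. A comment such as `# writable state for the unprivileged runtime user (UID 1000); the rest of /app stays root-owned` above the `RUN mkdir -p` line would record why exactly these three paths are chowned, and if `/app/.data` is meant to outlive the container it is worth documenting as a mount point. The enclosing Dockerfile continues on both sides of the hunk.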
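Review bot: Removing `pull_request` from `on:` means the image is no longer built for pull requests at all, so a Dockerfile that fails to build is only discovered after merge to `main` when the publish job runs. A build-only path for pull requests — a `docker build` step without the push, or later `push: ${{ github.event_name != 'pull_request' }}` on the build-push step — keeps pre-merge validation while the login and push stay gated. The restored `github.ref == 'refs/heads/main'` check in the second hunk is now redundant with the `push: branches: [main]` trigger, though the `github.repository` check still protects forks that keep the workflow.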
diff --git a/.github/workflows/docker-publish-attestation.yml b/.github/workflows/docker-publish-attestation.yml
new file mode 100644
index 000000000..a79243ef8
--- /dev/null
+++ b/.github/workflows/docker-publish-attestation.yml
@@ -0,0 +1,37 @@
+name: Build and Publish Docker Image
+
+on:
+ push:
+ branches: [main]
+ # For testing
+ pull_request:
+ branches: [main]
+
+jobs:
+ docker-build-publish:
+ name: Build and Publish Docker Image
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Checkout Repository
+ uses: actions/checkout@v6
+
+ - name: Log in to Docker Hub
+ if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ uses: docker/login-action@v3
+ with:
+ username: finos
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Build and Publish Docker Image
+ if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: Dockerfile
+ push: true
+ tags: finos/git-proxy:latest
+ provenance: true
From 691b925b2cbcf7dfe3967a75ec60f2cac7d8644c Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Sat, 24 Jan 2026 09:09:58 +0900
Subject: [PATCH 11/12] chore: add attestation to regular docker publish action, remove extra test action
---
 .../workflows/docker-publish-attestation.yml | 37 -------------------
 .github/workflows/docker-publish.yml | 28 ++++++--------
 2 files changed, 11 insertions(+), 54 deletions(-)
 delete mode 100644 .github/workflows/docker-publish-attestation.yml
diff --git a/.github/workflows/docker-publish-attestation.yml b/.github/workflows/docker-publish-attestation.yml
deleted file mode 100644
index a79243ef8..000000000
--- a/.github/workflows/docker-publish-attestation.yml
+++ /dev/null
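Review bot: The `pull_request` trigger labelled `# For testing` does not test the build: both the login and the build-push steps are gated on `github.ref == 'refs/heads/main'`, so on a pull request the job only checks out the repository and sets up Buildx. If the intent is to validate the Dockerfile pre-merge, drop the `if:` from the build step and gate only the push, `push: ${{ github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy' }}`, keeping the `if:` on the login step. This workflow also has no `permissions:` block and shares its `name:` with `docker-publish.yml`, which makes the two indistinguishable in the Actions UI; patch 11 deletes the file, so these points mainly carry over to the version folded into `docker-publish.yml`.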
@@ -1,37 +0,0 @@
-name: Build and Publish Docker Image
-
-on:
- push:
- branches: [main]
- # For testing
- pull_request:
- branches: [main]
-
-jobs:
- docker-build-publish:
- name: Build and Publish Docker Image
- runs-on: ubuntu-latest
-
- steps:
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Checkout Repository
- uses: actions/checkout@v6
-
- - name: Log in to Docker Hub
- if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
- uses: docker/login-action@v3
- with:
- username: finos
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Build and Publish Docker Image
- if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
- uses: docker/build-push-action@v6
- with:
- context: .
- file: Dockerfile
- push: true
- tags: finos/git-proxy:latest
- provenance: true
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 5dc5fb8b8..c5273bfc8 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -10,22 +10,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Checkout Repository
 uses: actions/checkout@v6
- - name: Build Docker Image
- shell: bash
- run: |
- docker build -f ./Dockerfile -t finos/git-proxy:latest .
-
- # - name: Scan Image with Trivy
- # uses: aquasecurity/trivy-action@0.28.0
- # with:
- # image-ref: finos/git-proxy:latest
- # format: table
- # exit-code: '1'
- # severity: HIGH,CRITICAL
-
 - name: Log in to Docker Hub
 if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
 uses: docker/login-action@v3
@@ -33,8 +23,12 @@ jobs:
 username: finos
 password: ${{ secrets.DOCKER_PASSWORD }}
- - name: Publish Docker Image
+ - name: Build and Publish Docker Image
 if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
- shell: bash
- run: |
- docker push finos/git-proxy:latest
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: Dockerfile
+ push: true
+ tags: finos/git-proxy:latest
+ provenance: true
From 2265b2b7ddc2cfeb691de6bd66984bf43324b7d9 Mon Sep 17 00:00:00 2001
From: Juan Escalada
Date: Sat, 24 Jan 2026 10:31:29 +0900
Subject: [PATCH 12/12] feat: add publish on release and proper tags
---
 .github/workflows/docker-publish.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index c5273bfc8..b8e24346f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -3,6 +3,8 @@ name: Build and Publish Docker Image
 on:
 push:
 branches: [main]
+ release:
+ types: [published]
 jobs:
 docker-build-publish:
@@ -17,18 +19,27 @@ jobs:
 uses: actions/checkout@v6
 - name: Log in to Docker Hub
- if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ if: github.repository == 'finos/git-proxy'
 uses: docker/login-action@v3
 with:
 username: finos
 password: ${{ secrets.DOCKER_PASSWORD }}
+ - name: Set Docker Image Tag
+ id: tags
+ run: |
+ if [ "${{ github.event_name }}" = "release" ]; then
+ echo "tags=finos/git-proxy:${{ github.ref_name }},finos/git-proxy:latest" >> $GITHUB_OUTPUT
+ else
+ echo "tags=finos/git-proxy:main" >> $GITHUB_OUTPUT
+ fi
+
 - name: Build and Publish Docker Image
- if: github.ref == 'refs/heads/main' && github.repository == 'finos/git-proxy'
+ if: github.repository == 'finos/git-proxy'
 uses: docker/build-push-action@v6
 with:
 context: .
 file: Dockerfile
 push: true
- tags: finos/git-proxy:latest
+ tags: ${{ steps.tags.outputs.tags }}
 provenance: true
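Review bot: `provenance: true` on `docker/build-push-action` requests the default provenance attestation, which to my knowledge is the minimal `mode=min` variant; for an image that is meant to be verifiable, `provenance: mode=max` records the full build definition (Dockerfile and build arguments) and `sbom: true` attaches an SBOM alongside it. The attestation only helps consumers if the verification side is documented — a short note in the deployment docs on how to inspect the attestation for `finos/git-proxy` would complete the feature. The Trivy scan removed earlier in this series is not reinstated here, so the image is still pushed unscanned.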
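Review bot: `${{ github.ref_name }}` is expanded by the runner straight into the `run:` script of the new `Set Docker Image Tag` step, which is the expression-injection pattern GitHub's workflow-hardening guidance warns about — the value is a tag name chosen by whoever publishes the release, and shell metacharacters in it would be interpreted by this step. The `$GITHUB_OUTPUT` redirect is also unquoted. Passing the value through `env:` and quoting it removes the issue, and `github.event.release.prerelease` can keep a pre-release from re-pointing `latest`, since the `release: types: [published]` trigger added in the first hunk fires for pre-releases too. The rewritten step:

```yaml
      - name: Set Docker Image Tag
        id: tags
        env:
          REF_NAME: ${{ github.ref_name }}
          PRERELEASE: ${{ github.event.release.prerelease }}
        run: |
          if [ "${{ github.event_name }}" = "release" ]; then
            tags="finos/git-proxy:${REF_NAME}"
            [ "$PRERELEASE" = "true" ] || tags="${tags},finos/git-proxy:latest"
            echo "tags=${tags}" >> "$GITHUB_OUTPUT"
          else
            echo "tags=finos/git-proxy:main" >> "$GITHUB_OUTPUT"
          fi
```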