Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Action + Docker tag suffix #16

Merged
merged 8 commits into from
Dec 11, 2023
Merged

GitHub Action + Docker tag suffix #16

merged 8 commits into from
Dec 11, 2023

Conversation

ysbaddaden
Copy link
Contributor

@ysbaddaden ysbaddaden commented Jan 26, 2023
edited
Loading

Rebased from the new main branch and updated with tests for the new -t and -o build options.

  • -t 'suffix' allows to set an optional suffix to the docker image tag (but not to latest). For example -t '-next' will create & push a tag-next image instead of tag.
  • -o 'options' will pass custom options to the docker build command. For example -o "--build-args gemfile=Gemfile.next".

Both arguments are require to build alternate images when we dual boot a Ruby on Rails application for example: we can build a regular image build.sh as well as an alternate image using updated dependencies with build.sh -t '-next' -o '--build-arg gemfile=Gemfile.next' and then deploy the version we want.

Also provides a GitHub action, that will install ci-docker-builder and build the docker image with the options we want right from a GHA workflow. For example:

steps:
  - uses: action/checkout@v3
  - uses: manastech/ci-docker-builder@<commit> # NOTE: fix commit
    with:
      tag-suffix: "-next"
      build-options: "--build-arg gemfile=Gemfile.next"

Supersedes #13

@ysbaddaden
Metadata to make a GitHub Action
2d7694b
@ysbaddaden
Add options to suffix a tag and pass docker build options
095db0e
@ysbaddaden
GHA: use a JavaScript action
5efa342 
The composite action didn't work as expected (the action's
`action.sh` and `build.sh` weren't accessible), so I replaced the
shell script with a tiny JavaScript bootstrap, that will properly
collect the action inputs and generate a simple local build.sh and
calls it.

Note that we couldn't use a Docker container action, because we
couldn't access the host docker ending, and would need to add both
docker cli and docker server to the docker container...
@ysbaddaden ysbaddaden added the enhancement New feature or request label Jan 26, 2023
@ysbaddaden ysbaddaden self-assigned this Jan 26, 2023
@ysbaddaden ysbaddaden marked this pull request as ready for review January 26, 2023 12:00
@ysbaddaden ysbaddaden mentioned this pull request Jan 26, 2023
Closed
@ysbaddaden ysbaddaden mentioned this pull request Mar 14, 2023
Open
matiasgarciaisaia
matiasgarciaisaia reviewed Dec 1, 2023
View reviewed changes
Copy link
Member

@matiasgarciaisaia matiasgarciaisaia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's been quite a while, but I've just got to review this one.

Generating the script (and running it) looks scary, but I think we're good.

I'm updating some stuff regarding the now-removed latest flag - we're good to merge after that 👍

README.md Outdated Show resolved Hide resolved
action.js Outdated Show resolved Hide resolved
action.js
Comment on lines +22 to +31
// generate a local build.sh script:
fs.writeFileSync("build.sh", `#! bash
source ${__dirname}/build.sh
dockerSetup ${setupOpts.join(" ")}
echo $VERSION > VERSION
dockerBuildAndPush ${buildOpts.join(" ")}
`)

// execute it:
const build = spawn("bash", ["build.sh"], { maxBuffer: 100 * 1024 * 1024 })
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Woa. Wasn't expecting that.

Don't we need more escaping here? We can discover that along the way, though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean that:

  1. someone can sneak something like $SOME_SECRET into build.sh which might be a security issue (but might be legit);
  2. we should quote the params (probably not possible for build-options);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's mostly fear (with no concrete issue spotted) of generating a bash script and executing it.

I'm wondering if the __dirname could be abused to source another script, or somthing like that.

But maybe not think that much about an attacker (it should be trusted people the ones that could configure the Action), but about accidental issues with corner values (a directory name with a whitespace?).

But, once again: it's mostly unfounded fear. I'd say we merge 👍

action.yml Outdated Show resolved Hide resolved
@matiasgarciaisaia
Remove already removed latest flag
6459017 
See 5d99055
@matiasgarciaisaia
Use current action/checkout version
d2613cd 
The old one was depracted due to its base NodeJS version
@ysbaddaden ysbaddaden merged commit 0084f2b into manastech:main Dec 11, 2023
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matiasgarciaisaia matiasgarciaisaia matiasgarciaisaia left review comments

Assignees

@ysbaddaden ysbaddaden

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ysbaddaden @matiasgarciaisaia