Publish scancode-toolkit Docker image to ghcr.io #3026

robertlagrant opened this issue Jul 27, 2022 · 7 comments · May be fixed by #3027

Comments


robertlagrant commented Jul 27, 2022

Short Description

Prepackage the software as a Docker image, hosted here on ghcr.io.

Select Category

  • Packaging

Describe the Update

Build and upload the Docker image to ghcr.io

How This Feature will help you/your organization

It'll be much simpler to pull in without going through the build process.

Possible Solution/Implementation Details

Perform the automation triggered in GitHub Actions upon release.

Can you help with this Feature

#3027

robertlagrant added a commit to robertlagrant/scancode-toolkit that referenced this issue Jul 27, 2022
Simplifying deployment/running locally.

Using an existing GitHub Action that works and has tests. It pushes to the current repo's ghcr.io repository and adds a latest tag. I'm not sure how the project would want to handle other tags, so I've not dived into that (yet).

Signed-off-by: Rob Grant <rob.grant@nanoporetech.com>
@robertlagrant robertlagrant linked a pull request Jul 27, 2022 that will close this issue

@pombredanne (Member) commented

@robertlagrant Thanks... this sounds like a good idea ... one question though: is this a free service? Based on https://github.com/features/packages#pricing there seems to be a price tag attached not only to publishing but also to the mere pulling of images which is something we cannot control?


robertlagrant commented Jul 28, 2022

@pombredanne that page design is very misleading! The prices on the right are for private repos. On the left, public repos, it's unlimited.


elrayle commented Aug 15, 2023

I'd love to see an official image for the latest release as well. From the pricing page, this shows that public repos can put up images for free...

[screenshot: GitHub Packages Documentation pricing page]

I have time to help work on this, if you like.

@hakandilek commented

Any update/progress on this? I'd also love to help if someone can guide to the right direction.

@pombredanne (Member) commented

The work to do should be to ensure that we are not the proverbial cobbler's son and that we have a basic handle on the license and origin of the packages that go in the base image, and collecting the source code.
This would mean scanning this in ScanCode.io (with scancode... how circular!)

The second thing would be to have a CI/CD job that builds, runs smoke tests and publishes the image on each release, and ideally would also collect the source packages for the image (and stuff them in an image or layer to have them published handy).

The third thing would be to run the job daily to get an updated image with the latest security fixes.

@pombredanne (Member) commented

@RomainPelletant let's use this instead of #3776


RomainPelletant commented May 14, 2024

The main actions to publish the Docker image in the right way, based on that post (@pombredanne please correct me if I am wrong) are:

  • Create the Docker image based on the Dockerfile provided in scancode (based on slim-buster: Debian): already done by @robertlagrant
  • Keep that image as an artifact, and run scancode by following this tutorial
    This run shall be done in a Docker image, with scancode installed (with the latest version? the last release?)
  • Generate attribution by following this tutorial. Keep the generated attribution as an artifact.
  • Build the Docker image still based on the Dockerfile provided in scancode, but add a step to download packages using apt-get source
  • Keep that last image as an artifact, and run some smoke tests (do you see a minimum test scope?)
  • If tests succeed, publish the image (with package sources): the tag will depend on the trigger => next chapter

Two kinds of images:

  • Release / tag images: do all the job on new release creation
  • Latest tag: do all the job daily based on main branch
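One way to wire up the two-trigger pipeline sketched in the comments above (release-tagged image on each release, `latest` rebuilt daily from main, smoke test gating the push), as an added example that is not the PR in this thread nor the project's own workflow. It assumes the Dockerfile sits at the repository root and that the image's entrypoint is the scancode CLI, so `--version` exercises it; the attribution and `apt-get source` steps from the list above are not shown.

```yaml
name: Publish container image to ghcr.io

on:
  release:
    types: [published]        # release/tag images
  schedule:
    - cron: "0 3 * * *"       # daily rebuild of main for the latest tag
  workflow_dispatch:

permissions:
  contents: read
  packages: write             # lets GITHUB_TOKEN push to ghcr.io

jobs:
  build-test-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Release events yield the vX.Y.Z version tag; scheduled runs on main yield "latest".
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=raw,value=latest,enable=${{ github.event_name == 'schedule' }}

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build into the local daemon first so the smoke test gates the publish.
      - uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          tags: scancode-candidate
      # Assumption: the image entrypoint is the scancode CLI, so --version exercises it.
      - name: Smoke test
        run: docker run --rm scancode-candidate --version

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Scheduled runs always check out the default branch, which is what produces the daily `latest`; a release run checks out the release tag and gets only the semver tag.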
