From 110e74227c872dc167ffc1d26c86dba63ca8f513 Mon Sep 17 00:00:00 2001
From: Niall Byrne <9848926+niall-byrne@users.noreply.github.com>
Date: Thu, 16 Nov 2023 15:20:56 -0500
Subject: [PATCH] ci(GITHUB): integrate container workflows

---
 .github/workflows/workflow-push.yml | 60 ++++++++++++++++++++++++++++-
 Dockerfile | 24 ++++++------
 providers/aws.bash | 2 +-
 providers/cloudflare.bash | 2 +-
 4 files changed, 72 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/workflow-push.yml b/.github/workflows/workflow-push.yml
index 116ee63..ab74317 100644
--- a/.github/workflows/workflow-push.yml
+++ b/.github/workflows/workflow-push.yml
@@ -90,6 +90,14 @@ jobs:
 REV_RANGE: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_commit_spelling_rev_range }}
 VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
+ docker_container_lint:
+ needs: [configuration]
+ secrets:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: cicd-tools-org/cicd-tools/.github/workflows/.github/workflows/job-80-container-dockerfile_linter.yml@master
+ with:
+ VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
+
 json_schema_lint:
 needs: [configuration]
 secrets:
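Review bot: The `uses:` reference of the new `docker_container_lint` job repeats the `.github/workflows/` path segment (`cicd-tools-org/cicd-tools/.github/workflows/.github/workflows/job-80-container-dockerfile_linter.yml@master`), which matches none of the other reusable-workflow references in this file and will not resolve when the job is scheduled; because `create_release` is made to depend on `docker_container_lint` in the same commit, the whole release chain blocks on it. The line should read `uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-container-dockerfile_linter.yml@master`. Beyond that, the new job only forwards `SLACK_WEBHOOK` and takes no elevated `permissions:`, which is appropriate for a linter.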
@@ -195,15 +203,63 @@ jobs:
 create_release:
 permissions:
 contents: write
- needs: [commit_lint, commit_spell_check, configuration, json_schema_lint, markdown_links, markdown_lint, markdown_spelling, pre-commit_hooks, security, shell_lint, start, toml_lint, workflow_lint, yaml_lint]
+ needs: [commit_lint, commit_spell_check, configuration, docker_container_lint, json_schema_lint, markdown_links, markdown_lint, markdown_spelling, pre-commit_hooks, security, shell_lint, start, toml_lint, workflow_lint, yaml_lint]
 secrets:
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 uses: cicd-tools-org/cicd-tools/.github/workflows/job-99-poetry-create_release.yml@master
 with:
 JSON_APPENDED_CONTENT: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_extra_release_content) }}
+ scan_container_aws:
+ permissions:
+ security-events: write
+ needs: [configuration, create_release]
+ secrets:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: cicd-tools-org/cicd-tools/.github/workflows/job-10-container-security_scan_container.yml@master
+ with:
+ BUILD_ARGS: "aws"
+ IMAGE_NAME: "ghcr.io/niallbyrne_ca/smtp-aws"
+ VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
+
+ scan_container_cloudflare:
+ permissions:
+ security-events: write
+ needs: [configuration, create_release]
+ secrets:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: cicd-tools-org/cicd-tools/.github/workflows/job-10-container-security_scan_container.yml@master
+ with:
+ BUILD_ARGS: "cloudflare"
+ IMAGE_NAME: "ghcr.io/niallbyrne_ca/smtp-cloudflare"
+ VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
+
+ push_container_aws:
+ needs: [configuration, scan_container_aws]
+ permissions:
+ packages: write
+ secrets:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-container-push.yml@master
+ with:
+ BUILD_ARGS: "aws"
+ IMAGE_NAME: "ghcr.io/niallbyrne_ca/smtp-aws"
+ VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
+
+ push_container_cloudflare:
+ needs: [configuration, scan_container_cloudflare]
+ permissions:
+ packages: write
+ secrets:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-container-push.yml@master
+ with:
+ BUILD_ARGS: "cloudflare"
+ IMAGE_NAME: "ghcr.io/niallbyrne_ca/smtp-cloudflare"
+ VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.COOKIECUTTER_CONFIGURATION)._GITHUB_CI_DEFAULT_VERBOSE_NOTIFICATIONS }}
+
 success:
- needs: [create_release]
+ needs: [push_container_aws, push_container_cloudflare]
 secrets:
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@master
diff --git a/Dockerfile b/Dockerfile
index 368ce06..7e42bc9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/cisagov/postfix:latest
+FROM docker.io/cisagov/postfix:0.1.1
 ENV ENV_FILE ""
 ENV DKIM_DELAY "30"
@@ -12,22 +12,22 @@ RUN mkdir -p certbot /usr/local/share/certs/providers /usr/local/share/certs/scr
 COPY providers/"${PROVIDER}".bash /usr/local/share/certs/providers
 COPY scripts/*.bash /usr/local/share/certs/scripts
-RUN apt-get update \
- && \
- apt install -y \
- certbot \
- jq \
- procps \
- psmisc \
- && \
- bash -c " \
+RUN apt-get update \
+ && \
+ apt-get install -y --no-install-recommends \
+ certbot \
+ jq \
+ && \
+ bash -c " \
 source /usr/local/share/certs/providers/${PROVIDER}.bash \
 && \
 provider_dependencies \
- " \
- && \
+ " \
+ && \
 rm -rf /var/lib/apt/lists/*
+WORKDIR /root
+
 COPY entrypoint.sh entrypoint.sh
 RUN chmod +x entrypoint.sh
diff --git a/providers/aws.bash b/providers/aws.bash
index 19986be..cff0b52 100644
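Review bot: Nothing visible ties the image that `scan_container_aws` / `scan_container_cloudflare` scans to the image that `push_container_aws` / `push_container_cloudflare` publishes: the push jobs only `needs:` the scan jobs and receive the same `BUILD_ARGS` and `IMAGE_NAME`, with no digest, tag or artifact output flowing from scan to push. Unless `job-10-container-security_scan_container.yml` and `job-95-container-push.yml` share a build artifact (not verifiable from here), the pushed image is a second build whose base tag and apt packages may differ from what was scanned, so the scan gate is advisory rather than binding; have the scan workflow emit the image digest (or push to a staging tag) and make the push job consume that exact reference, or document the assumption next to the `needs:` line. The ordering also publishes the release (`create_release`) before any image is scanned or pushed, so a failed scan leaves a tagged release with no matching images; moving `create_release` after the push jobs, or making the push jobs not depend on it, avoids that half-published state. Finally, the new jobs run third-party reusable workflows from `@master` with `packages: write` and `security-events: write`; the `@master` convention predates this commit, but for jobs that publish to GHCR a pinned commit SHA (`...job-95-container-push.yml@<sha>  # vX.Y.Z`) is worth the maintenance cost.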
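Review bot: The rewritten `RUN` drops `procps` and `psmisc` from the package list, so `ps`, `pkill` and `killall` are no longer in the image; `entrypoint.sh` and `scripts/*.bash` are copied in but not visible here, so if any of them call those tools (plausible for a postfix/DKIM restart loop given `DKIM_DELAY`) the container will fail at runtime rather than at build time — confirm and mention the removal in the commit message either way. The new `WORKDIR /root` with `entrypoint.sh` copied beside it makes explicit that the image keeps running as root; if the base image requires that for postfix, a one-line comment such as `# postfix in the base image expects to start as root; no USER switch here` above `WORKDIR /root` would save the next reader from asking. If the `docker_container_lint` job added in this commit runs hadolint (presumably, from the job name), unpinned `apt-get install` here and in the provider scripts will be reported as DL3008, so either pin versions or add a `# hadolint ignore=DL3008` with a stated reason before the `RUN`.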
--- a/providers/aws.bash
+++ b/providers/aws.bash
@@ -5,7 +5,7 @@ provider_create() {
 }
 provider_dependencies() {
- apt install -y awscli python3-certbot-dns-route53
+ apt-get install -y --no-install-recommends awscli python3-certbot-dns-route53
 }
 provider_dkim() {
diff --git a/providers/cloudflare.bash b/providers/cloudflare.bash
index ee4e4af..0bd0d0a 100644
--- a/providers/cloudflare.bash
+++ b/providers/cloudflare.bash
@@ -6,7 +6,7 @@ provider_create() {
 }
 provider_dependencies() {
- apt install -y curl python3-certbot-dns-cloudflare
+ apt-get install -y --no-install-recommends curl python3-certbot-dns-cloudflare
 }
 provider_dkim() {