From 6052667d36382029e73b80983cb01d9f331fea86 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Tue, 24 May 2022 20:17:04 -0400 Subject: [PATCH] image: Build the `scorecard` command from source instead of copying This is another step in getting rid of the bash-based entrypoint. By building from the scorecard-action source, we're ensuring a few things: - The existing entrypoint leverages the wrapper code - We only track the scorecard dependency in a single location (go.mod) Signed-off-by: Stephen Augustus --- .dockerignore | 1 + .gitignore | 1 + Dockerfile | 29 ++++++++++++++++------------- docs/development.md | 15 +++++++++++++++ 4 files changed, 33 insertions(+), 13 deletions(-) create mode 120000 .dockerignore create mode 100644 docs/development.md diff --git a/.dockerignore b/.dockerignore new file mode 120000 index 00000000..3e4e48b0 --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +.gitignore \ No newline at end of file diff --git a/.gitignore b/.gitignore index e5e4f68b..dad4cc3d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ # Testing unit-coverage.out scorecard-action +output/ diff --git a/Dockerfile b/Dockerfile index 774a8b9a..1337ffc3 100644 --- a/Dockerfile +++ b/Dockerfile 
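Review bot: Symlinking `.dockerignore` to `.gitignore` means `.git/` is never excluded (a `.gitignore` does not list it), so the Dockerfile's new `COPY ./ ./` ships the whole repository history, plus any untracked local files that happen not to be git-ignored, into the build context and the builder layer. None of that reaches the final stage, but it enlarges and cache-busts every build and is the usual path by which stray local files land in an image. A real `.dockerignore` that adds `.git` (and the non-build paths such as `docs/`) on top of the `.gitignore` entries would be the safer choice; if the symlink is kept, it presumably only resolves when the build runs from a checkout where `.gitignore` sits beside it.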
@@ -12,16 +12,19 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Testing: docker run -e GITHUB_REF=refs/heads/main \ -# -e GITHUB_EVENT_NAME=branch_protection_rule \ -# -e INPUT_RESULTS_FORMAT=sarif \ -# -e INPUT_RESULTS_FILE=results.sarif \ -# -e GITHUB_WORKSPACE=/ \ -# -e INPUT_POLICY_FILE="/policy.yml" \ -# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \ -# -e GITHUB_REPOSITORY="ossf/scorecard" \ -# laurentsimon/scorecard-action:latest -FROM gcr.io/openssf/scorecard:v4.2.0@sha256:86666488851413a52fa4dee05df503aa0ed8e93fbf71b1f4c96b2539bd9e4306 as base +# See docs/development.md for details on how to test this image. + +# TODO: Prefer SHA for builder image. +# TODO: Upgrade to go1.18 once this repo is compatible. +FROM golang:1.17-bullseye as builder + +WORKDIR /workspace + +# TODO: Revisit directory structure to make this a more lightweight copy. +COPY ./ ./ + +# Copied from make build target +RUN CGO_ENABLED=0 go build -o scorecard -trimpath -a -tags netgo -ldflags '-w -extldflags' # Build our image and update the root certs. # TODO: use distroless. @@ -30,11 +33,11 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends \ jq ca-certificates curl -# Copy the scorecard binary from the official scorecard image. -COPY --from=base /scorecard /scorecard +# Copy the scorecard binary from the intermediate builder image. +COPY --from=builder /workspace/scorecard /scorecard # Copy a test policy for local testing. -COPY policies/template.yml /policy.yml +COPY --from=builder /workspace/policies/template.yml /policy.yml # Our entry point. # Note: the file is executable in the repo diff --git a/docs/development.md b/docs/development.md new file mode 100644 index 00000000..4027431f --- /dev/null +++ b/docs/development.md 
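Review bot: `-ldflags '-w -extldflags'` on the new `RUN go build` line leaves `-extldflags` without its value; that linker flag takes the string to forward to the external linker, so as written I expect the link step to reject it with a missing-argument error (or, at best, to ignore it under `CGO_ENABLED=0`) — confirm against the `make build` target the comment cites and either drop the flag or give it the intended value (commonly `"-static"`). Separately, `COPY ./ ./` copies the full context before any dependency step, so every source edit re-resolves modules; copying the manifests first keeps that layer cached: `COPY go.mod go.sum ./` / `RUN go mod download` / `COPY ./ ./`. The unpinned `golang:1.17-bullseye` is already covered by the hunk's own TODO, so no further note on that.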
@@ -0,0 +1,15 @@
+# Developing
+
+## Testing container images
+
+```shell
+docker run -e GITHUB_REF=refs/heads/main \
+ -e GITHUB_EVENT_NAME=branch_protection_rule \
+ -e INPUT_RESULTS_FORMAT=sarif \
+ -e INPUT_RESULTS_FILE=results.sarif \
+ -e GITHUB_WORKSPACE=/ \
+ -e INPUT_POLICY_FILE="/policy.yml" \
+ -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \
+ -e GITHUB_REPOSITORY="ossf/scorecard" \
+ laurentsimon/scorecard-action:latest
+```