Merge branch 'release/6.04.06'

swissgrc · Feb 14, 2023 · e5e9caf · e5e9caf
2 parents 024157c + 95eaa1a
commit e5e9caf
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 158 deletions.
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -1,50 +1,12 @@
----
-#################################
-#################################
-## Super Linter GitHub Actions ##
-#################################
-#################################
 name: Lint Code Base
 
-# Documentation:
-# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
-#
-#################################################
-# Start the job on all pull requests on develop #
-#################################################
 on:
   pull_request:
     branches: [develop]
 
-###############
-# Set the Job #
-###############
 jobs:
-  build:
-    # Name the Job
+  lint-image:
     name: Lint Code Base
-    # Set the agent to run on
-    runs-on: ubuntu-latest
-
-    ##################
-    # Load all steps #
-    ##################
-    steps:
-      ##########################
-      # Checkout the code base #
-      ##########################
-      - name: Checkout Code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-        with:
-          # Full Git history is needed to get a proper list of changed files
-          fetch-depth: 0
-
-      ################################
-      # Run Linter against code base #
-      ################################
-      - name: Lint Code Base
-        uses: github/super-linter/slim@985ef206aaca4d560cb9ee2af2b42ba44adc1d55 # v4.10.0
-        env:
-          VALIDATE_ALL_CODEBASE: false
-          DEFAULT_BRANCH: develop
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    uses: swissgrc/.github/.github/workflows/lint-image.yml@main
+    secrets:
+      gh-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -9,73 +9,12 @@ on:
     branches: [develop]
 
 jobs:
-  build:
+  publish-image:
     name: Build and push Docker image
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-
-      # Extract metadata (tags, labels) for Docker
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # tag=v4.1.1
-        with:
-          images: swissgrc/azure-pipelines-dotnet
-          tags: |
-            type=ref,event=tag
-            type=ref,event=pr
-            # set unstable tag for develop branch
-            type=raw,value=unstable,enable=${{ github.ref == format('refs/heads/{0}', 'develop') }}
-
-      # Build Docker image with Buildx
-      - name: Build Docker image
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # tag=v3.2.0
-        with:
-          context: .
-          push: false
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-
-      # Scan Docker image (not for release builds since we will have multiple tags)
-      - name: Scan Docker image
-        if: github.event_name != 'release'
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=0.8.0
-        with:
-          image-ref: ${{ steps.meta.outputs.tags }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      # Publish scan report to GitHub
-      - name: Publish scan report to GitHub
-        if: ${{ github.event_name != 'release' && always() }}
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
-        with:
-          sarif_file: trivy-results.sarif
-
-      # Login to Docker registry if not PR build
-      - name: Log in to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      # Publish Docker image for CI builds if not PR build
-      - name: Push container image
-        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # tag=v3.2.0
-        if: github.event_name != 'pull_request'
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-
-      # Update Readme on Docker Hub
-      - name: Publish README to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: peter-evans/dockerhub-description@93b93397c27ed52b4055b8c6b2f8d92456ab3c56 # tag=v3.1.2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: swissgrc/azure-pipelines-dotnet
+    uses: swissgrc/.github/.github/workflows/publish-image.yml@main
+    with:
+      image-name: swissgrc/azure-pipelines-dotnet
+    secrets:
+      gh-token: ${{ secrets.GITHUB_TOKEN }}
+      docker-username: ${{ secrets.DOCKER_USERNAME }}
+      docker-password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,50 @@
-FROM debian:11.6-slim
+# Base image containing dependencies used in builder and final image
+FROM debian:11.6-slim AS base
+
+# Make sure to fail due to an error at any stage in shell pipes
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# renovate: datasource=repology depName=debian_11/ca-certificates versioning=loose
+ENV CACERTIFICATES_VERSION=20210119
+
+RUN apt-get update -y && \
+  # Install necessary dependencies
+  apt-get install -y --no-install-recommends ca-certificates=${CACERTIFICATES_VERSION} && \
+  # Clean up
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
+
+
+# Builder image
+FROM base AS build
+
+# Make sure to fail due to an error at any stage in shell pipes
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# renovate: datasource=repology depName=debian_11/curl versioning=loose
+ENV CURL_VERSION=7.74.0-1.3+deb11u5
+# renovate: datasource=repology depName=debian_11/lsb-release versioning=loose
+ENV LSBRELEASE_VERSION=11.1.0
+# renovate: datasource=repology depName=debian_11/gnupg2 versioning=loose
+ENV GNUPG_VERSION=2.2.27-2+deb11u2
+
+RUN apt-get update -y && \
+  # Install necessary dependencies
+  apt-get install -y --no-install-recommends curl=${CURL_VERSION} lsb-release=${LSBRELEASE_VERSION} gnupg=${GNUPG_VERSION} && \
+  # Add Git LFS PPA
+  curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
+  # Add Dockers public key
+  mkdir -p /etc/apt/keyrings && \
+  curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
+  # Add Dockers APT repository to the list of sources
+  echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+  # Add .NET PPA
+  curl -o /tmp/packages-microsoft-prod.deb https://packages.microsoft.com/config/debian/11/packages-microsoft-prod.deb && \
+  dpkg -i /tmp/packages-microsoft-prod.deb && \
+  rm -rf /tmp/*
+
+# Final image
+FROM base AS final
 
 LABEL org.opencontainers.image.vendor="Swiss GRC AG"
 LABEL org.opencontainers.image.authors="Swiss GRC AG <[email protected]>"
@@ -8,26 +54,49 @@ LABEL org.opencontainers.image.documentation="https://github.com/swissgrc/docker
 # Make sure to fail due to an error at any stage in shell pipes
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+WORKDIR /
+# Copy Docker & Git LFS keyring
+COPY --from=build /etc/apt/keyrings/ /etc/apt/keyrings
+# Copy .NET keyring
+COPY --from=build /etc/apt/trusted.gpg.d/ /etc/apt/trusted.gpg.d
+COPY --from=build /etc/apt/sources.list.d/ /etc/apt/sources.list.d
+
+# renovate: datasource=repology depName=debian_11_backports/git versioning=loose
+ENV GIT_VERSION=1:2.39.1-0.1~bpo11+1
+
+RUN echo "deb http://deb.debian.org/debian bullseye-backports main" | tee /etc/apt/sources.list.d/bullseye-backports.list && \
+  apt-get update -y && \
+  # Install Git
+  apt-get install -y --no-install-recommends -t bullseye-backports git=${GIT_VERSION} && \
+  # Clean up
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/* && \
+  # Smoke test
+  git version
+
+# Install Git LFS
+
+# renovate: datasource=github-tags depName=git-lfs/git-lfs extractVersion=^v(?<version>.*)$
+ENV GITLFS_VERSION=3.3.0
+
+RUN apt-get update -y && \
+  # Install Git LFS
+  apt-get install -y --no-install-recommends git-lfs=${GITLFS_VERSION}  && \
+  # Clean up
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/* && \
+  # Smoke test
+  git lfs version
+
 # Install Docker CLI
 
 # renovate: datasource=github-tags depName=docker/cli extractVersion=^v(?<version>.*)$
-ENV DOCKERCLI_VERSION=20.10.22
-#Disabled renovate: datasource=repology depName=debian_11/curl versioning=loose
-ENV CURL_VERSION=7.74.0-1.3+deb11u3
-#Disabled renovate: datasource=repology depName=debian_11/ca-certificates versioning=loose
-ENV CACERTIFICATES_VERSION=20210119
-#Disabled renovate: datasource=repology depName=debian_11/lsb-release versioning=loose
-ENV LSBRELEASE_VERSION=11.1.0
-#Disabled renovate: datasource=repology depName=debian_11/gnupg2 versioning=loose
-ENV GNUPG_VERSION=2.2.27-2+deb11u2
+ENV DOCKERCLI_VERSION=23.0.1
 
 RUN apt-get update -y && \
-  apt-get install -y --no-install-recommends ca-certificates=${CACERTIFICATES_VERSION} curl=${CURL_VERSION} lsb-release=${LSBRELEASE_VERSION} gnupg=${GNUPG_VERSION} && \
-  mkdir -p /etc/apt/keyrings && \
-  curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
-  echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
-  apt-get update -y && \
-  apt-get install -y --no-install-recommends docker-ce-cli=5:${DOCKERCLI_VERSION}~3-0~debian-bullseye && \
+  # Install Docker CLI
+  apt-get install -y --no-install-recommends docker-ce-cli=5:${DOCKERCLI_VERSION}-1~debian.11~bullseye && \
+  # Clean up
   apt-get clean && \
   rm -rf /var/lib/apt/lists/* && \
   # Smoke test
@@ -36,7 +105,7 @@ RUN apt-get update -y && \
 # Install .NET 6
 
 # renovate: datasource=github-tags depName=dotnet/sdk extractVersion=^v(?<version>.*)$
-ENV DOTNET_VERSION=6.0.405
+ENV DOTNET_VERSION=6.0.406
 
 ENV \
     # Do not show first run text
@@ -49,10 +118,10 @@ ENV \
     # Skip extraction of XML docs - generally not useful within an image/container - helps performance
     NUGET_XMLDOC_MODE=skip
 
-RUN curl -o /tmp/packages-microsoft-prod.deb https://packages.microsoft.com/config/debian/11/packages-microsoft-prod.deb && \
-  dpkg -i /tmp/packages-microsoft-prod.deb && \
-  rm -rf /tmp/* && \
-  apt-get update && apt-get install -y --no-install-recommends dotnet-sdk-6.0=${DOTNET_VERSION}-1 && \
+RUN apt-get update -y && \
+  # Install .NET 6
+  apt-get install -y --no-install-recommends dotnet-sdk-6.0=${DOTNET_VERSION}-1 && \
+  # Clean up
   apt-get clean && \
   rm -rf /var/lib/apt/lists/* && \
   # Smoke test