diff --git a/.github/workflows/barman-base-image.yml b/.github/workflows/barman-base-image.yml
new file mode 100644
index 00000000..e3d9f756
--- /dev/null
+++ b/.github/workflows/barman-base-image.yml
@@ -0,0 +1,62 @@
+name: Barman Base Image
+on:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * 0"
+
+env:
+  IMAGE_NAME: "ghcr.io/cloudnative-pg/plugin-barman-cloud-base"
+  PLATFORMS: "linux/amd64,linux/arm64"
+
+permissions:
+  contents: write
+  packages: write
+  security-events: write
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.PLATFORMS }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ env.PLATFORMS }}
+          context: .
+          file: ./containers/Dockerfile.barmanbase
+          push: true
+          tags: ${{ env.IMAGE_NAME }}:latest
+
+      - name: Run Snyk to check Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: "${{ env.IMAGE_NAME }}:latest"
+          args: --severity-threshold=high --file=./containers/Dockerfile.barmanbase
+      -
+        name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
diff --git a/containers/Dockerfile.barmanbase b/containers/Dockerfile.barmanbase
new file mode 100644
index 00000000..4cd27fd6
--- /dev/null
+++ b/containers/Dockerfile.barmanbase
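Review bot: The `pull_request` trigger combined with `push: true` in the Build Docker Image step lets any same-repository PR overwrite `ghcr.io/cloudnative-pg/plugin-barman-cloud-base:latest` before it is reviewed, and that tag is exactly what `containers/Dockerfile.sidecar` now builds from; gate the push with `push: ${{ github.event_name != 'pull_request' }}` (fork PRs would presumably already fail at the push with the default token, but branch PRs would not). `contents: write` is not used by any step in this job — nothing commits, tags or releases — so least privilege calls for `contents: read`, keeping `packages: write` for the push and `security-events: write` for the SARIF upload. `snyk/actions/docker@master` is a mutable reference to a third-party action that is handed `SNYK_TOKEN`; pin it to a release tag or commit SHA, e.g. `uses: snyk/actions/docker@<pinned-release-or-sha>`. The last step is written as a bare `-` with `name:` on the following line, unlike every other step; `- name: Upload result to GitHub Code Scanning` keeps the list uniform.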
@@ -0,0 +1,6 @@
+FROM python:3.13-slim AS pythonbuilder
+RUN apt-get update && \
+    apt-get install -y postgresql-common build-essential && \
+    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
+    apt-get install -y libpq-dev && \
+    pip install barman[azure,cloud,google,snappy]==3.11.1 setuptools
diff --git a/containers/Dockerfile.sidecar b/containers/Dockerfile.sidecar
index 5cd75039..3d52fe68 100644
--- a/containers/Dockerfile.sidecar
+++ b/containers/Dockerfile.sidecar
@@ -30,16 +30,10 @@ COPY ../internal/ internal/
 RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build \
     CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/manager/main.go
 
-# Build barman-cloud
+# Use plug-barman-cloud-base to get the dependencies
 # pip will build everything inside /usr/ since this is the case
-# we should build and then copy every file into a destination that will
-# then copy into the distroless container
-FROM python:3.13-slim AS pythonbuilder
-RUN apt-get update && \
-    apt-get install -y postgresql-common build-essential && \
-    /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
-    apt-get install -y libpq-dev && \
-    pip install barman[azure,cloud,google,snappy]==3.11.1 setuptools
+# Copy every file into a destination that will then copy into the distroless container
+FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base:latest AS pythonbuilder
 # Prepare a new /usr/ directory with the files we'll need in the final image
 RUN mkdir /new-usr/ && \
     cp -r --parents /usr/local/lib/ /usr/lib/*-linux-gnu/ /usr/local/bin/ \
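Review bot: The single `RUN` installs `build-essential` with recommended packages and leaves the apt lists and the pip cache in the published image, so the image the new workflow pushes and scans carries a compile toolchain that barman does not need at runtime, and the Snyk scan will likely report on those packages rather than on what the sidecar actually copies out; `apt-get install -y --no-install-recommends postgresql-common build-essential && \`, `pip install --no-cache-dir barman[azure,cloud,google,snappy]==3.11.1 setuptools && \` and a final `rm -rf /var/lib/apt/lists/*` trim this without changing what gets built. Only `barman==3.11.1` is pinned; `setuptools`, pip itself and `python:3.13-slim` all float, so the weekly cron rebuild can silently produce a different image from the same commit — pinning `setuptools==<version>` and, where practical, the base image by digest makes the rebuild reproducible. The file has no header comment; one sentence stating that this image exists only to be consumed as the `pythonbuilder` stage of `containers/Dockerfile.sidecar` and is rebuilt by `.github/workflows/barman-base-image.yml` would tell the next maintainer why it is published at all.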
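Review bot: `FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base:latest AS pythonbuilder` ties the sidecar to a mutable tag that the new workflow republishes on a schedule and on every push, so the sidecar build is no longer reproducible and a changed base image reaches it with no diff in this repository to review; pin the reference by digest, `FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base@sha256:<digest> AS pythonbuilder`, and let a dependency bot bump it. The new comment says `plug-barman-cloud-base` where the image is named `plugin-barman-cloud-base`, and the kept line "pip will build everything inside /usr/ since this is the case" now dangles because the line that completed the sentence was removed; `# Use plugin-barman-cloud-base, which has barman installed under /usr/; copy what we need into the distroless image` would replace the three comment lines. The `RUN mkdir /new-usr/` that follows continues past the end of the hunk.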