Merge pull request #82 from mjanez/ckan-2.9.9

Update Dockerfiles with hadolint and actions
mjanez · Oct 2, 2023 · 36db0e9 · 36db0e9
2 parents 19debfe + b1ef0b7
commit 36db0e9
Show file tree

Hide file tree

Showing 10 changed files with 266 additions and 47 deletions.
diff --git a/.github/workflows/build-master.yml → .github/.old/build-master.yml b/.github/workflows/build-master.yml → .github/.old/build-master.yml
diff --git a/.github/workflows/build-tags.yml → .github/.old/build-tags.yml b/.github/workflows/build-tags.yml → .github/.old/build-tags.yml
diff --git a/.github/workflows/docker-master.yml → .github/.old/docker-master.yml b/.github/workflows/docker-master.yml → .github/.old/docker-master.yml
@@ -20,17 +20,17 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       -
         name: Login to registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -43,7 +43,7 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       -
         name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}

diff --git a/.github/workflows/docker-tags.yml → .github/.old/docker-tags.yml b/.github/workflows/docker-tags.yml → .github/.old/docker-tags.yml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,80 @@
+name: Build and push ckan-docker image from PR Merge
+
+on:
+  pull_request:
+    types:
+        - closed
+    branches:
+        - master
+        - 'ckan-*.*.*'
+        - '!dev/ckan-*.*.*'
+        - '!feature/*'
+        - '!fix/*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
+  CONTEXT: .
+  BRANCH: ${{ github.head_ref }}
+  DOCKERFILE_PATH: /ckan
+  DOCKERFILE: Dockerfile
+
+jobs:
+  docker:
+    name: runner/build-docker-push:${{ github.head_ref }}
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+            org.opencontainers.image.version=${{ env.BRANCH }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ env.TAG }}
+          labels: ${{ steps.meta.outputs.labels }}
+          context: ${{ env.CONTEXT }}
+          file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Linting Dockerfile with hadolint in GH Actions
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/trivy-action@0.12.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
@@ -0,0 +1,89 @@
+name: Test ckan-docker images (PR)
+
+on:
+  pull_request:
+    branches:
+        - master
+        - 'ckan-*.*.*'
+        - '!dev/ckan-*.*.*'
+        - '!feature/*'
+        - '!fix/*'
+
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ckan-docker-spatial
+    CONTEXT: .
+    BRANCH: ${{ github.head_ref }}
+    DOCKERFILE_PATH: /ckan
+    DOCKERFILE: Dockerfile
+    HADOLINT_VERSION: 2.12.0
+
+jobs:
+  docker:
+    name: runner/test-docker-pr:${{ github.head_ref }}
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      -  name: NGINX build
+         uses: docker/build-push-action@v5
+         with:
+            context: ./nginx
+            file: ./nginx/Dockerfile
+            push: false
+            tags: mjanez/ckan-docker-nginx:test-build-only
+
+      -  name: Apache HTTP Server build
+         uses: docker/build-push-action@v5
+         with:
+            context: ./apache
+            file: ./apache/Dockerfile
+            push: false
+            tags: mjanez/ckan-docker-apache:test-build-only
+
+      -  name: PostgreSQL build
+         uses: docker/build-push-action@v5
+         with:
+              context: ./postgresql
+              file: ./postgresql/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-postgresql:test-build-only
+
+      -  name: Solr build
+         uses: docker/build-push-action@v5
+         with:
+              context: ./solr
+              file: ./solr/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-solr:test-build-only
+
+      -  name: ckan-pycsw build
+         uses: docker/build-push-action@v4
+         with:
+              context: ./ckan-pycsw
+              file: ./ckan-pycsw/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-pycsw:test-build-only
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Linting Dockerfiles and annotate code inline in the github PR viewer
+        id: hadolint
+        uses: jbergstroem/hadolint-gh-action@v1.11.0
+        with:
+          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}.ghcr
+          version: ${{ env.HADOLINT_VERSION }}
+          annotate: true
+          error_level: -1
diff --git a/ckan/Dockerfile b/ckan/Dockerfile
@@ -1,11 +1,15 @@
 FROM ghcr.io/mjanez/ckan-base-spatial:ckan-2.9.9
+LABEL maintainer="mnl.janez@gmail.com"
 
 # Set up environment variables
-ENV APP_DIR=/srv/app \
-    TZ=UTC
+ENV APP_DIR=/srv/app
+ENV TZ=UTC
+
+# Set working directory
+WORKDIR ${APP_DIR}
 
 # requirements.txt files fixed until next releases
-COPY req_fixes ${APP_DIR}/req_fixes
+COPY req_fixes req_fixes
 
 # Extensions
 ### XLoader - 1.0.1 ###
@@ -23,40 +27,40 @@ RUN echo ${TZ} > /etc/timezone && \
     if ! [ /usr/share/zoneinfo/${TZ} -ef /etc/localtime ]; then cp /usr/share/zoneinfo/${TZ} /etc/localtime ; fi && \
     # Install CKAN extensions
     echo "ckan/ckanext-xloader" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-xloader.git@1.0.1#egg=ckanext-xloader && \ 
-    pip3 install -r ${APP_DIR}/src/ckanext-xloader/requirements.txt && \
-    pip3 install -U requests[security] && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-xloader.git@1.0.1#egg=ckanext-xloader && \ 
+    pip3 install --no-cache-dir -r ${APP_DIR}/src/ckanext-xloader/requirements.txt && \
+    pip3 install --no-cache-dir -U requests[security] && \
     echo "ckan/ckanext-harvest" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-harvest.git@v1.5.1#egg=ckanext-harvest && \
-    pip3 install -r ${APP_DIR}/src/ckanext-harvest/pip-requirements.txt && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-harvest.git@v1.5.1#egg=ckanext-harvest && \
+    pip3 install --no-cache-dir -r ${APP_DIR}/src/ckanext-harvest/pip-requirements.txt && \
     echo "ckan/ckanext-geoview" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-geoview.git@v0.0.20#egg=ckanext-geoview && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-geoview.git@v0.0.20#egg=ckanext-geoview && \
     echo "ckan/ckanext-spatial" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-spatial.git@v2.0.0#egg=ckanext-spatial && \
-    pip3 install -r ${APP_DIR}/req_fixes/ckanext-spatial_requirements.txt && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-spatial.git@v2.0.0#egg=ckanext-spatial && \
+    pip3 install --no-cache-dir -r ${APP_DIR}/req_fixes/ckanext-spatial_requirements.txt && \
     echo "mjanez/ckanext-dcat (GeoDCAT-AP extended version)" && \
-    pip3 install -e git+https://github.com/mjanez/ckanext-dcat.git@v1.2.0-geodcatap#egg=ckanext-dcat && \
-    pip3 install -r ${APP_DIR}/src/ckanext-dcat/requirements.txt && \
+    pip3 install --no-cache-dir -e git+https://github.com/mjanez/ckanext-dcat.git@v1.2.0-geodcatap#egg=ckanext-dcat && \
+    pip3 install --no-cache-dir -r ${APP_DIR}/src/ckanext-dcat/requirements.txt && \
     echo "ckan/ckanext-scheming" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-scheming.git@release-3.0.0#egg=ckanext-scheming && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-scheming.git@release-3.0.0#egg=ckanext-scheming && \
     echo "mjanez/ckanext-resourcedictionary" && \
-    pip3 install -e git+https://github.com/mjanez/ckanext-resourcedictionary.git@v1.0.1#egg=ckanext-resourcedictionary && \
+    pip3 install --no-cache-dir -e git+https://github.com/mjanez/ckanext-resourcedictionary.git@v1.0.1#egg=ckanext-resourcedictionary && \
     echo "ckan/ckanext-pages" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-pages.git@v0.5.2#egg=ckanext-pages && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-pages.git@v0.5.2#egg=ckanext-pages && \
     echo "ckan/ckanext-pdfview" && \
-    pip3 install -e git+https://github.com/ckan/ckanext-pdfview.git@0.0.8#egg=ckanext-pdfview && \
+    pip3 install --no-cache-dir -e git+https://github.com/ckan/ckanext-pdfview.git@0.0.8#egg=ckanext-pdfview && \
     echo "mjanez/ckanext-scheming_dcat" && \
-    pip3 install -e git+https://github.com/mjanez/ckanext-scheming_dcat.git@v2.0.0#egg=ckanext_scheming_dcat && \
-    pip3 install -r https://raw.githubusercontent.com/mjanez/ckanext-scheming_dcat/v2.0.0/requirements.txt
+    pip3 install --no-cache-dir -e git+https://github.com/mjanez/ckanext-scheming_dcat.git@v2.0.0#egg=ckanext_scheming_dcat && \
+    pip3 install --no-cache-dir -r https://raw.githubusercontent.com/mjanez/ckanext-scheming_dcat/v2.0.0/requirements.txt
 
 # Used to configure the container environment by setting environment variables, creating users, running initialization scripts, .etc
 COPY docker-entrypoint.d/* /docker-entrypoint.d/
 
 # Update who.ini with PROXY_CKAN_LOCATION
-COPY setup/who.ini ${APP_DIR}/
+COPY setup/who.ini ./
 
 # Apply any patches needed to CKAN core
-COPY patches ${APP_DIR}/patches
+COPY patches patches
 
 RUN for d in $APP_DIR/patches/*; do \
     if [ -d $d ]; then \
@@ -66,4 +70,4 @@ RUN for d in $APP_DIR/patches/*; do \
     fi ; \
     done
 
-CMD $APP_DIR/start_ckan.sh
+CMD ["/bin/sh", "-c", "$APP_DIR/start_ckan.sh"]
diff --git a/ckan/Dockerfile.dev b/ckan/Dockerfile.dev
@@ -1,9 +1,13 @@
 FROM ghcr.io/mjanez/ckan-base-spatial:ckan-2.9.9-dev
+LABEL maintainer="mnl.janez@gmail.com"
 
 # Set up environment variables
-ENV APP_DIR=/srv/app \
-    TZ=UTC \
-    SRC_EXTENSIONS_DIR=/srv/app/src_extensions
+ENV APP_DIR=/srv/app
+ENV TZ=UTC
+ENV SRC_EXTENSIONS_DIR=/srv/app/src_extensions
+
+# Set working directory
+WORKDIR ${APP_DIR}
 
 RUN echo ${TZ} > /etc/timezone && \
     set -ex && apk --no-cache add sudo && \
@@ -47,23 +51,29 @@ RUN echo ${TZ} > /etc/timezone && \
 # to get them mounted in this image at runtime
 
 # Used to configure the container environment by setting environment variables, creating users, running initialization scripts, .etc
-COPY docker-entrypoint.d/* /docker-entrypoint.d/
+COPY docker-entrypoint.d/* docker-entrypoint.d/
 
 # Update who.ini with PROXY_CKAN_LOCATION
-COPY setup/who.ini ${APP_DIR}/
+COPY setup/who.ini ./
 
 # Override start_ckan.sh with DEV sh
-COPY setup/start_ckan_development.sh.override ${APP_DIR}/start_ckan_development.sh
-RUN chmod +x ${APP_DIR}/start_ckan_development.sh
+COPY setup/start_ckan_development.sh.override start_ckan_development.sh
+RUN chmod +x start_ckan_development.sh
 
 # Apply any patches needed to CKAN core or any of the built extensions (not the
-# runtime mounted ones)
-COPY patches ${APP_DIR}/patches
+# runtime mounted ones!)
+COPY patches patches
 
 RUN for d in $APP_DIR/patches/*; do \
     if [ -d $d ]; then \
-    for f in `ls $d/*.patch | sort -g`; do \
-    cd $SRC_DIR/`basename "$d"` && echo "$0: Applying patch $f to $SRC_DIR/`basename $d`"; patch -p1 < "$f" ; \
-    done ; \
+        for f in `ls $d/*.patch | sort -g`; do \
+            if [ -d $SRC_DIR/`basename "$d"` ]; then \
+                cd $SRC_DIR/`basename "$d"` && \
+                echo "$0: Applying patch $f to $SRC_DIR/`basename $d`" && \
+                patch -p1 < "$f" ; \
+            else \
+                echo "$0: Skipping patch $f because directory $SRC_DIR/`basename $d` does not exist. Built the extension: `basename $d`" ; \
+            fi \
+        done ; \
     fi ; \
-    done
+done
diff --git a/ckan/Dockerfile.ghcr b/ckan/Dockerfile.ghcr
@@ -1,23 +1,27 @@
 FROM ghcr.io/mjanez/ckan-spatial:ckan-2.9.9
+LABEL maintainer="mnl.janez@gmail.com"
 
 # Set up environment variables
 ENV APP_DIR=/srv/app
 ENV TZ=UTC
-RUN echo ${TZ} > /etc/timezone
+
+# Set working directory
+WORKDIR ${APP_DIR}
 
 # Make sure both files are not exactly the same
-RUN if ! [ /usr/share/zoneinfo/${TZ} -ef /etc/localtime ]; then \
-    cp /usr/share/zoneinfo/${TZ} /etc/localtime ;\
+RUN echo ${TZ} > /etc/timezone && \
+    if ! [ /usr/share/zoneinfo/${TZ} -ef /etc/localtime ]; then \
+        cp /usr/share/zoneinfo/${TZ} /etc/localtime ; \
     fi ;
 
 # Used to configure the container environment by setting environment variables, creating users, running initialization scripts, .etc
-COPY docker-entrypoint.d/* /docker-entrypoint.d/
+COPY docker-entrypoint.d/* docker-entrypoint.d/
 
 # Update who.ini with PROXY_CKAN_LOCATION
-COPY setup/who.ini ${APP_DIR}/
+COPY setup/who.ini ./
 
 # Apply any patches needed to CKAN core
-COPY patches ${APP_DIR}/patches
+COPY patches patches
 
 #  Updated version of the Dockerfile RUN command that skips applying a patch if a reversed or previously applied patch is detected
 RUN for d in $APP_DIR/patches/*; do \
@@ -34,4 +38,4 @@ RUN for d in $APP_DIR/patches/*; do \
     fi ; \
 done
 
-CMD $APP_DIR/start_ckan.sh
+CMD ["/bin/sh", "-c", "$APP_DIR/start_ckan.sh"]