diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7b014261..28cb228e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,9 +23,15 @@ jobs:
 docker_pipeline:
 needs: ["lint_test"]
- uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+ uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
 secrets: inherit
 with:
 publish: true
 dockerfile: ./Dockerfile
 repoName: finality-provider
+ docker_scan: true
+ permissions:
+ # required for all workflows
+ security-events: write
+ # required to fetch internal or private CodeQL packs
+ packages: read
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..63355fc1
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+# LND < 0.17.0 issue, not fixing
+CVE-2024-27304
+GHSA-7jwh-3vrq-q3m8
+CVE-2024-27289
+CVE-2024-38359
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7554c0c2..8b00e603 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ### Improvements
+* [#127](https://github.com/babylonlabs-io/finality-provider/pull/127) Bump docker workflow version and fix some dockerfile issue
 * [#132](https://github.com/babylonlabs-io/finality-provider/pull/132) Replace fast sync with batch processing
 ### Documentation
diff --git a/Dockerfile b/Dockerfile
index d37b922e..4b577eb9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23.1-alpine as builder
+FROM golang:1.23-alpine as builder
 # Version to build. Default is the Git HEAD.
 ARG VERSION="HEAD"
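Review bot: The two comments added under `permissions:` are CodeQL boilerplate that does not describe this job — `# required for all workflows` says nothing about why `security-events: write` is needed here, and `# required to fetch internal or private CodeQL packs` refers to a tool the job does not visibly call; what it calls is the reusable docker pipeline with the new `docker_scan: true`. If the scan results are uploaded as code-scanning alerts, say so, e.g. `# docker_scan uploads its findings to the repository's Security tab`, and state what `packages: read` is actually needed for, or drop it if the reusable workflow does not require it. The reusable workflow is referenced by the mutable tag `@v0.10.2` while receiving `secrets: inherit` and `security-events: write`; pinning the reference to a commit SHA with the tag kept in a trailing comment would make that trust decision explicit, though as a same-organisation repository this is a lower-risk case.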
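Review bot: The four suppressions in the new `.trivyignore` have no expiry, so the image keeps passing `docker_scan` on these IDs indefinitely, including after an LND bump becomes possible. Trivy accepts an expiry after the identifier, e.g. `CVE-2024-27304 exp:<REVIEW-DATE>`, which makes the suppression lapse and forces the decision to be revisited; the same applies to `GHSA-7jwh-3vrq-q3m8`, `CVE-2024-27289` and `CVE-2024-38359`. The comment `# LND < 0.17.0 issue, not fixing` records the decision but not the reason the LND dependency cannot move, so a line naming the blocker (a tracking issue, or the constraint that keeps LND below 0.17.0) would make the risk acceptance reviewable later. The file is also missing its trailing newline.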
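Review bot: `FROM golang:1.23-alpine` is a looser pin than the `golang:1.23.1-alpine` it replaces — the tag now follows every 1.23.x and Alpine refresh, so the toolchain that produced a given image is no longer recoverable from the Dockerfile, which matters more now that the pipeline scans and publishes the image. Pinning by digest keeps the patch-level tracking the commit wants while making the build reproducible: `FROM golang:1.23-alpine@sha256:<DIGEST-OF-CHOSEN-TAG> AS builder`. The lowercase `as builder` also differs from the `AS run` used by the final stage and trips BuildKit's FromAsCasing check; uppercasing it here is a one-word fix.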
@@ -6,10 +6,10 @@ ARG VERSION="HEAD"
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
 pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
- libzmq-static libsodium-static gcc
+ libzmq-static libsodium-static gcc && rm -rf /var/cache/apk/*
 # Build
@@ -21,12 +21,13 @@ RUN go mod download
 COPY ./ /go/src/github.com/babylonlabs-io/finality-provider/
 # Cosmwasm - Download correct libwasmvm version
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(grep github.com/CosmWasm/wasmvm go.mod | cut -d' ' -f2) && \
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
- -O /lib/libwasmvm_muslc.$(uname -m).a && \
+ wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc."$(uname -m)".a \
+ -O /lib/libwasmvm_muslc."$(uname -m)".a && \
 # verify checksum
- wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
- sha256sum /lib/libwasmvm_muslc.$(uname -m).a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc.$(uname -m) | cut -d ' ' -f 1)
+ wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
+ sha256sum /lib/libwasmvm_muslc."$(uname -m)."a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc."$(uname -m)" | cut -d ' ' -f 1)
 RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 CGO_ENABLED=1 \
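Review bot: The `&& rm -rf /var/cache/apk/*` appended to the `libzmq-static libsodium-static gcc` line is a no-op, because the same `RUN apk add --no-cache …` already tells apk not to populate that cache; the identical redundant suffix is added to the `apk add --no-cache bash curl jq` line in the final-stage hunk at `@@ -35,11 +36,12 @@`. Hadolint DL3019 describes exactly this — `--no-cache` replaces both `--update` and the cache removal — so the line can stay `    libzmq-static libsodium-static gcc`, and the pre-existing `--update` on the context line is redundant for the same reason. The new `# hadolint ignore=DL3018` silences the unpinned-package warning for the whole build toolchain; if pinning is skipped on purpose because Alpine stable branches roll patch versions, a line next to it such as `# package versions intentionally unpinned: alpine stable branches roll patch releases` keeps the suppression reviewable instead of looking like a lint bypass.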
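Review bot: The checksum line at the end of the RUN writes the path as `libwasmvm_muslc."$(uname -m)."a` while the download lines above use `libwasmvm_muslc."$(uname -m)".a`; both expand to the same name, but the dot moved inside the quotes reads like a typo and invites a "fix" that changes the path, so it should match the other lines. On that same line the expected hash is still taken from an unquoted `$(cat /tmp/checksums.txt | grep … | cut …)`; today an empty lookup fails closed only because `grep` with no pattern argument exits with a usage error, and a later ShellCheck-style `"$(…)"` quoting would silently turn it into `grep ""`, which matches everything. Making the guard explicit removes that dependency: `EXPECTED=$(grep "libwasmvm_muslc.$(uname -m).a" /tmp/checksums.txt | cut -d ' ' -f 1) && test -n "$EXPECTED" && \` followed by `sha256sum /lib/libwasmvm_muslc."$(uname -m)".a | grep -F "$EXPECTED"`. The new `SHELL` line only governs RUN instructions after it, so the builder stage's earlier `apk add` and `go mod download` steps still run under plain `/bin/sh -c`; placing it directly after the stage's `FROM` would cover the whole stage. The `RUN CGO_LDFLAGS=` instruction at the bottom continues outside the hunk.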
@@ -35,11 +36,12 @@ RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
 make build
 # FINAL IMAGE
-FROM alpine:3.16 AS run
+FROM alpine:3.20 AS run
 RUN addgroup --gid 1138 -S finality-provider && adduser --uid 1138 -S finality-provider -G finality-provider
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN apk add --no-cache bash curl jq && rm -rf /var/cache/apk/*
 COPY --from=builder /go/src/github.com/babylonlabs-io/finality-provider/build/fpd /bin/fpd
 COPY --from=builder /go/src/github.com/babylonlabs-io/finality-provider/build/eotsd /bin/eotsd
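Review bot: The final stage installs `bash curl jq` without versions and nothing in the hunk says what they are for; since all three ship in the published image, a comment such as `# bash/curl/jq are needed by the entrypoint and health checks` (adjusted to the real reason) lets a later reviewer drop whichever is unused, and the `# hadolint ignore=DL3018` above it should then state why pinning is skipped rather than only silence the warning. No `USER finality-provider` appears between the `adduser` line and the two `COPY --from=builder` lines; if the switch does not come later in the file, the image runs as root despite the dedicated 1138 account, which is the first thing a container scan of the published image will flag. `alpine:3.20` is a welcome bump from 3.16, but like the builder base it is a floating tag; `FROM alpine:3.20@sha256:<DIGEST-OF-CHOSEN-TAG> AS run` keeps the scanned image and the published image identical.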