From a12c6115c7d48be6ae7f83e92debe737c6a48cd4 Mon Sep 17 00:00:00 2001
From: Benjamin Grandfond
Date: Thu, 18 Apr 2024 22:01:22 +0200
Subject: [PATCH 1/6] Use quotes for each line of secret as shown in the action docs
---
 .github/workflows/build-scan-push.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-scan-push.yaml b/.github/workflows/build-scan-push.yaml
index ea7a35d..4cbccbe 100644
--- a/.github/workflows/build-scan-push.yaml
+++ b/.github/workflows/build-scan-push.yaml
@@ -125,8 +125,8 @@ jobs:
 BUGSNAG_RELEASE_STAGE=production
 BUGSNAG_APP_VERSION=${{ github.event.release.tag_name }}
 secrets: |
- BUGSNAG_API_KEY=${{ secrets.BUGSNAG_API_KEY }}
- REACT_APP_MUI_LICENSE_KEY=${{ secrets.REACT_APP_MUI_LICENSE_KEY }}
+ "BUGSNAG_API_KEY=${{ secrets.BUGSNAG_API_KEY }}"
+ "REACT_APP_MUI_LICENSE_KEY=${{ secrets.REACT_APP_MUI_LICENSE_KEY }}"
 
 # If PR, put image tags in the PR comments
 # from https://github.com/marketplace/actions/create-or-update-comment
From 4f7613513638168e005e466e822eff924374ee8e Mon Sep 17 00:00:00 2001
From: Benjamin Grandfond
Date: Thu, 18 Apr 2024 22:02:01 +0200
Subject: [PATCH 2/6] One run to mount two secrets and then run build
---
 Dockerfile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e48f707..728f64b 100644
--- a/Dockerfile
+++ b/Dockerfile
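Review bot: The quoted form on the two added `secrets:` lines only works if the action's list parser strips the quotes before the ids reach BuildKit; the Dockerfile in the next commit mounts the secrets by the bare ids `BUGSNAG_API_KEY` and `REACT_APP_MUI_LICENSE_KEY`, so a literal leading `"` surviving in the id would most likely leave both mounts absent and the build running with empty keys rather than failing loudly. The action version churn in the following commits suggests this interaction was what was being debugged, so it is worth recording the dependency in a comment above the block, e.g. `# quoted per docker/build-push-action docs; ids must match the --mount=type=secret ids in the Dockerfile`. The enclosing build step and its `with:` mapping start above this hunk.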
@@ -20,12 +20,11 @@ RUN --mount=type=cache,target=/usr/src/app/.npm \
 npm ci
 # install
 COPY ui /ui
-RUN --mount=type=secret,id=BUGSNAG_API_KEY \
+RUN --mount=type=secret,id=BUGSNAG_API_KEY,target=/run/secrets/BUGSNAG_API_KEY \
+ --mount=type=secret,id=REACT_APP_MUI_LICENSE_KEY,target=/run/secrets/REACT_APP_MUI_LICENSE_KEY \
 REACT_APP_BUGSNAG_API_KEY=$(cat /run/secrets/BUGSNAG_API_KEY) \
- npm run build
-RUN --mount=type=secret,id=REACT_APP_MUI_LICENSE_KEY \
 REACT_APP_MUI_LICENSE_KEY=$(cat /run/secrets/REACT_APP_MUI_LICENSE_KEY) \
- yarn build
+ npm run build
 
 FROM alpine:3.16@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad as base
 ARG CLI_VERSION=20.10.17
From 3142b55f3b0e3fd4dc5bf5a021cca810bea9cf57 Mon Sep 17 00:00:00 2001
From: Benjamin Grandfond
Date: Thu, 18 Apr 2024 23:23:01 +0200
Subject: [PATCH 3/6] Downgarde docker/build-push-action
---
 .github/workflows/build-scan-push.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-scan-push.yaml b/.github/workflows/build-scan-push.yaml
index 4cbccbe..019e20d 100644
--- a/.github/workflows/build-scan-push.yaml
+++ b/.github/workflows/build-scan-push.yaml
@@ -109,12 +109,12 @@ jobs:
 
 - name: Docker Build and Push to Docker Hub
 if: ${{ !github.event.pull_request.head.repo.fork }}
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v2
 with:
 push: true
 tags: ${{ steps.docker_meta.outputs.tags }}
- sbom: ${{ github.event_name != 'pull_request' }}
- provenance: ${{ github.event_name != 'pull_request' }}
+ #sbom: ${{ github.event_name != 'pull_request' }}
+ #provenance: ${{ github.event_name != 'pull_request' }}
 labels: |
 org.opencontainers.image.revision=${{ github.event.pull_request.head.sha || github.event.after || github.event.release.tag_name }}
 org.opencontainers.image.source=https://github.com/${{ github.repository }}
From 351a8b0099e5fd98b0f78e6937d15ecac2c95e4a Mon Sep 17 00:00:00 2001
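Review bot: A missing secret is silently tolerated by the merged `RUN`: if either id is not supplied at build time the mount is simply absent, `$(cat /run/secrets/…)` expands to an empty string after a stderr message, and `npm run build` proceeds with an empty key. Unless builds without these secrets are intended (the workflow's push step is skipped for fork PRs, but whether a secret-less build path exists is not visible here), add `required=true` to both mounts so BuildKit fails the instruction instead, e.g. `RUN --mount=type=secret,id=BUGSNAG_API_KEY,target=/run/secrets/BUGSNAG_API_KEY,required=true \`. The explicit `target=` values equal BuildKit's default `/run/secrets/<id>` path, so they add nothing beyond readability. Separately, if the UI is a Create React App build (the `REACT_APP_` prefix suggests so), these variables are inlined into the client bundle, so the secret mount keeps the values out of image layers and build history but not out of the shipped JavaScript; a comment stating that both are client-side keys by design would make that intent explicit — confirm against the UI's build tooling.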
From: Benjamin Grandfond
Date: Thu, 18 Apr 2024 23:30:47 +0200
Subject: [PATCH 4/6] Upgrade docker/build-push-action to v4
---
 .github/workflows/build-scan-push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-scan-push.yaml b/.github/workflows/build-scan-push.yaml
index 019e20d..8db21e7 100644
--- a/.github/workflows/build-scan-push.yaml
+++ b/.github/workflows/build-scan-push.yaml
@@ -109,7 +109,7 @@ jobs:
 
 - name: Docker Build and Push to Docker Hub
 if: ${{ !github.event.pull_request.head.repo.fork }}
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v4
 with:
 push: true
 tags: ${{ steps.docker_meta.outputs.tags }}
From 8ffbe184f04a506e9c14fee93cd6f53610cbe7ad Mon Sep 17 00:00:00 2001
From: Benjamin Grandfond
Date: Thu, 18 Apr 2024 23:37:05 +0200
Subject: [PATCH 5/6] Upgrade docker/build-push-action to v5
---
 .github/workflows/build-scan-push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-scan-push.yaml b/.github/workflows/build-scan-push.yaml
index 8db21e7..c6a675e 100644
--- a/.github/workflows/build-scan-push.yaml
+++ b/.github/workflows/build-scan-push.yaml
@@ -109,7 +109,7 @@ jobs:
 
 - name: Docker Build and Push to Docker Hub
 if: ${{ !github.event.pull_request.head.repo.fork }}
- uses: docker/build-push-action@v4
+ uses: docker/build-push-action@v5
 with:
 push: true
 tags: ${{ steps.docker_meta.outputs.tags }}
From 78178718e7a3c6730b5e7f567a83dcbfb8d36cea Mon Sep 17 00:00:00 2001
From: Benjamin Grandfond
Date: Thu, 18 Apr 2024 23:43:25 +0200
Subject: [PATCH 6/6] Re-add sbom and provenance
---
 .github/workflows/build-scan-push.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-scan-push.yaml b/.github/workflows/build-scan-push.yaml
index c6a675e..4cbccbe 100644
--- a/.github/workflows/build-scan-push.yaml
+++ b/.github/workflows/build-scan-push.yaml
@@ -113,8 +113,8 @@ jobs:
 with:
 push: true
 tags: ${{ steps.docker_meta.outputs.tags }}
- #sbom: ${{ github.event_name != 'pull_request' }}
- #provenance: ${{ github.event_name != 'pull_request' }}
+ sbom: ${{ github.event_name != 'pull_request' }}
+ provenance: ${{ github.event_name != 'pull_request' }}
 labels: |
 org.opencontainers.image.revision=${{ github.event.pull_request.head.sha || github.event.after || github.event.release.tag_name }}
 org.opencontainers.image.source=https://github.com/${{ github.repository }}
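Review bot: The restored `sbom:` and `provenance:` lines carry no explanation of their gate, and it differs from the step's own `if:` (a fork check, visible in the earlier commits of this series): the step still runs and pushes for same-repo pull requests, but those images get no attestations because `github.event_name` is `pull_request`. A short comment above the two lines would keep the two conditions from being conflated, e.g. `# SBOM/provenance only for non-PR builds; same-repo PR images are pushed without attestations`. The step's `name:`, `if:` and `uses:` lines lie above this hunk.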