add miniconda, other small improvements (#83)

- update linux/ubuntu/Dockerfile
  - add miniconda
- update docker-bake.hcl
  - add CONDA_PATH arg
- update README.md
  - rephrased some parts
- update ci.yml
  - remove most `kics-scan ignore-line`
  - enable `deleteDotnet`
  - use github.repository_owner instead of hardcoded name
- add "miniconda" to cspell.json

.cspell.json

@@ -90,6 +90,7 @@
     "mediainfo",
     "mediatypes",
     "mergify",
+    "miniconda",
     "moby",
     "multiarch",
     "myrepo",

.github/workflows/ci.yml

@@ -30,7 +30,6 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Setup Docker Buildx
-        # kics-scan ignore-line
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
 
       # get docker binary path to use it with env -i
@@ -97,20 +96,17 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Setup QEMU
-        # kics-scan ignore-line
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3
 
       - name: Setup Docker Buildx
-        # kics-scan ignore-line
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
         with:
           driver: docker-container
 
       # Login against a container registry
       # https://github.com/docker/login-action
-      # kics-scan ignore-line
-      - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
-        name: Login to ${{ env.CONTAINER_REGISTRY }}
+      - name: Login to ${{ env.CONTAINER_REGISTRY }}
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ${{ env.CONTAINER_REGISTRY }}
           username: ${{ env.CONTAINER_REGISTRY_USER }}
@@ -122,7 +118,7 @@ jobs:
       - uses: ./.github/actions/free-space
         name: Free up disk space
         with:
-          deleteDotnet: 'false'
+          deleteDotnet: 'true'
           deleteAndroid: 'true'
 
       - name: Get meta data
@@ -133,16 +129,16 @@ jobs:
             printf "to_tag=%s\n" "$(REF_NAME="$([[ -z "${GITHUB_BASE_REF}" ]] && git config --get init.defaultBranch || echo "${GITHUB_BASE_REF}")" docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
           } | tee "${GITHUB_OUTPUT}"
 
+      # Used when the image is not pushed to a registry
       - name: Create directory for docker output
         if: github.event_name == 'pull_request'
         run: 'mkdir -p "${DIRNAME}"'
         env:
           DIRNAME: ${{ format('{0}/{1}', github.workspace, matrix.platforms) }}
 
       # Bake the image
-      # kics-scan ignore-line
-      - uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112
-        name: Build and Push
+      - name: Build and Push
+        uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112
         id: bake
         with:
           files: docker-bake.hcl
@@ -156,9 +152,8 @@ jobs:
           push: ${{ env.CONTAINER_PUSH }}
 
       # Docker-Scout - Create SBOM
-      # kics-scan ignore-line
-      - uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09
-        name: Create SBOM
+      - name: Create SBOM
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09
         id: docker-scout-sbom
         continue-on-error: true
         if: env.CONTAINER_PUSH == 'true' && vars.DOCKERHUB_USERNAME != ''
@@ -168,10 +163,9 @@ jobs:
           only-severities: critical,high
           only-fixed: true
 
-      # vulnerability scan the image for main branch
-      # kics-scan ignore-line
-      - uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09
-        name: Analyze for critical and high CVEs
+      # vulnerability scan the image for main branch and upload the results as a SARIF file
+      - name: Analyze for critical and high CVEs
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09
         id: docker-scout-cves
         continue-on-error: true
         if: env.CONTAINER_PUSH == 'true' && github.ref_name == 'main'
@@ -181,19 +175,16 @@ jobs:
           image: ${{ steps.meta.outputs.tag }}
           sarif-file: sarif.output.json
           summary: false
-      # upload the results as a SARIF file to gh security tab
-      # kics-scan ignore-line
-      - uses: github/codeql-action/upload-sarif@c73d8a69e18598d5de9d6bf5de3a374253cde261
-        name: Upload SARIF result
+      - name: Upload SARIF result
+        uses: github/codeql-action/upload-sarif@c73d8a69e18598d5de9d6bf5de3a374253cde261
         id: upload-sarif
         if: steps.docker-scout-cves.outcome == 'success'
         with:
           sarif_file: sarif.output.json
 
       # vulnerability scanning to verify PRs
-      # kics-scan ignore-line
-      - uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09
-        name: Docker Scout compare
+      - name: Docker Scout compare
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09
         id: pr-compare
         if: github.event_name == 'pull_request' && vars.DOCKERHUB_USERNAME != ''
         with:
@@ -212,7 +203,7 @@ jobs:
   approve-pr:
     needs: [build]
     runs-on: ubuntu-latest
-    if: ${{ success() && contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' }}
+    if: ${{ success() && contains(fromJson(format('["{0}","dependabot[bot]"]', github.repository_owner)), github.triggering_actor) && github.event_name == 'pull_request' }}
     permissions:
       contents: read
       pull-requests: write

README.md

@@ -14,23 +14,23 @@
 
 ## What
 
-The docker images in this repository are made to be used with [nektos/act][nektos-act-repo], which
-is a very handy tool to execute github workflows locally.
+The containers in this repository are made to be used with [nektos/act][nektos-act-repo], which is a
+very handy tool to execute, test and debug github workflows locally.
 
 If you don't know it yet, I highly recommend to check it out 🤓
 
 ## Why
 
-In the other Images I had problems with executing azure related tools, so I decided to create my own
-image which is heavily inspired by the images of [catthehacker][catthehacker-image-repo] and the
+Since I had trouble with other images when executing azure related tools, I decided to create my own
+container which is heavily inspired by the images of [catthehacker][catthehacker-image-repo] and the
 [official runner images][actions-runner-images].
 
 ## How to use
 
-These Docker images are intended for use with nektos/arc, which allows you to run GitHub workflows
-on your local host.
+These Docker images are intended to be used with [nektos/act][nektos-act-repo]. Setup guides can be
+found [here][nektosSetupGuide].
 
-The easiest way is to add those lines in your `~/.actrc`:
+Add these lines in `~/.actrc` to use this image with act:
 
 ```bash
 -P ubuntu-latest=mauwii/ubuntu-act:latest
@@ -41,7 +41,7 @@ The easiest way is to add those lines in your `~/.actrc`:
 For further information about [nektos/act][nektos-act-repo] and how to use it, take a 👀 at the
 [nektos documentation📖][nektosDocs]
 
-## How I run act on my M2-Max 💻
+## How to run act on apple silicon 💻
 
 - Install act via [brew🍺](https://brew.sh)
 
@@ -99,7 +99,9 @@ For further information about [nektos/act][nektos-act-repo] and how to use it, t
 - `~/.actrc`:
 
   ```bash
-  --rm
+  --container-architecture linux/arm64
+  --rm=true
+  --reuse=false
   -P ubuntu-latest=mauwii/ubuntu-act:latest
   -P ubuntu-22.04=mauwii/ubuntu-act:22.04
   -P ubuntu-20.04=mauwii/ubuntu-act:20.04
@@ -154,7 +156,6 @@ To execute the mega-linter locally without the needs to install it, there are di
   ```bash
   npx mega-linter-runner \
       --flavor terraform \
-      -e GITHUB_TOKEN="$(gh auth token)" \
       --remove-container
   ```
 
@@ -176,6 +177,7 @@ repository root if you want to enable the pre-commit hooks on your system as wel
 [GitHub-Commits]: https://github.com/mauwii/act-docker-images/commits/ "GitHub repository - commits"
 [License]: https://github.com/mauwii/act-docker-images/blob/main/LICENSE "License"
 [nektos-act-repo]: https://github.com/nektos/act "nektos/act git repository"
+[nektosSetupGuide]: https://nektosact.com/installation/index.html "nektos/act setup guide"
 [nektosDocs]: https://nektosact.com/beginner/index.html "nektos/act docs"
 [catthehacker-image-repo]:
   https://github.com/catthehacker/docker_images
@@ -206,12 +208,9 @@ repository root if you want to enable the pre-commit hooks on your system as wel
 [DockerHub-size-badge]:
   https://badgen.net/docker/size/mauwii/ubuntu-act?icon=docker&label=image%20size
 [DockerHub-stars-badge]: https://badgen.net/docker/stars/mauwii/ubuntu-act?icon=docker&label=stars
-[GitHub-stars-badge]:
-  https://badgen.net/github/stars/mauwii/act-docker-images?icon=github
-[GitHub-forks-badge]:
-  https://badgen.net/github/forks/mauwii/act-docker-images?icon=github
-[GitHub-issues-badge]:
-  https://badgen.net/github/issues/mauwii/act-docker-images/?icon=github
+[GitHub-stars-badge]: https://badgen.net/github/stars/mauwii/act-docker-images?icon=github
+[GitHub-forks-badge]: https://badgen.net/github/forks/mauwii/act-docker-images?icon=github
+[GitHub-issues-badge]: https://badgen.net/github/issues/mauwii/act-docker-images/?icon=github
 [GitHub-commit-badge]:
   https://badgen.net/github/last-commit/mauwii/act-docker-images/main?icon=github&color=blue
 [License-badge]: https://badgen.net/github/license/mauwii/act-docker-images

docker-bake.hcl

@@ -119,6 +119,7 @@ target "ubuntu" {
     BICEP_VERSION                 = BICEP_VERSION
     CARGO_HOME                    = "/usr/local/cargo"
     CODENAME                      = release.codename
+    CONDA_PATH                    = "/usr/share/miniconda"
     DEPENDENCIES                  = DEPENDENCIES
     DOTNET_CHANNEL                = release.DOTNET_CHANNEL
     DOTNET_DEPS                   = release.DOTNET_DEPS

linux/ubuntu/Dockerfile

@@ -209,6 +209,19 @@ RUN KUBECTL_VERSION=$(curl -fsSL "https://dl.k8s.io/release/stable.txt") \
     && curl -sSLO "https://storage.googleapis.com/minikube/releases/latest/minikube-linux-${TARGETARCH}" \
     && install "minikube-linux-${TARGETARCH}" "${PATH_LOCAL_BINS}/minikube"
 
+ARG FROM_VERSION
+FROM buildpack-deps:${FROM_VERSION} as miniconda
+ARG TARGETARCH
+ARG PATH_LOCAL_BINS
+ARG CONDA_PATH
+SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
+RUN targetarch="$(dpkg-architecture --query DEB_TARGET_GNU_CPU)" && if [[ "${targetarch}" == "amd64" ]]; then targetarch=x86_64; fi \
+    && curl -fsSL "https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-${targetarch}.sh" \
+        -o miniconda.sh \
+    && chmod +x miniconda.sh \
+    && ./miniconda.sh -b -p ${CONDA_PATH} \
+    && rm miniconda.sh
+
 FROM base as pypy
 SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
 ARG PYPY_VERSIONS
@@ -476,6 +489,13 @@ COPY --link --from=k8s-tools \
     "${PATH_LOCAL_BINS}/minikube" \
     "${PATH_LOCAL_BINS}"/
 
+# add miniconda
+ARG CONDA_PATH
+ENV CONDA=${CONDA_PATH}
+COPY --link --from=miniconda "${CONDA_PATH}" "${CONDA_PATH}"
+RUN printf "CONDA=%s" "${CONDA_PATH}" | tee -a /etc/environment \
+    && ln -s "$(realpath --relative-to="${PATH_LOCAL_BINS}" "${CONDA_PATH}/bin")/conda" "${PATH_LOCAL_BINS}/conda"
+
 # add PyPy
 COPY --link --from=pypy "${AGENT_TOOLSDIRECTORY}/PyPy" "${AGENT_TOOLSDIRECTORY}/PyPy"