From a6b3de36c21f72704f7fbf382582fa739f536309 Mon Sep 17 00:00:00 2001 From: Matthias Wild Date: Fri, 3 Nov 2023 17:41:32 +0100 Subject: [PATCH] add miniconda, other small improvements (#83) - update linux/ubuntu/Dockerfile - add miniconda - update docker-bake.hcl - add CONDA_PATH arg - update README.md - rephrased some parts - update ci.yml - remove most `kics-scan ignore-line` - enable `deleteDotnet` - use github.repository_owner instead of hardcoded name - add "miniconda" to cspell.json --- .cspell.json | 1 + .github/workflows/ci.yml | 41 ++++++++++++++++------------------------ README.md | 31 +++++++++++++++--------------- docker-bake.hcl | 1 + linux/ubuntu/Dockerfile | 20 ++++++++++++++++++++ 5 files changed, 53 insertions(+), 41 deletions(-) diff --git a/.cspell.json b/.cspell.json index d4b3625..70b8ecd 100644 --- a/.cspell.json +++ b/.cspell.json @@ -90,6 +90,7 @@ "mediainfo", "mediatypes", "mergify", + "miniconda", "moby", "multiarch", "myrepo", diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 15e3eee..a9b2f87 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,6 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Setup Docker Buildx - # kics-scan ignore-line uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # get docker binary path to use it with env -i 
@@ -97,20 +96,17 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Setup QEMU - # kics-scan ignore-line uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 - name: Setup Docker Buildx - # kics-scan ignore-line uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 with: driver: docker-container # Login against a container registry # https://github.com/docker/login-action - # kics-scan ignore-line - - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d - name: Login to ${{ env.CONTAINER_REGISTRY }} + - name: Login to ${{ env.CONTAINER_REGISTRY }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d with: registry: ${{ env.CONTAINER_REGISTRY }} username: ${{ env.CONTAINER_REGISTRY_USER }} @@ -122,7 +118,7 @@ jobs: - uses: ./.github/actions/free-space name: Free up disk space with: - deleteDotnet: 'false' + deleteDotnet: 'true' deleteAndroid: 'true' - name: Get meta data @@ -133,6 +129,7 @@ jobs: printf "to_tag=%s\n" "$(REF_NAME="$([[ -z "${GITHUB_BASE_REF}" ]] && git config --get init.defaultBranch || echo "${GITHUB_BASE_REF}")" docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; } | tee "${GITHUB_OUTPUT}" + # Used when the image is not pushed to a registry - name: Create directory for docker output if: github.event_name == 'pull_request' run: 'mkdir -p "${DIRNAME}"' @@ -140,9 +137,8 @@ jobs: DIRNAME: ${{ format('{0}/{1}', github.workspace, matrix.platforms) }} # Bake the image - # kics-scan ignore-line - - uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 - name: Build and Push + - name: Build and Push + uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 id: bake with: files: docker-bake.hcl 
@@ -156,9 +152,8 @@ jobs: push: ${{ env.CONTAINER_PUSH }} # Docker-Scout - Create SBOM - # kics-scan ignore-line - - uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 - name: Create SBOM + - name: Create SBOM + uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 id: docker-scout-sbom continue-on-error: true if: env.CONTAINER_PUSH == 'true' && vars.DOCKERHUB_USERNAME != '' @@ -168,10 +163,9 @@ jobs: only-severities: critical,high only-fixed: true - # vulnerability scan the image for main branch - # kics-scan ignore-line - - uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 - name: Analyze for critical and high CVEs + # vulnerability scan the image for main branch and upload the results as a SARIF file + - name: Analyze for critical and high CVEs + uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 id: docker-scout-cves continue-on-error: true if: env.CONTAINER_PUSH == 'true' && github.ref_name == 'main' @@ -181,19 +175,16 @@ jobs: image: ${{ steps.meta.outputs.tag }} sarif-file: sarif.output.json summary: false - # upload the results as a SARIF file to gh security tab - # kics-scan ignore-line - - uses: github/codeql-action/upload-sarif@c73d8a69e18598d5de9d6bf5de3a374253cde261 - name: Upload SARIF result + - name: Upload SARIF result + uses: github/codeql-action/upload-sarif@c73d8a69e18598d5de9d6bf5de3a374253cde261 id: upload-sarif if: steps.docker-scout-cves.outcome == 'success' with: sarif_file: sarif.output.json # vulnerability scanning to verify PRs - # kics-scan ignore-line - - uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 - name: Docker Scout compare + - name: Docker Scout compare + uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 id: pr-compare if: github.event_name == 'pull_request' && vars.DOCKERHUB_USERNAME != '' with: 
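Review bot: The `if: steps.docker-scout-cves.outcome == 'success'` guard on the Upload SARIF step, combined with `continue-on-error: true` on the CVE analysis step in the previous hunk, means a scan that errors (bad registry credentials, rate limit, action failure) leaves the job green, uploads nothing to the security tab, and nothing reports that findings stopped flowing. If the scan is meant to stay best-effort, at least surface that outcome, e.g. add after the upload step `- name: Warn when CVE scan did not run`, `if: env.CONTAINER_PUSH == 'true' && github.ref_name == 'main' && steps.docker-scout-cves.outcome != 'success'`, `run: echo "::warning::Docker Scout CVE scan did not succeed; no SARIF uploaded"`; otherwise drop `continue-on-error: true` so a broken scan fails the build on main. The `with:` block of the CVE step starts outside the visible hunk, so whether an exit-code gate is configured there cannot be checked from here.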
@@ -212,7 +203,7 @@ jobs: approve-pr: needs: [build] runs-on: ubuntu-latest - if: ${{ success() && contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' }} + if: ${{ success() && contains(fromJson(format('["{0}","dependabot[bot]"]', github.repository_owner)), github.triggering_actor) && github.event_name == 'pull_request' }} permissions: contents: read pull-requests: write diff --git a/README.md b/README.md index 8ea58ae..43e2389 100644 --- a/README.md +++ b/README.md @@ -14,23 +14,23 @@ ## What -The docker images in this repository are made to be used with [nektos/act][nektos-act-repo], which -is a very handy tool to execute github workflows locally. +The containers in this repository are made to be used with [nektos/act][nektos-act-repo], which is a +very handy tool to execute, test and debug github workflows locally. If you don't know it yet, I highly recommend to check it out 🤓 ## Why -In the other Images I had problems with executing azure related tools, so I decided to create my own -image which is heavily inspired by the images of [catthehacker][catthehacker-image-repo] and the +Since I had trouble with other images when executing azure related tools, I decided to create my own +container which is heavily inspired by the images of [catthehacker][catthehacker-image-repo] and the [official runner images][actions-runner-images]. ## How to use -These Docker images are intended for use with nektos/arc, which allows you to run GitHub workflows -on your local host. +These Docker images are intended to be used with [nektos/act][nektos-act-repo]. Setup guides can be +found [here][nektosSetupGuide]. -The easiest way is to add those lines in your `~/.actrc`: +Add these lines in `~/.actrc` to use this image with act: ```bash -P ubuntu-latest=mauwii/ubuntu-act:latest 
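Review bot: The approve-pr gate on the `if:` line keys on `github.triggering_actor`, which is the user who initiated the workflow run rather than the pull request's author; when the repository owner re-runs a failed workflow on a third-party pull request, `triggering_actor` becomes the owner and this job approves that PR with its `pull-requests: write` token. Compare the PR author instead, e.g. `if: ${{ success() && github.event_name == 'pull_request' && contains(fromJson(format('["{0}","dependabot[bot]"]', github.repository_owner)), github.event.pull_request.user.login) }}`. Note also that `github.repository_owner` is the organization name when the repository lives under an org, in which case the owner entry never matches a user — presumably fine for a personal repository, but worth a comment above the job. The steps of approve-pr lie outside the hunk.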
@@ -41,7 +41,7 @@ The easiest way is to add those lines in your `~/.actrc`: For further information about [nektos/act][nektos-act-repo] and how to use it, take a 👀 at the [nektos documentation📖][nektosDocs] -## How I run act on my M2-Max 💻 +## How to run act on apple silicon 💻 - Install act via [brew🍺](https://brew.sh) @@ -99,7 +99,9 @@ For further information about [nektos/act][nektos-act-repo] and how to use it, t - `~/.actrc`: ```bash - --rm + --container-architecture linux/arm64 + --rm=true + --reuse=false -P ubuntu-latest=mauwii/ubuntu-act:latest -P ubuntu-22.04=mauwii/ubuntu-act:22.04 -P ubuntu-20.04=mauwii/ubuntu-act:20.04 @@ -154,7 +156,6 @@ To execute the mega-linter locally without the needs to install it, there are di ```bash npx mega-linter-runner \ --flavor terraform \ - -e GITHUB_TOKEN="$(gh auth token)" \ --remove-container ``` @@ -176,6 +177,7 @@ repository root if you want to enable the pre-commit hooks on your system as wel [GitHub-Commits]: https://github.com/mauwii/act-docker-images/commits/ "GitHub repository - commits" [License]: https://github.com/mauwii/act-docker-images/blob/main/LICENSE "License" [nektos-act-repo]: https://github.com/nektos/act "nektos/act git repository" +[nektosSetupGuide]: https://nektosact.com/installation/index.html "nektos/act setup guide" [nektosDocs]: https://nektosact.com/beginner/index.html "nektos/act docs" [catthehacker-image-repo]: https://github.com/catthehacker/docker_images 
@@ -206,12 +208,9 @@ repository root if you want to enable the pre-commit hooks on your system as wel
 [DockerHub-size-badge]: https://badgen.net/docker/size/mauwii/ubuntu-act?icon=docker&label=image%20size
 [DockerHub-stars-badge]: https://badgen.net/docker/stars/mauwii/ubuntu-act?icon=docker&label=stars
-[GitHub-stars-badge]:
- https://badgen.net/github/stars/mauwii/act-docker-images?icon=github
-[GitHub-forks-badge]:
- https://badgen.net/github/forks/mauwii/act-docker-images?icon=github
-[GitHub-issues-badge]:
- https://badgen.net/github/issues/mauwii/act-docker-images/?icon=github
+[GitHub-stars-badge]: https://badgen.net/github/stars/mauwii/act-docker-images?icon=github
+[GitHub-forks-badge]: https://badgen.net/github/forks/mauwii/act-docker-images?icon=github
+[GitHub-issues-badge]: https://badgen.net/github/issues/mauwii/act-docker-images/?icon=github
 [GitHub-commit-badge]: https://badgen.net/github/last-commit/mauwii/act-docker-images/main?icon=github&color=blue
 [License-badge]: https://badgen.net/github/license/mauwii/act-docker-images
diff --git a/docker-bake.hcl b/docker-bake.hcl
index bde1218..35ee292 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -119,6 +119,7 @@ target "ubuntu" {
 BICEP_VERSION = BICEP_VERSION
 CARGO_HOME = "/usr/local/cargo"
 CODENAME = release.codename
+ CONDA_PATH = "/usr/share/miniconda"
 DEPENDENCIES = DEPENDENCIES
 DOTNET_CHANNEL = release.DOTNET_CHANNEL
 DOTNET_DEPS = release.DOTNET_DEPS
diff --git a/linux/ubuntu/Dockerfile b/linux/ubuntu/Dockerfile
index 816d958..32c4ce5 100644
--- a/linux/ubuntu/Dockerfile
+++ b/linux/ubuntu/Dockerfile
@@ -209,6 +209,19 @@ RUN KUBECTL_VERSION=$(curl -fsSL "https://dl.k8s.io/release/stable.txt") \
 && curl -sSLO "https://storage.googleapis.com/minikube/releases/latest/minikube-linux-${TARGETARCH}" \
 && install "minikube-linux-${TARGETARCH}" "${PATH_LOCAL_BINS}/minikube"
+ARG FROM_VERSION
+FROM buildpack-deps:${FROM_VERSION} as miniconda
+ARG TARGETARCH
+ARG PATH_LOCAL_BINS
+ARG CONDA_PATH
+SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
+RUN targetarch="$(dpkg-architecture --query DEB_TARGET_GNU_CPU)" && if [[ "${targetarch}" == "amd64" ]]; then targetarch=x86_64; fi \
+ && curl -fsSL "https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-${targetarch}.sh" \
+ -o miniconda.sh \
+ && chmod +x miniconda.sh \
+ && ./miniconda.sh -b -p ${CONDA_PATH} \
+ && rm miniconda.sh
+
 FROM base as pypy
 SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
 ARG PYPY_VERSIONS
@@ -476,6 +489,13 @@ COPY --link --from=k8s-tools \
 "${PATH_LOCAL_BINS}/minikube" \
 "${PATH_LOCAL_BINS}"/
+# add miniconda
+ARG CONDA_PATH
+ENV CONDA=${CONDA_PATH}
+COPY --link --from=miniconda "${CONDA_PATH}" "${CONDA_PATH}"
+RUN printf "CONDA=%s" "${CONDA_PATH}" | tee -a /etc/environment \
+ && ln -s "$(realpath --relative-to="${PATH_LOCAL_BINS}" "${CONDA_PATH}/bin")/conda" "${PATH_LOCAL_BINS}/conda"
+
 # add PyPy
 COPY --link --from=pypy "${AGENT_TOOLSDIRECTORY}/PyPy" "${AGENT_TOOLSDIRECTORY}/PyPy"
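Review bot: The `curl` in the new miniconda stage fetches `Miniconda3-latest-Linux-${targetarch}.sh` unpinned and with no integrity check, then executes it as root, so the conda content of the image is whatever repo.anaconda.com serves at build time and a swapped installer would run unverified; the kubectl and minikube downloads in this file are unpinned too, but an executed installer is the riskiest case. Pin the release and verify the SHA256 Anaconda publishes for it, wired through bake args next to `CONDA_PATH`, as below. Separately, `dpkg-architecture --query DEB_TARGET_GNU_CPU` already reports `x86_64`/`aarch64`, so the `== "amd64"` rewrite appears to be dead and the declared `ARG TARGETARCH` is unused in this stage — confirm which value you meant to branch on. Quoting `-p "${CONDA_PATH}"` also keeps the install path intact should it ever contain spaces.
```dockerfile
# … unchanged: ARG FROM_VERSION, FROM buildpack-deps:${FROM_VERSION} as miniconda, ARG PATH_LOCAL_BINS …
ARG CONDA_PATH
ARG CONDA_VERSION
ARG CONDA_SHA256_X86_64
ARG CONDA_SHA256_AARCH64
SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
RUN targetarch="$(dpkg-architecture --query DEB_TARGET_GNU_CPU)" \
    && case "${targetarch}" in \
         x86_64)  expected="${CONDA_SHA256_X86_64}" ;; \
         aarch64) expected="${CONDA_SHA256_AARCH64}" ;; \
         *) echo "unsupported architecture: ${targetarch}" >&2; exit 1 ;; \
       esac \
    && curl -fsSL "https://repo.anaconda.com/miniconda/Miniconda3-${CONDA_VERSION}-Linux-${targetarch}.sh" \
        -o miniconda.sh \
    && echo "${expected}  miniconda.sh" | sha256sum -c - \
    && chmod +x miniconda.sh \
    && ./miniconda.sh -b -p "${CONDA_PATH}" \
    && rm miniconda.sh
```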
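Review bot: `printf "CONDA=%s"` in the new RUN writes no trailing newline, so the entry appended to `/etc/environment` has no line terminator and anything appended to that file afterwards is glued onto the same line, leaving both entries unreadable to whatever parses it. Use `printf "CONDA=%s\n" "${CONDA_PATH}" | tee -a /etc/environment \`. The rest of this stage lies outside the hunk, so whether a later step also appends to `/etc/environment` is not visible here.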