From 6a28b9b76a6630f07ee5193eb9c22218fc403615 Mon Sep 17 00:00:00 2001 From: Luchesar ILIEV Date: Thu, 5 Dec 2024 12:37:58 +0200 Subject: [PATCH] ops updates, fixes, dependabot config --- .github/dependabot.yml | 19 ++++++++++++ .github/workflows/docker-publish.yml | 45 +++++++++++++++++----------- Dockerfile | 12 +------- 3 files changed, 48 insertions(+), 28 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c635641 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,19 @@ +--- +version: 2 +updates: + + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + assignees: + - "kerberizer" + + # Maintain dependencies for JS + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + assignees: + - "kerberizer" diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index f45a19a..d32bf8e 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -6,9 +6,11 @@ on: # yamllint disable-line rule:truthy branches: - main - develop - tags: - - v*.*.* - workflow_dispatch: + pull_request: + branches: + - main + - develop + workflow_dispatch: env: REGISTRY: ghcr.io @@ -27,15 +29,18 @@ jobs: id-token: write steps: + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.7 with: submodules: recursive # TODO: Temporary solution for using different backends. - name: Set up appropriate backend run: >- - if [[ '${{ github.ref }}' == 'refs/heads/main' ]]; then + if [[ '${{ github.event_name }}' == 'pull_request' ]]; then + api_url='https://api-test2.ramanchada.ideaconsult.net/template' + elif [[ '${{ github.ref }}' == 'refs/heads/main' ]]; then api_url="https://api.ramanchada.ideaconsult.net/template" elif [[ '${{ github.ref }}' == 'refs/heads/develop' ]]; then api_url='https://api-test.ramanchada.ideaconsult.net/template' @@ -49,19 +54,19 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.3.0 + uses: sigstore/cosign-installer@v3.7.0 with: - cosign-release: 'v2.2.3' + cosign-release: 'v2.4.1' # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + uses: docker/setup-buildx-action@v3.7.1 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@v3.3.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -71,12 +76,18 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@v5.6.1 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.description=Template Designer Service + org.opencontainers.image.licenses=MIT + org.opencontainers.image.title=template-designer + org.opencontainers.image.url=https://github.com/ideaconsult/templateforge/blob/main/README.md + org.opencontainers.image.vendor=IDEAconsult tags: | - type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'develop') }} - type=raw,value=stable,enable=${{ github.ref == format('refs/heads/{0}', 'main') }} + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/develop' }} + type=raw,value=stable,enable=${{ github.ref == 'refs/heads/main' }} type=ref,event=branch type=ref,event=tag type=ref,event=pr @@ -85,14 +96,14 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6.10.0 with: + cache-from: type=gha + cache-to: type=gha,mode=max context: . + labels: ${{ steps.meta.outputs.labels }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max # Sign the resulting Docker image digest except on PRs. # This will only write to the public Rekor transparency log when the Docker @@ -100,7 +111,7 @@ jobs: # transparency data even for private images, pass --force to cosign below. # https://github.com/sigstore/cosign - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} + if: github.event_name != 'pull_request' env: # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable TAGS: ${{ steps.meta.outputs.tags }} diff --git a/Dockerfile b/Dockerfile index c270187..63e699a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,17 +15,7 @@ RUN npm install #RUN npm run lint RUN npm run build-docker -FROM nginx:mainline -LABEL maintainer="Luchesar ILIEV " \ - org.opencontainers.image.created=$BUILD_DATE \ - org.opencontainers.image.description="Template Designer Service" \ - org.opencontainers.image.revision=$VCS_REF \ - org.opencontainers.image.schema-version="1.0" \ - org.opencontainers.image.source="https://github.com/ideaconsult/templateforge" \ - org.opencontainers.image.title="template-designer" \ - org.opencontainers.image.url="https://github.com/ideaconsult/templateforge/blob/main/README.md" \ - org.opencontainers.image.vendor="IDEAconsult" \ - org.opencontainers.image.version="latest" +FROM nginx:mainline COPY --from=requirements-stage /tmp/dist /usr/share/nginx/html