From df5827c36542b68cfef0344e9924393153435400 Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 22:12:39 -0800
Subject: [PATCH 1/9] Update GH actions

---
 .github/workflows/docker-publish.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f893dc9..dcae14f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -18,17 +18,17 @@ jobs:
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log into registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -38,7 +38,7 @@ jobs:
         id: vars
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           build-args: |
             azul_docker_pycharm_version=${{ env.azul_docker_pycharm_version }}

From ff804b66bb7241e5871fc27aa166a267f9cf9c98 Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 22:18:53 -0800
Subject: [PATCH 2/9] Only login to registry when user name is configured

---
 .github/workflows/docker-publish.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index dcae14f..aa2ddd2 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -27,7 +27,9 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Log into registry
-        if: github.event_name != 'pull_request'
+        if: >
+          github.event_name != 'pull_request'
+          && vars.DOCKERHUB_USERNAME
         uses: docker/login-action@v3
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}

From be84e9cf91ce0fc8493a98761f47e68962df6c51 Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 22:55:23 -0800
Subject: [PATCH 3/9] Stop deriving PyCharm version from branch name

---
 .github/workflows/docker-publish.yml | 8 +++-----
 Dockerfile | 10 +++++-----
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index aa2ddd2..996d429 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -8,6 +8,7 @@ on:
 
 env:
   azul_docker_pycharm_version: 4 # increment this to update the OS packages
+  PYCHARM_VERSION: 2023.2.3
 
 jobs:
   build:
@@ -35,16 +36,13 @@ jobs:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-      - name: Get the current branch name
-        run: echo "::set-output name=branch::${GITHUB_REF#refs/heads/}"
-        id: vars
-
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           build-args: |
             azul_docker_pycharm_version=${{ env.azul_docker_pycharm_version }}
+            PYCHARM_VERSION=${{ env.PYCHARM_VERSION }}
           context: .
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ vars.DOCKERHUB_REPOSITORY }}:${{ steps.vars.outputs.branch }}-${{ env.azul_docker_pycharm_version }}
+          tags: ${{ vars.DOCKERHUB_REPOSITORY }}:${{ env.PYCHARM_VERSION }}-${{ env.azul_docker_pycharm_version }}
diff --git a/Dockerfile b/Dockerfile
index f40de1b..74ebf8b 100644
--- a/Dockerfile
+++ b/Dockerfile
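Review bot: The new `if: >` folded scalar keeps a trailing newline in the expression; `if: >-` is the conventional form for a multi-line expression and is evaluated identically. Skipping the login when `vars.DOCKERHUB_USERNAME` is unset only half-decouples the job, because the build step (context in the next hunk on this page) still has `push: ${{ github.event_name != 'pull_request' }}`, so a push event in a repository without the variable now fails at the push step instead of at login. That is presumably what the local-registry flow added in the last patch relies on, and a comment above the step such as `# no login when no credentials are configured, e.g. when pushing to the local registry driven by the Makefile` would record it.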
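Review bot: `PYCHARM_VERSION: 2023.2.3` in the `env:` hunk is a string only because it has two dots; a future value such as `2024.10` would be parsed as the float `2024.1` and silently alter both the download URL and the image tag that `tags:` builds from it. Quote it as `PYCHARM_VERSION: "2023.2.3"` so the intent survives the next bump. The same applies to `azul_docker_pycharm_version: 4`, which is only ever interpolated as text.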
@@ -18,18 +18,16 @@ RUN \
     && rm -rf /var/lib/apt/lists/* \
     && useradd -ms /bin/bash developer
 
-ARG PYCHARM_VERSION=2022.3.3
-ARG PYCHARM_BUILD=2022.3.3
-
-ARG pycharm_local_dir=.PyCharmCE${PYCHARM_VERSION}
 
 WORKDIR /opt/pycharm
 
 SHELL ["/bin/bash", "-c"]
 
+ARG PYCHARM_VERSION
+
 RUN set -o pipefail \
     && export pycharm_arch=$(python3 -c "print(dict(amd64='',arm64='-aarch64')['${TARGETARCH}'])") \
-    && export pycharm_source="https://download.jetbrains.com/python/pycharm-community-${PYCHARM_BUILD}${pycharm_arch}.tar.gz" \
+    && export pycharm_source="https://download.jetbrains.com/python/pycharm-community-${PYCHARM_VERSION}${pycharm_arch}.tar.gz" \
     && echo "Downloading ${pycharm_source}" \
     && curl -fsSL "${pycharm_source}" -o installer.tgz \
     && tar --strip-components=1 -xzf installer.tgz \
@@ -38,6 +36,8 @@ RUN set -o pipefail \
 USER developer
 ENV HOME /home/developer
 
+ARG pycharm_local_dir=.PyCharmCE${PYCHARM_VERSION}
+
 RUN mkdir /home/developer/.PyCharm \
     && ln -sf /home/developer/.PyCharm "/home/developer/$pycharm_local_dir"

From 48dfaafae436880da1c03509f0d151af451806b1 Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 22:59:06 -0800
Subject: [PATCH 4/9] Move user creation to separate command in Dockerfile

---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 74ebf8b..1c309a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,9 +15,7 @@ RUN \
         gcc git openssh-client less curl \
         libxtst-dev libxext-dev libxrender-dev libfreetype6-dev \
         libfontconfig1 libgtk2.0-0 libxslt1.1 libxxf86vm1 \
-    && rm -rf /var/lib/apt/lists/* \
-    && useradd -ms /bin/bash developer
-
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /opt/pycharm
@@ -33,6 +31,8 @@ RUN set -o pipefail \
     && tar --strip-components=1 -xzf installer.tgz \
     && rm installer.tgz
 
+RUN useradd -ms /bin/bash developer
+
 USER developer
 ENV HOME /home/developer

From beeaa05d47772d7deb2e74c19428867748bcbe4f Mon Sep 17 00:00:00 2001
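Review bot: The `curl -fsSL "${pycharm_source}" -o installer.tgz` download re-pointed at `${PYCHARM_VERSION}` here is still extracted with no integrity check, so the image content depends entirely on transport security to download.jetbrains.com and on whatever is served there at build time. With the version now pinned in one place, the tarball digest can be pinned next to it: one expected SHA-256 per `${TARGETARCH}` (the amd64 and aarch64 archives differ), selected the same way `pycharm_arch` is and verified with `sha256sum -c` before `tar`; JetBrains publishes a `.sha256` file next to each archive, which is where the expected values would come from. `ARG PYCHARM_VERSION` also now has no default, so a build without the build arg produces the URL `.../pycharm-community.tar.gz` and only fails at `curl`; a `test -n "${PYCHARM_VERSION}"` at the top of the `RUN` fails fast instead. The `RUN` block continues past the end of the hunk.

```dockerfile
ARG PYCHARM_VERSION
# Expected SHA-256 of the PyCharm tarball per architecture; take the values
# from the .sha256 file published next to each archive (no defaults on purpose).
ARG PYCHARM_SHA256_AMD64
ARG PYCHARM_SHA256_ARM64

RUN set -o pipefail \
    && test -n "${PYCHARM_VERSION}" \
    && export pycharm_arch=$(python3 -c "print(dict(amd64='',arn64='-aarch64')['${TARGETARCH}'])") \
    && export pycharm_sha256=$(python3 -c "print(dict(amd64='${PYCHARM_SHA256_AMD64}',arm64='${PYCHARM_SHA256_ARM64}')['${TARGETARCH}'])") \
    && export pycharm_source="https://download.jetbrains.com/python/pycharm-community-${PYCHARM_VERSION}${pycharm_arch}.tar.gz" \
    && echo "Downloading ${pycharm_source}" \
    && curl -fsSL "${pycharm_source}" -o installer.tgz \
    && echo "${pycharm_sha256}  installer.tgz" | sha256sum -c - \
    && tar --strip-components=1 -xzf installer.tgz \
    # … unchanged: rm installer.tgz …
```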
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 23:00:13 -0800
Subject: [PATCH 5/9] Remove maintainer of upstream fork

---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1c309a7..140a10c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,8 +2,7 @@ FROM --platform=${TARGETPLATFORM} debian:bullseye-20230502
 
 ARG TARGETARCH
 
-LABEL maintainer "Viktor Adam "
-LABEL maintainer "Azul Group "
+LABEL maintainer="Azul Group "
 
 ARG azul_docker_pycharm_version

From 77052f221848ea7f5d5d54147db8657998a0c25d Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 23:00:39 -0800
Subject: [PATCH 6/9] Upgrade base image

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 140a10c..fff7d08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=${TARGETPLATFORM} debian:bullseye-20230502
+FROM --platform=${TARGETPLATFORM} debian:bullseye-20231030
 
 ARG TARGETARCH

From 2545dcbe041c204cc01cf4a71bb62a2bf2a69b60 Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 23:01:23 -0800
Subject: [PATCH 7/9] Fix CVEs by removing cruft

---
 Dockerfile | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index fff7d08..8e000ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,8 +10,8 @@ RUN \
     apt-get update \
     && apt-get upgrade -y \
     && apt-get install --no-install-recommends -y \
-        python3 python3-dev python3-setuptools python3-pip \
-        gcc git openssh-client less curl \
+        python3 python3-dev \
+        gcc git openssh-client less curl ca-certificates \
         libxtst-dev libxext-dev libxrender-dev libfreetype6-dev \
         libfontconfig1 libgtk2.0-0 libxslt1.1 libxxf86vm1 \
     && rm -rf /var/lib/apt/lists/*
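Review bot: Dropping `python3-setuptools python3-pip` from the `apt-get install` list leaves the README contradicting the image: its existing sentence telling users to open a shell in the container and install packages with **pip** (visible as context in the README hunk of the last patch) now describes a tool that is not installed. Either keep `python3-pip` or amend that sentence, and record the decision on the package line, e.g. `# no pip/setuptools on purpose: not needed in this image` (adjust the reason if the subject line's CVE motivation is the actual one). Adding `ca-certificates` next to `curl` is the right change for the HTTPS download further down. The `RUN` block begins and ends outside this hunk.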
@@ -30,6 +30,15 @@ RUN set -o pipefail \
     && tar --strip-components=1 -xzf installer.tgz \
     && rm installer.tgz
 
+# CVE-2021-23383 CVE-2021-23369 CVE-2019-19919 GHSA-q42p-pg8m-cqh6
+# GHSA-q2c6-c6pm-g3gh GHSA-g9r4-xpmj-mj65 GHSA-2cf5-4w76-r9qv CVE-2019-20920
+# GHSA-h6ch-v84p-w6p9⁠ CVE-2020-7712⁠
+RUN rm -rf /opt/pycharm/plugins/textmate
+
+# CVE-2023-24539 CVE-2023-24540 CVE-2023-29400 CVE-2023-29403 CVE-2023-39325
+# CVE-2023-44487 CVE-2021-21353⁠
+RUN rm /opt/pycharm/bin/repair
+
 RUN useradd -ms /bin/bash developer
 
 USER developer

From 0c80633a2c748f3fbd7993bf4a5df08c463563bd Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 23:02:31 -0800
Subject: [PATCH 8/9] Update OS packages

---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 996d429..1f85d47 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -7,7 +7,7 @@ on:
   pull_request:
 
 env:
-  azul_docker_pycharm_version: 4 # increment this to update the OS packages
+  azul_docker_pycharm_version: 5 # increment this to update the OS packages
   PYCHARM_VERSION: 2023.2.3
 
 jobs:

From fd02f3a5d95bf81002f44fc4d654e72f4fe2a6a5 Mon Sep 17 00:00:00 2001
From: Hannes Schmidt
Date: Mon, 6 Nov 2023 23:03:10 -0800
Subject: [PATCH 9/9] Add ability to build images locally

---
 Makefile | 24 ++++++++++++++++++++++++
 README.md | 19 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 Makefile

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..c07f9a7
--- /dev/null
+++ b/Makefile
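Review bot: The comment lines ending in `CVE-2020-7712` and `CVE-2021-21353`, and the identifier `GHSA-h6ch-v84p-w6p9` before them, carry invisible U+2060 WORD JOINER characters stuck to the end of those three identifiers, presumably pasted in together with the advisory list; they do not affect the build but defeat a plain text search for those IDs, so strip them. The identifiers alone also do not say what is being removed or why it is dispensable; a one-line note per `RUN rm` naming the component (the `plugins/textmate` plugin directory and the `bin/repair` binary) and stating that the image does not need it would let a future reader judge whether the removal still applies after the next PyCharm upgrade. Note too that `rm` in a separate layer hides the files from the final filesystem but not from the image's layer history; scanners that examine only the merged filesystem will report them gone while the bytes still ship with the image, so if that matters the removals belong in the same `RUN` as the `tar` extraction, which ends just above this hunk.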
@@ -0,0 +1,24 @@
+SHELL=/bin/bash
+registry_port=5000
+
+all:
+
+start_registry:
+	docker run \
+	    --rm \
+	    --detach \
+	    --publish $(registry_port):5000 \
+	    --name registry registry:2.7
+
+check_registry:
+	@curl --fail http://localhost:$(registry_port)/ \
+	    || { echo "Run 'make start_registry' first" ; false ; }
+
+images: check_registry
+	DOCKER_HOST=$$(docker context inspect --format '{{.Endpoints.docker.Host}}') \
+	act \
+	    --var DOCKERHUB_REPOSITORY="localhost:$(registry_port)/docker.io/ucscgi/azul-pycharm" \
+	    push
+
+stop_registry:
+	docker stop registry
diff --git a/README.md b/README.md
index 7b9ecd8..d3ef937 100644
--- a/README.md
+++ b/README.md
@@ -24,3 +24,22 @@ Project folders need to be mounted like `-v ~/Project:/home/developer/Project`.
 The actual name can be anything - I used something random to be able to start multiple instances if needed.
 
 To use `pip`, either use the terminal in PyCharm or install from the terminal from inside the container like `docker exec -it pycharm-running bash` then install using **pip**.
+
+### Azul Notes
+
+Changes can be tested locally. You would need `make`, `curl`, Docker Desktop and
+[act](https://github.com/nektos/act). For example:
+
+```
+brew install act
+act # the first invocation is to interactively configure `act`
+make start_registry
+make images
+# scroll up in terminal output, note image name
+# | "image.name": "localhost:5000/docker.io/ucscgi/azul-pycharm:2023.2.3-5"
+docker pull localhost:5000/docker.io/ucscgi/azul-pycharm:2023.2.3-5
+# You could now examine the image for vulnerabilities in Docker Desktop and/or
+# test the image in Azul:
+cd ../azul; azul_docker_pycharm_version=2023.2.3-5 azul_docker_registry=localhost:5000/ make format
+make stop_registry
+```
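Review bot: `--publish $(registry_port):5000` in `start_registry` binds on all interfaces by default, so while the registry is up it is reachable from the local network as an unauthenticated registry that accepts pushes; `check_registry` and the README only ever address `localhost`, so bind to match: `--publish 127.0.0.1:$(registry_port):5000 \`. `registry:2.7` is a mutable tag, and pinning it by digest would make the local test setup reproducible. The `images` target intentionally does not depend on `start_registry` (the `check_registry` message tells the user to run it), and a comment saying so next to `images:`, plus one explaining why `DOCKER_HOST` is taken from `docker context inspect` (presumably so `act` can reach the Docker Desktop socket), would spare the next reader the archaeology. The empty `all:` target is likewise undocumented; `# default target does nothing: image builds are explicit via 'make images'` would do.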