Change alpine version + Fix CVE-2023-42364,CVE-2023-42364

LawiK974 · Jun 13, 2024 · 8db70ec · 8db70ec
1 parent 7bb742e
commit 8db70ec
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 10 deletions.
diff --git a/.github/workflows/github-actions-docker-tags.yml b/.github/workflows/github-actions-docker-tags.yml
@@ -23,6 +23,8 @@ jobs:
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
+          build-args: |
+            TAG=${{github.ref_name}}
           context: .
           platforms: linux/amd64,linux/arm64
           push: true

diff --git a/.github/workflows/github-actions-docker.yml b/.github/workflows/github-actions-docker.yml
@@ -23,6 +23,8 @@ jobs:
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
+          build-args: |
+            TAG=${{github.ref_name}}
           context: .
           platforms: linux/amd64,linux/arm64
           push: true

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -31,7 +31,7 @@ jobs:
 
       - name: Build an image from Dockerfile
         run: |
-          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+          docker build --build-arg TAG=${{ github.sha }} -t docker.io/my-organization/my-app:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe

diff --git a/Dockerfile b/Dockerfile
@@ -1,21 +1,29 @@
 # Stage 1: Builder stage where the package is built using Poetry
-FROM python:3.12-alpine as builder
+FROM python:alpine3.20 as builder
 
 WORKDIR /app
-RUN apk add gcc libc-dev libffi-dev
-RUN pip install poetry
+ARG TAG
+RUN apk update \
+    # Install poetry dependencies
+    && apk add gcc libc-dev libffi-dev \
+    # Fix CVE-2023-42364
+    && apk upgrade busybox \
+    # Clean cache
+    && apk cache clean
+RUN pip install poetry==1.8.3
 COPY . /app
 # Disable virtual env creation by poetry, it's not needed in Docker
 RUN poetry config virtualenvs.create false
 # Install dependencies only (to improve caching)
-RUN poetry install --no-root --no-dev
+RUN poetry install --no-root --only main
 # Build the package (this creates the package wheel)
-RUN poetry build
+RUN poetry version $TAG && poetry build
 
 # Stage 2: Lightweight production stage with minimal footprint
-FROM python:3.12-alpine as production
+FROM python:alpine3.20 as production
 WORKDIR /app
-COPY --from=builder /app/dist/*.whl /app/
-RUN pip install --no-cache-dir /app/*.whl
+ARG TAG
+COPY --from=builder /app/dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl && rm -rf /tmp/*.whl
 ENV PYTHONUNBUFFERED=1
 CMD ["kube-notify", "--config", "/app/config.yaml", "--inCluster"]
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "kube-notify"
-version = "0.1.1"
+version = "0"
 description = "A simple python app to relay k8s events to gotify"
 authors = ["wikle <loic97429@gmail.com>"]
 license = "MIT"