From 8db70ec91d6bb895844d80a426a68b2014412126 Mon Sep 17 00:00:00 2001
From: lawik974
Date: Thu, 13 Jun 2024 21:10:33 +0200
Subject: [PATCH] Change alpine version + Fix CVE-2023-42364,CVE-2023-42364
---
.../workflows/github-actions-docker-tags.yml | 2 ++
.github/workflows/github-actions-docker.yml | 2 ++
.github/workflows/trivy.yml | 2 +-
Dockerfile | 24 ++++++++++++-------
pyproject.toml | 2 +-
5 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/github-actions-docker-tags.yml b/.github/workflows/github-actions-docker-tags.yml
index d65633d..77ef9ff 100644
--- a/.github/workflows/github-actions-docker-tags.yml
+++ b/.github/workflows/github-actions-docker-tags.yml
@@ -23,6 +23,8 @@ jobs: - name: Build and push
uses: docker/build-push-action@v5
with:
+ build-args: | TAG=${{github.ref_name}}
context: .
platforms: linux/amd64,linux/arm64
push: true
diff --git a/.github/workflows/github-actions-docker.yml b/.github/workflows/github-actions-docker.yml
index 585d05c..9d41d1c 100644
--- a/.github/workflows/github-actions-docker.yml
+++ b/.github/workflows/github-actions-docker.yml
@@ -23,6 +23,8 @@ jobs: - name: Build and push
uses: docker/build-push-action@v5
with:
+ build-args: | TAG=${{github.ref_name}}
context: .
platforms: linux/amd64,linux/arm64
push: true
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index ad9aefb..c155ae5 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -31,7 +31,7 @@ jobs: - name: Build an image from Dockerfile
run: |
- docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+ docker build --build-arg TAG=${{ github.sha }} -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
diff --git a/Dockerfile b/Dockerfile
index 2622653..fbe301c 100644
--- a/Dockerfile
+++ b/Dockerfile
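Review bot: The `TAG` build arg introduced in the `build-args` block ends up in the Dockerfile as `poetry version $TAG`, and as far as I can tell Poetry parses that argument as a PEP 440 version (or one of its bump keywords) and errors on anything else, so `${{github.ref_name}}` works for a tag such as v0.1.2 but would likely fail the build for a branch name, and the `TAG=${{ github.sha }}` added in .github/workflows/trivy.yml would fail the same way because a commit SHA is not a valid version. The .github/workflows/github-actions-docker.yml hunk carries the identical `build-args` change, so the same applies there. If the intent is only to stamp release builds, pass an empty value for non-release refs (the Dockerfile then runs a bare `poetry version`, which just prints the current version), for example `TAG=${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || '' }}`, and drop the `--build-arg` from the Trivy build entirely.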
@@ -1,21 +1,29 @@
# Stage 1: Builder stage where the package is built using Poetry
-FROM python:3.12-alpine as builder
+FROM python:alpine3.20 as builder
WORKDIR /app
-RUN apk add gcc libc-dev libffi-dev
-RUN pip install poetry
+ARG TAG
+RUN apk update \
+ # Install poetry dependencies
+ && apk add gcc libc-dev libffi-dev \
+ # Fix CVE-2023-42364
+ && apk upgrade busybox \
+ # Clean cache
+ && apk cache clean
+RUN pip install poetry==1.8.3
COPY . /app
# Disable virtual env creation by poetry, it's not needed in Docker
RUN poetry config virtualenvs.create false
# Install dependencies only (to improve caching)
-RUN poetry install --no-root --no-dev
+RUN poetry install --no-root --only main
# Build the package (this creates the package wheel)
-RUN poetry build
+RUN poetry version $TAG && poetry build
# Stage 2: Lightweight production stage with minimal footprint
-FROM python:3.12-alpine as production
+FROM python:alpine3.20 as production
WORKDIR /app
-COPY --from=builder /app/dist/*.whl /app/
-RUN pip install --no-cache-dir /app/*.whl
+ARG TAG
+COPY --from=builder /app/dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl && rm -rf /tmp/*.whl
ENV PYTHONUNBUFFERED=1
CMD ["kube-notify", "--config", "/app/config.yaml", "--inCluster"]
diff --git a/pyproject.toml b/pyproject.toml
index abcf57a..419d0b3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
[tool.poetry]
name = "kube-notify"
-version = "0.1.1"
+version = "0"
description = "A simple python app to relay k8s events to gotify"
authors = ["wikle "]
license = "MIT"
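Review bot: The `apk upgrade busybox` meant to address CVE-2023-42364 runs only in the builder stage, whose layers are discarded; the production stage starts again from the untouched `python:alpine3.20` base, so the final image — the one the Trivy job scans — still carries whatever busybox the base ships unless that tag already contains the fix. Repeat the upgrade after the production `FROM` (e.g. `RUN apk upgrade --no-cache busybox`) or make the CVE fix a base-image bump, otherwise the hunk's own `# Fix CVE-2023-42364` comment is not true for the shipped image. `FROM python:alpine3.20` also drops the interpreter pin that `python:3.12-alpine` had, so the Python version now floats with the Alpine tag; `python:3.12-alpine3.20` pins both. `apk cache clean` looks wrong on this base: the official image has no package cache configured, so I would expect it to fail with "Package cache is not enabled" (or at best do nothing) rather than remove the index that `apk update` wrote under /var/cache/apk, and `apk add --no-cache gcc libc-dev libffi-dev` plus `apk upgrade --no-cache busybox` sidesteps both the separate update and the cleanup. The `ARG TAG` redeclared in the production stage is not referenced there and can go, and while this stage is being touched it is worth noting it still has no `USER`, so the service runs as root.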