Change alpine version + Fix CVE-2023-42364,CVE-2023-42364

LawiK974 · Jun 13, 2024 · cfa397e · cfa397e
1 parent 7bb742e
commit cfa397e
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 9 deletions.
diff --git a/.github/workflows/github-actions-docker-tags.yml b/.github/workflows/github-actions-docker-tags.yml
@@ -11,6 +11,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-tags: true
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx

diff --git a/.github/workflows/github-actions-docker.yml b/.github/workflows/github-actions-docker.yml
@@ -11,6 +11,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-tags: true
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -27,7 +27,9 @@ jobs:
     runs-on: "ubuntu-20.04"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
 
       - name: Build an image from Dockerfile
         run: |

diff --git a/Dockerfile b/Dockerfile
@@ -1,21 +1,29 @@
 # Stage 1: Builder stage where the package is built using Poetry
-FROM python:3.12-alpine as builder
+FROM python:alpine3.20 as builder
 
 WORKDIR /app
-RUN apk add gcc libc-dev libffi-dev
-RUN pip install poetry
+RUN apk update \
+    # Install poetry dependencies
+    && apk add gcc libc-dev libffi-dev git \
+    # Fix CVE-2023-42364
+    && apk upgrade busybox \
+    # Clean cache
+    && apk cache clean
+RUN pip install poetry==1.8.3
 COPY . /app
 # Disable virtual env creation by poetry, it's not needed in Docker
 RUN poetry config virtualenvs.create false
+# Install poetry version plugin see https://github.com/tiangolo/poetry-version-plugin
+RUN poetry self add poetry-version-plugin==0.2.0
 # Install dependencies only (to improve caching)
-RUN poetry install --no-root --no-dev
+RUN poetry install --no-root --only main
 # Build the package (this creates the package wheel)
 RUN poetry build
 
 # Stage 2: Lightweight production stage with minimal footprint
-FROM python:3.12-alpine as production
+FROM python:alpine3.20 as production
 WORKDIR /app
-COPY --from=builder /app/dist/*.whl /app/
-RUN pip install --no-cache-dir /app/*.whl
+COPY --from=builder /app/dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl && rm -rf /tmp/*.whl
 ENV PYTHONUNBUFFERED=1
 CMD ["kube-notify", "--config", "/app/config.yaml", "--inCluster"]
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "kube-notify"
-version = "0.1.1"
+version = "0"
 description = "A simple python app to relay k8s events to gotify"
 authors = ["wikle <loic97429@gmail.com>"]
 license = "MIT"
@@ -28,3 +28,7 @@ pytest-mock = "^3.14.0"
 [build-system]
 requires = ["poetry-core>=1.0.0"]
 build-backend = "poetry.core.masonry.api"
+
+
+[tool.poetry-version-plugin]
+source = "git-tag"