Change alpine version + Fix CVE-2023-4236{4,5}

.github/workflows/github-actions-docker-tags.yml

@@ -11,6 +11,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx

.github/workflows/github-actions-docker.yml

@@ -11,6 +11,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx

.github/workflows/trivy.yml

@@ -27,18 +27,20 @@ jobs:
     runs-on: "ubuntu-20.04"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
 
       - name: Build an image from Dockerfile
         run: |
           docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        uses: aquasecurity/trivy-action@0.22.0
         with:
           image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
+          format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
 

.gitignore

@@ -1,3 +1,4 @@
 config.yaml
 *__pycache__*
 *.dat
+dist/

Dockerfile

@@ -1,21 +1,29 @@
 # Stage 1: Builder stage where the package is built using Poetry
-FROM python:3.12-alpine as builder
+FROM python:alpine3.20 as builder
 
 WORKDIR /app
-RUN apk add gcc libc-dev libffi-dev
-RUN pip install poetry
+RUN apk update \
+    # Install poetry dependencies
+    && apk add gcc libc-dev libffi-dev git \
+    # Fix CVE-2023-42364
+    && apk upgrade busybox \
+    # Clean cache
+    && apk cache clean
+RUN pip install poetry==1.8.3
 COPY . /app
 # Disable virtual env creation by poetry, it's not needed in Docker
 RUN poetry config virtualenvs.create false
+# Install poetry version plugin see https://github.com/tiangolo/poetry-version-plugin
+RUN poetry self add "poetry-dynamic-versioning[plugin]==v1.3.0"
 # Install dependencies only (to improve caching)
-RUN poetry install --no-root --no-dev
+RUN poetry install --no-root --only main
 # Build the package (this creates the package wheel)
 RUN poetry build
 
 # Stage 2: Lightweight production stage with minimal footprint
-FROM python:3.12-alpine as production
+FROM python:alpine3.20 as production
 WORKDIR /app
-COPY --from=builder /app/dist/*.whl /app/
-RUN pip install --no-cache-dir /app/*.whl
+COPY --from=builder /app/dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl && rm -rf /tmp/*.whl
 ENV PYTHONUNBUFFERED=1
 CMD ["kube-notify", "--config", "/app/config.yaml", "--inCluster"]

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "kube-notify"
-version = "0.1.1"
+version = "0"
 description = "A simple python app to relay k8s events to gotify"
 authors = ["wikle <loic97429@gmail.com>"]
 license = "MIT"
@@ -28,3 +28,6 @@ pytest-mock = "^3.14.0"
 [build-system]
 requires = ["poetry-core>=1.0.0"]
 build-backend = "poetry.core.masonry.api"
+
+[tool.poetry-dynamic-versioning]
+enable = true