diff --git a/.github/drafts/docker.yaml b/.github/drafts/docker.yaml new file mode 100644 index 0000000..2bbb993 --- /dev/null +++ b/.github/drafts/docker.yaml @@ -0,0 +1,51 @@ +name: Docker + +on: + push: + branches: + - main + - latest + tags: + - 'v*.*.*' + pull_request: + branches: + - main + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - + name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Checkout + uses: actions/checkout@v3 + - + name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - + name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + - + name: Build and push + uses: docker/build-push-action@v3 + with: + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/docker-manual.yaml b/.github/workflows/docker-manual.yaml new file mode 100644 index 0000000..b594ca4 --- /dev/null +++ b/.github/workflows/docker-manual.yaml 
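Review bot: This file lives under `.github/drafts/`, which GitHub Actions never executes, so the whole hunk is an inert copy of the old workflow that still references `actions/checkout@v3`, `docker/login-action@v2` and `docker/build-push-action@v3` while the live workflows in this same commit moved to v4/v3/v5. Keeping a stale, never-run workflow that logs in with `secrets.GITHUB_TOKEN` and pushes to ghcr.io invites someone to copy it back into `workflows/` later with the old action majors and no `permissions:` block. If it is meant as a reference template, say so at the top with `# NOTE: kept as a reference only — not executed; the live pipeline is .github/workflows/docker.yaml`; otherwise delete it rather than archive it.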
@@ -0,0 +1,73 @@ +name: Build and release image manually + +on: workflow_dispatch + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + CONTEXT: . + BRANCH: ${{ github.ref_name }} + DOCKERFILE_PATH: /ckan-mqa + DOCKERFILE: Dockerfile + +jobs: + docker: + name: manual/build-docker-push:${{ github.ref_name }} + runs-on: ubuntu-latest + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Check out code + uses: actions/checkout@v4 + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md + org.opencontainers.image.version=${{ env.BRANCH }} + + - name: Replace slashes in BRANCH to avoid errors + run: echo "BRANCH=${BRANCH////_}" >> $GITHUB_ENV + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + labels: ${{ steps.meta.outputs.labels }} + context: ${{ env.CONTEXT }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Linting Dockerfile with hadolint in GH Actions + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + no-fail: true + + - name: Run Trivy container image vulnerability scanner + uses: aquasecurity/trivy-action@0.17.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() 
+ with: + sarif_file: trivy-results.sarif \ No newline at end of file diff --git a/.github/workflows/docker-pr.yaml b/.github/workflows/docker-pr.yaml new file mode 100644 index 0000000..a1e147e --- /dev/null +++ b/.github/workflows/docker-pr.yaml @@ -0,0 +1,49 @@ +name: Test ckan-mqa images (PR) + +on: + pull_request: + branches: + - master + - 'ckan-mqa-*.*.*' + - '!dev/ckan-mqa-*.*.*' + - '!feature/*' + - '!fix/*' + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ckan-mqa + CONTEXT: . + BRANCH: ${{ github.head_ref }} + DOCKERFILE_PATH: /ckan-mqa + DOCKERFILE: Dockerfile + HADOLINT_VERSION: 2.12.0 + +jobs: + docker: + name: runner/test-ckan-mqa-pr:${{ github.head_ref }} + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Checkout + uses: actions/checkout@v4 + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Linting Dockerfiles and annotate code inline in the github PR viewer + id: hadolint + uses: jbergstroem/hadolint-gh-action@v1.12.2 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + version: ${{ env.HADOLINT_VERSION }} + annotate: true + error_level: -1 \ No newline at end of file diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index b0d3177..8e5c167 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml 
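Review bot: The `docker` job in docker-manual.yaml declares no `permissions:` block, yet it logs in to ghcr.io with `secrets.GITHUB_TOKEN`, pushes with `push: true`, and then calls `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; whether that works depends entirely on the repository's default token setting, and when it does work the token carries far more than the job needs. Add at job level `permissions: { contents: read, packages: write, security-events: write }` so the grant is explicit and minimal. Separately, the step order is build-and-push, then hadolint with `no-fail: true`, then Trivy with no `exit-code` — so the image is already published before either scan runs and neither can stop it; if the scans are meant to gate the release, build with `load: true` and `push: false`, run Trivy with `exit-code: '1'`, and push in a final step only on success.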
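Review bot: The PR workflow in docker-pr.yaml never builds or scans the image: after the QEMU, Buildx, checkout and `metadata-action` steps (whose outputs are never consumed) the only remaining step is hadolint with `error_level: -1`, so nothing in this job can fail, and the first real build of a change is the post-merge `push: true` in docker.yaml. A Dockerfile that does not build, or a base image with a known critical CVE, is therefore discovered only after it has been published to ghcr.io. Adding a no-push build plus a blocking Trivy scan before the hadolint step turns this into an actual gate and makes the unused setup steps meaningful; the tag below is local only since `push: false`.
```yaml
      # … unchanged: setup-qemu / setup-buildx / checkout / metadata steps …
      - name: Build image (no push)
        uses: docker/build-push-action@v5
        with:
          push: false
          load: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}
          context: ${{ env.CONTEXT }}
          file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}

      - name: Scan image with Trivy (block on HIGH/CRITICAL)
        uses: aquasecurity/trivy-action@0.17.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}
          exit-code: '1'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true

      # … unchanged: hadolint step …
```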
@@ -1,51 +1,83 @@ -name: Docker - -on: - push: - branches: - - main - - latest - tags: - - 'v*.*.*' - pull_request: - branches: - - main - -env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} - -jobs: - docker: - runs-on: ubuntu-latest - steps: - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Checkout - uses: actions/checkout@v3 - - - name: Login to registry - if: github.event_name != 'pull_request' - uses: docker/login-action@v2 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v4 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - - name: Build and push - uses: docker/build-push-action@v3 - with: - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} +name: Build and push ckan-mqa image from PR Merge + +on: + pull_request: + types: + - closed + branches: + - master + - 'ckan-mqa-*.*.*' + - '!dev/ckan-mqa-*.*.*' + - '!feature/*' + - '!fix/*' + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + CONTEXT: . 
+ BRANCH: ${{ github.head_ref }} + DOCKERFILE_PATH: /ckan-mqa + DOCKERFILE: Dockerfile + +jobs: + docker: + name: runner/build-docker-push:${{ github.head_ref }} + runs-on: ubuntu-latest + if: github.event.pull_request.merged == true + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Check out code + uses: actions/checkout@v4 + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + labels: | + org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md + org.opencontainers.image.version=${{ env.BRANCH }} + + - name: Replace slashes in BRANCH to avoid errors + run: echo "BRANCH=${BRANCH////_}" >> $GITHUB_ENV + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ghcr.io/${{ github.repository }}:${{ github.head_ref }} + labels: ${{ steps.meta.outputs.labels }} + context: ${{ env.CONTEXT }} + file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + + - name: Linting Dockerfile with hadolint in GH Actions + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }} + no-fail: true + + - name: Run Trivy container image vulnerability scanner + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }} + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: trivy-results.sarif \ No newline at end of file 
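Review bot: The "Build and push" step in docker.yaml tags with the raw branch name, `tags: ghcr.io/${{ github.repository }}:${{ github.head_ref }}`, even though the preceding "Replace slashes in BRANCH" step exists precisely to produce a tag-safe `env.BRANCH`; any head branch containing `/` that passes the filter (`feature/*`, `fix/*` and `dev/ckan-mqa-*` are excluded, but e.g. `release/1.2` is not) yields an invalid Docker tag, and the later Trivy `image-ref` uses the sanitized `${{ env.BRANCH }}`, so it would scan a tag that was never pushed. Use the same reference everywhere, as docker-manual.yaml already does: `tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}`. Note also that a `pull_request` event from a fork runs with a read-only `GITHUB_TOKEN` even on the `closed`/merged event, so if contributions arrive via forks this push will fail; a `push: branches: [master]` trigger is the usual shape for a post-merge publish. The two live workflows also pin different scanner versions (`trivy-action@0.12.0` here vs `0.17.0` in docker-manual.yaml); align them so both pipelines share one vulnerability database behaviour.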
diff --git a/Dockerfile b/ckan-mqa/Dockerfile similarity index 80% rename from Dockerfile rename to ckan-mqa/Dockerfile index f24f3a5..183a03a 100644 --- a/Dockerfile +++ b/ckan-mqa/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.11-slim +FROM python:3.13.0a3-slim LABEL maintainer="mnl.janez@gmail.com" ENV APP_DIR=/app @@ -17,11 +17,11 @@ RUN apt-get -q -y update && \ python3 -m pip install pdm WORKDIR ${APP_DIR} -COPY pyproject.toml pdm.lock . +COPY pyproject.toml pdm.lock ./ RUN pdm install --no-self --group prod -COPY ckan-mqa/entrypoint.sh entrypoint.sh -COPY ckan2mqa ckan2mqa +COPY ckan-mqa/docker-entrypoint.d/entrypoint.sh entrypoint.sh +COPY ./ckan2mqa /ckan2mqa ENTRYPOINT ["/bin/bash", "./entrypoint.sh"] \ No newline at end of file diff --git a/Dockerfile.dev b/ckan-mqa/Dockerfile.dev similarity index 76% rename from Dockerfile.dev rename to ckan-mqa/Dockerfile.dev index c206a4e..ac4dec0 100644 --- a/Dockerfile.dev +++ b/ckan-mqa/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM python:3.11-slim +FROM python:3.13.0a3-slim LABEL maintainer="mnl.janez@gmail.com" ENV APP_DIR=/app @@ -17,15 +17,15 @@ RUN apt-get -q -y update && \ python3 -m pip install pdm debugpy WORKDIR ${APP_DIR} -COPY pyproject.toml pdm.lock . +COPY pyproject.toml pdm.lock ./ RUN pdm install --no-self --group prod -COPY ckan-mqa/entrypoint_dev.sh entrypoint.sh -COPY ckan2mqa ckan2mqa +COPY ckan-mqa/docker-entrypoint.d/entrypoint_dev.sh entrypoint.sh +COPY ./ckan2mqa /ckan2mqa EXPOSE 5678/TCP # Set entrypoint with debugpy -ENTRYPOINT ["python3", "-m", "debugpy", "--listen", "0.0.0.0:5678", "--wait-for-client", "./entrypoint_dev.sh"] +ENTRYPOINT ["python3", "-m", "debugpy", "--listen", "0.0.0.0:5678", "--wait-for-client", "./ckan-mqa/docker-entrypoint.d/entrypoint_dev.sh"] CMD ["tail", "-f", "/dev/null"] \ No newline at end of file 
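Review bot: The base image change in the first hunk, `FROM python:3.13.0a3-slim`, pins the production image to a specific CPython pre-release alpha (the same pin is made in Dockerfile.dev); alpha builds carry no security-fix guarantee, and because the tag is a fixed alpha rather than a floating minor it will never pick up the later alphas, betas or the final 3.13.0 — the image freezes on whatever CVEs that snapshot has. Unless something in `pdm.lock` genuinely requires 3.13 (nothing visible in this diff does), stay on a supported release line, e.g. `FROM python:3.12-slim`, and let the minor tag float so rebuilds pull patch fixes.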
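Review bot: In the second Dockerfile hunk the application source moves from a path relative to `WORKDIR ${APP_DIR}` (`COPY ckan2mqa ckan2mqa`, i.e. `/app/ckan2mqa`) to the filesystem root, `COPY ./ckan2mqa /ckan2mqa`, while `entrypoint.sh` is still copied into `/app` and launched from there; nothing in this diff shows how the entrypoint locates the package, so this either relies on an absolute path or on the working directory in a way that is now split across two locations. Presumably `/app/ckan2mqa` was the intended destination — verify against `ckan-mqa/docker-entrypoint.d/entrypoint.sh`, and if the move is deliberate, document it inline with `# app code lives at /ckan2mqa (not under APP_DIR); entrypoint.sh expects this`.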
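Review bot: In the last Dockerfile.dev hunk the new `ENTRYPOINT` points debugpy at `./ckan-mqa/docker-entrypoint.d/entrypoint_dev.sh`, but the only copy of that script in the image is `COPY ckan-mqa/docker-entrypoint.d/entrypoint_dev.sh entrypoint.sh`, which lands at `/app/entrypoint.sh`; resolved against `WORKDIR /app` the entrypoint path does not exist in the built image, so the container will start only if docker-compose.dev.yml bind-mounts the source tree over `/app` (not visible in this diff — confirm). Either reference the file that is actually copied, `"./entrypoint.sh"`, or copy the script to the path the entrypoint names. Unrelated to this change but worth noting while the line is touched: `--listen 0.0.0.0:5678` exposes the debugger on all interfaces, so this image must never be run with that port published outside a trusted network.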
diff --git a/ckan-mqa/entrypoint.sh b/ckan-mqa/docker-entrypoint.d/entrypoint.sh similarity index 100% rename from ckan-mqa/entrypoint.sh rename to ckan-mqa/docker-entrypoint.d/entrypoint.sh diff --git a/ckan-mqa/entrypoint_dev.sh b/ckan-mqa/docker-entrypoint.d/entrypoint_dev.sh similarity index 100% rename from ckan-mqa/entrypoint_dev.sh rename to ckan-mqa/docker-entrypoint.d/entrypoint_dev.sh diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index e9735b1..d3b149e 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -4,7 +4,7 @@ services: container_name: ckan-mqa-dev build: context: . - dockerfile: Dockerfile.dev + dockerfile: ckan-mqa/Dockerfile.dev env_file: - .env logging: diff --git a/docker-compose.yml b/docker-compose.yml index 7e39db7..c9a6937 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: container_name: ckan-mqa build: context: . - dockerfile: Dockerfile + dockerfile: ckan-mqa/Dockerfile image: ghcr.io/mjanez/ckan-mqa:latest env_file: - .env diff --git a/log/mqa/README.md b/log/mqa/README.md index 5ccada8..63d5e85 100644 --- a/log/mqa/README.md +++ b/log/mqa/README.md @@ -1,2 +1,2 @@ # Log folder -This folder is used to store logs generated by `ckan2pycsw` script and `catalog.rdf` file downloaded from URL. Logs are essential for debugging and tracing the execution of the code. By keeping logs, you can track the behavior of your code over time, identify errors and performance issues, and improve the overall quality of your code. \ No newline at end of file +This folder is used to store logs generated by `ckan2pycsw` script and `catalog.rdf` file downloaded from `CKAN_CATALOG_URL`. Logs are essential for debugging and tracing the execution of the code. By keeping logs, you can track the behavior of your code over time, identify errors and performance issues, and improve the overall quality of your code. \ No newline at end of file