Merge pull request #20 from paul-gilber/container-structure-test

Container structure test
paul-gilber · Oct 30, 2023 · a965a97 · a965a97
2 parents 72dfec3 + 563bbfa
commit a965a97
Show file tree

Hide file tree

Showing 6 changed files with 106 additions and 4 deletions.
diff --git a/.github/actions/container-structure-test/Dockerfile b/.github/actions/container-structure-test/Dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.18
+
+# Get VERSION from: https://github.com/GoogleContainerTools/container-structure-test/releases
+ARG VERSION=latest
+
+RUN apk add --no-cache curl
+
+# Get command from: https://github.com/GoogleContainerTools/container-structure-test#linux
+RUN curl -LO https://storage.googleapis.com/container-structure-test/${VERSION}/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
diff --git a/.github/actions/container-structure-test/action.yml b/.github/actions/container-structure-test/action.yml
@@ -0,0 +1,25 @@
+---
+name: Container Structure Tests
+description: |
+  Container Structure Tests provide a powerful framework to validate the structure of a container image.
+  These tests can be used to check the output of commands in an image, as well as verify metadata and contents of the filesystem.
+  See https://github.com/GoogleContainerTools/container-structure-test
+  Note: This action does not pull remote images
+inputs:
+  image:
+    description: Container Image to test
+    required: true
+  configFile:
+    description: Path to Container Structure Test Configuration File
+    required: false
+    default: default-container-structure-test.yaml
+runs:
+  using: docker
+  image: Dockerfile
+  args:
+    - container-structure-test
+    - test
+    - --image
+    - ${{ inputs.image }}
+    - --config
+    - ${{ inputs.configFile }}
diff --git a/.github/actions/container-structure-test/default-container-structure-test.yaml b/.github/actions/container-structure-test/default-container-structure-test.yaml
@@ -0,0 +1,15 @@
+---
+# Run command:
+# > container-structure-test test --image demoapp-backend --config container-structure-test.yaml
+schemaVersion: 2.0.0
+
+metadataTest:
+  user: ''
+
+fileExistenceTests:
+  - name: Check Container structure test is installed
+    path: /usr/local/bin/container-structure-test
+    shouldExist: true
+    permissions: -rwxr-xr-x
+    uid: 0
+    gid: 0
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -32,6 +32,8 @@ gradle:
 container:
   # to any changes of any Containerfile within this repository
   - '**/Containerfile*'
+  # to any changes of any Dockerfile within this repository
+  - '**/Dockerfile*'
   # to any chages to container-structure-test.yaml file
   - container-structure-test.yaml
   # to any chages to compose.yaml or compose.yml file

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -80,6 +80,11 @@ jobs:
         run: |
           echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
 
+      # Set Complete Container Image URL
+      - name: Set CONTAINER_IMAGE_URL
+        run: |
+          echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.PROJECT }}:${{ env.VERSION }}" >> $GITHUB_ENV
+
       # Fail job when invalid builder is selected
       - name: Check BUILDER environment variable
         # if expression clarification: https://github.com/github/docs/blob/main/data/reusables/actions/expression-syntax-if.md
@@ -147,7 +152,7 @@ jobs:
           build-args: |
             "JAR_FILE=${{ env.PROJECT }}-${{ env.VERSION }}.jar"
           push: true
-          tags: ${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.PROJECT }}:${{ env.VERSION }}
+          tags: ${{ env.CONTAINER_IMAGE_URL }}    # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -158,9 +163,50 @@ jobs:
           context: .
           file: Containerfile.multistage
           push: true
-          tags: ${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.PROJECT }}:${{ env.VERSION }}
+          tags: ${{ env.CONTAINER_IMAGE_URL }}    # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
           cache-from: type=gha
           cache-to: type=gha,mode=max
+  container-structure-test:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: docker-hub    # Use `docker-hub` repository environment
+    steps:
+      # Workaround for the absence of github.branch_name
+      # Setting an environment variable: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable
+      - name: Set VERSION
+        if: github.head_ref != ''
+        run: |
+          echo "VERSION=${{ github.head_ref }}" >> $GITHUB_ENV
+      - name: Set VERSION
+        if: github.head_ref == ''
+        run: |
+          echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+
+      # Set Complete Container Image URL
+      - name: Set CONTAINER_IMAGE_URL
+        run: |
+          echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.PROJECT }}:${{ env.VERSION }}" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3    # https://github.com/marketplace/actions/docker-login
+        with:
+          registry: ${{ vars.DOCKER_REGISTRY_URL }}
+          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
+          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+      - name: Pull Container Image
+        # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
+        run: |
+          docker pull ${{ env.CONTAINER_IMAGE_URL }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4    # https://github.com/marketplace/actions/checkout
+
+      - name: Run Container Structure Test
+        uses: ./.github/actions/container-structure-test
+        with:
+          image: ${{ env.CONTAINER_IMAGE_URL }}    # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
+          configFile: ./container-structure-test.yaml
+
   scan:
     needs: build
     runs-on: ubuntu-latest
@@ -182,6 +228,11 @@ jobs:
         run: |
           echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
 
+      # Set Complete Container Image URL
+      - name: Set CONTAINER_IMAGE_URL
+        run: |
+          echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.PROJECT }}:${{ env.VERSION }}" >> $GITHUB_ENV
+
       - name: Checkout repository
         uses: actions/checkout@v4    # https://github.com/marketplace/actions/checkout
 
@@ -195,7 +246,7 @@ jobs:
       - name: Scan Image with Aqua Security Trivy
         uses: aquasecurity/trivy-action@0.13.0    # https://github.com/marketplace/actions/aqua-security-trivy
         with:
-          image-ref: ${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.PROJECT }}:${{ env.VERSION }}
+          image-ref: ${{ env.CONTAINER_IMAGE_URL }}    # CONTAINER_IMAGE_URL is defined in GITHUB_ENV
           vuln-type: 'os,library'
           severity: 'LOW,MEDIUM,HIGH,CRITICAL'
           scanners: 'vuln,secret,config'

diff --git a/Containerfile b/Containerfile
@@ -6,6 +6,6 @@ WORKDIR /app
 
 # Add the service itself
 ARG JAR_FILE
-COPY target/${JAR_FILE} demoapp-backend.jar
+COPY --chown=185:0 target/${JAR_FILE} demoapp-backend.jar
 
 CMD ["/usr/bin/java", "-jar", "/app/demoapp-backend.jar"]