From 5249a9ffe1df2834efacab1a9e46671940b3fff9 Mon Sep 17 00:00:00 2001
From: Taylor Mowat
Date: Tue, 17 Jun 2025 16:05:10 +0100
Subject: [PATCH 001/234] Improving Docker multi-stage builds and compose
---
 .dockerignore | 12 ++++++
 Dockerfile | 57 ++++++++++++++++++++++++----
 Dockerfile.contrast | 10 -----
 docker-compose-prod.yml | 29 +++++++++++++++
 docker-compose.yml | 82 ++++++++++++++++++++++++++++++++++-------
 5 files changed, 159 insertions(+), 31 deletions(-)
 create mode 100644 .dockerignore
 create mode 100644 docker-compose-prod.yml
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..ec9fdc41
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,12 @@
+# directories
+**/bin/
+**/obj/
+**/out/
+
+# files
+Dockerfile*
+**/*.trx
+**/*.md
+**/*.ps1
+**/*.cmd
+**/*.sh
diff --git a/Dockerfile b/Dockerfile
index 7372c927..5dc194e7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,23 @@
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS publish
+# MULTI STAGE BUILD
+# Build stage for building the Netflicks application and it's dependencies
+FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
 ARG TARGETARCH
+
 WORKDIR /src
+
+# Copy project files and restore dependencies (leveraging Docker layer caching)
+COPY *.sln .
+COPY DotNetFlicks.Accessors/*.csproj ./DotNetFlicks.Accessors/
+COPY DotNetFlicks.Common/*.csproj ./DotNetFlicks.Common/
+COPY DotNetFlicks.Engines/*.csproj ./DotNetFlicks.Engines/
+COPY DotNetFlicks.Managers/*.csproj ./DotNetFlicks.Managers/
+COPY DotNetFlicks.ViewModels/*.csproj ./DotNetFlicks.ViewModels/
+COPY DotNetFlicks.Web/*.csproj ./DotNetFlicks.Web/
+
+# RUN dotnet restore "DotNetFlicks.Web/Web.csproj" --arch $TARGETARCH
+RUN dotnet restore "DotNetFlicks.Web/Web.csproj" /p:Platform=$TARGETARCH
+
+# Copy the rest of the source code and build
 COPY ./DotNetFlicks.Accessors ./DotNetFlicks.Accessors
 COPY ./DotNetFlicks.Common ./DotNetFlicks.Common
 COPY ./DotNetFlicks.Engines ./DotNetFlicks.Engines
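Review bot: The new `.dockerignore` leaves `.git/`, `**/.env` and `contrast_security.yaml` in the build context, even though docker-compose.yml in this same commit bind-mounts `./contrast_security.yaml` (the Contrast agent's credential file) from the directory that is also the compose `build.context`. The main Dockerfile copies named directories, so nothing leaks today, but any future `COPY . .` (the tests image later in this series does exactly that from its own context) would write those files into a layer. Add `.git`, `**/.env` and `contrast_security.yaml` here; it also stops `.git` churn from invalidating the restore cache. Note that this file only governs the root context, so `build.context: ./tests` needs its own `tests/.dockerignore`.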
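Review bot: `FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build` (and `aspnet:6.0` in the next hunk) builds on .NET 6, which left support in November 2024; from that point the `6.0` tags no longer receive runtime or ASP.NET Core security fixes, so every image this Dockerfile produces after the commit date (June 2025) ships with known, unpatched issues in the framework itself. The restructuring is a good moment to move to a supported LTS line and to pin the base by digest (`FROM mcr.microsoft.com/dotnet/sdk:<supported-version>@sha256:<digest> AS build`) so rebuilds are reproducible. If staying on 6.0 is deliberate for the demo, a comment on the `FROM` line saying so would stop the next reader from assuming it is an oversight.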
@@ -8,13 +25,37 @@ COPY ./DotNetFlicks.Managers ./DotNetFlicks.Managers COPY ./DotNetFlicks.ViewModels ./DotNetFlicks.ViewModels COPY ./DotNetFlicks.Web ./DotNetFlicks.Web COPY ./DotNetFlicks.sln ./DotNetFlicks.sln -RUN dotnet publish "DotNetFlicks.Web/Web.csproj" /p:Platform=$TARGETARCH -c Release -o /app +RUN dotnet publish "DotNetFlicks.Web/Web.csproj" \ + # --arch $TARGETARCH \ + /p:Platform=$TARGETARCH \ + --configuration Release \ + --no-restore \ + --output /app \ + --self-contained false -FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS final -RUN uname -a -RUN apt-get update && apt-get --assume-yes install libnss3-tools -WORKDIR /app -EXPOSE 80 -COPY --from=publish /app . +# Runtime stage for running the application without the Contrast agent +FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS runtime + +RUN apt-get update && \ + apt-get install --assume-yes --no-install-recommends \ + libnss3-tools \ + && rm -rf /var/lib/apt/lists/* +WORKDIR /app +COPY --from=build /app . ENTRYPOINT ["dotnet", "DotNetFlicks.Web.dll"] + +# Final stage for running the Netflicks application with the Contrast agent +FROM runtime AS runtime-with-contrast +ARG TARGETARCH + +# Copy the agent from the contrast agent image +COPY --from=contrast/agent-dotnet-core:latest /contrast /opt/contrast +# Workaround for architecture naming differences between .NET Core and Contrast +RUN ln -s /opt/contrast/runtimes/linux-x64 /opt/contrast/runtimes/linux-amd64 + +# Needs to be linux-arm64 or linux-x64 or win-x64 or win-x86 +ENV CORECLR_PROFILER_PATH_64=/opt/contrast/runtimes/linux-$TARGETARCH/native/ContrastProfiler.so \ + CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791} \ + CORECLR_ENABLE_PROFILING=1 \ + CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast diff --git a/Dockerfile.contrast b/Dockerfile.contrast index 70a1cf4b..e69de29b 100644 --- a/Dockerfile.contrast +++ b/Dockerfile.contrast 
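Review bot: Neither `runtime` nor `runtime-with-contrast` sets a `USER`, so the web app and the profiler run as root in every image this file produces; as far as I know the 6.0 `aspnet` image, unlike 8.0+, ships no ready-made non-root account, so one has to be created here: `RUN groupadd --system app && useradd --system --gid app --home /app app`, `COPY --from=build --chown=app:app /app .`, and `USER app` before `ENTRYPOINT`, with write access granted to whatever `CONTRAST_CORECLR_LOGS_DIRECTORY` points at (`/opt/contrast` is root-owned after the `COPY --from`). `EXPOSE 80` was dropped from the runtime stage while docker-compose.yml still maps `:80`; it is documentation only, but it is the documentation operators read, so keep it. `COPY --from=contrast/agent-dotnet-core:latest` pulls an unpinned agent into the final image; the next commit parameterises this, but the default there is still `latest`.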
@@ -1,10 +0,0 @@
-FROM contrastsecuritydemo/netflicks:latest-no-agent
-ARG TARGETARCH
-
-# Copy the agent from the contrast agent image
-COPY --from=contrast/agent-dotnet-core:latest /contrast /opt/contrast
-# Workaround for architecture naming differences between .NET Core and Contrast
-RUN ln -s /opt/contrast/runtimes/linux-x64 /opt/contrast/runtimes/linux-amd64
-
-# Needs to be linux-arm64 or linux-x64 or win-x64 or win-x86
-ENV CORECLR_PROFILER_PATH_64 /opt/contrast/runtimes/linux-$TARGETARCH/native/ContrastProfiler.so
diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml
new file mode 100644
index 00000000..40560557
--- /dev/null
+++ b/docker-compose-prod.yml
@@ -0,0 +1,29 @@
+
+services:
+ database:
+ image: mcr.microsoft.com/azure-sql-edge
+ environment:
+ - ACCEPT_EULA=Y
+ - SA_PASSWORD=reallyStrongPwd123
+ ports:
+ - '1433:1433'
+
+ web:
+ image: contrastsecuritydemo/netflicks:latest
+ build:
+ context: .
+ dockerfile: Dockerfile.contrast
+ depends_on:
+ - database
+ ports:
+ - '8888:80'
+ volumes:
+ - ./contrast_security.yaml:/etc/contrast/dotnet-core/contrast_security.yaml
+ environment:
+ - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False;
+ - CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791}
+ - CORECLR_ENABLE_PROFILING=1
+ - CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast/
+
+volumes:
+ mysql-data:
diff --git a/docker-compose.yml b/docker-compose.yml
index d5d10a43..6d4eff19 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
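Review bot: The new `docker-compose-prod.yml` builds `web` from `dockerfile: Dockerfile.contrast`, but this same commit empties that file (`index 70a1cf4b..e69de29b`, the empty blob, matching the ten deletions in the diffstat), so `docker compose -f docker-compose-prod.yml build` has nothing to build. The trailing `volumes: mysql-data:` is declared but never mounted by any service, and the name does not match the SQL Server image it sits next to; either attach it as `- mssql-data:/var/opt/mssql` like docker-compose.yml does, or drop it. The `sa` password is also written in the clear twice here, in `SA_PASSWORD` and in the connection string.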
@@ -1,30 +1,86 @@ -version: '3' services: database: - image: mcr.microsoft.com/azure-sql-edge + image: mcr.microsoft.com/mssql/server:2022-latest environment: - ACCEPT_EULA=Y - SA_PASSWORD=reallyStrongPwd123 ports: - '1433:1433' - - web: + volumes: + - mssql-data:/var/opt/mssql + healthcheck: + test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -C -U sa -P reallyStrongPwd123 -Q 'SELECT 1' -b"] + # test: ["CMD", "/opt/mssql-tools18/bin/sqlcmd", "-S", "http://localhost:1433", "-U", "sa", "-P", "reallyStrongPwd123", "-Q", "SELECT 1"] + interval: 10s + timeout: 5s + retries: 10 + start_period: 10s + + + web-no-contrast: + image: contrastsecuritydemo/netflicks:latest-no-agent + build: + context: . + dockerfile: Dockerfile + target: runtime + depends_on: + database: + condition: service_healthy + ports: + - '8887:80' + environment: + - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False;TrustServerCertificate=yes; + + # Development environment for Contrast Assess demos + web-dev: + image: contrastsecuritydemo/netflicks:latest + build: + context: . + dockerfile: Dockerfile + target: runtime-with-contrast + depends_on: + database: + condition: service_healthy + ports: + - '8888:80' + volumes: + - ./contrast_security.yaml:/etc/contrast/dotnet-core/contrast_security.yaml:ro + environment: + - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False;TrustServerCertificate=yes; + - CONTRAST__SERVER__NAME=docker-netflicks-dev + - CONTRAST__SERVER__ENVIRONMENT=development + web-prod: image: contrastsecuritydemo/netflicks:latest build: context: . 
- dockerfile: Dockerfile.contrast + dockerfile: Dockerfile + target: runtime-with-contrast depends_on: - - database + database: + condition: service_healthy ports: - - '8081:80' + - '8889:80' volumes: - - ./contrast_security.yaml:/etc/contrast/dotnet-core/contrast_security.yaml + - ./contrast_security.yaml:/etc/contrast/dotnet-core/contrast_security.yaml:ro environment: - - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False; - - CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791} - - CORECLR_ENABLE_PROFILING=1 - - CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast/ + - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False;TrustServerCertificate=yes; + - CONTRAST__SERVER__NAME=docker-netflicks-prod + - CONTRAST__SERVER__ENVIRONMENT=production + + # Testing service + tests: + build: + context: ./tests + dockerfile: Dockerfile + depends_on: + - web-dev + environment: + - BASEURL=http://web-dev:8080 + volumes: + - ./tests:/tests + profiles: + - test volumes: - mysql-data: + mssql-data: From ce282397aad4c1a880d44d8cf6e1ea88020c595e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 14:20:48 +0100 Subject: [PATCH 002/234] Improving Docker multi-stage builds and compose --- .github/workflows/docker-images.yml | 184 +++++++++++++++++++--------- Dockerfile | 10 +- Dockerfile.contrast | 0 docker-compose-prod.yml | 29 ----- docker-compose.yml | 14 ++- 5 files changed, 142 insertions(+), 95 deletions(-) delete mode 100644 Dockerfile.contrast delete mode 100644 docker-compose-prod.yml diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 55976d2d..0548154c 100644 --- a/.github/workflows/docker-images.yml 
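Review bot: `reallyStrongPwd123` now appears in the clear in five places in docker-compose.yml: the `SA_PASSWORD` env, the healthcheck command line (readable through `docker inspect` on the host and in the container's process list), and the three connection strings. Compose interpolates `${VAR}` in every value, so `- SA_PASSWORD=${SA_PASSWORD:?set SA_PASSWORD in .env}`, `Password=${SA_PASSWORD}` in the connection strings and `-P ${SA_PASSWORD}` in the healthcheck remove the literal with no other change, provided `.env` is listed in `.gitignore` and `.dockerignore`. `TrustServerCertificate=yes` and `sqlcmd -C` disable TLS certificate validation, which is expected with the self-signed certificate the SQL Server image generates, but it deserves a one-line comment so it is not copied into a real deployment. `'1433:1433'` publishes SQL Server on every host interface; `'127.0.0.1:1433:1433'` keeps it host-local unless remote access is actually needed. The hunk's enclosing `services:` map starts on the previous line of the patch.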
+++ b/.github/workflows/docker-images.yml @@ -13,9 +13,12 @@ on: jobs: - build-base: - name: Docker Build Base (no-agent) + build: + name: Build Multi-Stage Docker Images runs-on: ubuntu-latest + outputs: + image-digest: ${{ steps.build.outputs.digest }} + metadata: ${{ steps.meta.outputs.json }} steps: - name: Checkout branch 
@@ -30,84 +33,68 @@ jobs: uses: docker/setup-buildx-action@v3 with: platforms: linux/amd64,linux/arm64 - - - name: Create cache for docker images for use in the next job - uses: actions/cache@v4 + - + name: Extract metadata + id: meta + uses: docker/metadata-action@v5 with: - key: latest-no-agent - path: ${{ runner.temp }} + images: contrastsecuritydemo/netflicks + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=raw,value=latest,enable={{is_default_branch}} - - name: Build and push Docker images + name: Get agent version + run: | + # Get the agent version from the image-manifest.json file + CONTRAST_VERSION=$(cat /opt/contrast/image-manifest.json | grep --only-matching '"version": "[^"]*' | cut --delimiter='"' --fields=4) + + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + - + name: Build no-agent variant + id: build uses: docker/build-push-action@v5 with: + context: . + platforms: linux/amd64,linux/arm64 push: false load: true cache-from: type=gha cache-to: type=gha,mode=max - tags: contrastsecuritydemo/netflicks:latest-no-agent - outputs: type=docker,dest=${{ runner.temp }}/latest-no-agent.tar - - - - build-contrast: - name: Docker Build Contrast (agent) - runs-on: ubuntu-latest - needs: - - build-base - steps: - - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Docker Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: all - - - name: Docker Setup Buildx - uses: docker/setup-buildx-action@v3 - with: - platforms: linux/amd64,linux/arm64 - - - name: Create cache for docker images for use in the next job - uses: actions/cache@v4 - with: - key: latest - path: ${{ runner.temp }} + target: runtime + tags: | + contrastsecuritydemo/netflicks:latest + outputs: type=docker,dest=${{ runner.temp }}/no-agent.tar - - name: Build and push Docker images + name: Build image with Contrast agent + id: build-contrast uses: 
docker/build-push-action@v5 with: + context: . + platforms: linux/amd64,linux/arm64 push: false load: true - tags: contrastsecuritydemo/netflicks:latest - outputs: type=docker,dest=${{ runner.temp }}/latest.tar + cache-from: type=gha + target: runtime-with-contrast + tags: | + contrastsecuritydemo/netflicks:latest-contrast + contrastsecuritydemo/netflicks:latest-contrast-${{ steps.meta.outputs.contrast_version }} + outputs: type=docker,dest=${{ runner.temp }}/with-agent.tar test: name: Run Tests runs-on: ubuntu-latest needs: - - build-base - - build-contrast + - build steps: - - name: Restore cached docker images - uses: actions/cache/restore@v4 - with: - path: ${{ runner.temp }} - key: latest-no-agent - - - name: Restore cached docker images - uses: actions/cache/restore@v4 - with: - path: ${{ runner.temp }} - key: latest - - - name: Load images + name: Load Docker images run: | - docker load --input ${{ runner.temp }}/latest-no-agent.tar - docker load --input ${{ runner.temp }}/latest.tar + docker load --input ${{ runner.temp }}/no-agent.tar + docker load --input ${{ runner.temp }}/with-agent.tar - name: Checkout branch uses: actions/checkout@v4 @@ -149,7 +136,6 @@ jobs: runs-on: ubuntu-latest needs: - test - steps: - name: Docker Metadata action id: metadata 
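Review bot: The `Get agent version` step has no `id:`, so `${{ steps.meta.outputs.contrast_version }}` in the Contrast build's `tags:` reads an output of the metadata-action step, which never sets it, and the second tag collapses to `contrastsecuritydemo/netflicks:latest-contrast-`. The step also `cat`s `/opt/contrast/image-manifest.json` on the runner itself, where nothing has installed the agent at that point, so `CONTRAST_VERSION` would be empty even with the reference fixed. Give the step `id: agent-version` and use `${{ steps.agent-version.outputs.contrast_version }}`; the rewrite of this step in PATCH 004 still lacks the `id:`. I would also expect `load: true` together with `platforms: linux/amd64,linux/arm64` to fail on the default image store, which cannot load a multi-platform image, until the containerd store is enabled.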
@@ -158,16 +144,92 @@ jobs: images: contrastsecuritydemo/netflicks flavor: | latest=true - suffix=agent tags: | type=semver,pattern={{version}}, priority=100 type=semver,pattern={{major}}.{{minor}}, priority=200 - name: Version number run: | - echo Getting the old build number + echo Getting the build metadata echo $(echo ${{ steps.metadata.outputs.tags }}) + # push: + # name: Push Images to Docker Hub + # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) + # runs-on: ubuntu-latest + # needs: + # - test + # steps: + # - + # name: Checkout branch + # uses: actions/checkout@v4 + # - + # name: Docker Setup QEMU + # uses: docker/setup-qemu-action@v3 + # with: + # platforms: all + # - + # name: Docker Setup Buildx + # uses: docker/setup-buildx-action@v3 + # with: + # platforms: linux/amd64,linux/arm64 + # - + # name: Login to Docker Hub + # uses: docker/login-action@v3 + # with: + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN }} + # - + # name: Extract metadata for no-agent variant + # id: meta-no-agent + # uses: docker/metadata-action@v5 + # with: + # images: contrastsecuritydemo/netflicks + # flavor: | + # latest=true + # suffix=-no-agent + # tags: | + # type=ref,event=branch + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=raw,value=latest,enable={{is_default_branch}} + # - + # name: Extract metadata for agent variant + # id: meta-agent + # uses: docker/metadata-action@v5 + # with: + # images: contrastsecuritydemo/netflicks + # flavor: | + # latest=true + # suffix=-agent + # tags: | + # type=ref,event=branch + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=raw,value=latest,enable={{is_default_branch}} + # - + # name: Build and push no-agent variant + # uses: docker/build-push-action@v5 + # with: + # context: . 
+ # platforms: linux/amd64,linux/arm64 + # push: true + # cache-from: type=gha + # target: runtime + # tags: ${{ steps.meta-no-agent.outputs.tags }} + # labels: ${{ steps.meta-no-agent.outputs.labels }} + # - + # name: Build and push agent variant + # uses: docker/build-push-action@v5 + # with: + # context: . + # platforms: linux/amd64,linux/arm64 + # push: true + # cache-from: type=gha + # target: runtime-with-contrast + # tags: ${{ steps.meta-agent.outputs.tags }} + # labels: ${{ steps.meta-agent.outputs.labels }} + diff --git a/Dockerfile b/Dockerfile index 5dc194e7..2913d429 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,5 @@ # MULTI STAGE BUILD +ARG CONTRAST_AGENT_VERSION=latest # Build stage for building the Netflicks application and it's dependencies FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build ARG TARGETARCH @@ -39,18 +40,25 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS runtime RUN apt-get update && \ apt-get install --assume-yes --no-install-recommends \ libnss3-tools \ + curl \ && rm -rf /var/lib/apt/lists/* WORKDIR /app COPY --from=build /app . ENTRYPOINT ["dotnet", "DotNetFlicks.Web.dll"] +# Contrast agent image for .NET Core applications + +FROM contrast/agent-dotnet-core:${CONTRAST_AGENT_VERSION} AS contrast-agent + + # Final stage for running the Netflicks application with the Contrast agent FROM runtime AS runtime-with-contrast ARG TARGETARCH # Copy the agent from the contrast agent image -COPY --from=contrast/agent-dotnet-core:latest /contrast /opt/contrast +COPY --from=contrast-agent /contrast /opt/contrast + # Workaround for architecture naming differences between .NET Core and Contrast RUN ln -s /opt/contrast/runtimes/linux-x64 /opt/contrast/runtimes/linux-amd64 diff --git a/Dockerfile.contrast b/Dockerfile.contrast deleted file mode 100644 index e69de29b..00000000 diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml deleted file mode 100644 index 40560557..00000000 --- a/docker-compose-prod.yml +++ /dev/null 
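Review bot: Roughly eighty lines of commented-out `push` job, including a `docker/login-action` block wired to `secrets.DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`, are added to the live workflow. Commented YAML drifts silently (the `suffix=-no-agent`/`-agent` flavors it describes already disagree with the `latest`/`latest-contrast` tags the `build` job produces), so either keep it in a separate, disabled workflow file or drop it and track the intent in an issue. If it is revived, keep the `if: github.event_name == 'push' && …` gate it already carries so pull-request runs never reach the login step.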
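Review bot: `ARG CONTRAST_AGENT_VERSION=latest` (first Dockerfile hunk) feeding `FROM contrast/agent-dotnet-core:${CONTRAST_AGENT_VERSION} AS contrast-agent` makes the agent version a build-time choice, which is the right direction, but the default is still `latest`, so two builds of the same commit can embed different agents; the CI steps that later try to read the version back out of the built image are a symptom of that. Default to a concrete release, `ARG CONTRAST_AGENT_VERSION=<pinned-agent-version>`, ideally with an `@sha256:<digest>` on the `FROM`, and bump it deliberately. The `curl` added to the `runtime` stage is unpinned (hadolint DL3008) and lands in every production image only to serve the compose healthcheck; if it stays, pin it like the other packages, otherwise consider a probe that needs no extra binary.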
@@ -1,29 +0,0 @@ - -services: - database: - image: mcr.microsoft.com/azure-sql-edge - environment: - - ACCEPT_EULA=Y - - SA_PASSWORD=reallyStrongPwd123 - ports: - - '1433:1433' - - web: - image: contrastsecuritydemo/netflicks:latest - build: - context: . - dockerfile: Dockerfile.contrast - depends_on: - - database - ports: - - '8888:80' - volumes: - - ./contrast_security.yaml:/etc/contrast/dotnet-core/contrast_security.yaml - environment: - - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False; - - CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791} - - CORECLR_ENABLE_PROFILING=1 - - CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast/ - -volumes: - mysql-data: diff --git a/docker-compose.yml b/docker-compose.yml index 6d4eff19..88033523 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -50,6 +50,13 @@ services: - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False;TrustServerCertificate=yes; - CONTRAST__SERVER__NAME=docker-netflicks-dev - CONTRAST__SERVER__ENVIRONMENT=development + healthcheck: + test: ["CMD-SHELL", "curl -f http://localhost || exit 1"] + interval: 10s + timeout: 5s + retries: 10 + start_period: 10s + web-prod: image: contrastsecuritydemo/netflicks:latest build: @@ -74,11 +81,10 @@ services: context: ./tests dockerfile: Dockerfile depends_on: - - web-dev + web-dev: + condition: service_healthy environment: - - BASEURL=http://web-dev:8080 - volumes: - - ./tests:/tests + - BASEURL=http://web-dev profiles: - test From b1c5bfb077f504d4ba8c3808bfdb50a862ee6ddd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 14:45:15 +0100 Subject: [PATCH 003/234] Tweaking CICD --- .github/workflows/docker-images.yml | 2 -- 1 file changed, 2 deletions(-) 
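Review bot: The `healthcheck` is added only to `web-dev`, so `web-no-contrast` and `web-prod`, which run the same image on the same port, still cannot be waited on with `condition: service_healthy`. Hoist it into a YAML anchor (`x-web-healthcheck: &web-healthcheck` at the top of the file, `healthcheck: *web-healthcheck` in all three services) so the definitions cannot diverge. `|| exit 1` is redundant with `curl -f`, which already exits non-zero on HTTP errors, so `test: ["CMD-SHELL", "curl -f http://localhost"]` is enough.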
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml
index 0548154c..bcb56ca5 100644
--- a/.github/workflows/docker-images.yml
+++ b/.github/workflows/docker-images.yml
@@ -60,7 +60,6 @@ jobs:
 context: .
 platforms: linux/amd64,linux/arm64
 push: false
- load: true
 cache-from: type=gha
 cache-to: type=gha,mode=max
 target: runtime
@@ -75,7 +74,6 @@ jobs:
 context: .
 platforms: linux/amd64,linux/arm64
 push: false
- load: true
 cache-from: type=gha
 target: runtime-with-contrast
 tags: |
From 54b5342bbb6682f972bd2c3a09111585b1e6b6fa Mon Sep 17 00:00:00 2001
From: Taylor Mowat
Date: Wed, 18 Jun 2025 16:47:03 +0100
Subject: [PATCH 004/234] Tweaking CICD
---
 .github/workflows/docker-images.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml
index bcb56ca5..36c2f59a 100644
--- a/.github/workflows/docker-images.yml
+++ b/.github/workflows/docker-images.yml
@@ -49,37 +49,42 @@ jobs: name: Get agent version run: | # Get the agent version from the image-manifest.json file - CONTRAST_VERSION=$(cat /opt/contrast/image-manifest.json | grep --only-matching '"version": "[^"]*' | cut --delimiter='"' --fields=4) - + # Build a temporary container just to extract the version + docker build --target runtime-with-contrast -t temp-contrast . + CONTRAST_VERSION=$(docker run --rm temp-contrast cat /opt/contrast/image-manifest.json | jq -r '.version') echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + docker rmi temp-contrast + + # CONTRAST_VERSION=$(cat /opt/contrast/image-manifest.json | grep --only-matching '"version": "[^"]*' | cut --delimiter='"' --fields=4) + # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - name: Build no-agent variant id: build uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64,linux/arm64 + platforms: linux/amd64 push: false + load: true cache-from: type=gha cache-to: type=gha,mode=max target: runtime tags: | - contrastsecuritydemo/netflicks:latest - outputs: type=docker,dest=${{ runner.temp }}/no-agent.tar + contrastsecuritydemo/netflicks:latest-no-agent - name: Build image with Contrast agent id: build-contrast uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64,linux/arm64 + platforms: linux/amd64 push: false + load: true cache-from: type=gha target: runtime-with-contrast tags: | - contrastsecuritydemo/netflicks:latest-contrast - contrastsecuritydemo/netflicks:latest-contrast-${{ steps.meta.outputs.contrast_version }} - outputs: type=docker,dest=${{ runner.temp }}/with-agent.tar + contrastsecuritydemo/netflicks:latest-with-agent + contrastsecuritydemo/netflicks:latest-with-agent-${{ steps.meta.outputs.contrast_version }} test: 
@@ -88,11 +93,6 @@ jobs: needs: - build steps: - - - name: Load Docker images - run: | - docker load --input ${{ runner.temp }}/no-agent.tar - docker load --input ${{ runner.temp }}/with-agent.tar - name: Checkout branch uses: actions/checkout@v4 From 37bc9e51d97756034289932a5118555b23e3743e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 16:50:33 +0100 Subject: [PATCH 005/234] Tweaking CICD --- .github/workflows/docker-images.yml | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 36c2f59a..394e63eb 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -45,18 +45,18 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable={{is_default_branch}} - - - name: Get agent version - run: | - # Get the agent version from the image-manifest.json file - # Build a temporary container just to extract the version - docker build --target runtime-with-contrast -t temp-contrast . - CONTRAST_VERSION=$(docker run --rm temp-contrast cat /opt/contrast/image-manifest.json | jq -r '.version') - echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - docker rmi temp-contrast + # - + # name: Get agent version + # run: | + # # Get the agent version from the image-manifest.json file + # # Build a temporary container just to extract the version + # docker build --target runtime-with-contrast -t temp-contrast . + # CONTRAST_VERSION=$(docker run --rm temp-contrast cat /opt/contrast/image-manifest.json | jq -r '.version') + # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # docker rmi temp-contrast - # CONTRAST_VERSION=$(cat /opt/contrast/image-manifest.json | grep --only-matching '"version": "[^"]*' | cut --delimiter='"' --fields=4) - # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # # CONTRAST_VERSION=$(cat /opt/contrast/image-manifest.json | grep --only-matching '"version": "[^"]*' | cut --delimiter='"' --fields=4) + # # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - name: Build no-agent variant id: build @@ -70,7 +70,7 @@ jobs: cache-to: type=gha,mode=max target: runtime tags: | - contrastsecuritydemo/netflicks:latest-no-agent + netflicks:latest-no-agent - name: Build image with Contrast agent id: build-contrast @@ -83,8 +83,7 @@ jobs: cache-from: type=gha target: runtime-with-contrast tags: | - contrastsecuritydemo/netflicks:latest-with-agent - contrastsecuritydemo/netflicks:latest-with-agent-${{ steps.meta.outputs.contrast_version }} + netflicks:latest-with-agent test: 
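Review bot: The second and third hunks drop the `contrastsecuritydemo/` prefix from the tags (`netflicks:latest-no-agent`, `netflicks:latest-with-agent`), but docker-compose.yml's `image:` keys still name `contrastsecuritydemo/netflicks:latest-no-agent` and `contrastsecuritydemo/netflicks:latest`, so a later `docker compose up` on the runner will not find the images these steps just built and will rebuild, or pull from Docker Hub, instead. Either keep the repository-qualified tags here or change the compose `image:` values to match, so the tests exercise the image that was built. Commenting out the version step rather than deleting it leaves a second block of dead YAML in this workflow; if it is coming back, a `TODO` with the reason is more useful than the full body.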
From 21a9b695980f8e8f60996c8e4914026fce0ed8cf Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 17:12:53 +0100 Subject: [PATCH 006/234] Tweaking CICD --- .github/workflows/docker-images.yml | 48 ++++++----------------------- 1 file changed, 9 insertions(+), 39 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 394e63eb..b6491e88 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -84,49 +84,19 @@ jobs: target: runtime-with-contrast tags: | netflicks:latest-with-agent - - - test: - name: Run Tests - runs-on: ubuntu-latest - needs: - - build - steps: - - - name: Checkout branch - uses: actions/checkout@v4 - name: Run docker-compose tests run: | - docker compose up -d - - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version: lts/* - - - name: Install dependencies + docker compose --profile test up --build --abort-on-container-exit --exit-code-from tests + - + name: Get currently installed Contrast agent version run: | - cd tests - npm ci - - - - name: Install playwright browsers - run: | - cd tests - npx playwright install --with-deps chromium - - - name: Run Playwright tests - run: | - cd tests - npx playwright test assess/*.spec.ts - - - uses: actions/upload-artifact@v4 - if: ${{ !cancelled() }} - with: - name: playwright-report - path: tests/playwright-report/ - retention-days: 30 + docker compose up web-dev -d + docker cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + docker compose down + echo "Contrast agent version: ${CONTRAST_VERSION}" pre-merge: name: Prepare to merge From 00b6931092267eff087b8f64174a6aa70b0e6630 Mon Sep 17 00:00:00 2001 
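Review bot: The Playwright report upload (`actions/upload-artifact` of `tests/playwright-report/` guarded by `if: ${{ !cancelled() }}`) is removed along with the `test` job, so when `docker compose --profile test up … --exit-code-from tests` fails there is no report left to inspect. Copy it out before teardown (`docker compose cp tests:/tests/playwright-report ./playwright-report`) and restore the upload step with the same `!cancelled()` guard. `docker compose up web-dev -d` in the version step has no cleanup if the `docker cp` or `jq` line fails; put `docker compose down` in its own step with `if: always()`. `web-dev` also bind-mounts `./contrast_security.yaml`; if that file is not present on the runner, Docker will, as I understand it, create an empty directory at that path rather than fail, so the agent starts unconfigured and the version check passes anyway.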
From: Taylor Mowat Date: Wed, 18 Jun 2025 17:14:14 +0100 Subject: [PATCH 007/234] Tweaking CICD --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index b6491e88..69451934 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -102,7 +102,7 @@ jobs: name: Prepare to merge runs-on: ubuntu-latest needs: - - test + - build steps: - name: Docker Metadata action id: metadata From 5d38e9ca1452bcfe0c3d6fbbd4c7bef60a942a86 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 17:15:05 +0100 Subject: [PATCH 008/234] Tweaking CICD --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 69451934..713c75ba 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -205,7 +205,7 @@ jobs: if: github.event.pull_request.merged runs-on: ubuntu-latest needs: - - test + - pre-merge steps: - run: | From b67874dab93afaa140757507f6e231bca3d7ccac Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 17:27:19 +0100 Subject: [PATCH 009/234] Tweaking CICD --- tests/Dockerfile | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/tests/Dockerfile b/tests/Dockerfile index efcd0894..608dc415 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile 
@@ -1,26 +1,20 @@ -FROM mcr.microsoft.com/playwright:v1.32.1-jammy -# copy project (including tests) -# COPY . /tests +FROM mcr.microsoft.com/playwright:v1.50.0 WORKDIR /tests -# COPY ./tests/package.json ./tests/package-lock.json /tests/ -COPY package.json /tests/ +COPY package.json package-lock.json /tests/ # Install dependencies from the package-lock.json file above -# RUN npm ci -RUN npm install -# Install browsers - TODO: Do we need this line? -# RUN npx playwright install +RUN npm ci # Add the base playwright config. This will need to be overwritten with a volume if changes are needed. COPY playwright.config.ts /tests/playwright.config.ts COPY global-setup.ts /tests/global-setup.ts # Add example test for testing the container. Will be overwritten with the actual tests via volumes. -COPY tests /tests +COPY . /tests # Run playwright test ENV BASEURL="http://demo-netflicks-web-1" +ENV CI=true CMD [ "npx", "playwright", "test", "assess" ] -# EXPOSE 9323 -# CMD ["/bin/bash"] + From c7d51eac6fc0bf403003f7c5fd96842e36b5649e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 17:33:12 +0100 Subject: [PATCH 010/234] Tweaking CICD --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 713c75ba..f7e3651c 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -92,7 +92,7 @@ jobs: name: Get currently installed Contrast agent version run: | docker compose up web-dev -d - docker cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + docker cp web-dev-1:/opt/contrast/image-manifest.json image-manifest.json CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT docker compose down From 7a334ab8d94ec054e4cec3d9d910e9529526e79c Mon Sep 17 00:00:00 2001 
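Review bot: `COPY . /tests` now runs after `npm ci` with `context: ./tests`, and there is no `tests/.dockerignore` (the root one added earlier in this series does not apply to a different context), so a developer's local `node_modules`, `playwright-report` and `test-results` are copied over the freshly installed modules and into the image. Add a `tests/.dockerignore` listing `node_modules`, `playwright-report`, `test-results` and `Dockerfile`; that also makes the separate `COPY playwright.config.ts` and `COPY global-setup.ts` lines redundant. The image runs Playwright as root; the `mcr.microsoft.com/playwright` image ships a `pwuser` account, so `COPY --chown=pwuser:pwuser . /tests` followed by `USER pwuser` before `CMD` is a cheap hardening. The `ENV BASEURL="http://demo-netflicks-web-1"` default appears not to match any service in the compose file (which passes `BASEURL=http://web-dev`), so a comment saying it is only a fallback would help.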
From: Taylor Mowat Date: Wed, 18 Jun 2025 17:38:33 +0100 Subject: [PATCH 011/234] Tweaking CICD --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index f7e3651c..edd3f235 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -92,7 +92,7 @@ jobs: name: Get currently installed Contrast agent version run: | docker compose up web-dev -d - docker cp web-dev-1:/opt/contrast/image-manifest.json image-manifest.json + docker cp demo-netfkicks-web-dev-1:/opt/contrast/image-manifest.json image-manifest.json CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT docker compose down From 0322281f9d7ba530285bdfbb8b7b7e5751b932ca Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 21:37:06 +0100 Subject: [PATCH 012/234] Tweaking CICD --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index edd3f235..1e06a658 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -92,7 +92,7 @@ jobs: name: Get currently installed Contrast agent version run: | docker compose up web-dev -d - docker cp demo-netfkicks-web-dev-1:/opt/contrast/image-manifest.json image-manifest.json + docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT docker compose down From 6b5a3004ce0b260af7d0ec7829d5004ba5530dba Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 18 Jun 2025 21:45:26 +0100 Subject: [PATCH 013/234] Testing CONTRAST_VERSION is working --- .github/workflows/docker-images.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 1e06a658..26d93ae6 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -90,6 +90,7 @@ jobs: docker compose --profile test up --build --abort-on-container-exit --exit-code-from tests - name: Get currently installed Contrast agent version + id: versions run: | docker compose up web-dev -d docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json @@ -118,7 +119,7 @@ jobs: - name: Version number run: | echo Getting the build metadata - echo $(echo ${{ steps.metadata.outputs.tags }}) + echo ${{ steps.versions.outputs.contrast_version }} # push: # name: Push Images to Docker Hub From d312ab5bbcf40b770b07013a6851bc851321f79c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 19 Jun 2025 12:28:12 +0100 Subject: [PATCH 014/234] Retrying multi-platform builds --- .github/workflows/docker-images.yml | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 26d93ae6..09f32278 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -23,6 +23,17 @@ jobs: - name: Checkout branch uses: actions/checkout@v4 + - + name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } - name: Docker Setup QEMU uses: docker/setup-qemu-action@v3 
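Review bot: The new `daemon-config` turns on `"debug": true` for the Docker daemon, which is not required for `containerd-snapshotter` and makes the daemon log every API call for the whole job; drop it unless a specific failure is being chased. `docker/setup-docker-action@v4`, like every other `uses:` in this workflow, is pinned to a mutable major tag; for a workflow that is meant to push to Docker Hub, pinning each action to a full commit SHA with the version in a trailing comment (`uses: docker/setup-docker-action@<commit-sha> # v4`) is the usual supply-chain hardening, and Dependabot can keep the SHAs current.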
@@ -45,25 +56,13 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable={{is_default_branch}} - # - - # name: Get agent version - # run: | - # # Get the agent version from the image-manifest.json file - # # Build a temporary container just to extract the version - # docker build --target runtime-with-contrast -t temp-contrast . - # CONTRAST_VERSION=$(docker run --rm temp-contrast cat /opt/contrast/image-manifest.json | jq -r '.version') - # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - # docker rmi temp-contrast - - # # CONTRAST_VERSION=$(cat /opt/contrast/image-manifest.json | grep --only-matching '"version": "[^"]*' | cut --delimiter='"' --fields=4) - # # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - name: Build no-agent variant id: build uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64 + platforms: linux/amd64, linux/arm64 push: false load: true cache-from: type=gha @@ -77,7 +76,7 @@ jobs: uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64 + platforms: linux/amd64, linux/arm64 push: false load: true cache-from: type=gha From 2c675df8970502daa3c341037e69416205eed26a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 19 Jun 2025 12:54:13 +0100 Subject: [PATCH 015/234] Fixing outputs reference for agent version number --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 09f32278..a41a7543 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -118,7 +118,7 @@ jobs: - name: Version number run: | echo Getting the build metadata - echo ${{ steps.versions.outputs.contrast_version }} + echo ${{ needs.build.outputs.contrast_version }} # push: # name: Push Images to Docker Hub From 2ba540cd1d4ad2a70a17481c6f392903e544ace5 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Thu, 19 Jun 2025 13:02:21 +0100 Subject: [PATCH 016/234] Fixing outputs reference for agent version number --- .github/workflows/docker-images.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index a41a7543..f9c7d246 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -19,6 +19,7 @@ jobs: outputs: image-digest: ${{ steps.build.outputs.digest }} metadata: ${{ steps.meta.outputs.json }} + contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: - name: Checkout branch From 9066374edd67e7593292bfc9d54def95452db50e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Fri, 20 Jun 2025 14:58:07 +0100 Subject: [PATCH 017/234] implementing bake for docker builds --- .github/workflows/docker-images.yml | 71 ++++++++++++++++------------- Dockerfile | 11 +++-- docker-bake.hcl | 65 ++++++++++++++++++++++++++ docker-compose.yml | 2 +- 4 files changed, 112 insertions(+), 37 deletions(-) create mode 100644 docker-bake.hcl diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index f9c7d246..c6ee3f25 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -45,6 +45,46 @@ jobs: uses: docker/setup-buildx-action@v3 with: platforms: linux/amd64,linux/arm64 + - + name: Build all image variants with Docker Buildx Bake + uses: docker/bake-action@v3 + with: + files: docker-bake.hcl + push: false + load: true + set: | + CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} + - + # name: Build no-agent variant + # id: build + # uses: docker/build-push-action@v5 + # with: + # context: . + # platforms: linux/amd64, linux/arm64 + # push: false + # load: true + # cache-from: type=gha + # cache-to: type=gha,mode=max + # target: runtime + # tags: | + # netflicks:latest-no-agent + # - + # name: Build image with Contrast agent + # id: build-contrast + # uses: docker/build-push-action@v5 + # with: + # context: . + # platforms: linux/amd64, linux/arm64 + # push: false + # load: true + # cache-from: type=gha + # target: runtime-with-contrast + # tags: | + # netflicks:latest-with-agent + - + name: Run docker-compose tests + run: | + docker compose --profile test up --abort-on-container-exit --exit-code-from tests - name: Extract metadata id: meta 
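Review bot: The new `uses: docker/bake-action@v3` step is referenced by a mutable major tag, like every other action in this workflow, so the code that builds and later publishes the images can change under you without a diff here. Pin actions to a full commit SHA with the version as a comment, e.g. `uses: docker/bake-action@<commit-sha> # v3.x`, and let a bot bump them. This matters a bit more than usual because `CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }}` lets a `workflow_dispatch` caller choose which agent image is baked into the artifact, so the build path is already partly input-controlled.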
@@ -57,37 +97,6 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable={{is_default_branch}} - - - name: Build no-agent variant - id: build - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64, linux/arm64 - push: false - load: true - cache-from: type=gha - cache-to: type=gha,mode=max - target: runtime - tags: | - netflicks:latest-no-agent - - - name: Build image with Contrast agent - id: build-contrast - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64, linux/arm64 - push: false - load: true - cache-from: type=gha - target: runtime-with-contrast - tags: | - netflicks:latest-with-agent - - - name: Run docker-compose tests - run: | - docker compose --profile test up --build --abort-on-container-exit --exit-code-from tests - name: Get currently installed Contrast agent version id: versions diff --git a/Dockerfile b/Dockerfile index 2913d429..570a94a9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,8 +47,9 @@ WORKDIR /app COPY --from=build /app . ENTRYPOINT ["dotnet", "DotNetFlicks.Web.dll"] -# Contrast agent image for .NET Core applications +# Contrast agent image for .NET Core applications +# Need the extra FROM line here for the CONTRAST_AGENT_VERSION argument to work FROM contrast/agent-dotnet-core:${CONTRAST_AGENT_VERSION} AS contrast-agent 
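Review bot: The replacement comment `# Need the extra FROM line here for the CONTRAST_AGENT_VERSION argument to work` says that the stage is needed but not why, which is what the next reader will want; I would write `# Named stage so the agent version is resolved once, in FROM (where the pre-FROM ARG CONTRAST_AGENT_VERSION is in scope); COPY --from=contrast-agent below then needs no tag`. The `ARG CONTRAST_AGENT_VERSION` declaration is outside this hunk; if it sits after the first `FROM`, the variable expands to empty in this line and the build fails, so it is worth checking that it precedes all stages. The stage is also pulled by whatever tag the argument carries, so the default value deserves a pin (raised separately on the bake file).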
@@ -59,11 +60,11 @@ ARG TARGETARCH # Copy the agent from the contrast agent image COPY --from=contrast-agent /contrast /opt/contrast -# Workaround for architecture naming differences between .NET Core and Contrast -RUN ln -s /opt/contrast/runtimes/linux-x64 /opt/contrast/runtimes/linux-amd64 - +# Handle architecture naming differences between TARGETARCH and Contrast using +# shell variable substitution: ${TARGETARCH/arm64/x64} (requires bash) +SHELL ["/bin/bash", "-c"] # Needs to be linux-arm64 or linux-x64 or win-x64 or win-x86 -ENV CORECLR_PROFILER_PATH_64=/opt/contrast/runtimes/linux-$TARGETARCH/native/ContrastProfiler.so \ +ENV CORECLR_PROFILER_PATH_64=/opt/contrast/runtimes/linux-${TARGETARCH/arm64/x64}/native/ContrastProfiler.so \ CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791} \ CORECLR_ENABLE_PROFILING=1 \ CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast diff --git a/docker-bake.hcl b/docker-bake.hcl new file mode 100644 index 00000000..14c80db8 --- /dev/null +++ b/docker-bake.hcl 
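Review bot: `${TARGETARCH/arm64/x64}` in the new `ENV CORECLR_PROFILER_PATH_64` line maps the wrong architecture: with `TARGETARCH=amd64` the path stays `linux-amd64`, which the removed `ln -s … linux-x64 … linux-amd64` workaround existed to paper over, and with `TARGETARCH=arm64` it becomes `linux-x64`, an x86-64 profiler inside an ARM image; the comment directly above says the valid names are `linux-arm64` or `linux-x64`, so the replacement should read `${TARGETARCH/amd64/x64}`. Separately, `ENV` values are expanded by the Dockerfile frontend, not by a shell, so `SHELL ["/bin/bash", "-c"]` has no effect on this line; the `${var/pattern/replacement}` form needs a recent frontend (`# syntax=docker/dockerfile:1.7` or newer, as far as I recall), and on older ones the line either fails to parse or keeps the literal text, leaving `CORECLR_ENABLE_PROFILING=1` pointing at a file that does not exist. If the syntax directive cannot be added, compute the path in a `RUN` step (the stage already declares `ARG TARGETARCH`): `RUN ln -s "/opt/contrast/runtimes/linux-$([ "$TARGETARCH" = amd64 ] && echo x64 || echo "$TARGETARCH")" /opt/contrast/runtimes/current` and `ENV CORECLR_PROFILER_PATH_64=/opt/contrast/runtimes/current/native/ContrastProfiler.so`. The `SHELL` change also persists into the final image, so drop it if the `ENV` line was its only motivation.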
@@ -0,0 +1,65 @@ + +variable "CONTRAST_AGENT_VERSION" { + description = "Target version of the Contrast Security agent to use" + default = "latest" +} + +group "default" { + targets = ["runtime", "runtime-with-contrast", "tests"] +} + +group "multiarch" { + targets = ["runtime-multiarch", "runtime-with-contrast-multiarch", "tests-multiarch"] +} + +target "runtime" { + context = "." + dockerfile = "Dockerfile" + target = "runtime" + no-cache = true + tags = [ + "contrastsecuritydemo/netflicks:latest" + ] +} + +target "runtime-multiarch" { + inherits = ["runtime"] + platforms = [ + "linux/amd64", + "linux/arm64" + ] +} + +target "runtime-with-contrast" { + context = "." + dockerfile = "Dockerfile" + target = "runtime-with-contrast" + args = { + CONTRAST_AGENT_VERSION = CONTRAST_AGENT_VERSION + } + tags = ["contrastsecuritydemo/netflicks:latest-contrast"] +} + +target "runtime-with-contrast-multiarch" { + inherits = ["runtime-with-contrast"] + platforms = [ + "linux/amd64", + "linux/arm64" + ] +} + +target "tests" { + context = "./tests" + dockerfile = "Dockerfile" + tags = [ + "e2e-tests/netflicks:latest" + ] +} + +target "tests-multiarch" { + inherits = ["tests"] + platforms = [ + "linux/amd64", + "linux/arm64" + ] +} diff --git a/docker-compose.yml b/docker-compose.yml index 88033523..530d3abc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -86,7 +86,7 @@ services: environment: - BASEURL=http://web-dev profiles: - - test + - tests volumes: mssql-data: From d3203a7755c5f5b3c74ff60a5c355f30130523ee Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Fri, 20 Jun 2025 15:03:06 +0100 Subject: [PATCH 018/234] implementing bake for docker builds --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index c6ee3f25..4d610995 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
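Review bot: `default = "latest"` for `CONTRAST_AGENT_VERSION` means the `runtime-with-contrast` target pulls `contrast/agent-dotnet-core` by a mutable tag, and the Dockerfile loads that image's profiler into the application process (`CORECLR_ENABLE_PROFILING=1`), so whatever sits behind the tag at build time runs with the app's privileges and two builds of the same commit can differ. Default to a concrete agent version, e.g. `default = "<x.y.z>"`, and for the published image record the resolved digest (a digest-pinned `FROM`, or a digest variable next to this one) so rebuilds are reproducible and auditable. `no-cache = true` on the `runtime` target also forces the whole SDK restore and publish to rerun on every build; if it was added to force a fresh agent pull it is on the wrong target, and a pinned version makes it unnecessary.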
@@ -54,7 +54,7 @@ jobs: load: true set: | CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} - - + # - # name: Build no-agent variant # id: build # uses: docker/build-push-action@v5 From 0b051b920d06e77c2c89bf0467faef6d5b3643bc Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Fri, 20 Jun 2025 15:11:46 +0100 Subject: [PATCH 019/234] implementing bake for docker builds --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 4d610995..9fd8e4b0 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -52,8 +52,8 @@ jobs: files: docker-bake.hcl push: false load: true - set: | - CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} + # set: | + # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} # - # name: Build no-agent variant # id: build From 435d3628765f121ad01738e3c3f79f1517a461e6 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Fri, 20 Jun 2025 15:13:59 +0100 Subject: [PATCH 020/234] implementing bake for docker builds --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 9fd8e4b0..3b5ff467 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -84,7 +84,7 @@ jobs: - name: Run docker-compose tests run: | - docker compose --profile test up --abort-on-container-exit --exit-code-from tests + docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - name: Extract metadata id: meta From c4d5b4eeb01187247c1c5154e43c017838fb7353 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Fri, 20 Jun 2025 15:21:29 +0100 Subject: [PATCH 021/234] implementing bake for docker builds --- docker-compose.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 530d3abc..f7a02b84 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,7 +19,7 @@ services: web-no-contrast: - image: contrastsecuritydemo/netflicks:latest-no-agent + image: contrastsecuritydemo/netflicks:latest build: context: . dockerfile: Dockerfile @@ -34,7 +34,7 @@ services: # Development environment for Contrast Assess demos web-dev: - image: contrastsecuritydemo/netflicks:latest + image: contrastsecuritydemo/netflicks:latest-contrast build: context: . dockerfile: Dockerfile @@ -58,7 +58,7 @@ services: start_period: 10s web-prod: - image: contrastsecuritydemo/netflicks:latest + image: contrastsecuritydemo/netflicks:latest-contrast build: context: . dockerfile: Dockerfile From eb818d6332ffb0dcea63dd702897f485eb7c67c3 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Fri, 20 Jun 2025 15:28:44 +0100 Subject: [PATCH 022/234] implementing bake for docker builds --- .github/workflows/docker-images.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 3b5ff467..3825e60a 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -50,6 +50,10 @@ jobs: uses: docker/bake-action@v3 with: files: docker-bake.hcl + targets: | + runtime-multiarch + runtime-with-contrast-multiarch + tests-multiarch push: false load: true # set: | From ec943bc4b95b5f0e110068dee322ae9da796e63a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Fri, 20 Jun 2025 16:06:44 +0100 Subject: [PATCH 023/234] implementing bake for docker builds --- .github/workflows/docker-images.yml | 35 ++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 3825e60a..abcfe0fd 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -49,7 +49,9 @@ jobs: name: Build all image variants with Docker Buildx Bake uses: docker/bake-action@v3 with: - files: docker-bake.hcl + files: | + docker-bake.hcl + cwd://${{ runner.temp }}/bake-meta.json targets: | runtime-multiarch runtime-with-contrast-multiarch @@ -111,6 +113,20 @@ jobs: echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" + - + name: Export digest + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + - + name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 pre-merge: name: Prepare to merge @@ -134,6 +150,23 @@ jobs: echo Getting the build metadata echo ${{ needs.build.outputs.contrast_version }} + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: digests + merge-multiple: true + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests + run: | + docker buildx imagetools create contrastsecuritydemo/netflicks:latest \ + $(printf 'contrastsecuritydemo/netflicks:latest@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect contrastsecuritydemo/netflicks:latest + # push: # name: Push Images to Docker Hub # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) From b6c92bbff113800f5fa7d73641d75a7e1c08ad6b Mon Sep 17 00:00:00 2001 
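Review bot: The new `Create manifest list and push` step in `pre-merge` writes `contrastsecuritydemo/netflicks:latest` to the registry unconditionally, while the `build` job still runs bake with `push: false`, so the per-platform digests it references were never pushed and `imagetools create` has nothing to resolve; there is also no `docker/login-action` step visible before it. Gate the step with the condition the commented-out `push` job already carries, `if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`, add a login step, and only then let the build job push by digest. The `Export digest` step reads `steps.bake.outputs.metadata`, but no step with `id: bake` exists in this revision, and it interpolates the `${{ }}` expression directly into the script where an `env:` binding would be the safer habit. Both hunks sit inside jobs whose definitions start outside this view.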
From: Taylor Mowat Date: Mon, 23 Jun 2025 09:21:35 +0100 Subject: [PATCH 024/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 147 ++++++++++++++++++++-------- 1 file changed, 106 insertions(+), 41 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index abcfe0fd..03095f8d 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -11,43 +11,93 @@ on: - main workflow_dispatch: +env: + REGISTRY_IMAGE: contrastsecuritydemo/netflicks + jobs: + prepare: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.platforms.outputs.matrix }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Create matrix + id: platforms + run: | + echo "matrix=$(docker buildx bake image-all --print | jq -cr '.target."image-all".platforms')" >>${GITHUB_OUTPUT} + + - name: Show matrix + run: echo "${{ steps.platforms.outputs.matrix }}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + - name: Rename meta bake definition file + run: | + mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" + - name: Upload meta bake definition + uses: actions/upload-artifact@v4 + with: + name: bake-meta + path: ${{ runner.temp }}/bake-meta.json + if-no-files-found: error + retention-days: 1 + build: name: Build Multi-Stage Docker Images runs-on: ubuntu-latest - outputs: - image-digest: ${{ steps.build.outputs.digest }} - metadata: ${{ steps.meta.outputs.json }} - contrast_version: ${{ steps.versions.outputs.contrast_version }} + needs: + - prepare + strategy: + fail-fast: false + matrix: + platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + # outputs: + # image-digest: ${{ steps.build.outputs.digest }} + # metadata: ${{ steps.meta.outputs.json }} + # contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: - - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Set up Docker daemon for multi-platform builds - uses: docker/setup-docker-action@v4 + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Download meta bake definition + uses: actions/download-artifact@v4 with: - daemon-config: | - { - "debug": true, - "features": { - "containerd-snapshotter": true - } - } - - - name: Docker Setup QEMU + name: bake-meta + 
path: ${{ runner.temp }} + + # - + # name: Set up Docker daemon for multi-platform builds + # uses: docker/setup-docker-action@v4 + # with: + # daemon-config: | + # { + # "debug": true, + # "features": { + # "containerd-snapshotter": true + # } + # } + + - name: Docker Setup QEMU uses: docker/setup-qemu-action@v3 with: platforms: all - - - name: Docker Setup Buildx + + - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - with: - platforms: linux/amd64,linux/arm64 - - - name: Build all image variants with Docker Buildx Bake - uses: docker/bake-action@v3 + # with: + # platforms: linux/amd64,linux/arm64 + + - name: Build all image variants with Docker Buildx Bake + uses: docker/bake-action@v6 with: files: | docker-bake.hcl @@ -58,6 +108,10 @@ jobs: tests-multiarch push: false load: true + set: | + *.tags=${{ env.REGISTRY_IMAGE }} + *.platform=${{ matrix.platform }} + *.output=type=image,push-by-digest=true,name-canonical=true,push=false" # set: | # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} # - @@ -87,12 +141,12 @@ jobs: # target: runtime-with-contrast # tags: | # netflicks:latest-with-agent - - - name: Run docker-compose tests + + - name: Run docker-compose tests run: | docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - - name: Extract metadata + + - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: @@ -103,8 +157,8 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest,enable={{is_default_branch}} - - - name: Get currently installed Contrast agent version + + - name: Get currently installed Contrast agent version id: versions run: | docker compose up web-dev -d 
@@ -113,14 +167,14 @@ jobs: echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" - - - name: Export digest + + - name: Export digest run: | mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" - - - name: Upload digest + + - name: Upload digest uses: actions/upload-artifact@v4 with: name: digests @@ -150,23 +204,34 @@ jobs: echo Getting the build metadata echo ${{ needs.build.outputs.contrast_version }} + - name: Download meta bake definition + uses: actions/download-artifact@v4 + with: + name: bake-meta + path: ${{ runner.temp }} + - name: Download digests uses: actions/download-artifact@v4 with: path: ${{ runner.temp }}/digests - pattern: digests + pattern: digests-* merge-multiple: true - + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Create manifest list and push working-directory: ${{ runner.temp }}/digests run: | - docker buildx imagetools create contrastsecuritydemo/netflicks:latest \ - $(printf 'contrastsecuritydemo/netflicks:latest@sha256:%s ' *) + docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - name: Inspect image run: | - docker buildx imagetools inspect contrastsecuritydemo/netflicks:latest + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) + + # push: # name: Push Images to Docker Hub # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) From 95182280e198fb9d4bd1d1d056b48c3cd437cac1 Mon Sep 17 00:00:00 2001 
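Review bot: The matrix legs in `build` still upload their digest under the fixed artifact name `digests` (the `Upload digest` step in the first hunk is unchanged), but `pre-merge` now downloads with `pattern: digests-*`, so nothing matches; and with `actions/upload-artifact@v4` a second matrix leg uploading the same name fails instead of merging. Use the `PLATFORM_PAIR` the `Prepare` step already exports: `name: digests-${{ env.PLATFORM_PAIR }}`. The `imagetools create` command also interpolates `${{ env.REGISTRY_IMAGE }}` inside a `jq` filter and a `printf` format string; that is fine while the value is a fixed workflow `env`, but referencing it as the shell variable `$REGISTRY_IMAGE` keeps it safe if it ever becomes an input.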
From: Taylor Mowat Date: Mon, 23 Jun 2025 09:24:30 +0100 Subject: [PATCH 025/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 03095f8d..d5b1834b 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -26,7 +26,7 @@ jobs: - name: Create matrix id: platforms run: | - echo "matrix=$(docker buildx bake image-all --print | jq -cr '.target."image-all".platforms')" >>${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake multiarch --print | jq -cr '.target."multiarch".platforms')" >>${GITHUB_OUTPUT} - name: Show matrix run: echo "${{ steps.platforms.outputs.matrix }}" @@ -231,7 +231,7 @@ jobs: docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) - + # push: # name: Push Images to Docker Hub # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) From cdbb03e3af4ab216675c33291818c97885ca0e9a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 09:29:40 +0100 Subject: [PATCH 026/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index d5b1834b..2208c6fd 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -26,7 +26,9 @@ jobs: - name: Create matrix id: platforms run: | - echo "matrix=$(docker buildx bake multiarch --print | jq -cr '.target."multiarch".platforms')" >>${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake runtime-contrast-multiarch --print | jq -cr '.target."runtime-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} - name: Show matrix run: echo "${{ steps.platforms.outputs.matrix }}" From 46152b1b715b22897dcd225149d363e87f74d200 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 09:30:49 +0100 Subject: [PATCH 027/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 2208c6fd..2811b8bd 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -27,7 +27,7 @@ jobs: id: platforms run: | echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo "matrix=$(docker buildx bake runtime-contrast-multiarch --print | jq -cr '.target."runtime-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake runtime-with-contrast-multiarch --print | jq -cr '.target."runtime-with-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} - name: Show matrix From 47ba4d02576cca0e1e6b5d083a3adc07116c1d7c Mon Sep 17 00:00:00 2001 
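Review bot: The `Create matrix` step now writes `matrix=` to `$GITHUB_OUTPUT` three times; only the last assignment survives, so the matrix is whatever `tests-multiarch` declares and the first two lines are dead code. Either print the `multiarch` group once and merge the platform lists, e.g. `echo "matrix=$(docker buildx bake multiarch --print | jq -cr '[.target[].platforms[]] | unique')" >> "${GITHUB_OUTPUT}"`, or keep a single target as the source of truth and say so in a comment.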
From: Taylor Mowat Date: Mon, 23 Jun 2025 10:00:58 +0100 Subject: [PATCH 028/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 2811b8bd..3fd0c1dc 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -98,6 +98,11 @@ jobs: # with: # platforms: linux/amd64,linux/arm64 + - name: print the problem file + run: | + echo "bake-meta.json file: ${{ runner.temp }}/bake-meta.json" + cat "${{ runner.temp }}/bake-meta.json" + - name: Build all image variants with Docker Buildx Bake uses: docker/bake-action@v6 with: From 5fe429cdbf30f5e964354ca9fc5ba68802d2f77a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 11:54:51 +0100 Subject: [PATCH 029/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 3fd0c1dc..d1165748 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -118,7 +118,7 @@ jobs: set: | *.tags=${{ env.REGISTRY_IMAGE }} *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false" + *.output=type=image,push-by-digest=true,name-canonical=true,push=false # set: | # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} # - From adb45f88ea8cf08d3f2e83e726d9ef2eca210d1c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 12:09:52 +0100 Subject: [PATCH 030/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index d1165748..8ed91b47 100644 
--- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -51,6 +51,14 @@ jobs: if-no-files-found: error retention-days: 1 + - name: Upload docker-compose definition + uses: actions/upload-artifact@v4 + with: + name: docker-compose + path: ${{ runner.temp }}/docker-compose.yml + if-no-files-found: error + retention-days: 1 + build: name: Build Multi-Stage Docker Images runs-on: ubuntu-latest @@ -110,9 +118,7 @@ jobs: docker-bake.hcl cwd://${{ runner.temp }}/bake-meta.json targets: | - runtime-multiarch - runtime-with-contrast-multiarch - tests-multiarch + multiarch push: false load: true set: | @@ -149,6 +155,12 @@ jobs: # tags: | # netflicks:latest-with-agent + - name: Download docker-compose definition + uses: actions/download-artifact@v4 + with: + name: docker-compose + path: ${{ runner.temp }} + - name: Run docker-compose tests run: | docker compose --profile tests up --abort-on-container-exit --exit-code-from tests From 9cf6bf8722c8d990c17e84d24180fb92dca79185 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 12:23:43 +0100 Subject: [PATCH 031/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 8ed91b47..2c4ac956 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -73,6 +73,9 @@ jobs: # metadata: ${{ steps.meta.outputs.json }} # contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: + - name: Checkout branch + uses: actions/checkout@v4 + - name: Prepare run: | platform=${{ matrix.platform }} From 430163dc4748c61faba8b98515807e190f1dfe6f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 12:26:26 +0100 Subject: [PATCH 032/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 13 ------------- 1 file changed, 13 deletions(-) 
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 2c4ac956..a214ccef 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -51,13 +51,6 @@ jobs: if-no-files-found: error retention-days: 1 - - name: Upload docker-compose definition - uses: actions/upload-artifact@v4 - with: - name: docker-compose - path: ${{ runner.temp }}/docker-compose.yml - if-no-files-found: error - retention-days: 1 build: name: Build Multi-Stage Docker Images @@ -157,12 +150,6 @@ jobs: # target: runtime-with-contrast # tags: | # netflicks:latest-with-agent - - - name: Download docker-compose definition - uses: actions/download-artifact@v4 - with: - name: docker-compose - path: ${{ runner.temp }} - name: Run docker-compose tests run: | From 3f2e7c63f53b64bfa1e70921c590dc4d7a34bb65 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 12:36:02 +0100 Subject: [PATCH 033/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index a214ccef..f7461a10 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -118,7 +118,7 @@ jobs: push: false load: true set: | - *.tags=${{ env.REGISTRY_IMAGE }} + # *.tags=${{ env.REGISTRY_IMAGE }} *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true,push=false # set: | From 069f83b943f649b1c82952719c474053696d2dbd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 12:37:33 +0100 Subject: [PATCH 034/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index f7461a10..cc7fa149 100644 --- a/.github/workflows/docker-images.yml 
+++ b/.github/workflows/docker-images.yml @@ -118,11 +118,12 @@ jobs: push: false load: true set: | - # *.tags=${{ env.REGISTRY_IMAGE }} *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true,push=false # set: | # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} + # FROM ABOVE: + # *.tags=${{ env.REGISTRY_IMAGE }} # - # name: Build no-agent variant # id: build From c0fafccdf092e6cc9a850c4ee7aae1f863862650 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 12:44:18 +0100 Subject: [PATCH 035/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index cc7fa149..c4e207ac 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -108,6 +108,7 @@ jobs: cat "${{ runner.temp }}/bake-meta.json" - name: Build all image variants with Docker Buildx Bake + id: bake uses: docker/bake-action@v6 with: files: | From 9ffc68ffed76d16132f5d172401b132fdec73cf1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 13:40:58 +0100 Subject: [PATCH 036/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 34 +++++------------------------ 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index c4e207ac..00128c1e 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -120,38 +120,16 @@ jobs: load: true set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false + + - name: Inspect + run: | + docker image inspect ${{ env.REGISTRY_IMAGE }}:${{ fromJSON(steps.bake.outputs.metadata).image['docker-metadata-action'].tags['latest'] }} + # set: | # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} # FROM ABOVE: # *.tags=${{ env.REGISTRY_IMAGE }} - # - - # name: Build no-agent variant - # id: build - # uses: docker/build-push-action@v5 - # with: - # context: . - # platforms: linux/amd64, linux/arm64 - # push: false - # load: true - # cache-from: type=gha - # cache-to: type=gha,mode=max - # target: runtime - # tags: | - # netflicks:latest-no-agent - # - - # name: Build image with Contrast agent - # id: build-contrast - # uses: docker/build-push-action@v5 - # with: - # context: . - # platforms: linux/amd64, linux/arm64 - # push: false - # load: true - # cache-from: type=gha - # target: runtime-with-contrast - # tags: | - # netflicks:latest-with-agent + # *.output=type=image,push-by-digest=true,name-canonical=true - name: Run docker-compose tests run: | From a13c08d9c5d70cd47f08b8a3ea7e1dbed16e824d Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 13:46:12 +0100 Subject: [PATCH 037/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 00128c1e..8b14f24e 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -123,7 +123,8 @@ jobs: - name: Inspect run: | - docker image inspect ${{ env.REGISTRY_IMAGE }}:${{ fromJSON(steps.bake.outputs.metadata).image['docker-metadata-action'].tags['latest'] }} + docker image inspect ${{ env.REGISTRY_IMAGE }}:latest + docker image inspect ${{ env.REGISTRY_IMAGE }}:latest-contrast # set: | # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} From 6ff1d3eae40c6ecc1301680734d987da56447773 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 14:00:40 +0100 Subject: [PATCH 038/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 8b14f24e..2ebb2597 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -117,9 +117,10 @@ jobs: targets: | multiarch push: false - load: true set: | *.platform=${{ matrix.platform }} + *.output=type=image,push-by-digest=true,name-canonical=true + - name: Inspect run: | From f9c64a59070a56f59277f41e0e96612c93c89042 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 14:06:08 +0100 Subject: [PATCH 039/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 2ebb2597..4135f188 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -131,7 +131,7 @@ jobs: # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} # FROM ABOVE: # *.tags=${{ env.REGISTRY_IMAGE }} - # *.output=type=image,push-by-digest=true,name-canonical=true + # *.output=type=docker,push-by-digest=true,name-canonical=true - name: Run docker-compose tests run: | From 9b8922c8006681421e8928596de690f87436b790 Mon Sep 17 00:00:00 2001 
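Review bot: Removing `load: true` while `push: false` stays leaves the built image only in the builder's cache, yet the `Inspect` step visible as context at the end of the hunk still runs `docker image inspect` against the local daemon, so with a docker-container builder it will presumably fail with a no-such-image error. The added `*.output=type=image,push-by-digest=true,name-canonical=true` carries no `push=true`, so the image does not reach the registry either. If the inspect is only a debugging aid, keep `load: true` for it or drop the step; the enclosing `steps:` list continues outside the hunk.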
From: Taylor Mowat Date: Mon, 23 Jun 2025 14:09:41 +0100 Subject: [PATCH 040/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 4135f188..cf4efdac 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -119,7 +119,7 @@ jobs: push: false set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true + *.output=type=docker,push-by-digest=true,name-canonical=true - name: Inspect @@ -131,7 +131,7 @@ jobs: # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} # FROM ABOVE: # *.tags=${{ env.REGISTRY_IMAGE }} - # *.output=type=docker,push-by-digest=true,name-canonical=true + # *.output=type=docker,push-by-digest=true,name-canonical=true,push=true - name: Run docker-compose tests run: | From 701776d09fb11ededf2d50de3d50d2d271f5c116 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 14:25:15 +0100 Subject: [PATCH 041/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index cf4efdac..adc5acc2 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -116,10 +116,10 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch - push: false + # push: false set: | *.platform=${{ matrix.platform }} - *.output=type=docker,push-by-digest=true,name-canonical=true + *.output=type=docker,push-by-digest=true,name-canonical=true,push=true - name: Inspect From 64e44ee4b0171155c56c40554bfb71a460af1d21 Mon Sep 17 00:00:00 2001 
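Review bot: `*.output=type=docker,push-by-digest=true,name-canonical=true` pairs the `docker` exporter, which loads the result into the local daemon, with `push-by-digest` and `name-canonical`, which as far as I know are attributes of the `image`/`registry` exporter only, so this line likely either errors or loads an image while pushing nothing by digest. The second hunk of this patch only edits a comment. If a locally inspectable image is the goal, `load: true` (or `type=docker` alone) is enough, and the by-digest push belongs on a separate `type=image` output.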
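Review bot: With `push: false` commented out and `push=true` appended to the output, this bake step pushes on every run of the workflow, and the trigger list in the copy of this workflow added at L57 suggests that includes `pull_request`; patch 058 at L53 sets the same `push=true`. If registry credentials are available to the job, pull-request builds would publish images by digest before review, so gate the push on the event, e.g. `*.output=type=image,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}` or an `if: github.event_name != 'pull_request'` on the step. `push=true` is also not an attribute the `type=docker` exporter used on this line understands.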
From: Taylor Mowat Date: Mon, 23 Jun 2025 14:36:07 +0100 Subject: [PATCH 042/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 38 ++++++++++++++++------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index adc5acc2..98be0994 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -107,8 +107,10 @@ jobs: echo "bake-meta.json file: ${{ runner.temp }}/bake-meta.json" cat "${{ runner.temp }}/bake-meta.json" - - name: Build all image variants with Docker Buildx Bake - id: bake + # Need to do two bake steps because load=true is not compatible with push-by-digest=true + # https://github.com/moby/buildkit/issues/5556 + - name: Build all image variants with Docker Buildx Bake (for local testing)) + id: bake-local uses: docker/bake-action@v6 with: files: | @@ -116,23 +118,11 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch - # push: false + push: false + load: true set: | *.platform=${{ matrix.platform }} - *.output=type=docker,push-by-digest=true,name-canonical=true,push=true - - - - name: Inspect - run: | - docker image inspect ${{ env.REGISTRY_IMAGE }}:latest - docker image inspect ${{ env.REGISTRY_IMAGE }}:latest-contrast - - # set: | - # CONTRAST_AGENT_VERSION=${{ github.event.inputs.contrast_agent_version || 'latest' }} - # FROM ABOVE: - # *.tags=${{ env.REGISTRY_IMAGE }} - # *.output=type=docker,push-by-digest=true,name-canonical=true,push=true - + - name: Run docker-compose tests run: | docker compose --profile tests up --abort-on-container-exit --exit-code-from tests 
@@ -159,6 +149,20 @@ jobs: docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" + - name: Build all image variants with Docker Buildx Bake (for local testing)) + id: bake + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ runner.temp }}/bake-meta.json + targets: | + multiarch + push: false + set: | + *.platform=${{ matrix.platform }} + *.output=type=image,push-by-digest=true,name-canonical=true + - name: Export digest run: | mkdir -p ${{ runner.temp }}/digests From 7d719b058dd42c56b76a5cd7c91ae3db41b4bc6c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 14:43:13 +0100 Subject: [PATCH 043/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 98be0994..f22d62f3 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -109,7 +109,7 @@ jobs: # Need to do two bake steps because load=true is not compatible with push-by-digest=true # https://github.com/moby/buildkit/issues/5556 - - name: Build all image variants with Docker Buildx Bake (for local testing)) + - name: Build all image variants with Docker Buildx Bake (for local testing) id: bake-local uses: docker/bake-action@v6 with: @@ -149,7 +149,7 @@ jobs: docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" - - name: Build all image variants with Docker Buildx Bake (for local testing)) + - name: Build all image variants with Docker Buildx Bake id: bake uses: docker/bake-action@v6 with: @@ -172,7 +172,7 @@ jobs: - name: Upload digest uses: actions/upload-artifact@v4 with: - name: digests + name: digests-${{ env.PLATFORM_PAIR }} path: ${{ runner.temp }}/digests/* if-no-files-found: error retention-days: 1 From c9a3b2b3e9231c3ad24b69df513b841e064f09a7 Mon Sep 17 00:00:00 2001 
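Review bot: The second bake step (`id: bake`) sets `push: false` while its output requests `push-by-digest=true`, so the digest the following `Export digest` step records (visible as context) refers to an image that was never pushed to `${{ env.REGISTRY_IMAGE }}`; a later manifest merge by digest would presumably not find it. The step also copies the first step's name, `(for local testing))` with a doubled parenthesis, although it is the one meant to produce the publishable digest; rename it, e.g. `- name: Build all image variants with Docker Buildx Bake (push by digest)`. Patch 050 at L48 restores this same `push=false` with `push-by-digest=true` configuration.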
From: Taylor Mowat Date: Mon, 23 Jun 2025 14:51:20 +0100 Subject: [PATCH 044/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index f22d62f3..9eb23a5d 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -158,10 +158,10 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch - push: false + # push: false set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true + *.output=type=image,push-by-digest=true,name-canonical=true,push=false - name: Export digest run: | From a2b8aa421db4da0a59e10ab04a14eed75610a604 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 14:58:59 +0100 Subject: [PATCH 045/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 9eb23a5d..b7fb0086 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -99,6 +99,8 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 + with: + driver: docker # with: # platforms: linux/amd64,linux/arm64 
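Review bot: `driver: docker` switches setup-buildx to the daemon's built-in builder, which has a reduced feature set compared with the default docker-container driver (no multi-platform images without the containerd image store, no registry cache export) and only builds a non-native `matrix.platform` if QEMU binfmt is registered on the runner, and no setup-qemu step is visible in this series. If the change is only meant to make `load: true` work, the docker-container driver already supports loading single-platform builds. The stray `# with: # platforms:` comment directly beneath the new lines should be deleted rather than carried along.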
@@ -149,19 +151,19 @@ jobs: docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" - - name: Build all image variants with Docker Buildx Bake - id: bake - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ runner.temp }}/bake-meta.json - targets: | - multiarch - # push: false - set: | - *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false + # - name: Build all image variants with Docker Buildx Bake + # id: bake + # uses: docker/bake-action@v6 + # with: + # files: | + # docker-bake.hcl + # cwd://${{ runner.temp }}/bake-meta.json + # targets: | + # multiarch + # # push: false + # set: | + # *.platform=${{ matrix.platform }} + # *.output=type=image,push-by-digest=true,name-canonical=true,push=false - name: Export digest run: | From c684c19e0a05848688cb86b4c3db84ed87bf4f61 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 16:44:45 +0100 Subject: [PATCH 046/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index b7fb0086..7ad50945 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -168,7 +168,7 @@ jobs: - name: Export digest run: | mkdir -p ${{ runner.temp }}/digests - digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" + digest="${{ fromJSON(steps.bake-local.outputs.metadata).image['containerimage.digest'] }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" - name: Upload digest From 147b13153775fc3aac5256177973d4c5fcf38aa5 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 17:01:17 +0100 Subject: [PATCH 047/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 1 + 1 file changed, 1 insertion(+) 
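Review bot: Pointing `Export digest` at `steps.bake-local.outputs.metadata` after commenting out the `bake` step means the recorded `containerimage.digest` now comes from the `load: true` build, which presumably identifies the image loaded into the local daemon rather than a manifest in the registry, so anything that later assembles a manifest list from the uploaded digests would reference content the registry does not hold. Commenting out the whole `bake` step also leaves a block of dead configuration in the job; delete it or gate it with `if:` instead.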
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 7ad50945..0064f948 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -124,6 +124,7 @@ jobs: load: true set: | *.platform=${{ matrix.platform }} + *.output=type=image,push-by-digest=true,name-canonical=true,push=false - name: Run docker-compose tests run: | From dfb88eb7c17db7feb6f0e13426939b30691a2a0e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 17:05:24 +0100 Subject: [PATCH 048/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 0064f948..c187f782 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -124,7 +124,7 @@ jobs: load: true set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false + *.output=type=docker,push-by-digest=true,name-canonical=true,push=false - name: Run docker-compose tests run: | From a605e0bd7d81f052d7933038f89bfdb4327594a7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 23 Jun 2025 17:10:00 +0100 Subject: [PATCH 049/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index c187f782..b4702472 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -124,7 +124,7 @@ jobs: load: true set: | *.platform=${{ matrix.platform }} - *.output=type=docker,push-by-digest=true,name-canonical=true,push=false + *.output=type=docker,push-by-digest=true,name-canonical=true,oci-mediatypes=true - name: Run docker-compose tests run: | From 3ce09e739783ed27e86a0b4dbcae26f88bd35db6 Mon Sep 17 00:00:00 2001 
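Review bot: The added `*.output=type=image,push-by-digest=true,name-canonical=true,push=false` sits on the bake step that still has `load: true` (visible as context above it), which is exactly the combination the series' own comment from patch 042 says does not work (moby/buildkit issue 5556, load=true incompatible with push-by-digest=true). Patches 048 and 049 on this same line only swap the exporter type and attributes without removing the conflict, and patch 056 at L52 re-adds `load: true` next to the same output line. If the local image is needed for the compose tests, keep `load: true` here and leave the digest-producing output to the separate bake step; otherwise drop `load: true`.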
From: Taylor Mowat Date: Mon, 23 Jun 2025 17:15:23 +0100 Subject: [PATCH 050/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index b4702472..c0c5ae18 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -124,7 +124,6 @@ jobs: load: true set: | *.platform=${{ matrix.platform }} - *.output=type=docker,push-by-digest=true,name-canonical=true,oci-mediatypes=true - name: Run docker-compose tests run: | @@ -152,24 +151,24 @@ jobs: docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" - # - name: Build all image variants with Docker Buildx Bake - # id: bake - # uses: docker/bake-action@v6 - # with: - # files: | - # docker-bake.hcl - # cwd://${{ runner.temp }}/bake-meta.json - # targets: | - # multiarch - # # push: false - # set: | - # *.platform=${{ matrix.platform }} - # *.output=type=image,push-by-digest=true,name-canonical=true,push=false + - name: Build all image variants with Docker Buildx Bake + id: bake + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ runner.temp }}/bake-meta.json + targets: | + multiarch + # push: false + set: | + *.platform=${{ matrix.platform }} + *.output=type=image,push-by-digest=true,name-canonical=true,push=false - name: Export digest run: | mkdir -p ${{ runner.temp }}/digests - digest="${{ fromJSON(steps.bake-local.outputs.metadata).image['containerimage.digest'] }}" + digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" - name: Upload digest From 4431902b1f6c92dfaf7c1f1b1490417b26cbdcb6 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Wed, 25 Jun 2025 08:55:47 +0100 Subject: [PATCH 051/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index c0c5ae18..d853ece9 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -99,8 +99,8 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - with: - driver: docker + # with: + # driver: docker # with: # platforms: linux/amd64,linux/arm64 From a9e383e48ea2637ff8bbbab5e1daabf21d54bfd8 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:01:57 +0100 Subject: [PATCH 052/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index d853ece9..7f24dd29 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -117,7 +117,6 @@ jobs: with: files: | docker-bake.hcl - cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch push: false From 8c86a5d5051b16e709145f1a151b1687343a67dc Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:19:47 +0100 Subject: [PATCH 053/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 7f24dd29..fb4751c2 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -99,10 +99,6 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - # with: - # driver: docker - # with: - # platforms: linux/amd64,linux/arm64 - name: print the problem file run: | 
@@ -166,6 +162,7 @@ jobs: - name: Export digest run: | + echo ${{ fromJSON(steps.bake.outputs.metadata) }} mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" From 614e250623daa52ed54db1e81ed911853be733ce Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:24:29 +0100 Subject: [PATCH 054/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index fb4751c2..5400856b 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -162,7 +162,7 @@ jobs: - name: Export digest run: | - echo ${{ fromJSON(steps.bake.outputs.metadata) }} + echo ${{ steps.bake.outputs.metadata }} mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" From cbe8fae03b986226106010264b854c84f5ae968b Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:39:57 +0100 Subject: [PATCH 055/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 73 ++++++++++++++--------------- 1 file changed, 36 insertions(+), 37 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 5400856b..8a9edf34 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
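Review bot: `echo ${{ fromJSON(steps.bake.outputs.metadata) }}` interpolates build metadata directly into the shell script, unquoted; the expression is expanded before bash parses the line, so any quote or metacharacter in the value breaks the step, and the same pattern lets content of the metadata (tags and labels derived from ref names and the bake file) be interpreted as shell. Patch 054 on this line, patch 063 at L55 and patch 064 at L56 keep the pattern, the later ones with double or single quotes, which still do not neutralise a matching quote inside the value. Pass it through the environment instead: `env:` with `BAKE_METADATA: ${{ steps.bake.outputs.metadata }}` on the step, then `echo "$BAKE_METADATA"` in `run:`. `fromJSON(...)` also yields an object, which presumably does not stringify to the JSON text, so this debug line is unlikely to print what was intended.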
@@ -107,44 +107,44 @@ jobs: # Need to do two bake steps because load=true is not compatible with push-by-digest=true # https://github.com/moby/buildkit/issues/5556 - - name: Build all image variants with Docker Buildx Bake (for local testing) - id: bake-local - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - targets: | - multiarch - push: false - load: true - set: | - *.platform=${{ matrix.platform }} + # - name: Build all image variants with Docker Buildx Bake (for local testing) + # id: bake-local + # uses: docker/bake-action@v6 + # with: + # files: | + # docker-bake.hcl + # targets: | + # multiarch + # push: false + # load: true + # set: | + # *.platform=${{ matrix.platform }} - - name: Run docker-compose tests - run: | - docker compose --profile tests up --abort-on-container-exit --exit-code-from tests + # - name: Run docker-compose tests + # run: | + # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: contrastsecuritydemo/netflicks - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=raw,value=latest,enable={{is_default_branch}} + # - name: Extract metadata + # id: meta + # uses: docker/metadata-action@v5 + # with: + # images: contrastsecuritydemo/netflicks + # tags: | + # type=ref,event=branch + # type=ref,event=pr + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=raw,value=latest,enable={{is_default_branch}} - - name: Get currently installed Contrast agent version - id: versions - run: | - docker compose up web-dev -d - docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - docker compose down - echo "Contrast agent version: ${CONTRAST_VERSION}" 
+ # - name: Get currently installed Contrast agent version + # id: versions + # run: | + # docker compose up web-dev -d + # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # docker compose down + # echo "Contrast agent version: ${CONTRAST_VERSION}" - name: Build all image variants with Docker Buildx Bake id: bake @@ -155,10 +155,9 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch - # push: false set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false + *.output=type=image,push-by-digest=true,name-canonical=true - name: Export digest run: | From 5c9eccd63d578b59b6efda11a67da50a274983ed Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:45:54 +0100 Subject: [PATCH 056/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 8a9edf34..f68d3673 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -155,13 +155,14 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch + push: false + load: true set: | *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true - name: Export digest run: | - echo ${{ steps.bake.outputs.metadata }} mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" From caf9c56d0c20636882eaf15aa992463d7e89151a Mon Sep 17 00:00:00 2001 
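Review bot: Commenting out `Run docker-compose tests` (together with the local bake, `Extract metadata` and `Get currently installed Contrast agent version` steps) removes the only test gate in this job, so the `bake` step that follows still exports and uploads digests for images nothing has exercised. If the tests are disabled temporarily, prefer `if: false` (or a `workflow_dispatch` input) on the step to a block of roughly forty commented lines, which keeps the YAML readable and makes the disabled state searchable. The `versions` step's `contrast_version` output is gone as well, so any remaining reference to `steps.versions.outputs.contrast_version` in the file now resolves to an empty string. The enclosing `steps:` list continues outside the hunk.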
From: Taylor Mowat Date: Wed, 25 Jun 2025 09:51:57 +0100 Subject: [PATCH 057/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index f68d3673..0ef8e533 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -156,7 +156,6 @@ jobs: targets: | multiarch push: false - load: true set: | *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true @@ -165,6 +164,7 @@ jobs: run: | mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" + echo "digest=${digest}" touch "${{ runner.temp }}/digests/${digest#sha256:}" - name: Upload digest From 7fc2d0465107bdfd47d17dd77463aae709dc7be4 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:54:16 +0100 Subject: [PATCH 058/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 0ef8e533..08d88077 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -155,10 +155,9 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | multiarch - push: false set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true + *.output=type=image,push-by-digest=true,name-canonical=true,push=true - name: Export digest run: | From db08df9cafdcd027b28f6eb5dc258402bc455598 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:57:30 +0100 Subject: [PATCH 059/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 08d88077..c2eebbfb 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -154,7 +154,7 @@ jobs: docker-bake.hcl cwd://${{ runner.temp }}/bake-meta.json targets: | - multiarch + runtime set: | *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true,push=true From 6f576292098cc99b40a047132b3c8d6900352b58 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 09:59:46 +0100 Subject: [PATCH 060/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index c2eebbfb..bebdda64 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -157,7 +157,7 @@ jobs: runtime set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=true + *.output=type=image,push-by-digest=true,name-canonical=true,push=false - name: Export digest run: | From ca395d2bda04646867eb21c8aa2268ec549c9791 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:05:22 +0100 Subject: [PATCH 061/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index bebdda64..cb6929d2 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -155,6 +155,8 @@ jobs: cwd://${{ runner.temp }}/bake-meta.json targets: | runtime + load: false + push: false set: | *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true,push=false From b0c7c1c5bb65fe6a240b4510da8c14ba528dbda9 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Wed, 25 Jun 2025 10:08:17 +0100 Subject: [PATCH 062/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index cb6929d2..53e89f46 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -156,7 +156,6 @@ jobs: targets: | runtime load: false - push: false set: | *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true,push=false From 2f295c28fb4c44cb9b796848c10b63c088e7948a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:14:01 +0100 Subject: [PATCH 063/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 53e89f46..c6c3e200 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -165,6 +165,10 @@ jobs: mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" echo "digest=${digest}" + echo "FULL METADATA" + echo "${{ fromJSON(steps.bake.outputs.metadata) }}" + echo "IMAGE METADATA" + echo "${{ fromJSON(steps.bake.outputs.metadata).image }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" - name: Upload digest From 6bdedc03198d4ece6b54f8a3fed48fe8b468f0bd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:26:33 +0100 Subject: [PATCH 064/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index c6c3e200..60f57396 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -162,13 +162,17 @@ jobs: - name: Export digest run: | + echo "DIGEST METADATA" + echo '${{ fromJSON(steps.bake.outputs.digest) }}' + echo "IMAGE METADATA" + echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' + echo "FULL METADATA" + echo '${{ fromJSON(steps.bake.outputs.metadata) }}' + + mkdir -p ${{ runner.temp }}/digests digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" echo "digest=${digest}" - echo "FULL METADATA" - echo "${{ fromJSON(steps.bake.outputs.metadata) }}" - echo "IMAGE METADATA" - echo "${{ fromJSON(steps.bake.outputs.metadata).image }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" - name: Upload digest From df9c188b8c64d1e75fbeeb3be0a128b385e5dd59 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:28:42 +0100 Subject: [PATCH 065/234] trying matrix builds for amd and arm --- .github/workflows/docker-images-single.yml | 325 +++++++++++++++++++++ .github/workflows/docker-images.yml | 2 +- 2 files changed, 326 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/docker-images-single.yml diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml new file mode 100644 index 00000000..60f57396 --- /dev/null +++ b/.github/workflows/docker-images-single.yml 
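Review bot: `steps.bake.outputs.digest` is read on the first new line, but docker/bake-action (v6, used above) documents `metadata` as its output and I am not aware of a `digest` output; if it is absent the expression expands to nothing and `fromJSON('')` gives no usable value, so that echo prints nothing at best. The `digest=` line below them still uses the documented `metadata` path, which suggests the three debug echoes are scaffolding; remove them before this lands, or at least pass the values through `env:` rather than interpolating them into `run:`.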
@@ -0,0 +1,325 @@ +name: Docker Image CI + +on: + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main + workflow_dispatch: + +env: + REGISTRY_IMAGE: contrastsecuritydemo/netflicks + +jobs: + prepare: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.platforms.outputs.matrix }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Create matrix + id: platforms + run: | + echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake runtime-with-contrast-multiarch --print | jq -cr '.target."runtime-with-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} + echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} + + - name: Show matrix + run: echo "${{ steps.platforms.outputs.matrix }}" + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + - name: Rename meta bake definition file + run: | + mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" + + - name: Upload meta bake definition + uses: actions/upload-artifact@v4 + with: + name: bake-meta + path: ${{ runner.temp }}/bake-meta.json + if-no-files-found: error + retention-days: 1 + + + build: + name: Build Multi-Stage Docker Images + runs-on: ubuntu-latest + needs: + - prepare + strategy: + fail-fast: false + matrix: + platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + # outputs: + # image-digest: ${{ steps.build.outputs.digest }} + # metadata: ${{ steps.meta.outputs.json }} + # contrast_version: ${{ steps.versions.outputs.contrast_version }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Download meta bake definition + uses: actions/download-artifact@v4 + 
with: + name: bake-meta + path: ${{ runner.temp }} + + # - + # name: Set up Docker daemon for multi-platform builds + # uses: docker/setup-docker-action@v4 + # with: + # daemon-config: | + # { + # "debug": true, + # "features": { + # "containerd-snapshotter": true + # } + # } + + - name: Docker Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: all + + - name: Docker Setup Buildx + uses: docker/setup-buildx-action@v3 + + - name: print the problem file + run: | + echo "bake-meta.json file: ${{ runner.temp }}/bake-meta.json" + cat "${{ runner.temp }}/bake-meta.json" + + # Need to do two bake steps because load=true is not compatible with push-by-digest=true + # https://github.com/moby/buildkit/issues/5556 + # - name: Build all image variants with Docker Buildx Bake (for local testing) + # id: bake-local + # uses: docker/bake-action@v6 + # with: + # files: | + # docker-bake.hcl + # targets: | + # multiarch + # push: false + # load: true + # set: | + # *.platform=${{ matrix.platform }} + + # - name: Run docker-compose tests + # run: | + # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests + + # - name: Extract metadata + # id: meta + # uses: docker/metadata-action@v5 + # with: + # images: contrastsecuritydemo/netflicks + # tags: | + # type=ref,event=branch + # type=ref,event=pr + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=raw,value=latest,enable={{is_default_branch}} + + # - name: Get currently installed Contrast agent version + # id: versions + # run: | + # docker compose up web-dev -d + # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # docker compose down + # echo "Contrast agent version: ${CONTRAST_VERSION}" + + - name: Build all image variants with Docker Buildx Bake + id: bake + uses: docker/bake-action@v6 
+ with: + files: | + docker-bake.hcl + cwd://${{ runner.temp }}/bake-meta.json + targets: | + runtime + load: false + set: | + *.platform=${{ matrix.platform }} + *.output=type=image,push-by-digest=true,name-canonical=true,push=false + + - name: Export digest + run: | + echo "DIGEST METADATA" + echo '${{ fromJSON(steps.bake.outputs.digest) }}' + echo "IMAGE METADATA" + echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' + echo "FULL METADATA" + echo '${{ fromJSON(steps.bake.outputs.metadata) }}' + + + mkdir -p ${{ runner.temp }}/digests + digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" + echo "digest=${digest}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + + pre-merge: + name: Prepare to merge + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Docker Metadata action + id: metadata + uses: docker/metadata-action@v5 + with: + images: contrastsecuritydemo/netflicks + flavor: | + latest=true + tags: | + type=semver,pattern={{version}}, priority=100 + type=semver,pattern={{major}}.{{minor}}, priority=200 + + - name: Version number + run: | + echo Getting the build metadata + echo ${{ needs.build.outputs.contrast_version }} + + - name: Download meta bake definition + uses: actions/download-artifact@v4 + with: + name: bake-meta + path: ${{ runner.temp }} + + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests + run: | + docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) 
| join(" ")' ${{ runner.temp }}/bake-meta.json) \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) + + + + # push: + # name: Push Images to Docker Hub + # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) + # runs-on: ubuntu-latest + # needs: + # - test + # steps: + # - + # name: Checkout branch + # uses: actions/checkout@v4 + # - + # name: Docker Setup QEMU + # uses: docker/setup-qemu-action@v3 + # with: + # platforms: all + # - + # name: Docker Setup Buildx + # uses: docker/setup-buildx-action@v3 + # with: + # platforms: linux/amd64,linux/arm64 + # - + # name: Login to Docker Hub + # uses: docker/login-action@v3 + # with: + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN }} + # - + # name: Extract metadata for no-agent variant + # id: meta-no-agent + # uses: docker/metadata-action@v5 + # with: + # images: contrastsecuritydemo/netflicks + # flavor: | + # latest=true + # suffix=-no-agent + # tags: | + # type=ref,event=branch + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=raw,value=latest,enable={{is_default_branch}} + # - + # name: Extract metadata for agent variant + # id: meta-agent + # uses: docker/metadata-action@v5 + # with: + # images: contrastsecuritydemo/netflicks + # flavor: | + # latest=true + # suffix=-agent + # tags: | + # type=ref,event=branch + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=raw,value=latest,enable={{is_default_branch}} + # - + # name: Build and push no-agent variant + # uses: docker/build-push-action@v5 + # with: + # context: . 
+ # platforms: linux/amd64,linux/arm64 + # push: true + # cache-from: type=gha + # target: runtime + # tags: ${{ steps.meta-no-agent.outputs.tags }} + # labels: ${{ steps.meta-no-agent.outputs.labels }} + # - + # name: Build and push agent variant + # uses: docker/build-push-action@v5 + # with: + # context: . + # platforms: linux/amd64,linux/arm64 + # push: true + # cache-from: type=gha + # target: runtime-with-contrast + # tags: ${{ steps.meta-agent.outputs.tags }} + # labels: ${{ steps.meta-agent.outputs.labels }} + + + + + merge: + name: Merge if PR is merged and tests pass + if: github.event.pull_request.merged + runs-on: ubuntu-latest + needs: + - pre-merge + + steps: + - run: | + echo The PR was merged diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 60f57396..0cdcabf5 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -163,7 +163,7 @@ jobs: - name: Export digest run: | echo "DIGEST METADATA" - echo '${{ fromJSON(steps.bake.outputs.digest) }}' + # echo '${{ fromJSON(steps.bake.outputs.digest) }}' echo "IMAGE METADATA" echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' echo "FULL METADATA" From a5ce00f359ea9d7dcb466fcf4655319b32439cd1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:31:37 +0100 Subject: [PATCH 066/234] trying matrix builds for amd and arm --- .github/workflows/docker-images-single.yml | 16 ++++++++-------- .github/workflows/docker-images.yml | 1 - 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 60f57396..5fa699d4 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
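Review bot: The `Create matrix` step writes `matrix=` to `$GITHUB_OUTPUT` three times and the last write wins, so `needs.prepare.outputs.matrix` only ever holds the `tests-multiarch` platform list and the other two targets' platforms are silently dropped; either merge the three lists into one `matrix=` line (for example by piping the three `jq` results through `jq -s 'add | unique'`) or emit three differently named outputs. `pre-merge` echoes `needs.build.outputs.contrast_version`, but the `build` job declares no `outputs:` block (it is commented out), so the value is always empty. The `merge` job keys on `github.event.pull_request.merged`, which is only set on `pull_request` `closed` events that this trigger list (default activity types) does not include, so that job can never run. The file also declares no `permissions:` block, so every job gets the default token scope; `permissions: contents: read` at the top is all the checkout and artifact steps need.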
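Review bot: Prefixing the line with `#` does not disable the expression: GitHub substitutes every `${{ }}` in the `run:` string before bash sees it, so `fromJSON(steps.bake.outputs.digest)` is still evaluated and a missing or non-JSON output fails the step exactly as before. Delete the line rather than commenting it out; if the debugging output is wanted, print the raw `steps.bake.outputs.metadata` string via a step `env:` entry, which needs no `fromJSON`. The `run:` block continues past the hunk.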
@@ -1,14 +1,14 @@ name: Docker Image CI on: - push: - branches: - - main - tags: - - v* - pull_request: - branches: - - main + # push: + # branches: + # - main + # tags: + # - v* + # pull_request: + # branches: + # - main workflow_dispatch: env: diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 0cdcabf5..635ffce9 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -163,7 +163,6 @@ jobs: - name: Export digest run: | echo "DIGEST METADATA" - # echo '${{ fromJSON(steps.bake.outputs.digest) }}' echo "IMAGE METADATA" echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' echo "FULL METADATA" From e5e9c0c6a074f0d4565e4ffe7177136269904339 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:33:32 +0100 Subject: [PATCH 067/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 635ffce9..04c5d584 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -163,10 +163,14 @@ jobs: - name: Export digest run: | echo "DIGEST METADATA" - echo "IMAGE METADATA" - echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' - echo "FULL METADATA" - echo '${{ fromJSON(steps.bake.outputs.metadata) }}' + touch metadata.json + echo '${{ steps.bake.outputs.metadata }}' > metadata.json + cat metadata.json + echo "---------------------" + # echo "IMAGE METADATA" + # echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' + # echo "FULL METADATA" + # echo '${{ fromJSON(steps.bake.outputs.metadata) }}' mkdir -p ${{ runner.temp }}/digests From 8e5ceb5d8f5e4262e7d5ab101bcd7c83e42f613d Mon Sep 17 00:00:00 2001 
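Review bot: `echo '${{ steps.bake.outputs.metadata }}' > metadata.json` pastes the raw JSON into a single-quoted shell word, so a `'` anywhere in the metadata terminates the quote and whatever follows is parsed as shell; expose the value through the step's `env:` (`BAKE_METADATA: ${{ steps.bake.outputs.metadata }}`) and write it with `printf '%s\n' "$BAKE_METADATA" > "${{ runner.temp }}/metadata.json"`. The file currently lands in the checkout workspace rather than in `${{ runner.temp }}` like the `digests` directory two lines below, and the preceding `touch metadata.json` is redundant because the redirection creates the file. The `run:` block continues past the hunk.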
From: Taylor Mowat Date: Wed, 25 Jun 2025 10:51:35 +0100 Subject: [PATCH 068/234] trying matrix builds for amd and arm --- .github/workflows/docker-images-single.yml | 315 ++++----------------- .github/workflows/docker-images.yml | 5 +- 2 files changed, 55 insertions(+), 265 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 5fa699d4..9060c271 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -15,64 +15,15 @@ env: REGISTRY_IMAGE: contrastsecuritydemo/netflicks jobs: - prepare: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.platforms.outputs.matrix }} - steps: - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Create matrix - id: platforms - run: | - echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo "matrix=$(docker buildx bake runtime-with-contrast-multiarch --print | jq -cr '.target."runtime-with-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} - - - name: Show matrix - run: echo "${{ steps.platforms.outputs.matrix }}" - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Rename meta bake definition file - run: | - mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" - - - name: Upload meta bake definition - uses: actions/upload-artifact@v4 - with: - name: bake-meta - path: ${{ runner.temp }}/bake-meta.json - if-no-files-found: error - retention-days: 1 - build: name: Build Multi-Stage Docker Images runs-on: ubuntu-latest - needs: - - prepare strategy: fail-fast: false - matrix: - platform: ${{ fromJson(needs.prepare.outputs.matrix) }} - # outputs: - # image-digest: ${{ steps.build.outputs.digest }} - # metadata: ${{ steps.meta.outputs.json }} - # contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: - name: Checkout branch uses: actions/checkout@v4 - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Download meta bake definition uses: actions/download-artifact@v4 
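Review bot: Removing the `prepare` job and the `matrix:` block leaves two dangling references in `build`: `Download meta bake definition` (the last lines of this hunk) still fetches the `bake-meta` artifact that only `prepare` uploaded, so the step should fail with an artifact-not-found error, and the bake step further down (outside this hunk) still sets `*.platform=${{ matrix.platform }}`, which now expands to an empty string. Either keep a static `matrix: platform: [linux/amd64, linux/arm64]` under `strategy:` and pass the platform through, or drop the `*.platform=` override and the artifact download together with the job. `strategy: fail-fast: false` with nothing else underneath is also a lint warning worth cleaning up.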
@@ -80,17 +31,16 @@ jobs: name: bake-meta path: ${{ runner.temp }} - # - - # name: Set up Docker daemon for multi-platform builds - # uses: docker/setup-docker-action@v4 - # with: - # daemon-config: | - # { - # "debug": true, - # "features": { - # "containerd-snapshotter": true - # } - # } + - name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } - name: Docker Setup QEMU uses: docker/setup-qemu-action@v3 
@@ -99,52 +49,45 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - - - name: print the problem file - run: | - echo "bake-meta.json file: ${{ runner.temp }}/bake-meta.json" - cat "${{ runner.temp }}/bake-meta.json" # Need to do two bake steps because load=true is not compatible with push-by-digest=true # https://github.com/moby/buildkit/issues/5556 - # - name: Build all image variants with Docker Buildx Bake (for local testing) - # id: bake-local - # uses: docker/bake-action@v6 - # with: - # files: | - # docker-bake.hcl - # targets: | - # multiarch - # push: false - # load: true - # set: | - # *.platform=${{ matrix.platform }} + - name: Build all image variants with Docker Buildx Bake (for local testing) + id: bake-local + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + targets: | + runtime-multiarch + push: false + load: true - # - name: Run docker-compose tests - # run: | - # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - # - name: Extract metadata - # id: meta - # uses: docker/metadata-action@v5 - # with: - # images: contrastsecuritydemo/netflicks - # tags: | - # type=ref,event=branch - # type=ref,event=pr - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=raw,value=latest,enable={{is_default_branch}} + - name: Run docker-compose tests + run: | + docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - # - name: Get currently installed Contrast agent version - # id: versions - # run: | - # docker compose up web-dev -d - # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - # docker compose down - # echo "Contrast agent version: ${CONTRAST_VERSION}" + - name: Extract metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: 
contrastsecuritydemo/netflicks + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=raw,value=latest,enable={{is_default_branch}} + + - name: Get currently installed Contrast agent version + id: versions + run: | + docker compose up web-dev -d + docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + docker compose down + echo "Contrast agent version: ${CONTRAST_VERSION}" - name: Build all image variants with Docker Buildx Bake id: bake 
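Review bot: `Get currently installed Contrast agent version` writes `contrast_version` to `$GITHUB_OUTPUT`, but the job no longer declares an `outputs:` block (the commented one was removed earlier in this patch), so nothing downstream can read it; either re-add `outputs: contrast_version: ${{ steps.versions.outputs.contrast_version }}` on the job or drop the step. Because `run:` scripts execute under `bash -e`, a failure in `docker compose cp` or `jq` skips `docker compose down` and leaves `web-dev` running for the rest of the job; `trap 'docker compose down' EXIT` at the top of the script, or a separate `if: always()` cleanup step, is safer, and the same applies to `Run docker-compose tests`, which has no `down` at all. `cat image-manifest.json | jq -r '.version'` can simply be `jq -r '.version' image-manifest.json`.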
@@ -154,172 +97,18 @@ jobs: docker-bake.hcl cwd://${{ runner.temp }}/bake-meta.json targets: | - runtime - load: false + runtime-multiarch set: | *.platform=${{ matrix.platform }} *.output=type=image,push-by-digest=true,name-canonical=true,push=false - - name: Export digest - run: | - echo "DIGEST METADATA" - echo '${{ fromJSON(steps.bake.outputs.digest) }}' - echo "IMAGE METADATA" - echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' - echo "FULL METADATA" - echo '${{ fromJSON(steps.bake.outputs.metadata) }}' + - name: Inspect the created images + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} - - mkdir -p ${{ runner.temp }}/digests - digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" - echo "digest=${digest}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/digests/* - if-no-files-found: error - retention-days: 1 - - pre-merge: - name: Prepare to merge - runs-on: ubuntu-latest - needs: - - build - steps: - - name: Docker Metadata action - id: metadata - uses: docker/metadata-action@v5 + - name: Login to Docker Hub + uses: docker/login-action@v3 with: - images: contrastsecuritydemo/netflicks - flavor: | - latest=true - tags: | - type=semver,pattern={{version}}, priority=100 - type=semver,pattern={{major}}.{{minor}}, priority=200 - - - name: Version number - run: | - echo Getting the build metadata - echo ${{ needs.build.outputs.contrast_version }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Download meta bake definition - uses: actions/download-artifact@v4 - with: - name: bake-meta - path: ${{ runner.temp }} - - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: ${{ runner.temp }}/digests - pattern: digests-* - merge-multiple: true - - - name: Set up 
Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Create manifest list and push - working-directory: ${{ runner.temp }}/digests - run: | - docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) - - - - # push: - # name: Push Images to Docker Hub - # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) - # runs-on: ubuntu-latest - # needs: - # - test - # steps: - # - - # name: Checkout branch - # uses: actions/checkout@v4 - # - - # name: Docker Setup QEMU - # uses: docker/setup-qemu-action@v3 - # with: - # platforms: all - # - - # name: Docker Setup Buildx - # uses: docker/setup-buildx-action@v3 - # with: - # platforms: linux/amd64,linux/arm64 - # - - # name: Login to Docker Hub - # uses: docker/login-action@v3 - # with: - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN }} - # - - # name: Extract metadata for no-agent variant - # id: meta-no-agent - # uses: docker/metadata-action@v5 - # with: - # images: contrastsecuritydemo/netflicks - # flavor: | - # latest=true - # suffix=-no-agent - # tags: | - # type=ref,event=branch - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=raw,value=latest,enable={{is_default_branch}} - # - - # name: Extract metadata for agent variant - # id: meta-agent - # uses: docker/metadata-action@v5 - # with: - # images: contrastsecuritydemo/netflicks - # flavor: | - # latest=true - # suffix=-agent - # tags: | - # type=ref,event=branch - # type=semver,pattern={{version}} - # 
type=semver,pattern={{major}}.{{minor}} - # type=raw,value=latest,enable={{is_default_branch}} - # - - # name: Build and push no-agent variant - # uses: docker/build-push-action@v5 - # with: - # context: . - # platforms: linux/amd64,linux/arm64 - # push: true - # cache-from: type=gha - # target: runtime - # tags: ${{ steps.meta-no-agent.outputs.tags }} - # labels: ${{ steps.meta-no-agent.outputs.labels }} - # - - # name: Build and push agent variant - # uses: docker/build-push-action@v5 - # with: - # context: . - # platforms: linux/amd64,linux/arm64 - # push: true - # cache-from: type=gha - # target: runtime-with-contrast - # tags: ${{ steps.meta-agent.outputs.tags }} - # labels: ${{ steps.meta-agent.outputs.labels }} - - - - - merge: - name: Merge if PR is merged and tests pass - if: github.event.pull_request.merged - runs-on: ubuntu-latest - needs: - - pre-merge - - steps: - - run: | - echo The PR was merged diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 04c5d584..b9ec9493 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -162,11 +162,12 @@ jobs: - name: Export digest run: | - echo "DIGEST METADATA" + echo "DIGEST METADATA catted out via file" touch metadata.json echo '${{ steps.bake.outputs.metadata }}' > metadata.json - cat metadata.json + cat metadata.json | jq -r '.image["containerimage.digest"]' echo "---------------------" + cat metadata.json # echo "IMAGE METADATA" # echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' # echo "FULL METADATA" From 18a0ebb941934ac7b877c8ca9ea2089bdea774a5 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 10:59:20 +0100 Subject: [PATCH 069/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index b9ec9493..867fe256 100644 
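Review bot: `docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }}` is malformed: `steps.meta.outputs.tags` is already a newline-separated list of full references (`contrastsecuritydemo/netflicks:<tag>` per line), so prefixing it with the image name again produces `contrastsecuritydemo/netflicks:contrastsecuritydemo/netflicks:<tag>` plus stray extra words. Put the list in the step's `env:` (`TAGS: ${{ steps.meta.outputs.tags }}`) and loop with `for t in $TAGS; do docker buildx imagetools inspect "$t"; done`. Even with the reference fixed, the bake step above still runs with `push=false` and `imagetools inspect` reads from the registry, so there is nothing to inspect until an image is pushed; `Login to Docker Hub` is now the last step of the job, after everything that could have needed credentials, and should move before the bake or go. The `*.platform=${{ matrix.platform }}` context line still references a matrix this file no longer defines.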
--- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -165,7 +165,7 @@ jobs: echo "DIGEST METADATA catted out via file" touch metadata.json echo '${{ steps.bake.outputs.metadata }}' > metadata.json - cat metadata.json | jq -r '.image["containerimage.digest"]' + cat metadata.json | jq -r '.runtime["containerimage.digest"]' echo "---------------------" cat metadata.json # echo "IMAGE METADATA" From 48b516b640fdf7a30582b9e6cbc8bdcb9fe1ad39 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 13:24:26 +0100 Subject: [PATCH 070/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 867fe256..ddce3017 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -175,7 +175,7 @@ jobs: mkdir -p ${{ runner.temp }}/digests - digest="${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}" + digest="${{ fromJSON(steps.bake.outputs.metadata).runtime['containerimage.digest'] }}" echo "digest=${digest}" touch "${{ runner.temp }}/digests/${digest#sha256:}" From cb654e260fa42d8445750c96650035194a8fa188 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 15:43:02 +0100 Subject: [PATCH 071/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index ddce3017..5b6a7286 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -29,6 +29,7 @@ jobs: echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} echo "matrix=$(docker buildx bake runtime-with-contrast-multiarch --print | jq -cr '.target."runtime-with-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} + echo "${GITHUB_OUTPUT}" - name: Show matrix run: echo "${{ steps.platforms.outputs.matrix }}" @@ -167,11 +168,12 @@ jobs: echo '${{ steps.bake.outputs.metadata }}' > metadata.json cat metadata.json | jq -r '.runtime["containerimage.digest"]' echo "---------------------" - cat metadata.json - # echo "IMAGE METADATA" - # echo '${{ fromJSON(steps.bake.outputs.metadata).image }}' - # echo "FULL METADATA" - # echo '${{ fromJSON(steps.bake.outputs.metadata) }}' + cat metadata.json + echo "FULL METADATA" + echo '${{ fromJSON(steps.bake.outputs.metadata) }}' + echo "---------------------" + echo "RUNTIME METADATA" + echo '${{ fromJSON(steps.bake.outputs.metadata).runtime }}' mkdir -p ${{ runner.temp }}/digests From db19e13d435c2d094569698515323fa967d58fe3 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 15:53:11 +0100 Subject: [PATCH 072/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 5b6a7286..a1e47f95 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -155,7 +155,7 @@ jobs: docker-bake.hcl cwd://${{ runner.temp }}/bake-meta.json targets: | - runtime + multiarch load: false set: | *.platform=${{ matrix.platform }} From 77caf896033de96f937d323d0f7cee698212d94b Mon Sep 17 00:00:00 2001 
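Review bot: `echo "${GITHUB_OUTPUT}"` prints the path of the outputs file, not its contents; if the intent is to see what the three `matrix=` lines produced, use `cat "${GITHUB_OUTPUT}"`, which would also make visible that the three lines overwrite the same key and only the last (`tests-multiarch`) list survives into `steps.platforms.outputs.matrix`. Patch 073 then drops the quotes around `${GITHUB_OUTPUT}`, which is a ShellCheck SC2086 regression without changing what is printed. The second hunk of this patch re-adds `echo '${{ fromJSON(steps.bake.outputs.metadata) }}'` and the `.runtime` variant, inlining object-valued expressions into the shell script; pass `steps.bake.outputs.metadata` through the step's `env:` and print the variable instead. The `run:` block starts outside the hunk.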
From: Taylor Mowat Date: Wed, 25 Jun 2025 16:12:10 +0100 Subject: [PATCH 073/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index a1e47f95..da850338 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -29,7 +29,7 @@ jobs: echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} echo "matrix=$(docker buildx bake runtime-with-contrast-multiarch --print | jq -cr '.target."runtime-with-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo "${GITHUB_OUTPUT}" + echo ${GITHUB_OUTPUT} - name: Show matrix run: echo "${{ steps.platforms.outputs.matrix }}" @@ -43,6 +43,7 @@ jobs: - name: Rename meta bake definition file run: | mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" + echo ${{ runner.temp }}/bake-meta.json - name: Upload meta bake definition uses: actions/upload-artifact@v4 
@@ -177,10 +178,16 @@ jobs: mkdir -p ${{ runner.temp }}/digests - digest="${{ fromJSON(steps.bake.outputs.metadata).runtime['containerimage.digest'] }}" - echo "digest=${digest}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" - + runtime_digest="${{ fromJSON(steps.bake.outputs.metadata).runtime-multiarch['containerimage.digest'] }}" + contrast_digest="${{ fromJSON(steps.bake.outputs.metadata).runtime-with-contrast-multiarch['containerimage.digest'] }}" + tests_digest="${{ fromJSON(steps.bake.outputs.metadata).tests-multiarch['containerimage.digest'] }}" + echo "runtime_digest=${runtime_digest}" + echo "contrast_digest=${contrast_digest}" + echo "tests_digest=${tests_digest}" + touch "${{ runner.temp }}/digests/${runtime_digest#sha256:}" + touch "${{ runner.temp }}/digests/${contrast_digest#sha256:}" + touch "${{ runner.temp }}/digests/${tests_digest#sha256:}" + - name: Upload digest uses: actions/upload-artifact@v4 with: From 71803b7bbe212c42efd681f32ee2ba8c243ddeff Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 16:47:14 +0100 Subject: [PATCH 074/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index da850338..cff8f83d 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -160,7 +160,7 @@ jobs: load: false set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false + *.output=type=image,push-by-digest=true,name-canonical=true,dest=${{ runner.temp }}/myimage.tar,push=false - name: Export digest run: | 
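Review bot: The runtime, contrast and tests digests are all touched as bare files in the single `digests` directory, but `pre-merge` builds one manifest list from `printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *` over that directory, so three different images per platform would be merged into one manifest list under one set of tags. Keep one directory per variant (`digests/runtime/`, `digests/contrast/`, `digests/tests/`), upload them under distinct artifact names and run one `imagetools create` per variant with that variant's tags. The `fromJSON(…).runtime-multiarch['containerimage.digest']` lookups are only correct if the bake group really exposes those three target names, which this hunk cannot confirm. The `Export digest` script starts outside the hunk.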
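Review bot: `dest=${{ runner.temp }}/myimage.tar` is appended to a `type=image` output, and as far as I know `dest` is an attribute of the `docker`, `oci` and `tar` exporters rather than of the `image` exporter, so buildx will either reject the unknown attribute or ignore it and no archive will be written. If a loadable per-platform archive is the goal, declare a separate `type=oci,dest=…` output for the target in `docker-bake.hcl`, or `docker save` after a `load: true` bake; mixing it into the push-by-digest output will not produce one.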
@@ -184,9 +184,9 @@ jobs: echo "runtime_digest=${runtime_digest}" echo "contrast_digest=${contrast_digest}" echo "tests_digest=${tests_digest}" - touch "${{ runner.temp }}/digests/${runtime_digest#sha256:}" - touch "${{ runner.temp }}/digests/${contrast_digest#sha256:}" - touch "${{ runner.temp }}/digests/${tests_digest#sha256:}" + touch "${{ runner.temp }}/digests/runtime/${runtime_digest#sha256:}" + touch "${{ runner.temp }}/digests/contrast/${contrast_digest#sha256:}" + touch "${{ runner.temp }}/digests/tests/${tests_digest#sha256:}" - name: Upload digest uses: actions/upload-artifact@v4 @@ -237,8 +237,12 @@ jobs: - name: Create manifest list and push working-directory: ${{ runner.temp }}/digests run: | - docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + ls -la + ls -la runtime + ls -la contrast + ls -la tests + # docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \ + # $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - name: Inspect image run: | From 49eef99b6337c7d2ffbe1dc0d31dc3a75a248556 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 16:54:37 +0100 Subject: [PATCH 075/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index cff8f83d..a443d079 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
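Review bot: The three `touch` targets now live under `digests/runtime/`, `digests/contrast/` and `digests/tests/`, but as far as the earlier hunks show the only directory this script creates is `${{ runner.temp }}/digests` itself, so the first `touch` fails on a missing directory unless those subdirectories are created elsewhere; `mkdir -p "${{ runner.temp }}/digests"/{runtime,contrast,tests}` should precede them. In the third hunk the `Create manifest list and push` step is reduced to `ls -la` while keeping its name, and the following `Inspect image` step (outside the hunk) still expects a pushed manifest and will fail on the missing tag; rename the step or guard the inspect with an `if:` until the create call is restored.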
@@ -177,7 +177,9 @@ jobs: echo '${{ fromJSON(steps.bake.outputs.metadata).runtime }}' - mkdir -p ${{ runner.temp }}/digests + mkdir -p ${{ runner.temp }}/digests/runtime + mkdir -p ${{ runner.temp }}/digests/contrast + mkdir -p ${{ runner.temp }}/digests/tests runtime_digest="${{ fromJSON(steps.bake.outputs.metadata).runtime-multiarch['containerimage.digest'] }}" contrast_digest="${{ fromJSON(steps.bake.outputs.metadata).runtime-with-contrast-multiarch['containerimage.digest'] }}" tests_digest="${{ fromJSON(steps.bake.outputs.metadata).tests-multiarch['containerimage.digest'] }}" From 4ae1b2afe363763c032c1e30d191c330843a4ffd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 17:10:23 +0100 Subject: [PATCH 076/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index a443d079..23be37df 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -198,6 +198,12 @@ jobs: if-no-files-found: error retention-days: 1 + - name: Upload image tar + uses: actions/upload-artifact@v4 + with: + name: myimage-${{ env.PLATFORM_PAIR }}.tar + path: ${{ runner.temp }}/myimage.tar + pre-merge: name: Prepare to merge runs-on: ubuntu-latest From db0263787175591fd6ef57f64e2c7a03451ef07a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 17:25:28 +0100 Subject: [PATCH 077/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 23be37df..4ef61165 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -198,11 +198,17 @@ jobs: if-no-files-found: error retention-days: 1 + - name: Export docker images as tar files + run: | + docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar + docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar + docker save contrastsecuritydemo/netflicks:e2e-tests -o ${{ runner.temp }}/images/tests.tar + - name: Upload image tar uses: actions/upload-artifact@v4 with: - name: myimage-${{ env.PLATFORM_PAIR }}.tar - path: ${{ runner.temp }}/myimage.tar + name: images-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/images/* pre-merge: name: Prepare to merge From 038a7a68e97de761be1235e9a911e63d81e35d6b Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 17:27:38 +0100 Subject: [PATCH 078/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 4ef61165..6ddb727e 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -200,6 +200,7 @@ jobs: - name: Export docker images as tar files run: | + mkdir -p ${{ runner.temp }}/images docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar docker save contrastsecuritydemo/netflicks:e2e-tests -o ${{ runner.temp }}/images/tests.tar From 34863bc9c50bfb30d477ec947134b6f1174d9681 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 17:34:02 +0100 Subject: [PATCH 079/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 6ddb727e..6d3c7568 100644 --- a/.github/workflows/docker-images.yml 
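Review bot: `docker save … -o ${{ runner.temp }}/images/runtime.tar` writes into a directory no step creates, and `docker save` does not create parent directories, so the step fails before anything is uploaded; add `mkdir -p "${{ runner.temp }}/images"` at the top of the script. The upload step below also lacks `if-no-files-found: error`, so an empty or failed save would otherwise only surface as a missing artifact in the merge job. Whether the three tags exist in the local daemon at this point depends on the preceding bake step being run with `load: true`, which this hunk does not show.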
+++ b/.github/workflows/docker-images.yml @@ -200,7 +200,7 @@ jobs: - name: Export docker images as tar files run: | - mkdir -p ${{ runner.temp }}/images + mkdir -p ${{ runner.temp }}/images/ docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar docker save contrastsecuritydemo/netflicks:e2e-tests -o ${{ runner.temp }}/images/tests.tar From f89b0ff20d66ff06dd7b59e4349ff8017ce2392a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 17:43:51 +0100 Subject: [PATCH 080/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 6d3c7568..9cc977ee 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -203,13 +203,15 @@ jobs: mkdir -p ${{ runner.temp }}/images/ docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar - docker save contrastsecuritydemo/netflicks:e2e-tests -o ${{ runner.temp }}/images/tests.tar + docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests.tar - name: Upload image tar uses: actions/upload-artifact@v4 with: name: images-${{ env.PLATFORM_PAIR }} path: ${{ runner.temp }}/images/* + if-no-files-found: error + retention-days: 1 pre-merge: name: Prepare to merge From 960c0f285063d5dc6f5e16ad4730b605039732a0 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 17:50:16 +0100 Subject: [PATCH 081/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 54 +++++++++++++++-------------- 1 file changed, 28 insertions(+), 26 deletions(-) 
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 9cc977ee..ec620291 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -109,23 +109,38 @@ jobs: # Need to do two bake steps because load=true is not compatible with push-by-digest=true # https://github.com/moby/buildkit/issues/5556 - # - name: Build all image variants with Docker Buildx Bake (for local testing) - # id: bake-local - # uses: docker/bake-action@v6 - # with: - # files: | - # docker-bake.hcl - # targets: | - # multiarch - # push: false - # load: true - # set: | - # *.platform=${{ matrix.platform }} + - name: Build all image variants with Docker Buildx Bake (for local testing) + id: bake-local + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + targets: | + multiarch + push: false + load: true + set: | + *.platform=${{ matrix.platform }} # - name: Run docker-compose tests # run: | # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests + - name: Export docker images as tar files + run: | + mkdir -p ${{ runner.temp }}/images/ + docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar + docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar + docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests.tar + + - name: Upload image tar + uses: actions/upload-artifact@v4 + with: + name: images-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/images/* + if-no-files-found: error + retention-days: 1 + # - name: Extract metadata # id: meta # uses: docker/metadata-action@v5 @@ -160,7 +175,7 @@ jobs: load: false set: | *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,dest=${{ runner.temp }}/myimage.tar,push=false + *.output=type=image,push-by-digest=true,name-canonical=true,push=false - name: Export digest run: | 
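Review bot: The tarballs exported with `docker save` come from the `bake-local` build, while the digests the merge job pushes come from the second bake step with `push-by-digest=true`, so what is tested is not necessarily what is published: two separate builds of a Dockerfile whose `FROM`/`COPY --from` references use floating tags can resolve to different base or agent layers between invocations. Either pin those references by digest in the Dockerfile and bake file, or build once with an OCI output (`*.output=type=oci,dest=…`) and derive both the loadable tarball and the pushed manifest from that single artifact. Removing `dest=…/myimage.tar` from the digest output in the lower hunk is consistent with the tarball now being produced by `docker save`.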
@@ -198,20 +213,7 @@ jobs: if-no-files-found: error retention-days: 1 - - name: Export docker images as tar files - run: | - mkdir -p ${{ runner.temp }}/images/ - docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar - docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar - docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests.tar - - name: Upload image tar - uses: actions/upload-artifact@v4 - with: - name: images-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/images/* - if-no-files-found: error - retention-days: 1 pre-merge: name: Prepare to merge From fb513e7811637e20ce7fb836aaa6ac15af86f12b Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 18:11:53 +0100 Subject: [PATCH 082/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 39 ++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index ec620291..5fa0a8cd 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -129,9 +129,9 @@ jobs: - name: Export docker images as tar files run: | mkdir -p ${{ runner.temp }}/images/ - docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime.tar - docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast.tar - docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests.tar + docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime/${{ env.PLATFORM_PAIR }}.tar + docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast/${{ env.PLATFORM_PAIR }}.tar + docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests/${{ env.PLATFORM_PAIR }}.tar - name: Upload image tar uses: actions/upload-artifact@v4 
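Review bot: The `docker save` targets moved into `images/runtime/`, `images/contrast/` and `images/tests/`, but the `mkdir -p ${{ runner.temp }}/images/` a few lines above still creates only the parent, so all three saves fail. Create the subdirectories on the same line: `mkdir -p "${{ runner.temp }}"/images/{runtime,contrast,tests}`. The pure-move hunk above it only removes the old copy of these steps and needs no change.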
@@ -141,6 +141,7 @@ jobs: if-no-files-found: error retention-days: 1 + # - name: Extract metadata # id: meta # uses: docker/metadata-action@v5 @@ -153,15 +154,15 @@ jobs: # type=semver,pattern={{major}}.{{minor}} # type=raw,value=latest,enable={{is_default_branch}} - # - name: Get currently installed Contrast agent version - # id: versions - # run: | - # docker compose up web-dev -d - # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - # docker compose down - # echo "Contrast agent version: ${CONTRAST_VERSION}" + - name: Get currently installed Contrast agent version + id: versions + run: | + docker compose up web-dev -d + docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + docker compose down + echo "Contrast agent version: ${CONTRAST_VERSION}" - name: Build all image variants with Docker Buildx Bake id: bake 
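Review bot: The re-enabled version step takes `.version` straight from a JSON file inside a container and writes it to `$GITHUB_OUTPUT` unvalidated; `jq -r` prints `null` when the key is absent, and a later patch feeds this output into a `docker/metadata-action` tag pattern, so an odd value ends up in published tag names. Guard it before the echo: `[[ "$CONTRAST_VERSION" =~ ^[0-9]+(\.[0-9]+){1,3}$ ]] || { echo "unexpected version: $CONTRAST_VERSION"; exit 1; }`. `docker compose down` is also skipped when `cp` or `jq` fails under the default `bash -e` shell, leaving `web-dev` running; `trap 'docker compose down' EXIT` right after the `up` keeps the cleanup unconditional. Starting the whole application just to read one file is heavier than `docker create` plus `docker cp` on the image.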
@@ -263,6 +264,20 @@ jobs: # docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \ # $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + - name: Download images + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/images + pattern: images-* + merge-multiple: true + + - name: Load images + run: | + docker load --input ${{ runner.temp }}/images/runtime/*.tar + docker load --input ${{ runner.temp }}/images/contrast/*.tar + docker load --input ${{ runner.temp }}/images/tests/*.tar + docker image ls -a + - name: Inspect image run: | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) From ca068c81516088177f61899ed31fe32fb2c3a530 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 18:22:22 +0100 Subject: [PATCH 083/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 5fa0a8cd..744d7a58 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -128,7 +128,9 @@ jobs: - name: Export docker images as tar files run: | - mkdir -p ${{ runner.temp }}/images/ + mkdir -p ${{ runner.temp }}/images/runtime + mkdir -p ${{ runner.temp }}/images/contrast + mkdir -p ${{ runner.temp }}/images/tests docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime/${{ env.PLATFORM_PAIR }}.tar docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast/${{ env.PLATFORM_PAIR }}.tar docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests/${{ env.PLATFORM_PAIR }}.tar 
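Review bot: `docker load --input ${{ runner.temp }}/images/runtime/*.tar` breaks as soon as the `merge-multiple: true` download places more than one platform tarball in a folder: `--input` takes a single file, the shell expands the glob, and `docker load` rejects the extra positional argument. Loop over the files instead: `for f in "${{ runner.temp }}"/images/*/*.tar; do docker load --input "$f"; done`. The artifacts loaded here are trusted solely on the `images-*` name pattern, which is acceptable only because they come from the matrix jobs of the same run.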
@@ -273,9 +275,17 @@ jobs: - name: Load images run: | - docker load --input ${{ runner.temp }}/images/runtime/*.tar - docker load --input ${{ runner.temp }}/images/contrast/*.tar - docker load --input ${{ runner.temp }}/images/tests/*.tar + echo "Loading images" + for folder in ${{ runner.temp }}/images/*; do + for file in "$folder"/*.tar; do + echo "Loading $folder image: $file" + docker load --input ${{ runner.temp }}/$folder/$file + done + done + + - name: Check images are loaded + run: | + echo "Checking loaded images" docker image ls -a - name: Inspect image From d474c72d10d8730187e619f20dcbdf71f364aa1f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 25 Jun 2025 21:00:39 +0100 Subject: [PATCH 084/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 744d7a58..e3610b38 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -278,8 +278,8 @@ jobs: echo "Loading images" for folder in ${{ runner.temp }}/images/*; do for file in "$folder"/*.tar; do - echo "Loading $folder image: $file" - docker load --input ${{ runner.temp }}/$folder/$file + echo "Loading $file" + docker load --input $file done done From ea57f9a4da4e4eeb32fed85a641046ead71a55fd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 26 Jun 2025 07:55:49 +0100 Subject: [PATCH 085/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index e3610b38..e41865ad 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
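Review bot: Every per-platform tarball was saved from the same tags (`contrastsecuritydemo/netflicks:latest`, `:latest-contrast`, `e2e-tests/netflicks:latest`), so loading the second `${{ env.PLATFORM_PAIR }}.tar` re-points those tags to the last image loaded; after this loop only one architecture is reachable by tag and `docker image ls -a` will not show which. Retag per platform before saving (`docker tag contrastsecuritydemo/netflicks:latest contrastsecuritydemo/netflicks:latest-${{ env.PLATFORM_PAIR }}`) or assemble the manifest list from the pushed digests instead of loading single-arch images. In the loop, quote `"$file"` and set `shopt -s nullglob` so an empty folder does not pass a literal `*.tar` to `docker load`.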
@@ -290,7 +290,10 @@ jobs: - name: Inspect image run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) + docker buildx imagetools inspect contrastsecuritydemo/netflicks:latest + docker buildx imagetools inspect contrastsecuritydemo/netflicks:latest-contrast + docker buildx imagetools inspect e2e-tests/netflicks:latest + # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) From 24268dd810534c948e994e12c0b82bdda37f2b70 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 26 Jun 2025 08:18:50 +0100 Subject: [PATCH 086/234] trying matrix builds for amd and arm --- .github/workflows/docker-images-single.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 9060c271..01d7179b 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -1,14 +1,14 @@ name: Docker Image CI on: - # push: - # branches: - # - main - # tags: - # - v* - # pull_request: - # branches: - # - main + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main workflow_dispatch: env: @@ -59,7 +59,7 @@ jobs: files: | docker-bake.hcl targets: | - runtime-multiarch + multiarch push: false load: true From 12dbfe453e1e963934bb694872f8e82780be74e1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 26 Jun 2025 08:28:54 +0100 Subject: [PATCH 087/234] trying matrix builds for amd and arm --- .github/workflows/docker-images-single.yml | 24 +++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 01d7179b..c7230f78 100644 --- a/.github/workflows/docker-images-single.yml 
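Review bot: `docker buildx imagetools inspect` resolves its argument against a registry, not the local image store, so after `docker load` these three commands inspect whatever `contrastsecuritydemo/netflicks:latest` currently is on Docker Hub (and `e2e-tests/netflicks:latest` will not resolve at all) rather than the images just loaded. Use `docker image inspect contrastsecuritydemo/netflicks:latest` or `docker image ls --digests` for local images, and keep `imagetools inspect` for the step that runs after the manifest list has been pushed.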
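Review bot: Re-enabling the `push` and `pull_request` triggers means this workflow now runs on PRs, and a later patch shows the job ending with a `docker/login-action` step that uses `secrets.DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`; on pull requests from forks those secrets are empty and the login fails. Gate that step with `if: github.event_name != 'pull_request'` and keep `push: false` for PR builds so they build and test without registry credentials. This is inferred from the later patch, not from this hunk.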
+++ b/.github/workflows/docker-images-single.yml @@ -15,7 +15,29 @@ env: REGISTRY_IMAGE: contrastsecuritydemo/netflicks jobs: - + prepare: + name: Prepare for multi-stage builds + runs-on: ubuntu-latest + steps: + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + + - name: Rename meta bake definition file + run: | + mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" + echo ${{ runner.temp }}/bake-meta.json + + - name: Upload meta bake definition + uses: actions/upload-artifact@v4 + with: + name: bake-meta + path: ${{ runner.temp }}/bake-meta.json + if-no-files-found: error + retention-days: 1 + build: name: Build Multi-Stage Docker Images runs-on: ubuntu-latest From 445dcc312535371a9348c0e9841a7f1466c75b1d Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 26 Jun 2025 08:45:31 +0100 Subject: [PATCH 088/234] trying matrix builds for amd and arm --- .github/workflows/docker-images-single.yml | 4 +++- .github/workflows/docker-images.yml | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index c7230f78..b1842996 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -126,7 +126,9 @@ jobs: - name: Inspect the created images run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} + docker image ls -a + + # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} - name: Login to Docker Hub uses: docker/login-action@v3 diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index e41865ad..149d14d0 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -63,6 +63,11 @@ jobs: fail-fast: false matrix: platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + include: + - platform: amd64 + runner: ubuntu-latest + - platform: arm64 + runner: macos-latest # outputs: # image-digest: ${{ steps.build.outputs.digest }} # metadata: ${{ steps.meta.outputs.json }} From c6dc8722f692a077ea5a4139eb7b39a27f74a23c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 26 Jun 2025 14:26:49 +0100 Subject: [PATCH 089/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 149d14d0..170aecb0 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -62,11 +62,11 @@ jobs: strategy: fail-fast: false matrix: - platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + # platform: ${{ fromJson(needs.prepare.outputs.matrix) }} include: - - platform: amd64 + - platform: linux/amd64 runner: ubuntu-latest - - platform: arm64 + - platform: linux/arm64 runner: macos-latest # outputs: # image-digest: ${{ steps.build.outputs.digest }} From 7f22d7c7bfe6f063d460c4836000889f5024cefa Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 26 Jun 2025 14:38:57 +0100 Subject: [PATCH 090/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 170aecb0..d49a18d8 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
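Review bot: `runner: macos-latest` is unlikely to work for the `linux/arm64` leg: GitHub-hosted macOS runners do not ship a Docker daemon, so `setup-buildx-action`, `docker save` and compose have nothing to talk to, and in this hunk `runs-on` is still `ubuntu-latest`, so the new `runner` key is not used anywhere yet. For a native arm64 build use a Linux arm64 runner label (a GitHub-hosted `ubuntu-24.04-arm` or a self-hosted arm64 runner) and set `runs-on: ${{ matrix.runner }}`. Commenting out the `platform:` list from `needs.prepare.outputs.matrix` also leaves the prepare job's matrix output dead unless it is wired back in.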
@@ -56,23 +56,30 @@ jobs: build: name: Build Multi-Stage Docker Images - runs-on: ubuntu-latest - needs: - - prepare strategy: fail-fast: false matrix: - # platform: ${{ fromJson(needs.prepare.outputs.matrix) }} + platform: ${{ fromJson(needs.prepare.outputs.matrix) }} include: - platform: linux/amd64 runner: ubuntu-latest - platform: linux/arm64 runner: macos-latest + runs-on: ${{ matrix.runner }} + needs: + - prepare + # outputs: # image-digest: ${{ steps.build.outputs.digest }} # metadata: ${{ steps.meta.outputs.json }} # contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: + - name: echo + run: | + echo "matrix.platform = ${{ matrix.platform}}" + echo "matrix.runner = ${{ matrix.runner}}" + echo "matrix.platform.runner = ${{ matrix.platform.runner}}" + - name: Checkout branch uses: actions/checkout@v4 From 07e8f944e6a9e968210df3df687052f1e844277a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 30 Jun 2025 10:42:24 +0100 Subject: [PATCH 091/234] trying matrix builds for amd and arm --- .github/workflows/docker-images.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index d49a18d8..badbf2fd 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -106,10 +106,10 @@ jobs: # } # } - - name: Docker Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: all + # - name: Docker Setup QEMU + # uses: docker/setup-qemu-action@v3 + # with: + # platforms: all - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 From ce65a590cea0c38269a91c254bde6c62fa9daad9 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 13:35:35 +0100 Subject: [PATCH 092/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 50 +++++++++------------- .github/workflows/docker-images.yml | 16 +++---- 2 files changed, 29 insertions(+), 37 deletions(-) 
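Review bot: With `platform:` restored from `needs.prepare.outputs.matrix` next to an `include` list, `runner` is only attached to combinations whose `platform` string is exactly `linux/amd64` or `linux/arm64`; any other value emitted by the prepare job produces a leg with an empty `matrix.runner`, and `runs-on: ${{ matrix.runner }}` is then invalid. Either make the explicit `include` list the single source of platforms, or have prepare emit `{platform, runner}` pairs. The added `echo` step is debug output (`${{ matrix.platform.runner }}` is not a valid matrix property) and should be removed before merge.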
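Review bot: Commenting out `docker/setup-qemu-action` is only safe if every matrix leg builds on hardware matching its `platform`; a `linux/arm64` leg scheduled on an x86 runner fails at the first `RUN` in the Dockerfile without emulation. If native runners are the intent, record it above the buildx step, e.g. `# no QEMU: each platform builds on a native runner (see matrix.runner)`, so the removal is not undone by mistake.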
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index b1842996..b01d4dc9 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -10,6 +10,11 @@ on: branches: - main workflow_dispatch: + inputs: + contrast_agent_version: + description: 'Contrast .NET Core agent version to build with' + required: false + default: 'latest' env: REGISTRY_IMAGE: contrastsecuritydemo/netflicks @@ -72,35 +77,35 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 + - name: Extract metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: contrastsecuritydemo/netflicks + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=raw,value=latest,enable={{is_default_branch}} + # Need to do two bake steps because load=true is not compatible with push-by-digest=true # https://github.com/moby/buildkit/issues/5556 - - name: Build all image variants with Docker Buildx Bake (for local testing) - id: bake-local + - name: Build all Docker images for this PR + id: bake-pr uses: docker/bake-action@v6 with: files: | docker-bake.hcl - targets: | - multiarch push: false load: true + set: | + \*.platform=linux/{arm64,amd64} - name: Run docker-compose tests run: | docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: contrastsecuritydemo/netflicks - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=raw,value=latest,enable={{is_default_branch}} - - name: Get currently installed Contrast agent version id: versions run: | 
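Review bot: `\*.platform=linux/{arm64,amd64}` is not a valid bake override: inside a YAML block scalar the backslash is kept literally, and bake's `set` values are not brace-expanded by a shell, so it should read `*.platform=linux/amd64,linux/arm64`. Even with that fixed, `load: true` cannot import a two-platform build into the classic Docker image store (buildx reports that the docker exporter does not support manifest lists) unless the daemon uses the containerd image store; for PR builds either load a single platform or export `type=oci` and test from that. Moving `Extract metadata` ahead of the bake step is harmless here, since nothing in this hunk consumes `steps.meta`.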
@@ -111,19 +116,6 @@ jobs: docker compose down echo "Contrast agent version: ${CONTRAST_VERSION}" - - name: Build all image variants with Docker Buildx Bake - id: bake - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ runner.temp }}/bake-meta.json - targets: | - runtime-multiarch - set: | - *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false - - name: Inspect the created images run: | docker image ls -a diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index badbf2fd..e0cb60fb 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -1,14 +1,14 @@ name: Docker Image CI on: - push: - branches: - - main - tags: - - v* - pull_request: - branches: - - main + # push: + # branches: + # - main + # tags: + # - v* + # pull_request: + # branches: + # - main workflow_dispatch: env: From f77481f69342db88d9487238196fc4924b0965ed Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 13:37:34 +0100 Subject: [PATCH 093/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- .github/workflows/docker-images.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index b01d4dc9..f56d70fe 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -100,7 +100,7 @@ jobs: push: false load: true set: | - \*.platform=linux/{arm64,amd64} + =\*.platform=linux/{arm64,amd64} - name: Run docker-compose tests run: | diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index e0cb60fb..3f8ab048 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -1,4 +1,4 @@ -name: Docker Image CI +name: Docker Image CI (Matrix) on: # push: 
From 4241399b8c8ec3a88ffe555d8911b0b5feb4d77d Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 13:44:14 +0100 Subject: [PATCH 094/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index f56d70fe..1cbb38b4 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -72,7 +72,7 @@ jobs: - name: Docker Setup QEMU uses: docker/setup-qemu-action@v3 with: - platforms: all + platforms: arm64 - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 @@ -100,7 +100,8 @@ jobs: push: false load: true set: | - =\*.platform=linux/{arm64,amd64} + *.platform=linux/amd64 + *.platform=linux/arm64 - name: Run docker-compose tests run: | From 4530db82bbf476664deb368c8a2632bfb9bb8270 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 16:42:44 +0100 Subject: [PATCH 095/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 46 +++++++++++++--------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 1cbb38b4..b3f74d44 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -48,6 +48,11 @@ jobs: runs-on: ubuntu-latest strategy: fail-fast: false + matrix: + image: + - name: runtime + - name: runtime-with-contrast + - name: tests steps: - name: Checkout branch uses: actions/checkout@v4 @@ -81,7 +86,10 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: contrastsecuritydemo/netflicks + images: | + - contrastsecuritydemo/netflicks + flavor: | + {{ matrix.image.name}} tags: | type=ref,event=branch type=ref,event=pr 
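Review bot: `images: |` is a block scalar, so the `- contrastsecuritydemo/netflicks` line is handed to `docker/metadata-action` as the literal string `- contrastsecuritydemo/netflicks`, which is not a valid image name; drop the dash and write `images: contrastsecuritydemo/netflicks`. The `flavor: | {{ matrix.image.name}}` line is neither a `${{ }}` expression nor a `flavor` key (those are `latest=`, `prefix=`, `suffix=`), so it is an error as written; the intent appears to be `suffix=-${{ matrix.image.name }}`. In the hunk above, I believe bake merges repeated `*.platform=` overrides, but the single documented form `*.platform=linux/amd64,linux/arm64` is unambiguous.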
@@ -97,25 +105,27 @@ jobs: with: files: | docker-bake.hcl + targets: | + {{ matrix.image.name }} push: false load: true set: | *.platform=linux/amd64 *.platform=linux/arm64 - - name: Run docker-compose tests - run: | - docker compose --profile tests up --abort-on-container-exit --exit-code-from tests + # - name: Run docker-compose tests + # run: | + # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - name: Get currently installed Contrast agent version - id: versions - run: | - docker compose up web-dev -d - docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - docker compose down - echo "Contrast agent version: ${CONTRAST_VERSION}" + # - name: Get currently installed Contrast agent version + # id: versions + # run: | + # docker compose up web-dev -d + # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # docker compose down + # echo "Contrast agent version: ${CONTRAST_VERSION}" - name: Inspect the created images run: | @@ -123,9 +133,9 @@ jobs: # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + # - name: Login to Docker Hub + # uses: docker/login-action@v3 + # with: + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN }} From c1317a90fd7ffa16f5e916a43e2caf495a92e34f Mon Sep 17 00:00:00 2001 
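Review bot: `targets: | {{ matrix.image.name }}` is missing the `$`, so bake receives the literal string `{{ matrix.image.name }}` as a target name and fails; it should be `${{ matrix.image.name }}`. This hunk also keeps three large commented-out blocks (compose tests, agent version lookup, Docker Hub login); if they are coming back, a one-line `# TODO: re-enable once the per-image bake matrix works` above each says so, otherwise delete them, git history keeps them. With the tests commented out, the matrix builds `runtime`, `runtime-with-contrast` and `tests` but never runs any of them.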
From: Taylor Mowat Date: Tue, 8 Jul 2025 16:45:47 +0100 Subject: [PATCH 096/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index b3f74d44..2b397077 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -89,7 +89,7 @@ jobs: images: | - contrastsecuritydemo/netflicks flavor: | - {{ matrix.image.name}} + ${{ matrix.image.name}} tags: | type=ref,event=branch type=ref,event=pr @@ -106,7 +106,7 @@ jobs: files: | docker-bake.hcl targets: | - {{ matrix.image.name }} + ${{ matrix.image.name }} push: false load: true set: | From f7b8d4543d7f04ec3280d1337aad63815833ee92 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 16:54:07 +0100 Subject: [PATCH 097/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 2b397077..e16d3f22 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -45,6 +45,8 @@ jobs: build: name: Build Multi-Stage Docker Images + needs: + - prepare runs-on: ubuntu-latest strategy: fail-fast: false @@ -89,7 +91,8 @@ jobs: images: | - contrastsecuritydemo/netflicks flavor: | - ${{ matrix.image.name}} + latest=true + suffix=${{ matrix.image.name == 'runtime-with-contrast' && '-contrast' || null }} tags: | type=ref,event=branch type=ref,event=pr From 9e5524c45211aedef5185fb6788fa748675731c7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 17:22:56 +0100 Subject: [PATCH 098/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 31 +++++++++++++--------- 1 file changed, 18 insertions(+), 13 deletions(-) 
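Review bot: Only `runtime-with-contrast` receives a suffix, so the `runtime` and `tests` matrix legs both ask `docker/metadata-action` for the same tags (`contrastsecuritydemo/netflicks:<branch>`, `:latest`), and if these are ever pushed the second leg overwrites the first. Give each non-default image its own suffix, e.g. `suffix=${{ matrix.image.name == 'runtime' && '' || format('-{0}', matrix.image.name) }}`, which yields `-runtime-with-contrast` and `-tests`; if `-contrast` must remain the public name, map it explicitly. `latest=true` combined with `type=raw,value=latest,enable={{is_default_branch}}` would also tag every branch build as `latest`, which the raw rule alone avoids.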
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index e16d3f22..107cbde8 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -84,6 +84,21 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 + - name: Get the Contrast Agent Image + run: | + docker pull contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} + docker image inspect contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} + + # - name: Get currently installed Contrast agent version + # id: versions + # run: | + # docker compose up web-dev -d + # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json + # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # docker compose down + # echo "Contrast agent version: ${CONTRAST_VERSION}" + - name: Extract metadata id: meta uses: docker/metadata-action@v5 @@ -91,13 +106,13 @@ jobs: images: | - contrastsecuritydemo/netflicks flavor: | - latest=true + latest=false suffix=${{ matrix.image.name == 'runtime-with-contrast' && '-contrast' || null }} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ versions.contrast_version}} type=raw,value=latest,enable={{is_default_branch}} # Need to do two bake steps because load=true is not compatible with push-by-digest=true 
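Review bot: `${{ github.event.inputs.contrast_agent_version || 'latest' }}` is expanded into the `run:` script before the shell sees it, so anyone able to dispatch the workflow can supply `latest; <command>` and run arbitrary commands on the runner with the job's token. Pass it through the environment and quote it: `env: AGENT_VERSION: ${{ github.event.inputs.contrast_agent_version || 'latest' }}` on the step, then `docker pull "contrastsecurity/contrast-dotnet-agent:${AGENT_VERSION}"`, and reject anything that is not `latest` or dotted digits before pulling. Pulling this image only pins the build if it is the same reference the Dockerfile's `COPY --from` uses, which this hunk does not show.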
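Review bot: `value=${{ versions.contrast_version}}` refers to a context that does not exist in GitHub expressions (it would be `steps.versions.outputs.contrast_version`), and the step that could provide it is the one commented out just above, so the `{{major}}.{{minor}}.{{patch}}` tag gets an empty value. Either restore a version lookup that writes `contrast_version=…` to `$GITHUB_OUTPUT` or drop this tag rule until one exists. Switching to `latest=false` is right, as the `type=raw,value=latest,enable={{is_default_branch}}` rule already controls `latest`.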
@@ -118,17 +133,7 @@ jobs: # - name: Run docker-compose tests # run: | - # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - # - name: Get currently installed Contrast agent version - # id: versions - # run: | - # docker compose up web-dev -d - # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - # docker compose down - # echo "Contrast agent version: ${CONTRAST_VERSION}" + # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - name: Inspect the created images run: | From bfcad7c8ead4ccf8988fc38db4ffc40badc1883a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 17:23:59 +0100 Subject: [PATCH 099/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 107cbde8..a8d73c41 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -85,6 +85,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Get the Contrast Agent Image + id: versions run: | docker pull contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} docker image inspect contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} From 9cf61bf13828bfb82aa9383aca37fc903f7df9ec Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 17:25:22 +0100 Subject: [PATCH 100/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index a8d73c41..5b018d8d 100644 
--- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -95,8 +95,9 @@ jobs: # run: | # docker compose up web-dev -d # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - # echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') + CONTRAST_VERSION=1.1.1 + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT # docker compose down # echo "Contrast agent version: ${CONTRAST_VERSION}" @@ -113,7 +114,7 @@ jobs: type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ versions.contrast_version}} + type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ steps.versions.outputs.contrast_version}} type=raw,value=latest,enable={{is_default_branch}} # Need to do two bake steps because load=true is not compatible with push-by-digest=true From 7ba72d1cc1f66f0d81c688af220377c057e2a37a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 17:36:08 +0100 Subject: [PATCH 101/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 5b018d8d..f9f76aab 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -88,18 +88,9 @@ jobs: id: versions run: | docker pull contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} - docker image inspect contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} - - # - name: Get currently installed Contrast agent version - # id: versions - # run: | - # docker compose up web-dev -d - # docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - # CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - CONTRAST_VERSION=1.1.1 + CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') + echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - # docker compose down - # echo "Contrast agent version: ${CONTRAST_VERSION}" - name: Extract metadata id: meta From fde1a1548e299a9b503bd94422befbf2bacb5f3c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 17:41:43 +0100 Subject: [PATCH 102/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index f9f76aab..a447a5e1 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -28,7 +28,9 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY_IMAGE }} + images: + ${{ env.REGISTRY_IMAGE }} + contrast/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} - name: Rename meta bake definition file run: | 
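Review bot: The version written to `contrast_version` is read from `contrast/agent-dotnet-core:latest`, but the line above pulls `contrastsecurity/contrast-dotnet-agent:<input>` — a different repository and a different tag — so the output does not describe the image that was just pulled, and `docker image inspect` will error if `contrast/agent-dotnet-core:latest` is not already present on the runner. Use one reference for both commands, e.g. `AGENT_IMAGE=contrast/agent-dotnet-core:${AGENT_TAG}` followed by `docker pull "$AGENT_IMAGE"` and `docker image inspect "$AGENT_IMAGE" …`. Since the version comes from a mutable OCI label on a floating tag, consider also exporting the pulled digest (`--format '{{ index .RepoDigests 0 }}'`) so downstream steps can pin what they actually consumed.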
@@ -42,6 +44,14 @@ jobs: path: ${{ runner.temp }}/bake-meta.json if-no-files-found: error retention-days: 1 + + - name: Get the Contrast Agent Image + id: versions + run: | + docker pull contrast/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} + CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') + echo "Contrast agent version: ${CONTRAST_VERSION}" + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT build: name: Build Multi-Stage Docker Images @@ -84,14 +94,6 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - - name: Get the Contrast Agent Image - id: versions - run: | - docker pull contrastsecurity/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} - CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') - echo "Contrast agent version: ${CONTRAST_VERSION}" - echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - - name: Extract metadata id: meta uses: docker/metadata-action@v5 From 8bfebbcbab30a4d5599af2eb14aa893688d7b464 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 17:58:40 +0100 Subject: [PATCH 103/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 40 ++++------------------ 1 file changed, 7 insertions(+), 33 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index a447a5e1..4bee626f 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -23,38 +23,20 @@ jobs: prepare: name: Prepare for multi-stage builds runs-on: ubuntu-latest + outputs: + contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: - ${{ env.REGISTRY_IMAGE }} - contrast/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} - - - name: Rename meta bake definition file - run: | - mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" - echo ${{ runner.temp }}/bake-meta.json - - - name: Upload meta bake definition - uses: actions/upload-artifact@v4 - with: - name: bake-meta - path: ${{ runner.temp }}/bake-meta.json - if-no-files-found: error - retention-days: 1 - - - name: Get the Contrast Agent Image + - name: Check latest Contrast agent version id: versions run: | docker pull contrast/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + build: - name: Build Multi-Stage Docker Images + name: Build Docker Images needs: - prepare runs-on: ubuntu-latest @@ -69,12 +51,6 @@ jobs: - name: Checkout branch uses: actions/checkout@v4 - - name: Download meta bake definition - uses: actions/download-artifact@v4 - with: - name: bake-meta - path: ${{ runner.temp }} - - name: Set up Docker daemon for multi-platform builds uses: docker/setup-docker-action@v4 with: @@ -95,7 +71,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Extract metadata - id: meta + id: docker-meta uses: docker/metadata-action@v5 with: images: | 
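Review bot: Moving the version probe into the separate `prepare` job means the `docker pull` there happens on a different runner from the `build` job, so it cannot influence what buildx resolves when the image is built; `contrast_version` is only a snapshot of where the tag pointed when `prepare` ran. If the tag moves between the two jobs, or if the Dockerfile resolves the agent from a floating tag at build time, the `contrast<version>` tags derived from this output will describe an agent that was not actually baked in. docker-bake.hcl already threads a `CONTRAST_AGENT_VERSION` build arg through the targets (see the bake hunk further down), so the more robust flow is to emit the resolved digest from `prepare` and pass that as the build arg, making the tag and the artifact agree by construction. A comment on the step, `# NOTE: informational only — the build job resolves the agent image independently`, would at least make the gap explicit.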
@@ -107,11 +83,9 @@ jobs: type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}}.{{patch}},value=${{ steps.versions.outputs.contrast_version}} + type=semver,pattern={{major}}.{{minor}}.{{patch}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }} type=raw,value=latest,enable={{is_default_branch}} - # Need to do two bake steps because load=true is not compatible with push-by-digest=true - # https://github.com/moby/buildkit/issues/5556 - name: Build all Docker images for this PR id: bake-pr uses: docker/bake-action@v6 From 933142c43df44ddae65e33c0615d97692846aa43 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 18:27:19 +0100 Subject: [PATCH 104/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 4bee626f..0cef784b 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -29,7 +29,7 @@ jobs: - name: Check latest Contrast agent version id: versions run: | - docker pull contrast/contrast-dotnet-agent:${{ github.event.inputs.contrast_agent_version || 'latest' }} + docker pull contrast/contrast-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT From b812dcae81ce5ed47ca375556db94fbe4d72ebfe Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 18:29:01 +0100 Subject: [PATCH 105/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 0cef784b..146a0266 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -29,7 +29,7 @@ jobs: - name: Check latest Contrast agent version id: versions run: | - docker pull contrast/contrast-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} + docker pull contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT From 6019ea586f043e11e2bcb03566741d71eac5c4cf Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 19:05:32 +0100 Subject: [PATCH 106/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 146a0266..30d060bd 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
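Review bot: With this fix the pull honours `contrast_agent_version`, but the `docker image inspect` on the next line still hard-codes `contrast/agent-dotnet-core:latest`, so a run that requests a specific version reports the version of `latest` instead (and fails outright if `latest` was never pulled on that runner). Resolve the reference once, via a step-level `env:` entry such as `AGENT_IMAGE: contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }}`, then use it in both commands: `docker pull "$AGENT_IMAGE"` and `CONTRAST_VERSION=$(docker image inspect "$AGENT_IMAGE" --format '{{ index .Config.Labels "org.opencontainers.image.version" }}')`. Quoting the expansion also removes the direct interpolation of the input into the shell.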
@@ -76,15 +76,13 @@ jobs: with: images: | - contrastsecuritydemo/netflicks - flavor: | - latest=false - suffix=${{ matrix.image.name == 'runtime-with-contrast' && '-contrast' || null }} tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}}.{{patch}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }} - type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=branch,suffix=${{ matrix.image.name }} + type=ref,event=pr,suffix=${{ matrix.image.name }} + type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} - name: Build all Docker images for this PR id: bake-pr @@ -92,6 +90,7 @@ jobs: with: files: | docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file}} targets: | ${{ matrix.image.name }} push: false From 81ab17e75b0ec2d3afc8bca492e56548cc640d95 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 19:12:22 +0100 Subject: [PATCH 107/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 30d060bd..34450364 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -77,8 +77,10 @@ jobs: images: | - contrastsecuritydemo/netflicks tags: | - type=ref,event=branch,suffix=${{ matrix.image.name }} - type=ref,event=pr,suffix=${{ matrix.image.name }} + type=ref,event=branch,suffix=-${{ matrix.image.name }} + type=ref,event=branch,suffix=-${{ matrix.image.name }}-${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + type=ref,event=pr,suffix=-${{ matrix.image.name }} + type=ref,event=pr,suffix=-${{ matrix.image.name }}-${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} From f991edd8402e1252d6c40e1dd24a5812e38dfba1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 19:15:29 +0100 Subject: [PATCH 108/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 34450364..50337f2f 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -78,7 +78,7 @@ jobs: - contrastsecuritydemo/netflicks tags: | type=ref,event=branch,suffix=-${{ matrix.image.name }} - type=ref,event=branch,suffix=-${{ matrix.image.name }}-${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=ref,event=pr,suffix=-${{ matrix.image.name }} type=ref,event=pr,suffix=-${{ matrix.image.name }}-${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} From 13ebbf398b98525714c1c365688be29f1882f1a9 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 19:24:58 +0100 Subject: [PATCH 109/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 50337f2f..15257a14 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -76,11 +76,13 @@ jobs: with: images: | - contrastsecuritydemo/netflicks + flavor: | + latest=false tags: | type=ref,event=branch,suffix=-${{ matrix.image.name }} type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=ref,event=pr,suffix=-${{ matrix.image.name }} - type=ref,event=pr,suffix=-${{ matrix.image.name }}-${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} From d69e72cb5790af04132a71c0837d763fbe103e47 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 19:50:35 +0100 Subject: [PATCH 110/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 37 +++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 15257a14..5abc8c0c 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -40,6 +40,11 @@ jobs: needs: - prepare runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write strategy: fail-fast: false matrix: 
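Review bot: The new `permissions:` block grants `attestations: write` and `id-token: write` to the build job, but nothing visible in this workflow uses them — there is no provenance/attestation or OIDC-signing step in any of the hunks shown, only a GHCR login and a bake. A job token should carry only what the job exercises; keep `contents: read` and `packages: write` and add the other two together with the step that needs them. If a provenance step is planned, a comment beside the grant (`# needed by actions/attest-build-provenance, added in <step>`) keeps the scope traceable.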
@@ -51,6 +56,13 @@ jobs: - name: Checkout branch uses: actions/checkout@v4 + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Docker daemon for multi-platform builds uses: docker/setup-docker-action@v4 with: @@ -75,9 +87,12 @@ jobs: uses: docker/metadata-action@v5 with: images: | - - contrastsecuritydemo/netflicks + - ghcr.io/${{ github.repository }} flavor: | latest=false + labels: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security tags: | type=ref,event=branch,suffix=-${{ matrix.image.name }} type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} 
@@ -119,3 +134,23 @@ jobs: # username: ${{ secrets.DOCKERHUB_USERNAME }} # password: ${{ secrets.DOCKERHUB_TOKEN }} + # - name: Extract metadata + # id: docker-meta + # uses: docker/metadata-action@v5 + # with: + # images: | + # - contrastsecuritydemo/netflicks + # flavor: | + # latest=false + # labels: | + # org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + # org.opencontainers.image.vendor=Contrast Security + # tags: | + # type=ref,event=branch,suffix=-${{ matrix.image.name }} + # type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + # type=ref,event=pr,suffix=-${{ matrix.image.name }} + # type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + # type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + # type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + # type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + # type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} From 5d112f2737695a0339956db803a49473c5c5fc2c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 19:56:06 +0100 Subject: [PATCH 111/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 5abc8c0c..6c6595a5 100644 
--- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -90,7 +90,7 @@ jobs: - ghcr.io/${{ github.repository }} flavor: | latest=false - labels: | + annotations: | org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos org.opencontainers.image.vendor=Contrast Security tags: | @@ -98,11 +98,7 @@ jobs: type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=ref,event=pr,suffix=-${{ matrix.image.name }} type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} - + - name: Build all Docker images for this PR id: bake-pr uses: docker/bake-action@v6 @@ -112,8 +108,7 @@ jobs: cwd://${{ steps.docker-meta.outputs.bake-file}} targets: | ${{ matrix.image.name }} - push: false - load: true + push: true set: | *.platform=linux/amd64 *.platform=linux/arm64 From f8f3b7b5eabee4d8083456d6a510d33670bd6e7e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 8 Jul 2025 20:12:25 +0100 Subject: [PATCH 112/234] switching back to linear builds --- docker-bake.hcl | 35 +++++++---------------------------- 1 file changed, 7 insertions(+), 28 deletions(-) 
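Review bot: `push: true` now replaces `push: false`/`load: true` on a step still named "Build all Docker images for this PR", so every same-repo pull-request build (where `GITHUB_TOKEN` is writable) publishes its images to ghcr.io before any verification runs — the compose test step further down this file is still commented out. Gate the push on the event, `push: ${{ github.event_name != 'pull_request' }}`, or push PR builds to a clearly staged tag that is pruned, so `pr-<n>` images from the `type=ref,event=pr` tags do not land in the public package. Fork PRs get a read-only token and would fail at login rather than leak, but that does not cover branches in this repository.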
diff --git a/docker-bake.hcl b/docker-bake.hcl index 14c80db8..55482bea 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -8,11 +8,10 @@ group "default" { targets = ["runtime", "runtime-with-contrast", "tests"] } -group "multiarch" { - targets = ["runtime-multiarch", "runtime-with-contrast-multiarch", "tests-multiarch"] -} +target "docker-metadata-action" {} target "runtime" { + inherits = ["docker-metadata-action"] context = "." dockerfile = "Dockerfile" target = "runtime" @@ -22,44 +21,24 @@ target "runtime" { ] } -target "runtime-multiarch" { - inherits = ["runtime"] - platforms = [ - "linux/amd64", - "linux/arm64" - ] -} - target "runtime-with-contrast" { + inherits = ["docker-metadata-action"] context = "." dockerfile = "Dockerfile" target = "runtime-with-contrast" args = { CONTRAST_AGENT_VERSION = CONTRAST_AGENT_VERSION } - tags = ["contrastsecuritydemo/netflicks:latest-contrast"] -} - -target "runtime-with-contrast-multiarch" { - inherits = ["runtime-with-contrast"] - platforms = [ - "linux/amd64", - "linux/arm64" + tags = [ + "contrastsecuritydemo/netflicks:latest-contrast" ] } target "tests" { + inherits = ["docker-metadata-action"] context = "./tests" dockerfile = "Dockerfile" tags = [ - "e2e-tests/netflicks:latest" - ] -} - -target "tests-multiarch" { - inherits = ["tests"] - platforms = [ - "linux/amd64", - "linux/arm64" + "contrastsecuritydemo/netflicks:e2e-tests" ] } From b70beb104d58f9770f7f8bc9e9027c9f42ee6af0 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 08:37:38 +0100 Subject: [PATCH 113/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 6c6595a5..7f21f847 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -112,6 +112,7 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 + *.tags=${{ steps.docker-meta.outputs.tags }} # - name: Run docker-compose tests # run: | From ff081c58f41d2adf2d2a08bb1a0cb350bf448486 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 08:54:22 +0100 Subject: [PATCH 114/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 1 - docker-bake.hcl | 9 --------- 2 files changed, 10 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 7f21f847..6c6595a5 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -112,7 +112,6 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.tags=${{ steps.docker-meta.outputs.tags }} # - name: Run docker-compose tests # run: | diff --git a/docker-bake.hcl b/docker-bake.hcl index 55482bea..30758184 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -16,9 +16,6 @@ target "runtime" { dockerfile = "Dockerfile" target = "runtime" no-cache = true - tags = [ - "contrastsecuritydemo/netflicks:latest" - ] } target "runtime-with-contrast" { @@ -29,16 +26,10 @@ target "runtime-with-contrast" { args = { CONTRAST_AGENT_VERSION = CONTRAST_AGENT_VERSION } - tags = [ - "contrastsecuritydemo/netflicks:latest-contrast" - ] } target "tests" { inherits = ["docker-metadata-action"] context = "./tests" dockerfile = "Dockerfile" - tags = [ - "contrastsecuritydemo/netflicks:e2e-tests" - ] } From f7110381ed196708aee883b9b5406871ab219f6c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 08:58:41 +0100 Subject: [PATCH 115/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 3 ++- docker-bake.hcl | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 6c6595a5..107fb7e6 100644 
--- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -87,7 +87,7 @@ jobs: uses: docker/metadata-action@v5 with: images: | - - ghcr.io/${{ github.repository }} + ghcr.io/${{ github.repository }} flavor: | latest=false annotations: | @@ -112,6 +112,7 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 + *.tags=${{ steps.docker-meta.outputs.tags }} # - name: Run docker-compose tests # run: | diff --git a/docker-bake.hcl b/docker-bake.hcl index 30758184..55482bea 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -16,6 +16,9 @@ target "runtime" { dockerfile = "Dockerfile" target = "runtime" no-cache = true + tags = [ + "contrastsecuritydemo/netflicks:latest" + ] } target "runtime-with-contrast" { @@ -26,10 +29,16 @@ target "runtime-with-contrast" { args = { CONTRAST_AGENT_VERSION = CONTRAST_AGENT_VERSION } + tags = [ + "contrastsecuritydemo/netflicks:latest-contrast" + ] } target "tests" { inherits = ["docker-metadata-action"] context = "./tests" dockerfile = "Dockerfile" + tags = [ + "contrastsecuritydemo/netflicks:e2e-tests" + ] } From 738ad92a2f0796626c7a36b7830c0345bfe7a74b Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 09:12:36 +0100 Subject: [PATCH 116/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 107fb7e6..b48c1156 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -112,7 +112,6 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.tags=${{ steps.docker-meta.outputs.tags }} # - name: Run docker-compose tests # run: | From ccd854076d8600c23c3ef2c54aee9d110a617a75 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Wed, 9 Jul 2025 09:20:09 +0100 Subject: [PATCH 117/234] switching back to linear builds --- docker-bake.hcl | 9 --------- 1 file changed, 9 deletions(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index 55482bea..30758184 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -16,9 +16,6 @@ target "runtime" { dockerfile = "Dockerfile" target = "runtime" no-cache = true - tags = [ - "contrastsecuritydemo/netflicks:latest" - ] } target "runtime-with-contrast" { @@ -29,16 +26,10 @@ target "runtime-with-contrast" { args = { CONTRAST_AGENT_VERSION = CONTRAST_AGENT_VERSION } - tags = [ - "contrastsecuritydemo/netflicks:latest-contrast" - ] } target "tests" { inherits = ["docker-metadata-action"] context = "./tests" dockerfile = "Dockerfile" - tags = [ - "contrastsecuritydemo/netflicks:e2e-tests" - ] } From 6316f58e6467cff4b8b910b6604a12a7485e6cf1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 10:32:15 +0100 Subject: [PATCH 118/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 19 ++++++++++++++++--- docker-compose.ci.yml | 14 ++++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 docker-compose.ci.yml diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index b48c1156..f75fe91c 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -34,7 +34,9 @@ jobs: echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - + #TODO: Add a job to build the base image first + #TODO: Then share the base image with other jobs via cache + build: name: Build Docker Images needs: 
@@ -119,8 +121,19 @@ jobs: - name: Inspect the created images run: | - docker image ls -a - + $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && steps.bake-pr.outputs.metadata.runtime-with-contrast.image.name || null }} + $staging_image_test=${{ matrix.image.name == 'tests' && steps.bake-pr.outputs.metadata.tests.image.name || null }} + + if $staging_image_contrast; then + echo "Staging Contrast image: $staging_image_contrast" + echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV + fi + + if $staging_image_test; then + echo "Staging Test image: $staging_image_test" + echo staging_image_test=$staging_image_test >> $GITHUB_ENV + fi + # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} # - name: Login to Docker Hub diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml new file mode 100644 index 00000000..2b1c6bcf --- /dev/null +++ b/docker-compose.ci.yml @@ -0,0 +1,14 @@ + +services: + + # Development environment for Contrast Assess demos + web-dev: + image: $staging_image_contrast + + web-prod: + image: $staging_image_contrast + + # Testing service + tests: + build: + image: $staging_image_tests From 0dd6f91b29b33a91ce5eee2d940bb533ae601efe Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 10:43:54 +0100 Subject: [PATCH 119/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index f75fe91c..c61b7b5c 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
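Review bot: The new "Inspect the created images" script runs under bash but uses PowerShell-style assignments: `$staging_image_contrast=…` expands the (empty) variable and then tries to execute `=…` as a command, so neither variable is ever set. The matrix comparison also tests for `runtime_with_contrast` while the value used everywhere else in this workflow is `runtime-with-contrast` (hyphens), so the condition can never be true, and `if $staging_image_contrast; then` would execute the image reference as a command rather than test it. The bake metadata output is a JSON string, so it should be parsed with `jq` from an env var rather than dotted into in an expression (I assume the key layout `<target>."image.name"` from the follow-up commits — confirm against bake-action's output).
```yaml
- name: Inspect the created images
  env:
    BAKE_METADATA: ${{ steps.bake-pr.outputs.metadata }}
    TARGET: ${{ matrix.image.name }}
  run: |
    if [ "$TARGET" = "runtime-with-contrast" ]; then
      staging_image_contrast=$(jq -r '."runtime-with-contrast"."image.name"' <<<"$BAKE_METADATA")
      echo "Staging Contrast image: $staging_image_contrast"
      echo "staging_image_contrast=$staging_image_contrast" >> "$GITHUB_ENV"
    fi
    # … same pattern for the tests target, writing staging_image_test …
```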
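Review bot: In the new `docker-compose.ci.yml`, the `tests` service nests `image:` under `build:`, which is not a valid `build` key, and the variable it references, `$staging_image_tests`, does not match the `staging_image_test` name the workflow writes to `GITHUB_ENV`, so it would resolve to an empty image reference even if the file were accepted. Move `image:` to the service level and align the name: `tests:` / `  image: ${staging_image_test}`. Both `web-dev` and `web-prod` point at `$staging_image_contrast`; if `web-prod` is meant to exercise the plain `runtime` target, it should reference that image instead, otherwise a one-line comment saying the prod profile intentionally runs with the agent would avoid the question.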
@@ -121,8 +121,8 @@ jobs: - name: Inspect the created images run: | - $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && steps.bake-pr.outputs.metadata.runtime-with-contrast.image.name || null }} - $staging_image_test=${{ matrix.image.name == 'tests' && steps.bake-pr.outputs.metadata.tests.image.name || null }} + $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || null }} + $staging_image_test=${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || null }} if $staging_image_contrast; then echo "Staging Contrast image: $staging_image_contrast" From c818c27bebd80d8900d434f5713c8c85afb526d0 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 10:47:37 +0100 Subject: [PATCH 120/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index c61b7b5c..4ffe2824 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -124,14 +124,14 @@ jobs: $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || null }} $staging_image_test=${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || null }} - if $staging_image_contrast; then - echo "Staging Contrast image: $staging_image_contrast" - echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV + if [ -z $staging_image_contrast ]; then + echo "Staging Contrast image: $staging_image_contrast"; + echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV; fi - if $staging_image_test; then - echo "Staging Test image: $staging_image_test" - echo staging_image_test=$staging_image_test >> $GITHUB_ENV + if [ -z $staging_image_test ]; then + echo "Staging Test image: $staging_image_test"; + echo staging_image_test=$staging_image_test >> $GITHUB_ENV; fi # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} From d4f9eba72ace0f1e6d80a98682343e2d3f05441a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 10:50:50 +0100 Subject: [PATCH 121/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 4ffe2824..5e11b7f2 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
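Review bot: `if [ -z $staging_image_contrast ]; then` inverts the intended check: `-z` is true when the string is empty, so the echo/export branch runs exactly when no image name was produced and is skipped when one was. The unquoted expansion also collapses the expression to `[ -z ]` when the variable is empty, a one-argument test that is always true. Use `-n` with quoting: `if [ -n "$staging_image_contrast" ]; then` (and the same for `$staging_image_test`). The same inverted test is carried forward unchanged in the hunks of patches 121–124.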
@@ -121,8 +121,8 @@ jobs: - name: Inspect the created images run: | - $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || null }} - $staging_image_test=${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || null }} + $staging_image_contrast=$(${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || null }}) + $staging_image_test=$(${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || null }}) if [ -z $staging_image_contrast ]; then echo "Staging Contrast image: $staging_image_contrast"; From 53ae872d8e72112a8a5a0a88746cbf84ab9289bd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 10:54:31 +0100 Subject: [PATCH 122/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 5e11b7f2..298282a4 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -121,8 +121,8 @@ jobs: - name: Inspect the created images run: | - $staging_image_contrast=$(${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || null }}) - $staging_image_test=$(${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || null }}) + $staging_image_contrast=$(${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || '' }}) + $staging_image_test=$(${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || '' }}) if [ -z $staging_image_contrast ]; then echo "Staging Contrast image: $staging_image_contrast"; From 7c4952cfc277223bedd8d154826eb4df8bc3231d Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 10:56:50 +0100 Subject: [PATCH 123/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 298282a4..eee93e94 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -121,8 +121,8 @@ jobs: - name: Inspect the created images run: | - $staging_image_contrast=$(${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || '' }}) - $staging_image_test=$(${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || '' }}) + $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || '' }} + $staging_image_test=${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || '' }} if [ -z $staging_image_contrast ]; then echo "Staging Contrast image: $staging_image_contrast"; From 1a628dab81d20e7fae782399c6ad4fbab49e98fd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 11:01:39 +0100 Subject: [PATCH 124/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index eee93e94..ada3c1de 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -120,16 +120,16 @@ jobs: # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - name: Inspect the created images - run: | - $staging_image_contrast=${{ matrix.image.name == 'runtime_with_contrast' && fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] || '' }} - $staging_image_test=${{ matrix.image.name == 'tests' && fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] || '' }} + run: | - if [ -z $staging_image_contrast ]; then + if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then + staging_image_contrast=${{ fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] }} echo "Staging Contrast image: $staging_image_contrast"; echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV; fi - if [ -z $staging_image_test ]; then + if [ -z ${{ matrix.image.name }} == 'tests' ]; then + staging_image_test=${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }} echo "Staging Test image: $staging_image_test"; echo staging_image_test=$staging_image_test >> $GITHUB_ENV; fi From fb3e70bfb625632802e4cba68b03191f37678256 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 11:21:53 +0100 Subject: [PATCH 125/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 27 ++++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index ada3c1de..68f872ee 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
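Review bot: `if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then` is not a well-formed test: `-z` takes a single operand, so `[` receives four arguments and reports "too many arguments" instead of branching. Even if it parsed, the comparison can never match, because the target and metadata key on the following line are spelled `runtime-with-contrast` with hyphens (and the matrix entries shown later in the series use the same hyphenated names), not `runtime_with_contrast`. Compare with `=` against the hyphenated name: `if [ "${{ matrix.image.name }}" = 'runtime-with-contrast' ]; then`. The matrix definition this step depends on lies outside the hunk.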
@@ -121,18 +121,25 @@ jobs: - name: Inspect the created images run: | + echo "Inspecting the created images..." + echo "Matrix.Image.Name: ${{ matrix.image.name }}" + echo 'outputs.metadata.tests.containerimage.digest:' + echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['containerimage.digest'] }}' + echo '---' + echo 'outputs.metadata.digest: ${{ steps.bake-pr.outputs.metadata.digest }}' + - if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then - staging_image_contrast=${{ fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] }} - echo "Staging Contrast image: $staging_image_contrast"; - echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV; - fi + # if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then + # staging_image_contrast=${{ fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] }} + # echo "Staging Contrast image: $staging_image_contrast"; + # echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV; + # fi - if [ -z ${{ matrix.image.name }} == 'tests' ]; then - staging_image_test=${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }} - echo "Staging Test image: $staging_image_test"; - echo staging_image_test=$staging_image_test >> $GITHUB_ENV; - fi + # if [ -z ${{ matrix.image.name }} == 'tests' ]; then + # staging_image_test=${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }} + # echo "Staging Test image: $staging_image_test"; + # echo staging_image_test=$staging_image_test >> $GITHUB_ENV; + # fi # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} From 0406b262ec55419f14cdda49e3fa8d62da00f8a8 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 11:34:57 +0100 Subject: [PATCH 126/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 68f872ee..6233647f 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -126,8 +126,15 @@ jobs: echo 'outputs.metadata.tests.containerimage.digest:' echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['containerimage.digest'] }}' echo '---' - echo 'outputs.metadata.digest: ${{ steps.bake-pr.outputs.metadata.digest }}' - + echo 'outputs.metadata.tests.image.name:' + echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }}' + + $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' + $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + # if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then # staging_image_contrast=${{ fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] }} From 5c9b4d0d31acdd374d59a5bb7fc52d306768f25a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 11:41:09 +0100 Subject: [PATCH 127/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 6233647f..8cc46933 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -129,8 +129,8 @@ jobs: echo 'outputs.metadata.tests.image.name:' echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }}' - $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' - $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix.image.name['image.name'] }}' + $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix.image.name['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From 86fd0028d0cfa6b60ab034a78ab83568ab73aba1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 9 Jul 2025 11:47:00 +0100 Subject: [PATCH 128/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 8cc46933..6233647f 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -129,8 +129,8 @@ jobs: echo 'outputs.metadata.tests.image.name:' echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }}' - $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix.image.name['image.name'] }}' - $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix.image.name['containerimage.digest'] }}' + $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' + $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From 26a775040edb100eb2200003d1370b0e2ba8b7bc Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Mon, 14 Jul 2025 10:31:52 +0100 Subject: [PATCH 129/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 6233647f..e21b19d6 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -128,9 +128,11 @@ jobs: echo '---' echo 'outputs.metadata.tests.image.name:' echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }}' - - $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' - $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + + $matrix_image_name = '${{ matrix.image.name }}' + echo "Matrix Image Name: $matrix_image_name" + $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['image.name'] }}' + $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From c7ccc758ea7fb0f239dabaa9df31505d993ee593 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 10:37:52 +0100 Subject: [PATCH 130/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index e21b19d6..5a8483be 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -129,10 +129,10 @@ jobs: echo 'outputs.metadata.tests.image.name:' echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }}' - $matrix_image_name = '${{ matrix.image.name }}' + matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - $image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['image.name'] }}' - $image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['containerimage.digest'] }}' + image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['image.name'] }}' + image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From 77d6c9ec40c899bae8e36cc672fb09f00002b51c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 10:40:32 +0100 Subject: [PATCH 131/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 5a8483be..c761ae97 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -131,8 +131,8 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['image.name'] }}' - image_digest = '${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['containerimage.digest'] }}' + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From e7ffc02d8fba4690d3ee6c22dd211c0fdadcb615 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Mon, 14 Jul 2025 10:53:22 +0100 Subject: [PATCH 132/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index c761ae97..f3cc755f 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -131,8 +131,8 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['image.name'] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata).matrix_image_name['containerimage.digest'] }}' + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From d25b1938db0a1c4cc29769c7cdb2df44edb7c874 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 11:53:41 +0100 Subject: [PATCH 133/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index f3cc755f..a2ac4f58 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -54,6 +54,16 @@ jobs: - name: runtime - name: runtime-with-contrast - name: tests + outputs: + image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} + image-digest-runtime: ${{ steps.inspect.outputs['image-digest-runtime'] }} + image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} + image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} + image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} + image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} + image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} + image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} + image-artifact-tests: ${{ steps.inspect.outputs['image-artifact-tests'] }} steps: - name: Checkout branch uses: actions/checkout@v4 @@ -120,14 +130,8 @@ jobs: # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - name: Inspect the created images + id: inspect run: | - echo "Inspecting the created images..." - echo "Matrix.Image.Name: ${{ matrix.image.name }}" - echo 'outputs.metadata.tests.containerimage.digest:' - echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['containerimage.digest'] }}' - echo '---' - echo 'outputs.metadata.tests.image.name:' - echo '${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }}' matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" @@ -136,6 +140,9 @@ jobs: echo "Image Name: $image_name" echo "Image Digest: $image_digest" + "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT" # if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then 
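Review bot: The three new `>> $GITHUB_OUTPUT` lines in the `inspect` step are missing the `echo`, so the shell tries to execute `image-name-…=…` as a command and nothing is written to the step output; the third line also ends with a stray `"` that leaves the script with an unterminated string. They should read `echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT`, with the digest and artifact lines written the same way and without the trailing quote. Because the job-level `outputs:` added in the first hunk read these values via `steps.inspect.outputs[...]`, every downstream job will see empty image names and digests until this is fixed.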
From dc1f63fb0d090a0c17b377d80451dccf0e2c9d8c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 11:56:51 +0100 Subject: [PATCH 134/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index a2ac4f58..a97ab182 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -140,9 +140,9 @@ jobs: echo "Image Name: $image_name" echo "Image Digest: $image_digest" - "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT - "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT - "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT" + echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT" # if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then From 26d5f4c438e7e06304ec81389a577fb27ae625fe Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 11:58:44 +0100 Subject: [PATCH 135/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index a97ab182..2cefcd53 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -142,7 +142,7 @@ jobs: echo "Image Digest: $image_digest" echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT - echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT" + echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT # if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then From 2795f6567c0fb2f219784d74d5f60c6d816cf395 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 13:03:39 +0100 Subject: [PATCH 136/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 43 ++++++++++++---------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 2cefcd53..a1fd0e9d 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -124,10 +124,6 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - - # - name: Run docker-compose tests - # run: | - # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - name: Inspect the created images id: inspect 
@@ -140,25 +136,12 @@ jobs: echo "Image Name: $image_name" echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT - - # if [ -z ${{ matrix.image.name }} == 'runtime_with_contrast' ]; then - # staging_image_contrast=${{ fromJSON(steps.bake-pr.outputs.metadata).runtime-with-contrast['image.name'] }} - # echo "Staging Contrast image: $staging_image_contrast"; - # echo staging_image_contrast=$staging_image_contrast >> $GITHUB_ENV; - # fi - - # if [ -z ${{ matrix.image.name }} == 'tests' ]; then - # staging_image_test=${{ fromJSON(steps.bake-pr.outputs.metadata).tests['image.name'] }} - # echo "Staging Test image: $staging_image_test"; - # echo staging_image_test=$staging_image_test >> $GITHUB_ENV; - # fi - - # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.tags }} - # - name: Login to Docker Hub # uses: docker/login-action@v3 # with: 
@@ -185,3 +168,25 @@ jobs: # type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} # type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} # type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} + + test: + name: Test Docker Images + needs: + - build + runs-on: ubuntu-latest + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Run tests + run: | + echo "IMAGE_NAME_RUNTIME=${{ needs.build.outputs.image-name-runtime }}" > .env + echo "IMAGE_NAME_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }}" >> .env + echo "IMAGE_NAME_TESTS=${{ needs.build.outputs.image-name-tests }}" >> .env + + docker pull $IMAGE_NAME_RUNTIME + docker pull $IMAGE_NAME_RUNTIME_WITH_CONTRAST + docker pull $IMAGE_NAME_TESTS + + echo "Running tests for the Docker images..." + docker compose -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests From eb652579fadbfc6feff680021a8c37ab3fe344fb Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 13:18:52 +0100 Subject: [PATCH 137/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index a1fd0e9d..38acee38 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
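Review bot: In the new `test` job, `docker pull $IMAGE_NAME_RUNTIME` and the two pulls after it reference shell variables that are never assigned: the preceding lines only write `IMAGE_NAME_*=…` entries into the `.env` file, they do not set them in the shell, so each pull runs with an empty argument and fails. Either assign them in the script before writing the file (`IMAGE_NAME_RUNTIME='${{ needs.build.outputs.image-name-runtime }}'`) or, better, declare them once in a job-level `env:` block so the `.env` file and the pulls read the same value without expanding the expressions inside the script. The job also has no registry login step visible, so the pulls rely on the images being publicly readable; a comment stating that assumption would help the next reader.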
@@ -180,9 +180,9 @@ jobs: - name: Run tests run: | - echo "IMAGE_NAME_RUNTIME=${{ needs.build.outputs.image-name-runtime }}" > .env - echo "IMAGE_NAME_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }}" >> .env - echo "IMAGE_NAME_TESTS=${{ needs.build.outputs.image-name-tests }}" >> .env + echo 'IMAGE_NAME_RUNTIME=${{ needs.build.outputs.image-name-runtime }}' > .env + echo 'IMAGE_NAME_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }}' >> .env + echo 'IMAGE_NAME_TESTS=${{ needs.build.outputs.image-name-tests }}' >> .env docker pull $IMAGE_NAME_RUNTIME docker pull $IMAGE_NAME_RUNTIME_WITH_CONTRAST From 8b68bf483413c476ae1737550d6f4f6c9e259438 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 13:20:56 +0100 Subject: [PATCH 138/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 38acee38..161fe95a 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -180,9 +180,13 @@ jobs: - name: Run tests run: | - echo 'IMAGE_NAME_RUNTIME=${{ needs.build.outputs.image-name-runtime }}' > .env - echo 'IMAGE_NAME_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }}' >> .env - echo 'IMAGE_NAME_TESTS=${{ needs.build.outputs.image-name-tests }}' >> .env + IMAGE_NAME_RUNTIME=${{ needs.build.outputs.image-name-runtime }} + IMAGE_NAME_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }} + IMAGE_NAME_TESTS=${{ needs.build.outputs.image-name-tests }} + + echo "IMAGE_NAME_RUNTIME=$IMAGE_NAME_RUNTIME" > .env + echo "IMAGE_NAME_RUNTIME_WITH_CONTRAST=$IMAGE_NAME_RUNTIME_WITH_CONTRAST" >> .env + echo "IMAGE_NAME_TESTS=$IMAGE_NAME_TESTS" >> .env docker pull $IMAGE_NAME_RUNTIME docker pull $IMAGE_NAME_RUNTIME_WITH_CONTRAST From 241fadef8ef76b905929c9ea071118f77da70480 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 16:07:48 +0100 Subject: [PATCH 139/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 161fe95a..3c101d8b 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -189,7 +189,7 @@ jobs: echo "IMAGE_NAME_TESTS=$IMAGE_NAME_TESTS" >> .env docker pull $IMAGE_NAME_RUNTIME - docker pull $IMAGE_NAME_RUNTIME_WITH_CONTRAST + # docker pull $IMAGE_NAME_RUNTIME_WITH_CONTRAST docker pull $IMAGE_NAME_TESTS echo "Running tests for the Docker images..." From 70e3ee7c2bce45a0b7ff2a61555510519a17e44e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 16:25:24 +0100 Subject: [PATCH 140/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 3c101d8b..de2dfa9c 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -180,17 +180,17 @@ jobs: - name: Run tests run: | - IMAGE_NAME_RUNTIME=${{ needs.build.outputs.image-name-runtime }} - IMAGE_NAME_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }} - IMAGE_NAME_TESTS=${{ needs.build.outputs.image-name-tests }} + STAGING_IMAGE_RUNTIME=${{ needs.build.outputs.image-name-runtime }} + STAGING_IMAGE_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }} + STAGING_IMAGE_TESTS=${{ needs.build.outputs.image-name-tests }} - echo "IMAGE_NAME_RUNTIME=$IMAGE_NAME_RUNTIME" > .env - echo "IMAGE_NAME_RUNTIME_WITH_CONTRAST=$IMAGE_NAME_RUNTIME_WITH_CONTRAST" >> .env - echo "IMAGE_NAME_TESTS=$IMAGE_NAME_TESTS" >> .env + echo "STAGING_IMAGE_RUNTIME=$STAGING_IMAGE_RUNTIME" > .env + echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env + echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env - docker pull $IMAGE_NAME_RUNTIME - # docker pull $IMAGE_NAME_RUNTIME_WITH_CONTRAST - docker pull $IMAGE_NAME_TESTS + docker pull $STAGING_IMAGE_RUNTIME + # docker pull $STAGING_IMAGE_RUNTIME_WITH_CONTRAST + docker pull $STAGING_IMAGE_TESTS echo "Running tests for the Docker images..." docker compose -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests From 9ec7cb53aa2d850d5c5435bce8cda134536b42a6 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 16:39:23 +0100 Subject: [PATCH 141/234] switching back to linear builds --- docker-compose.ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 2b1c6bcf..53938fe3 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml 
@@ -3,12 +3,12 @@ services: # Development environment for Contrast Assess demos web-dev: - image: $staging_image_contrast + image: "${STAGING_IMAGE_CONTRAST}" web-prod: - image: $staging_image_contrast + image: "${STAGING_IMAGE_CONTRAST}" # Testing service tests: build: - image: $staging_image_tests + image: "${STAGING_IMAGE_TESTS}" From 73808cd8abbc8dbd97c0804067ef8240f813ebc6 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 16:50:53 +0100 Subject: [PATCH 142/234] switching back to linear builds --- docker-compose.ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 53938fe3..c3d3ba4b 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -3,10 +3,10 @@ services: # Development environment for Contrast Assess demos web-dev: - image: "${STAGING_IMAGE_CONTRAST}" + image: "${STAGING_IMAGE_RUNTIME}" web-prod: - image: "${STAGING_IMAGE_CONTRAST}" + image: "${STAGING_IMAGE_RUNTIME}" # Testing service tests: From 1b3b8e1d7eb4b46f3a4698170e9bf91ace5cf34c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 14 Jul 2025 17:00:23 +0100 Subject: [PATCH 143/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index de2dfa9c..cc37bee0 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -193,4 +193,4 @@ jobs: docker pull $STAGING_IMAGE_TESTS echo "Running tests for the Docker images..." - docker compose -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests + docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests From dded1b6a19efa005ea4f4ccce5be856bffa232d2 Mon Sep 17 00:00:00 2001 
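Review bot: `web-dev` and `web-prod` now both resolve to `${STAGING_IMAGE_RUNTIME}`, while the comment above `web-dev` still describes it as the Contrast Assess demo environment; with the `docker pull $STAGING_IMAGE_RUNTIME_WITH_CONTRAST` line commented out in the workflow, the e2e run no longer exercises the instrumented image at all. If that is intentional while builds are linear, make the coverage gap visible in the override file, e.g. `# CI override: runs the plain runtime image; the Contrast-instrumented image is not under test here`, rather than leaving the old comment to imply otherwise.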
From: Taylor Mowat Date: Tue, 15 Jul 2025 09:45:26 +0100 Subject: [PATCH 144/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index cc37bee0..4ff67257 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -174,23 +174,23 @@ jobs: needs: - build runs-on: ubuntu-latest + env: + STAGING_IMAGE_RUNTIME: ${{ needs.build.outputs.image-name-runtime }} + STAGING_IMAGE_RUNTIME_WITH_CONTRAST: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + STAGING_IMAGE_TESTS: ${{ needs.build.outputs.image-name-tests }} steps: - name: Checkout branch uses: actions/checkout@v4 - - name: Run tests + - name: Pull the staging docker images run: | - STAGING_IMAGE_RUNTIME=${{ needs.build.outputs.image-name-runtime }} - STAGING_IMAGE_RUNTIME_WITH_CONTRAST=${{ needs.build.outputs.image-name-runtime-with-contrast }} - STAGING_IMAGE_TESTS=${{ needs.build.outputs.image-name-tests }} - echo "STAGING_IMAGE_RUNTIME=$STAGING_IMAGE_RUNTIME" > .env echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env - docker pull $STAGING_IMAGE_RUNTIME - # docker pull $STAGING_IMAGE_RUNTIME_WITH_CONTRAST - docker pull $STAGING_IMAGE_TESTS + docker compose pull + - name: Run e2e tests with Playwright + run: | echo "Running tests for the Docker images..." docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests From 2c9b4e58940acd0d56cf74118f95da9e330b4ebe Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 09:54:52 +0100 Subject: [PATCH 145/234] switching back to linear builds --- docker-compose.ci.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index c3d3ba4b..27f3d630 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -10,5 +10,4 @@ services: # Testing service tests: - build: image: "${STAGING_IMAGE_TESTS}" From f12d16f22d926b8fb031ebfdec4853f4a653ed77 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 10:36:28 +0100 Subject: [PATCH 146/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 7 +++++++ docker-compose.ci.yml | 3 +++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 4ff67257..d4994405 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -194,3 +194,10 @@ jobs: run: | echo "Running tests for the Docker images..." docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests + + - name: Save Playwright report + uses: actions/upload-artifact@v4 + with: + name: playwright-report + path: ./playwright-report + retention-days: 7 diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 27f3d630..ba9bccb6 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -11,3 +11,6 @@ services: # Testing service tests: image: "${STAGING_IMAGE_TESTS}" + volumes: ./playwright-report:./playwright-report + + From ce295e6e8861d6be4236b03c7f5d696bfa4ee8c1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 10:53:24 +0100 Subject: [PATCH 147/234] switching back to linear builds --- .github/workflows/docker-images-single.yml | 16 ++++---- .github/workflows/e2e-tests.yml | 47 ++++++++++++++++++++++ docker-compose.ci.yml | 3 +- 3 files changed, 57 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/e2e-tests.yml diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index d4994405..5e462156 100644 
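Review bot: The added `Save Playwright report` step has no `if:` condition, so when `docker compose … --exit-code-from tests` exits non-zero the step is skipped and the report is lost on exactly the runs where it is needed; add `if: always()` (or `if: ${{ !cancelled() }}`) above `uses: actions/upload-artifact@v4`. The same omission recurs in the two upload/summary steps added to e2e-tests.yml later in this series (the hunk at `@@ -45,3 +45,16 @@`). In the companion docker-compose.ci.yml hunk, `volumes: ./playwright-report:./playwright-report` is a scalar rather than a list entry and its container side is relative, which Compose does not accept for a bind mount target.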
--- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -1,14 +1,14 @@ name: Docker Image CI on: - push: - branches: - - main - tags: - - v* - pull_request: - branches: - - main + # push: + # branches: + # - main + # tags: + # - v* + # pull_request: + # branches: + # - main workflow_dispatch: inputs: contrast_agent_version: diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml new file mode 100644 index 00000000..ca2b5dc7 --- /dev/null +++ b/.github/workflows/e2e-tests.yml @@ -0,0 +1,47 @@ +name: Docker Image CI (Matrix) + +on: + # push: + # branches: + # - main + # tags: + # - v* + # pull_request: + # branches: + # - main + workflow_dispatch: + +env: + REGISTRY_IMAGE: contrastsecuritydemo/netflicks + +jobs: + test: + name: Test Docker Images + runs-on: ubuntu-latest + env: + STAGING_IMAGE_RUNTIME: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-runtime" + STAGING_IMAGE_RUNTIME_WITH_CONTRAST: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-runtime-with-contrast" + STAGING_IMAGE_TESTS: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-tests" + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Pull the staging docker images + run: | + echo "STAGING_IMAGE_RUNTIME=$STAGING_IMAGE_RUNTIME" > .env + echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env + echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env + + docker compose pull + + - name: Run e2e tests with Playwright + run: | + echo "Running tests for the Docker images..." + docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests + + - name: Save Playwright report + uses: actions/upload-artifact@v4 + with: + name: playwright-report + path: ./playwright-report + retention-days: 7 diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index ba9bccb6..f5989757 100644 --- a/docker-compose.ci.yml 
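Review bot: The new e2e-tests.yml hard-codes `STAGING_IMAGE_*` to `ghcr.io/contrast-security-oss/demo-netflicks:pr-8-…` tags, so the job tests a fixed image rather than the images built for the commit under review; once the next patch in this series enables the `push`/`pull_request` triggers, every run on main will exercise that stale PR image. Those tags are mutable and not pinned by digest, so what gets pulled can change without any change to this repository. The `REGISTRY_IMAGE` value under the top-level `env:` is not referenced anywhere in the file. If the image names cannot come from a `needs.build.outputs.*` dependency in this workflow, consider `workflow_dispatch` inputs for them and pin by `@sha256:` digest for reproducibility.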
+++ b/docker-compose.ci.yml @@ -11,6 +11,7 @@ services: # Testing service tests: image: "${STAGING_IMAGE_TESTS}" - volumes: ./playwright-report:./playwright-report + volumes: + - ./playwright-report:./playwright-report From e0a0d68fe46ec0c8c6f6e54342d7682c0dbaf5e2 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 10:53:59 +0100 Subject: [PATCH 148/234] switching back to linear builds --- .github/workflows/e2e-tests.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index ca2b5dc7..dc5b4c84 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -1,14 +1,14 @@ -name: Docker Image CI (Matrix) +name: End-to-End Tests on: - # push: - # branches: - # - main - # tags: - # - v* - # pull_request: - # branches: - # - main + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main workflow_dispatch: env: From f3eef81a35c69007bef69b549440bda206591838 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 11:27:14 +0100 Subject: [PATCH 149/234] adding playwright report --- tests/playwright.config.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index ce151ded..3dd0a921 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -33,6 +33,7 @@ const config: PlaywrightTestConfig = { /* Reporter to use. See https://playwright.dev/docs/test-reporters */ reporter: [ ['list', { printSteps: true}], + ['html', { open: 'never' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From 95d3b03c3bf5db7e2de33f5b31498a6dd467dd52 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Tue, 15 Jul 2025 11:29:24 +0100 Subject: [PATCH 150/234] adding playwright report --- .github/workflows/e2e-tests.yml | 2 +- docker-compose.ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index dc5b4c84..4b1ad503 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -43,5 +43,5 @@ jobs: uses: actions/upload-artifact@v4 with: name: playwright-report - path: ./playwright-report + path: /playwright-report retention-days: 7 diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index f5989757..39301eab 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -12,6 +12,6 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - ./playwright-report:./playwright-report + - /tests/playwright-report:/playwright-report From 5a92b358c6d4381d3988435856dd5d40f56071ca Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 11:45:09 +0100 Subject: [PATCH 151/234] adding playwright report --- docker-compose.ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 39301eab..f9573e84 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -12,6 +12,6 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - /tests/playwright-report:/playwright-report + - /playwright-report:/tests/playwright-report From fccc77d34ef7acd7eb64143a95c8b7833975ca73 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 13:58:20 +0100 Subject: [PATCH 152/234] e2e testing --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 4b1ad503..7acda0b3 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -43,5 +43,5 @@ jobs: uses: actions/upload-artifact@v4 with: name: playwright-report - path: /playwright-report + path: /playwright-report/ retention-days: 7 From d2dd12cfd325c70363f83a86e0a8b7eff27ec32a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 15 Jul 2025 15:41:07 +0100 Subject: [PATCH 153/234] e2e testing --- .github/workflows/docker-images-single.yml | 1 + .github/workflows/docker-images.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 5e462156..23551100 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -9,6 +9,7 @@ on: # pull_request: # branches: # - main + workflow_dispatch: inputs: contrast_agent_version: diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 3f8ab048..a701aa66 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -1,4 +1,4 @@ -name: Docker Image CI (Matrix) +name: Old Docker CI on: # push: From 00418d5fb0214e650c9b08a1508be83712ab7b76 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 12:46:27 +0100 Subject: [PATCH 154/234] e2e testing --- .github/workflows/e2e-tests.yml | 2 +- docker-compose.ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 7acda0b3..4805d7ae 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -43,5 +43,5 @@ jobs: uses: actions/upload-artifact@v4 with: name: playwright-report - path: /playwright-report/ + path: playwright-report/ retention-days: 7 diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index f9573e84..f59e02d6 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml 
@@ -12,6 +12,6 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - /playwright-report:/tests/playwright-report + - playwright-report:/tests/playwright-report From 33db15df8e772e8b825e992913130ec8c09e6822 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 12:48:06 +0100 Subject: [PATCH 155/234] e2e testing --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 4805d7ae..ccec3143 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -43,5 +43,5 @@ jobs: uses: actions/upload-artifact@v4 with: name: playwright-report - path: playwright-report/ + path: /tests/playwright-report/ retention-days: 7 From efd01362a8163bbe2ec51dd121ab5fe18ab46c8a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 12:48:11 +0100 Subject: [PATCH 156/234] e2e testing --- docker-compose.ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index f59e02d6..15013e10 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -12,6 +12,6 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - playwright-report:/tests/playwright-report + - /tests/playwright-report:/tests/playwright-report From 6b56cbfa61d5ec6d41d7dc0294be1e07649f66e4 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:12:57 +0100 Subject: [PATCH 157/234] e2e testing --- .github/workflows/e2e-tests.yml | 13 +++++++++++++ docker-compose.ci.yml | 1 + 2 files changed, 14 insertions(+) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index ccec3143..4d901dfb 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -45,3 +45,16 @@ jobs: name: playwright-report path: /tests/playwright-report/ retention-days: 7 + + - name: Save Playwright test results + uses: actions/upload-artifact@v4 + with: + name: playwright-test-results + path: /tests/test-results/ + retention-days: 7 + + - name: Generate Playwright test results summary + uses: daun/playwright-report-summary@v3.9.0 + with: + report-file: /tests/test-results/results.json + job-summary: true diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 15013e10..7d36f571 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -13,5 +13,6 @@ services: image: "${STAGING_IMAGE_TESTS}" volumes: - /tests/playwright-report:/tests/playwright-report + - /tests/test-results:/tests/test-results From 808ece8123c6b3202e673ff4ca3701a76019ce38 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:15:41 +0100 Subject: [PATCH 158/234] adding playwright json report for commenting --- tests/playwright.config.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index 3dd0a921..cbd556f1 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -34,6 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], + ['json', { outputFile: 'test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From bc9795b5efdd2bdfbac092c37327b568cdb858a6 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:19:49 +0100 Subject: [PATCH 159/234] adding playwright json report for commenting --- tests/playwright.config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index cbd556f1..173c33a0 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts 
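Review bot: `daun/playwright-report-summary@v3.9.0` is a third-party action referenced by a mutable tag; pin it to a full commit SHA (keeping the version in a trailing comment) so an upstream re-tag cannot change what runs with this job's token. The `test` job in e2e-tests.yml declares no `permissions:` block where the job is created earlier in this series, so the action runs with the repository's default token scope; declare the minimum explicitly, e.g. `permissions: contents: read` plus whatever the summary action documents as required. Both new steps, like the existing `Save Playwright report`, lack `if: always()` and are skipped whenever the test step fails. Whether `/tests/test-results/results.json` exists at the runner's filesystem root depends on the compose volume mapping, which this series is still adjusting.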
@@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: 'test-results/results.json' }], + ['json', { outputFile: 'results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From 8e8aac6109b99f744956d47d812a35191e1e05e7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:42:38 +0100 Subject: [PATCH 160/234] adding playwright json report for commenting --- docker-compose.yml | 15 --------------- tests/playwright.config.ts | 2 +- 2 files changed, 1 insertion(+), 16 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index f7a02b84..f0119f85 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,21 +17,6 @@ services: retries: 10 start_period: 10s - - web-no-contrast: - image: contrastsecuritydemo/netflicks:latest - build: - context: . - dockerfile: Dockerfile - target: runtime - depends_on: - database: - condition: service_healthy - ports: - - '8887:80' - environment: - - ConnectionStrings__DotNetFlicksConnection=Server=tcp:database,1433;Initial Catalog=DotNetFlicksDb;Persist Security Info=False;User ID=sa;Password=reallyStrongPwd123;MultipleActiveResultSets=False;TrustServerCertificate=yes; - # Development environment for Contrast Assess demos web-dev: image: contrastsecuritydemo/netflicks:latest-contrast diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index 173c33a0..cbd556f1 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: 'results.json' }], + ['json', { outputFile: 'test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { 
From e4b7badfe158ff784d357a2b0e312e3bedc435e7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:51:23 +0100 Subject: [PATCH 161/234] adding playwright json report for commenting --- tests/playwright.config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index cbd556f1..78c530d6 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: 'test-results/results.json' }], + ['json', { outputFile: '/tests/test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From 3c3b0cf46966814b03df4e767563b61d404ee2e7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:55:55 +0100 Subject: [PATCH 162/234] adding playwright json report for commenting --- docker-compose.ci.yml | 2 +- tests/playwright.config.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 7d36f571..02573c1a 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -13,6 +13,6 @@ services: image: "${STAGING_IMAGE_TESTS}" volumes: - /tests/playwright-report:/tests/playwright-report - - /tests/test-results:/tests/test-results + - ./tests/test-results:/tests/test-results diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index 78c530d6..cbd556f1 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts 
@@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: '/tests/test-results/results.json' }], + ['json', { outputFile: 'test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From b47d81d79bf7920d3073470d6dab6ee110142396 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 13:59:15 +0100 Subject: [PATCH 163/234] troubleshooting file issues with playwright --- .github/workflows/e2e-tests.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 4d901dfb..36ec4d5f 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -39,6 +39,16 @@ jobs: echo "Running tests for the Docker images..." docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests + - name: check files + run: | + echo "ls -la /tests/playwright-report" + ls -la /tests/playwright-report + echo "ls -la /tests/test-results" + ls -la /tests/test-results + echo "---" + echo "ls -la /tests" + ls -la /tests + - name: Save Playwright report uses: actions/upload-artifact@v4 with: From 9fbc3bd6611765237888d241630150ac937f11d3 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:16:27 +0100 Subject: [PATCH 164/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 7 +++++-- docker-compose.ci.yml | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 36ec4d5f..3e24a22d 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
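Review bot: The `check files` step runs `ls -la` against `/tests/playwright-report` and `/tests/test-results` at the runner's filesystem root; the default `run:` shell is fail-fast, so if either directory is missing the diagnostic step itself fails the job before the artifact uploads run. Guard it with `continue-on-error: true` on the step, or `ls -la /tests/playwright-report || true` per command, so it stays informational.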
@@ -41,13 +41,16 @@ jobs: - name: check files run: | + echo "ls -la /tests" + ls -la /tests + echo "---" echo "ls -la /tests/playwright-report" ls -la /tests/playwright-report + echo "---" echo "ls -la /tests/test-results" ls -la /tests/test-results echo "---" - echo "ls -la /tests" - ls -la /tests + - name: Save Playwright report uses: actions/upload-artifact@v4 diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 02573c1a..7d36f571 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -13,6 +13,6 @@ services: image: "${STAGING_IMAGE_TESTS}" volumes: - /tests/playwright-report:/tests/playwright-report - - ./tests/test-results:/tests/test-results + - /tests/test-results:/tests/test-results From de92a13c6f9145773a3f2f4b153c54ecdcbfcd04 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:22:46 +0100 Subject: [PATCH 165/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 4 ++-- tests/playwright.config.ts | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 3e24a22d..028abaed 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -32,12 +32,12 @@ jobs: echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env - docker compose pull + docker compose pull --include-deps - name: Run e2e tests with Playwright run: | echo "Running tests for the Docker images..." - docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests + docker compose -f docker-compose.yml -f docker-compose.ci.yml --pull never --profile tests up --abort-on-container-exit --exit-code-from tests - name: check files run: | diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index cbd556f1..78c530d6 100644 --- a/tests/playwright.config.ts 
+++ b/tests/playwright.config.ts @@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: 'test-results/results.json' }], + ['json', { outputFile: '/tests/test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From f0bea4f0d55088d1445b219b3e7f2c4f85914b11 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:24:08 +0100 Subject: [PATCH 166/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 028abaed..8cea3d8b 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -37,7 +37,7 @@ jobs: - name: Run e2e tests with Playwright run: | echo "Running tests for the Docker images..." - docker compose -f docker-compose.yml -f docker-compose.ci.yml --pull never --profile tests up --abort-on-container-exit --exit-code-from tests + docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --pull never --abort-on-container-exit --exit-code-from tests - name: check files run: | From b79d4cbc3c569b0bf3db64f749ee4f9525a8d67a Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:26:04 +0100 Subject: [PATCH 167/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 8cea3d8b..62b34998 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -37,7 +37,7 @@ jobs: - name: Run e2e tests with Playwright run: | echo "Running tests for the Docker images..." - docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --pull never --abort-on-container-exit --exit-code-from tests + docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --pull never --no-build --abort-on-container-exit --exit-code-from tests - name: check files run: | From 41d41d94f58a7d3c3bd5919fee1152645a964a79 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:30:57 +0100 Subject: [PATCH 168/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 62b34998..b95fdc62 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -32,7 +32,7 @@ jobs: echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env - docker compose pull --include-deps + docker compose -f docker-compose.yml -f docker-compose.ci.yml pull --include-deps - name: Run e2e tests with Playwright run: | From 45acb4610054241ef98d5f719d1926c9169a183b Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:33:18 +0100 Subject: [PATCH 169/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index b95fdc62..06217d49 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml 
@@ -37,7 +37,7 @@ jobs: - name: Run e2e tests with Playwright run: | echo "Running tests for the Docker images..." - docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --pull never --no-build --abort-on-container-exit --exit-code-from tests + docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --no-build --abort-on-container-exit --exit-code-from tests - name: check files run: | From 6c558c523199d37cfad8f5a74d787b5f242b4871 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:36:26 +0100 Subject: [PATCH 170/234] problem finding test-resuts --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 06217d49..51443dfe 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -32,7 +32,7 @@ jobs: echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env - docker compose -f docker-compose.yml -f docker-compose.ci.yml pull --include-deps + docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests pull --include-deps - name: Run e2e tests with Playwright run: | From 17de425dd10e52f82fa64c408fd89c1a722cd7a0 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:38:43 +0100 Subject: [PATCH 171/234] problem finding test-resuts --- tests/playwright.config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index 78c530d6..cbd556f1 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts 
@@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: '/tests/test-results/results.json' }], + ['json', { outputFile: 'test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From 4aa95a92c8c53f252d60427e454ac9f4268d35bb Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:43:16 +0100 Subject: [PATCH 172/234] problem finding test-resuts --- tests/playwright.config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index cbd556f1..78c530d6 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: 'test-results/results.json' }], + ['json', { outputFile: '/tests/test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From 7d8ac04860966990bc10262b80e457ea21b80edf Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:49:33 +0100 Subject: [PATCH 173/234] problem finding test-resuts --- docker-compose.ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index 7d36f571..ecb9f9a2 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -12,7 +12,7 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - /tests/playwright-report:/tests/playwright-report - - /tests/test-results:/tests/test-results + - .tests/playwright-report:/tests/playwright-report + - .tests/test-results:/tests/test-results From 29be048ce5fc75792d34166b5abe63671e0055ce Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Wed, 16 Jul 2025 15:53:23 +0100 Subject: [PATCH 174/234] problem finding test-resuts --- docker-compose.ci.yml | 4 ++-- tests/playwright.config.ts | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index ecb9f9a2..f7458328 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -12,7 +12,7 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - .tests/playwright-report:/tests/playwright-report - - .tests/test-results:/tests/test-results + - /tests/playwright-report:./tests/playwright-report + - /tests/test-results:./tests/test-results diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index 78c530d6..cbd556f1 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: '/tests/test-results/results.json' }], + ['json', { outputFile: 'test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From 4f7fd7709fd3f5b3f541f5f70e8cdac4a63a1b45 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 15:55:44 +0100 Subject: [PATCH 175/234] problem finding test-resuts --- docker-compose.ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml index f7458328..7d36f571 100644 --- a/docker-compose.ci.yml +++ b/docker-compose.ci.yml @@ -12,7 +12,7 @@ services: tests: image: "${STAGING_IMAGE_TESTS}" volumes: - - /tests/playwright-report:./tests/playwright-report - - /tests/test-results:./tests/test-results + - /tests/playwright-report:/tests/playwright-report + - /tests/test-results:/tests/test-results From 1b0c38b323a0d9fbe432bda52aad23d0de2ab81a Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Wed, 16 Jul 2025 16:11:33 +0100 Subject: [PATCH 176/234] problem finding test-resuts --- tests/playwright.config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/playwright.config.ts b/tests/playwright.config.ts index cbd556f1..78c530d6 100644 --- a/tests/playwright.config.ts +++ b/tests/playwright.config.ts @@ -34,7 +34,7 @@ const config: PlaywrightTestConfig = { reporter: [ ['list', { printSteps: true}], ['html', { open: 'never' }], - ['json', { outputFile: 'test-results/results.json' }], + ['json', { outputFile: '/tests/test-results/results.json' }], ], /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */ use: { From ccdf2ab90afdaab648730105a5c134ca167ad310 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 16:32:13 +0100 Subject: [PATCH 177/234] problem finding test-resuts --- .github/workflows/docker-images-single.yml | 112 +++++++++++++++++++-- 1 file changed, 103 insertions(+), 9 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 23551100..aad16a8e 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -1,14 +1,14 @@ name: Docker Image CI on: - # push: - # branches: - # - main - # tags: - # - v* - # pull_request: - # branches: - # - main + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main workflow_dispatch: inputs: 
@@ -36,12 +36,101 @@ jobs: echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT #TODO: Add a job to build the base image first + build-base: + name: Build Base Image + runs-on: ubuntu-latest + needs: + - prepare + permissions: + contents: read + packages: write + attestations: write + id-token: write + outputs: + image-name-base: ${{ steps.inspect.outputs['image-name-base'] }} + image-digest-base: ${{ steps.inspect.outputs['image-digest-base'] }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } + + - name: Docker Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: arm64 + + - name: Docker Setup Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch,suffix=-base + type=ref,event=branch,suffix=-base + type=ref,event=pr,suffix=-base + type=ref,event=pr,suffix=-base + + - name: Build all Docker images for this PR + id: bake-pr + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file}} + targets: | + build + push: true + set: | + *.platform=linux/amd64 + *.platform=linux/arm64 + + - name: Inspect the created images + id: inspect + run: | + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata.base)['image.name'] }}' + image_digest='${{ 
fromJSON(steps.bake-pr.outputs.metadata.base)['containerimage.digest'] }}' + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + + echo "image-name-base=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT + #TODO: Then share the base image with other jobs via cache build: name: Build Docker Images needs: - prepare + - build-base runs-on: ubuntu-latest permissions: contents: read @@ -111,7 +200,12 @@ jobs: type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=ref,event=pr,suffix=-${{ matrix.image.name }} type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - + + - name: Pull base image + run: | + echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" + docker pull ${{ needs.build-base.outputs.image-name-base }} + - name: Build all Docker images for this PR id: bake-pr uses: docker/bake-action@v6 From dcb477271286cecd56ec5a2dca2b5169cde8f1d8 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 16:35:35 +0100 Subject: [PATCH 178/234] splitting base image build --- docker-bake.hcl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index 30758184..1f30d06c 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -10,12 +10,17 @@ group "default" { target "docker-metadata-action" {} +target "build" { + target = "build" + context = "." + dockerfile = "Dockerfile" +} + target "runtime" { inherits = ["docker-metadata-action"] context = "." dockerfile = "Dockerfile" target = "runtime" - no-cache = true } target "runtime-with-contrast" { From fb7e8b3927434007e2d016406db8059b46e5c12e Mon Sep 17 00:00:00 2001 
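Review bot: The `image_name='${{ fromJSON(...) }}'` and `image_digest='${{ ... }}'` assignments in the `inspect` step interpolate workflow expressions straight into the `run:` script, and the same pattern appears in the `docker pull ${{ needs.build-base.outputs.image-name-base }}` step in the next hunk and again in PATCH 181 on a later line; single quotes do not neutralise a value that itself contains a quote. Route the values through `env:` (e.g. `env: IMAGE_NAME: ${{ fromJSON(steps.bake-pr.outputs.metadata.base)['image.name'] }}` and then `image_name="$IMAGE_NAME"` in the script) so the shell never sees the expansion. The actions in this job (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-docker-action@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/metadata-action@v5`, `docker/bake-action@v6`) are pinned to mutable major tags in a job holding `packages: write` and `id-token: write`; pin them to full commit SHAs with the tag in a trailing comment. The `tags:` list also repeats `type=ref,event=branch,suffix=-base` and `type=ref,event=pr,suffix=-base`, which looks like a paste error.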
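Review bot: The `Pull base image` step pulls `needs.build-base.outputs.image-name-base`, a mutable tag, even though the `build-base` job already computes `image-digest-base` and writes an `image-artifact-base` (`name@digest`) line to `$GITHUB_OUTPUT`; only `image-name-base` and `image-digest-base` are declared under that job's `outputs:`, so the artifact reference is never usable downstream. Declare `image-artifact-base: ${{ steps.inspect.outputs['image-artifact-base'] }}` in the `build-base` outputs and pull by that value, so this job consumes exactly the image the previous job produced even if a concurrent run overwrites the tag.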
From: Taylor Mowat Date: Wed, 16 Jul 2025 16:37:56 +0100 Subject: [PATCH 179/234] splitting base image build --- docker-bake.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-bake.hcl b/docker-bake.hcl index 1f30d06c..42c22dd3 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -11,6 +11,7 @@ group "default" { target "docker-metadata-action" {} target "build" { + inherits = ["docker-metadata-action"] target = "build" context = "." dockerfile = "Dockerfile" From e16daf98535a87bee7c8235c9540963176d3ad14 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 16:46:28 +0100 Subject: [PATCH 180/234] splitting base image build --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index aad16a8e..156b8433 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -113,8 +113,8 @@ jobs: - name: Inspect the created images id: inspect run: | - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata.base)['image.name'] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata.base)['containerimage.digest'] }}' + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata).base['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata).base['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" From 89b678e819e9bcab0d12570a2762234158f03933 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 16:56:38 +0100 Subject: [PATCH 181/234] splitting base image build --- .github/workflows/docker-images-single.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 156b8433..9ce97571 100644 --- a/.github/workflows/docker-images-single.yml 
+++ b/.github/workflows/docker-images-single.yml @@ -113,8 +113,8 @@ jobs: - name: Inspect the created images id: inspect run: | - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata).base['image.name'] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata).base['containerimage.digest'] }}' + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata).build['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata).build['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" @@ -204,7 +204,7 @@ jobs: - name: Pull base image run: | echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" - docker pull ${{ needs.build-base.outputs.image-name-base }} + docker pull '${{ needs.build-base.outputs.image-name-base }}' - name: Build all Docker images for this PR id: bake-pr From 2b0328dd825b8648f9d90e1ec8845ddb2dbf8775 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 17:21:12 +0100 Subject: [PATCH 182/234] splitting base image build --- .github/workflows/docker-images-single.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 9ce97571..197b2283 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -183,6 +183,8 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 + with: + cache-from: type=gha,scope=ghcr.io/${{ github.repository }} - name: Extract metadata id: docker-meta @@ -219,6 +221,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 + *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }} + *.cache-to=inline - name: Inspect the created images id: inspect From 57b4f0ef1ca790d63859cae75dbf0d24aa6b2507 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat Date: Wed, 16 Jul 2025 17:34:16 +0100 Subject: [PATCH 183/234] splitting base image build --- .github/workflows/docker-images-single.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 197b2283..3095ab2a 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -109,6 +109,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 + *.cache-from=type=gha + cache-to=type=gha,mode=max - name: Inspect the created images id: inspect From 1a70f476ede8a31169f860f338944ae42d7302a1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 16 Jul 2025 17:36:05 +0100 Subject: [PATCH 184/234] splitting base image build --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 3095ab2a..1df1268b 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -110,7 +110,7 @@ jobs: *.platform=linux/amd64 *.platform=linux/arm64 *.cache-from=type=gha - cache-to=type=gha,mode=max + *.cache-to=type=gha,mode=max - name: Inspect the created images id: inspect From 97513e96fde5b66b4f52d4ebec16badd8cde574e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 17 Jul 2025 12:34:16 +0100 Subject: [PATCH 185/234] splitting base image build --- .github/workflows/docker-images-single.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 1df1268b..3816cad5 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -223,8 +223,10 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }} - *.cache-to=inline + *.cache-from=type=gha + *.cache-to=type=gha,mode=max + # *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }} + # *.cache-to=inline - name: Inspect the created images id: inspect From c3f7cb749c1d4756f38f13f39fa3049176ed0c56 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 17 Jul 2025 16:41:00 +0100 Subject: [PATCH 186/234] splitting base image build --- .github/workflows/docker-images-single.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 3816cad5..53bc6178 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -225,8 +225,6 @@ jobs: *.platform=linux/arm64 *.cache-from=type=gha *.cache-to=type=gha,mode=max - # *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }} - # *.cache-to=inline - name: Inspect the created images id: inspect From e90c2183d782c52bfa563d8925e3f55e2d3038e3 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Thu, 17 Jul 2025 16:54:03 +0100 Subject: [PATCH 187/234] splitting base image build --- .github/workflows/docker-images-single.yml | 35 ---------------------- .github/workflows/e2e-tests.yml | 14 ++++----- 2 files changed, 6 insertions(+), 43 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 53bc6178..6a7da72e 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -17,9 +17,6 @@ on: required: false default: 'latest' -env: - REGISTRY_IMAGE: contrastsecuritydemo/netflicks - jobs: prepare: name: Prepare for multi-stage builds 
@@ -270,35 +267,3 @@ jobs: # type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} # type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} - test: - name: Test Docker Images - needs: - - build - runs-on: ubuntu-latest - env: - STAGING_IMAGE_RUNTIME: ${{ needs.build.outputs.image-name-runtime }} - STAGING_IMAGE_RUNTIME_WITH_CONTRAST: ${{ needs.build.outputs.image-name-runtime-with-contrast }} - STAGING_IMAGE_TESTS: ${{ needs.build.outputs.image-name-tests }} - steps: - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Pull the staging docker images - run: | - echo "STAGING_IMAGE_RUNTIME=$STAGING_IMAGE_RUNTIME" > .env - echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env - echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env - - docker compose pull - - - name: Run e2e tests with Playwright - run: | - echo "Running tests for the Docker images..." - docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile tests up --abort-on-container-exit --exit-code-from tests - - - name: Save Playwright report - uses: actions/upload-artifact@v4 - with: - name: playwright-report - path: ./playwright-report - retention-days: 7 diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 51443dfe..bec6c5eb 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -1,14 +1,11 @@ name: End-to-End Tests on: - push: - branches: - - main - tags: - - v* - pull_request: - branches: - - main + workflow_run: + workflows: ["Docker Image CI"] + branches: [main] + types: + - completed workflow_dispatch: env: 
@@ -22,6 +19,7 @@ jobs: STAGING_IMAGE_RUNTIME: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-runtime" STAGING_IMAGE_RUNTIME_WITH_CONTRAST: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-runtime-with-contrast" STAGING_IMAGE_TESTS: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-tests" + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout branch uses: actions/checkout@v4 From bc0c2b9e93fbae7841d543f0d0a0fc29348d85fd Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 21 Jul 2025 12:33:23 +0100 Subject: [PATCH 188/234] splitting base image build --- .github/workflows/docker-images-single.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 6a7da72e..535e5866 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -85,7 +85,7 @@ jobs: flavor: | latest=false annotations: | - org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.description=Base image buildcache for the netflicks application org.opencontainers.image.vendor=Contrast Security tags: | type=ref,event=branch,suffix=-base @@ -93,8 +93,8 @@ jobs: type=ref,event=pr,suffix=-base type=ref,event=pr,suffix=-base - - name: Build all Docker images for this PR - id: bake-pr + - name: Build the base docker image for this PR + id: bake-base-pr uses: docker/bake-action@v6 with: files: | @@ -106,8 +106,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=gha - *.cache-to=type=gha,mode=max + *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags[0] }}-buildcache + *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags[0] }}-buildcache,mode=max - name: Inspect the created images id: inspect 
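Review bot: The added `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the `test` job is only ever true for `workflow_run` events; the file keeps `workflow_dispatch:` in the same commit, and on a manual run `github.event.workflow_run` is absent, so the comparison is false and the job is silently skipped. Widen it to `if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}` or drop the manual trigger. The context lines also show `STAGING_IMAGE_*` still hard-coded to `pr-8-*` images, so the job does not exercise the images the triggering run built.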
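Review bot: `steps.docker-meta.outputs.tags[0]` in the new `*.cache-from`/`*.cache-to` lines does not select the first tag: metadata-action's `tags` output is a newline-separated string, not a list, so indexing it with `[0]` appears to yield an empty value and the cache ref collapses to `-buildcache`. PATCH 190 on a later line falls back to the bare `outputs.tags`, which only works while exactly one tag is produced, and the duplicated `type=ref` entries in this job make that fragile. Use the action's JSON output instead: `*.cache-from=type=registry,ref=${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}-buildcache`.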
@@ -220,8 +220,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=gha - *.cache-to=type=gha,mode=max + *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max - name: Inspect the created images id: inspect From 6dea1bd13f137c583952573bca785ac88524c5d7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 21 Jul 2025 12:35:29 +0100 Subject: [PATCH 189/234] splitting base image build --- .github/workflows/docker-images-single.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 535e5866..22a35dcc 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -106,8 +106,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags[0] }}-buildcache - *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags[0] }}-buildcache,mode=max + *.cache-from=type=registry,ref='${{ steps.docker-meta.outputs.tags[0] }}-buildcache' + *.cache-to=type=registry,ref='${{ steps.docker-meta.outputs.tags[0] }}-buildcache',mode=max - name: Inspect the created images id: inspect @@ -220,8 +220,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache - *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max + *.cache-from=type=registry,ref='${{ needs.build-base.outputs.image-name-base }}-buildcache' + *.cache-to=type=registry,ref='${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max' - name: Inspect the created images id: inspect From a99fa93d79c6e5f9cdaa9eaa34e66de119a221ae Mon Sep 17 00:00:00 2001 
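Review bot: The `build` job's `*.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max` writes to the same registry ref that `build-base` uses for its own `cache-to` (its `tags` value is the base image name), so each matrix entry of this job overwrites the base-stage cache, and with the matrix entries running in parallel the last writer wins. Give this job its own ref, e.g. `*.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-${{ matrix.image.name }}-buildcache,mode=max`, and keep the base ref as `cache-from` only. `matrix.image.name` is visible in this job's tag list in an earlier hunk, so it should be available here.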
From: Taylor Mowat Date: Mon, 21 Jul 2025 14:23:19 +0100 Subject: [PATCH 190/234] splitting base image build --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 22a35dcc..84634642 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -106,8 +106,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=registry,ref='${{ steps.docker-meta.outputs.tags[0] }}-buildcache' - *.cache-to=type=registry,ref='${{ steps.docker-meta.outputs.tags[0] }}-buildcache',mode=max + *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache + *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache,mode=max - name: Inspect the created images id: inspect From b8764351cef6845f9bbbcb69d0d9844d941f2931 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 21 Jul 2025 16:06:30 +0100 Subject: [PATCH 191/234] splitting base image build --- .github/workflows/docker-images-single.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 84634642..d1f83195 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -112,8 +112,8 @@ jobs: - name: Inspect the created images id: inspect run: | - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata).build['image.name'] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata).build['containerimage.digest'] }}' + image_name='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['containerimage.digest'] }}' echo "Image Name: $image_name" echo "Image Digest: $image_digest" 
From 3c88e75f5b88c5cf80692b6a6c48f2f8a3bb4524 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 21 Jul 2025 16:09:52 +0100 Subject: [PATCH 192/234] splitting base image build --- .github/workflows/docker-images-single.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index d1f83195..64cef85e 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -182,8 +182,6 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - with: - cache-from: type=gha,scope=ghcr.io/${{ github.repository }} - name: Extract metadata id: docker-meta @@ -220,8 +218,8 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 - *.cache-from=type=registry,ref='${{ needs.build-base.outputs.image-name-base }}-buildcache' - *.cache-to=type=registry,ref='${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max' + *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max - name: Inspect the created images id: inspect From ef4670cfef409ce4378e4ed04ed5235df537d622 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Mon, 21 Jul 2025 16:29:15 +0100 Subject: [PATCH 193/234] splitting base image build --- .github/workflows/docker-images-single.yml | 8 +++++++ .github/workflows/e2e-tests.yml | 25 ++++++++++++---------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 64cef85e..86aaac15 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -265,3 +265,11 @@ jobs: # type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} # type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} + test: + needs: + - build + uses: ./.github/workflows/e2e-tests.yml + with: + staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} + staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + staging_image_tests: ${{ needs.build.outputs.image-name-tests }} diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index bec6c5eb..9405aa64 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -1,24 +1,27 @@ name: End-to-End Tests on: - workflow_run: - workflows: ["Docker Image CI"] - branches: [main] - types: - - completed + workflow_call: + inputs: + staging_image_runtime: + required: true + type: string + staging_image_runtime_with_contrast: + required: true + type: string + staging_image_tests: + required: true + type: string workflow_dispatch: -env: - REGISTRY_IMAGE: contrastsecuritydemo/netflicks - jobs: test: name: Test Docker Images runs-on: ubuntu-latest env: - STAGING_IMAGE_RUNTIME: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-runtime" - STAGING_IMAGE_RUNTIME_WITH_CONTRAST: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-runtime-with-contrast" - STAGING_IMAGE_TESTS: "ghcr.io/contrast-security-oss/demo-netflicks:pr-8-tests" + STAGING_IMAGE_RUNTIME: ${{ inputs.staging_image_runtime }} + STAGING_IMAGE_RUNTIME_WITH_CONTRAST: ${{ inputs.staging_image_runtime_with_contrast }} + STAGING_IMAGE_TESTS: ${{ inputs.staging_image_tests }} if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout branch From 228448863632ec025184254a1ca993dbffdad271 Mon Sep 17 00:00:00 2001 
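Review bot: After switching the trigger to `workflow_call`, the unchanged `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the `test` job can never be true: a called workflow sees the caller's event (`push`/`pull_request`), which carries no `workflow_run` payload, so the job is skipped on every run. Remove the condition. The retained `workflow_dispatch:` trigger declares no inputs, so a manual run leaves `STAGING_IMAGE_RUNTIME`, `STAGING_IMAGE_RUNTIME_WITH_CONTRAST` and `STAGING_IMAGE_TESTS` empty; either declare matching `workflow_dispatch.inputs` or drop that trigger.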
From: Taylor Mowat Date: Tue, 22 Jul 2025 07:57:46 +0100 Subject: [PATCH 194/234] splitting base image build --- .github/workflows/e2e-tests.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 9405aa64..152520c9 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -22,7 +22,6 @@ jobs: STAGING_IMAGE_RUNTIME: ${{ inputs.staging_image_runtime }} STAGING_IMAGE_RUNTIME_WITH_CONTRAST: ${{ inputs.staging_image_runtime_with_contrast }} STAGING_IMAGE_TESTS: ${{ inputs.staging_image_tests }} - if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout branch uses: actions/checkout@v4 From 10fcc879eb4e9127778d3f9f4ea9b7675fda5c8f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Tue, 22 Jul 2025 09:26:03 +0100 Subject: [PATCH 195/234] splitting base image build --- .github/workflows/docker-images-single.yml | 23 ++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 86aaac15..0f8a4034 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -32,9 +32,10 @@ jobs: echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - #TODO: Add a job to build the base image first + # MULTISTAGE DOCKERFILE - first create and push the build stage to speed up + # subsequent builds. build-base: - name: Build Base Image + name: Create Docker Build Stage runs-on: ubuntu-latest needs: - prepare 
@@ -79,33 +80,42 @@ jobs: - name: Extract metadata id: docker-meta uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index with: images: | ghcr.io/${{ github.repository }} flavor: | latest=false annotations: | - org.opencontainers.image.description=Base image buildcache for the netflicks application + org.opencontainers.image.description=Base image - build stage and buildcache for the netflicks application org.opencontainers.image.vendor=Contrast Security tags: | type=ref,event=branch,suffix=-base type=ref,event=branch,suffix=-base type=ref,event=pr,suffix=-base type=ref,event=pr,suffix=-base - + + # To speed up the builds, we use caching of the docker image layers. + # Cache rules: + # - Use the existing base image cache from the main branch first for new PRs + # - After the first build in a PR, cache-to will save the cache to the registry under the PR name + # - Subsequent builds in the same PR will use the cache from the PR name + # - Otherwise, different PRs would cause cache pollution if they share the same base image cache - name: Build the base docker image for this PR id: bake-base-pr uses: docker/bake-action@v6 with: files: | docker-bake.hcl - cwd://${{ steps.docker-meta.outputs.bake-file}} + cwd://${{ steps.docker-meta.outputs.bake-file }} targets: | build push: true set: | *.platform=linux/amd64 *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache,mode=max @@ -126,7 +136,7 @@ jobs: #TODO: Then share the base image with other jobs via cache build: - name: Build Docker Images + name: Docker Build ${{ matrix.image.name }} needs: - prepare - build-base 
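Review bot: The new `*.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache` line reads a ref that nothing in this workflow writes: the job's `cache-to` targets `${{ steps.docker-meta.outputs.tags }}-buildcache`, which for a push to `main` should resolve to a `main-base-buildcache` tag (from `type=ref,event=branch,suffix=-base`), not `base-buildcache`, so the comment's "use the existing base image cache from the main branch first" does not hold and every fresh PR starts cold. The same mismatch appears in the next hunk on the following line, where `*.cache-from=...:${{ matrix.image.name }}-buildcache` names a ref no `cache-to` produces. Either add a `main`-only `cache-to` with that fixed ref, or point `cache-from` at `ghcr.io/${{ github.repository }}:main-base-buildcache`. The duplicated `type=ref` tag entries from earlier commits are still present in this hunk's context.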
@@ -218,6 +228,7 @@ jobs: set: | *.platform=linux/amd64 *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max From af47e17078177098952b8ae2ff23f7e76435aa5e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 10:49:08 +0100 Subject: [PATCH 196/234] splitting base image build --- .github/workflows/docker-images-single.yml | 69 +++++++++++++++------- 1 file changed, 49 insertions(+), 20 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 0f8a4034..eeb7e247 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -255,26 +255,7 @@ jobs: # username: ${{ secrets.DOCKERHUB_USERNAME }} # password: ${{ secrets.DOCKERHUB_TOKEN }} - # - name: Extract metadata - # id: docker-meta - # uses: docker/metadata-action@v5 - # with: - # images: | - # - contrastsecuritydemo/netflicks - # flavor: | - # latest=false - # labels: | - # org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos - # org.opencontainers.image.vendor=Contrast Security - # tags: | - # type=ref,event=branch,suffix=-${{ matrix.image.name }} - # type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - # type=ref,event=pr,suffix=-${{ matrix.image.name }} - # type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - # type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - # type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - # type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - # type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable={{is_default_branch}} + test: needs: 
@@ -284,3 +265,51 @@ jobs: staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + + # + # Release Internal + # + release-internal: + needs: + - prepare + - build + - test + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - name: runtime + - name: runtime-with-contrast + - name: tests + steps: + + - name: Extract metadata + id: release-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=true + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} + type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} + + - name: Release image (internal) + uses: akhilerm/tag-push-action@v2.1.0 + with: + src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + dst: | + ${{ steps.release-meta.outputs.tags }} From 0ca12b246089cb5d7e6fa258ee73116f5166713e Mon Sep 17 00:00:00 2001 
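Review bot: `release-internal` carries no `if:` condition, and this workflow also triggers on `pull_request`, so every PR build reaches the tag-push step and re-points `latest`, `latest-contrast` and `tests` at an unreviewed PR image. Gate the job on the release event, e.g. `if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`, which is the condition the old commented-out `push` job in docker-images.yml used. The job also requests `attestations: write` and `id-token: write` although no visible step uses them; `contents: read` and `packages: write` are all the metadata and tag-push steps need. `akhilerm/tag-push-action@v2.1.0` is a third-party action pinned by a mutable tag; pinning it to a full commit SHA (with the version in a trailing comment) keeps a retagged release from changing what runs with `packages: write` on this repository.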
From: Taylor Mowat Date: Wed, 23 Jul 2025 10:56:45 +0100 Subject: [PATCH 197/234] splitting base image build --- .github/workflows/docker-images-single.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index eeb7e247..703fdf81 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -307,6 +307,13 @@ jobs: type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Release image (internal) uses: akhilerm/tag-push-action@v2.1.0 with: From 3bff110910af2724e4234fbe8c2e496bf6364a8f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 11:09:28 +0100 Subject: [PATCH 198/234] splitting base image build --- .github/workflows/docker-images-single.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 703fdf81..535f84e4 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -319,4 +319,4 @@ jobs: with: src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} dst: | - ${{ steps.release-meta.outputs.tags }} + ${{ steps.release-meta.outputs.tags[0] }} From 6a1985442b75177a6a0f84daca2c0f57778838c8 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 11:34:21 +0100 Subject: [PATCH 199/234] splitting base image build --- .github/workflows/docker-images-single.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 535f84e4..8766e93e 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -238,7 +238,7 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' echo "Image Name: $image_name" @@ -263,9 +263,19 @@ jobs: uses: ./.github/workflows/e2e-tests.yml with: staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} - staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + # test-contrast: + # needs: + # - build + # uses: ./.github/workflows/e2e-tests.yml + # with: + # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + # staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + # secrets: + # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} + + # # Release Internal # @@ -319,4 +329,4 @@ jobs: with: src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} dst: | - ${{ steps.release-meta.outputs.tags[0] }} + ${{ steps.release-meta.outputs.tags }} From 33cdfa082b1f6b8bef5cb5a48724ffeb5606914d Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 11:42:22 +0100 Subject: [PATCH 200/234] splitting base image build --- .github/workflows/docker-images-single.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 8766e93e..92e765a7 100644 --- a/.github/workflows/docker-images-single.yml 
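Review bot: The new `['image.name'][0]` lookup assumes the bake metadata exposes `image.name` as an array; the `build-base` inspect step in this same file reads `.build['image.name']` unindexed, which suggests it is a single (possibly comma-joined) string, and in that case I believe the `[0]` expression evaluates to empty, so `image-name-<image>` is written to `$GITHUB_OUTPUT` blank and the release job's `src:` breaks — worth verifying against the action's metadata output. If the intent is to keep only the first of several tags, doing it in the shell after the assignment, `image_name="${image_name%%,*}"`, is unambiguous whatever the type. The inspect step's `run:` block starts outside the hunk.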
+++ b/.github/workflows/docker-images-single.yml @@ -263,6 +263,7 @@ jobs: uses: ./.github/workflows/e2e-tests.yml with: staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} + staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} staging_image_tests: ${{ needs.build.outputs.image-name-tests }} # test-contrast: From 3c9f85500406f4303b64d0d2c801d3f8e7cf1a51 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 11:53:09 +0100 Subject: [PATCH 201/234] splitting base image build --- .github/workflows/docker-images-single.yml | 333 ----------- .github/workflows/docker-images.yml | 620 +++++++++------------ .github/workflows/release-testing.yml | 154 +++++ 3 files changed, 430 insertions(+), 677 deletions(-) delete mode 100644 .github/workflows/docker-images-single.yml create mode 100644 .github/workflows/release-testing.yml diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml deleted file mode 100644 index 92e765a7..00000000 --- a/.github/workflows/docker-images-single.yml +++ /dev/null 
@@ -1,333 +0,0 @@ -name: Docker Image CI - -on: - push: - branches: - - main - tags: - - v* - pull_request: - branches: - - main - - workflow_dispatch: - inputs: - contrast_agent_version: - description: 'Contrast .NET Core agent version to build with' - required: false - default: 'latest' - -jobs: - prepare: - name: Prepare for multi-stage builds - runs-on: ubuntu-latest - outputs: - contrast_version: ${{ steps.versions.outputs.contrast_version }} - steps: - - name: Check latest Contrast agent version - id: versions - run: | - docker pull contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} - CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') - echo "Contrast agent version: ${CONTRAST_VERSION}" - echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - - # MULTISTAGE DOCKERFILE - first create and push the build stage to speed up - # subsequent builds. 
- build-base: - name: Create Docker Build Stage - runs-on: ubuntu-latest - needs: - - prepare - permissions: - contents: read - packages: write - attestations: write - id-token: write - outputs: - image-name-base: ${{ steps.inspect.outputs['image-name-base'] }} - image-digest-base: ${{ steps.inspect.outputs['image-digest-base'] }} - steps: - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker daemon for multi-platform builds - uses: docker/setup-docker-action@v4 - with: - daemon-config: | - { - "debug": true, - "features": { - "containerd-snapshotter": true - } - } - - - name: Docker Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: arm64 - - - name: Docker Setup Buildx - uses: docker/setup-buildx-action@v3 - - - name: Extract metadata - id: docker-meta - uses: docker/metadata-action@v5 - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=false - annotations: | - org.opencontainers.image.description=Base image - build stage and buildcache for the netflicks application - org.opencontainers.image.vendor=Contrast Security - tags: | - type=ref,event=branch,suffix=-base - type=ref,event=branch,suffix=-base - type=ref,event=pr,suffix=-base - type=ref,event=pr,suffix=-base - - # To speed up the builds, we use caching of the docker image layers. 
- # Cache rules: - # - Use the existing base image cache from the main branch first for new PRs - # - After the first build in a PR, cache-to will save the cache to the registry under the PR name - # - Subsequent builds in the same PR will use the cache from the PR name - # - Otherwise, different PRs would cause cache pollution if they share the same base image cache - - name: Build the base docker image for this PR - id: bake-base-pr - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ steps.docker-meta.outputs.bake-file }} - targets: | - build - push: true - set: | - *.platform=linux/amd64 - *.platform=linux/arm64 - *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache - *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache - *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache,mode=max - - - name: Inspect the created images - id: inspect - run: | - image_name='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['image.name'] }}' - image_digest='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['containerimage.digest'] }}' - - echo "Image Name: $image_name" - echo "Image Digest: $image_digest" - echo "Image Artifact: $image_name@$image_digest" - - echo "image-name-base=$image_name" >> $GITHUB_OUTPUT - echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT - echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT - - #TODO: Then share the base image with other jobs via cache - - build: - name: Docker Build ${{ matrix.image.name }} - needs: - - prepare - - build-base - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - attestations: write - id-token: write - strategy: - fail-fast: false - matrix: - image: - - name: runtime - - name: runtime-with-contrast - - name: tests - outputs: - image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} - image-digest-runtime: ${{ 
steps.inspect.outputs['image-digest-runtime'] }} - image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} - image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} - image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} - image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} - image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} - image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} - image-artifact-tests: ${{ steps.inspect.outputs['image-artifact-tests'] }} - steps: - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker daemon for multi-platform builds - uses: docker/setup-docker-action@v4 - with: - daemon-config: | - { - "debug": true, - "features": { - "containerd-snapshotter": true - } - } - - - name: Docker Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: arm64 - - - name: Docker Setup Buildx - uses: docker/setup-buildx-action@v3 - - - name: Extract metadata - id: docker-meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=false - annotations: | - org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos - org.opencontainers.image.vendor=Contrast Security - tags: | - type=ref,event=branch,suffix=-${{ matrix.image.name }} - type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - type=ref,event=pr,suffix=-${{ matrix.image.name }} - type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && 
needs.prepare.outputs.contrast_version || null }} - - - name: Pull base image - run: | - echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" - docker pull '${{ needs.build-base.outputs.image-name-base }}' - - - name: Build all Docker images for this PR - id: bake-pr - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ steps.docker-meta.outputs.bake-file}} - targets: | - ${{ matrix.image.name }} - push: true - set: | - *.platform=linux/amd64 - *.platform=linux/arm64 - *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache - *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache - *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max - - - name: Inspect the created images - id: inspect - run: | - - matrix_image_name='${{ matrix.image.name }}' - echo "Matrix Image Name: $matrix_image_name" - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' - - echo "Image Name: $image_name" - echo "Image Digest: $image_digest" - echo "Image Artifact: $image_name@$image_digest" - - echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT - echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT - echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT - - # - name: Login to Docker Hub - # uses: docker/login-action@v3 - # with: - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN }} - - - - test: - needs: - - build - uses: ./.github/workflows/e2e-tests.yml - with: - staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} - staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} - staging_image_tests: ${{ 
needs.build.outputs.image-name-tests }} - - # test-contrast: - # needs: - # - build - # uses: ./.github/workflows/e2e-tests.yml - # with: - # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime-with-contrast }} - # staging_image_tests: ${{ needs.build.outputs.image-name-tests }} - # secrets: - # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} - - - # - # Release Internal - # - release-internal: - needs: - - prepare - - build - - test - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - attestations: write - id-token: write - strategy: - fail-fast: false - matrix: - image: - - name: runtime - - name: runtime-with-contrast - - name: tests - steps: - - - name: Extract metadata - id: release-meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=true - annotations: | - org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos - org.opencontainers.image.vendor=Contrast Security - tags: | - type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} - type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Release image (internal) - uses: akhilerm/tag-push-action@v2.1.0 - with: - 
src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} - dst: | - ${{ steps.release-meta.outputs.tags }} diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index a701aa66..92e765a7 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
@@ -1,401 +1,333 @@ -name: Old Docker CI +name: Docker Image CI on: - # push: - # branches: - # - main - # tags: - # - v* - # pull_request: - # branches: - # - main + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main + workflow_dispatch: - -env: - REGISTRY_IMAGE: contrastsecuritydemo/netflicks + inputs: + contrast_agent_version: + description: 'Contrast .NET Core agent version to build with' + required: false + default: 'latest' jobs: prepare: + name: Prepare for multi-stage builds runs-on: ubuntu-latest outputs: - matrix: ${{ steps.platforms.outputs.matrix }} + contrast_version: ${{ steps.versions.outputs.contrast_version }} steps: - - name: Checkout branch - uses: actions/checkout@v4 - - - name: Create matrix - id: platforms + - name: Check latest Contrast agent version + id: versions run: | - echo "matrix=$(docker buildx bake runtime-multiarch --print | jq -cr '.target."runtime-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo "matrix=$(docker buildx bake runtime-with-contrast-multiarch --print | jq -cr '.target."runtime-with-contrast-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo "matrix=$(docker buildx bake tests-multiarch --print | jq -cr '.target."tests-multiarch".platforms')" >> ${GITHUB_OUTPUT} - echo ${GITHUB_OUTPUT} + docker pull contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} + CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') + echo "Contrast agent version: ${CONTRAST_VERSION}" + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - - name: Show matrix - run: echo "${{ steps.platforms.outputs.matrix }}" + # MULTISTAGE DOCKERFILE - first create and push the build stage to speed up + # subsequent builds. 
+ build-base: + name: Create Docker Build Stage + runs-on: ubuntu-latest + needs: + - prepare + permissions: + contents: read + packages: write + attestations: write + id-token: write + outputs: + image-name-base: ${{ steps.inspect.outputs['image-name-base'] }} + image-digest-base: ${{ steps.inspect.outputs['image-digest-base'] }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } + + - name: Docker Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: arm64 + + - name: Docker Setup Buildx + uses: docker/setup-buildx-action@v3 - - name: Docker meta - id: meta + - name: Extract metadata + id: docker-meta uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index with: - images: ${{ env.REGISTRY_IMAGE }} + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.description=Base image - build stage and buildcache for the netflicks application + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch,suffix=-base + type=ref,event=branch,suffix=-base + type=ref,event=pr,suffix=-base + type=ref,event=pr,suffix=-base - - name: Rename meta bake definition file + # To speed up the builds, we use caching of the docker image layers. 
+ # Cache rules: + # - Use the existing base image cache from the main branch first for new PRs + # - After the first build in a PR, cache-to will save the cache to the registry under the PR name + # - Subsequent builds in the same PR will use the cache from the PR name + # - Otherwise, different PRs would cause cache pollution if they share the same base image cache + - name: Build the base docker image for this PR + id: bake-base-pr + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file }} + targets: | + build + push: true + set: | + *.platform=linux/amd64 + *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache + *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache + *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache,mode=max + + - name: Inspect the created images + id: inspect run: | - mv "${{ steps.meta.outputs.bake-file }}" "${{ runner.temp }}/bake-meta.json" - echo ${{ runner.temp }}/bake-meta.json + image_name='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['containerimage.digest'] }}' + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + + echo "image-name-base=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT + + #TODO: Then share the base image with other jobs via cache - - name: Upload meta bake definition - uses: actions/upload-artifact@v4 - with: - name: bake-meta - path: ${{ runner.temp }}/bake-meta.json - if-no-files-found: error - retention-days: 1 - - build: - name: Build Multi-Stage Docker Images + name: Docker Build ${{ matrix.image.name }} + needs: + - prepare + - build-base + runs-on: ubuntu-latest + 
permissions: + contents: read + packages: write + attestations: write + id-token: write strategy: fail-fast: false matrix: - platform: ${{ fromJson(needs.prepare.outputs.matrix) }} - include: - - platform: linux/amd64 - runner: ubuntu-latest - - platform: linux/arm64 - runner: macos-latest - runs-on: ${{ matrix.runner }} - needs: - - prepare - - # outputs: - # image-digest: ${{ steps.build.outputs.digest }} - # metadata: ${{ steps.meta.outputs.json }} - # contrast_version: ${{ steps.versions.outputs.contrast_version }} + image: + - name: runtime + - name: runtime-with-contrast + - name: tests + outputs: + image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} + image-digest-runtime: ${{ steps.inspect.outputs['image-digest-runtime'] }} + image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} + image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} + image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} + image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} + image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} + image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} + image-artifact-tests: ${{ steps.inspect.outputs['image-artifact-tests'] }} steps: - - name: echo - run: | - echo "matrix.platform = ${{ matrix.platform}}" - echo "matrix.runner = ${{ matrix.runner}}" - echo "matrix.platform.runner = ${{ matrix.platform.runner}}" - - name: Checkout branch uses: actions/checkout@v4 - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - name: Download meta bake definition - uses: actions/download-artifact@v4 + - name: Login to GHCR + uses: docker/login-action@v3 with: - name: bake-meta - path: ${{ runner.temp }} + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ 
secrets.GITHUB_TOKEN }} - # - - # name: Set up Docker daemon for multi-platform builds - # uses: docker/setup-docker-action@v4 - # with: - # daemon-config: | - # { - # "debug": true, - # "features": { - # "containerd-snapshotter": true - # } - # } + - name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } - # - name: Docker Setup QEMU - # uses: docker/setup-qemu-action@v3 - # with: - # platforms: all + - name: Docker Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: arm64 - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 + + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch,suffix=-${{ matrix.image.name }} + type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + type=ref,event=pr,suffix=-${{ matrix.image.name }} + type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - - name: print the problem file + - name: Pull base image run: | - echo "bake-meta.json file: ${{ runner.temp }}/bake-meta.json" - cat "${{ runner.temp }}/bake-meta.json" + echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" + docker pull '${{ needs.build-base.outputs.image-name-base }}' - # Need to do two bake steps because load=true is not compatible with push-by-digest=true - # https://github.com/moby/buildkit/issues/5556 - - name: Build all image variants with Docker Buildx Bake (for 
local testing) - id: bake-local + - name: Build all Docker images for this PR + id: bake-pr uses: docker/bake-action@v6 with: files: | docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file}} targets: | - multiarch - push: false - load: true - set: | - *.platform=${{ matrix.platform }} - - # - name: Run docker-compose tests - # run: | - # docker compose --profile tests up --abort-on-container-exit --exit-code-from tests - - - name: Export docker images as tar files + ${{ matrix.image.name }} + push: true + set: | + *.platform=linux/amd64 + *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache + *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max + + - name: Inspect the created images + id: inspect run: | - mkdir -p ${{ runner.temp }}/images/runtime - mkdir -p ${{ runner.temp }}/images/contrast - mkdir -p ${{ runner.temp }}/images/tests - docker save contrastsecuritydemo/netflicks:latest -o ${{ runner.temp }}/images/runtime/${{ env.PLATFORM_PAIR }}.tar - docker save contrastsecuritydemo/netflicks:latest-contrast -o ${{ runner.temp }}/images/contrast/${{ env.PLATFORM_PAIR }}.tar - docker save e2e-tests/netflicks:latest -o ${{ runner.temp }}/images/tests/${{ env.PLATFORM_PAIR }}.tar + + matrix_image_name='${{ matrix.image.name }}' + echo "Matrix Image Name: $matrix_image_name" + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' - - name: Upload image tar - uses: actions/upload-artifact@v4 - with: - name: images-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/images/* - if-no-files-found: error - retention-days: 1 + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image 
Artifact: $image_name@$image_digest" + echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT - # - name: Extract metadata - # id: meta - # uses: docker/metadata-action@v5 + # - name: Login to Docker Hub + # uses: docker/login-action@v3 # with: - # images: contrastsecuritydemo/netflicks - # tags: | - # type=ref,event=branch - # type=ref,event=pr - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=raw,value=latest,enable={{is_default_branch}} - - - name: Get currently installed Contrast agent version - id: versions - run: | - docker compose up web-dev -d - docker compose cp web-dev:/opt/contrast/image-manifest.json image-manifest.json - CONTRAST_VERSION=$(cat image-manifest.json | jq -r '.version') - echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - docker compose down - echo "Contrast agent version: ${CONTRAST_VERSION}" - - - name: Build all image variants with Docker Buildx Bake - id: bake - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ runner.temp }}/bake-meta.json - targets: | - multiarch - load: false - set: | - *.platform=${{ matrix.platform }} - *.output=type=image,push-by-digest=true,name-canonical=true,push=false - - - name: Export digest - run: | - echo "DIGEST METADATA catted out via file" - touch metadata.json - echo '${{ steps.bake.outputs.metadata }}' > metadata.json - cat metadata.json | jq -r '.runtime["containerimage.digest"]' - echo "---------------------" - cat metadata.json - echo "FULL METADATA" - echo '${{ fromJSON(steps.bake.outputs.metadata) }}' - echo "---------------------" - echo "RUNTIME METADATA" - echo '${{ fromJSON(steps.bake.outputs.metadata).runtime }}' - - - mkdir -p ${{ runner.temp }}/digests/runtime - mkdir -p ${{ runner.temp }}/digests/contrast - mkdir -p ${{ 
runner.temp }}/digests/tests - runtime_digest="${{ fromJSON(steps.bake.outputs.metadata).runtime-multiarch['containerimage.digest'] }}" - contrast_digest="${{ fromJSON(steps.bake.outputs.metadata).runtime-with-contrast-multiarch['containerimage.digest'] }}" - tests_digest="${{ fromJSON(steps.bake.outputs.metadata).tests-multiarch['containerimage.digest'] }}" - echo "runtime_digest=${runtime_digest}" - echo "contrast_digest=${contrast_digest}" - echo "tests_digest=${tests_digest}" - touch "${{ runner.temp }}/digests/runtime/${runtime_digest#sha256:}" - touch "${{ runner.temp }}/digests/contrast/${contrast_digest#sha256:}" - touch "${{ runner.temp }}/digests/tests/${tests_digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/digests/* - if-no-files-found: error - retention-days: 1 + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN }} - pre-merge: - name: Prepare to merge - runs-on: ubuntu-latest + test: needs: - build - steps: - - name: Docker Metadata action - id: metadata + uses: ./.github/workflows/e2e-tests.yml + with: + staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} + staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + + # test-contrast: + # needs: + # - build + # uses: ./.github/workflows/e2e-tests.yml + # with: + # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + # staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + # secrets: + # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} + + + # + # Release Internal + # + release-internal: + needs: + - prepare + - build + - test + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - 
name: runtime + - name: runtime-with-contrast + - name: tests + steps: + + - name: Extract metadata + id: release-meta uses: docker/metadata-action@v5 with: - images: contrastsecuritydemo/netflicks + images: | + ghcr.io/${{ github.repository }} flavor: | latest=true + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security tags: | - type=semver,pattern={{version}}, priority=100 - type=semver,pattern={{major}}.{{minor}}, priority=200 - - - name: Version number - run: | - echo Getting the build metadata - echo ${{ needs.build.outputs.contrast_version }} - - - name: Download meta bake definition - uses: actions/download-artifact@v4 + type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} + type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} + + - name: Login to GHCR + uses: docker/login-action@v3 with: - name: bake-meta - path: ${{ runner.temp }} - - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: ${{ runner.temp }}/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Create manifest list and push - working-directory: ${{ runner.temp }}/digests - run: | - ls -la - ls -la runtime - ls -la contrast - ls -la tests - # docker buildx imagetools create $(jq -cr 
'.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' ${{ runner.temp }}/bake-meta.json) \ - # $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Download images - uses: actions/download-artifact@v4 + - name: Release image (internal) + uses: akhilerm/tag-push-action@v2.1.0 with: - path: ${{ runner.temp }}/images - pattern: images-* - merge-multiple: true - - - name: Load images - run: | - echo "Loading images" - for folder in ${{ runner.temp }}/images/*; do - for file in "$folder"/*.tar; do - echo "Loading $file" - docker load --input $file - done - done - - - name: Check images are loaded - run: | - echo "Checking loaded images" - docker image ls -a - - - name: Inspect image - run: | - docker buildx imagetools inspect contrastsecuritydemo/netflicks:latest - docker buildx imagetools inspect contrastsecuritydemo/netflicks:latest-contrast - docker buildx imagetools inspect e2e-tests/netflicks:latest - # docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/bake-meta.json) - - - - # push: - # name: Push Images to Docker Hub - # if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) - # runs-on: ubuntu-latest - # needs: - # - test - # steps: - # - - # name: Checkout branch - # uses: actions/checkout@v4 - # - - # name: Docker Setup QEMU - # uses: docker/setup-qemu-action@v3 - # with: - # platforms: all - # - - # name: Docker Setup Buildx - # uses: docker/setup-buildx-action@v3 - # with: - # platforms: linux/amd64,linux/arm64 - # - - # name: Login to Docker Hub - # uses: docker/login-action@v3 - # with: - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN }} - # - - # name: Extract metadata for no-agent variant - # id: 
meta-no-agent - # uses: docker/metadata-action@v5 - # with: - # images: contrastsecuritydemo/netflicks - # flavor: | - # latest=true - # suffix=-no-agent - # tags: | - # type=ref,event=branch - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=raw,value=latest,enable={{is_default_branch}} - # - - # name: Extract metadata for agent variant - # id: meta-agent - # uses: docker/metadata-action@v5 - # with: - # images: contrastsecuritydemo/netflicks - # flavor: | - # latest=true - # suffix=-agent - # tags: | - # type=ref,event=branch - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=raw,value=latest,enable={{is_default_branch}} - # - - # name: Build and push no-agent variant - # uses: docker/build-push-action@v5 - # with: - # context: . - # platforms: linux/amd64,linux/arm64 - # push: true - # cache-from: type=gha - # target: runtime - # tags: ${{ steps.meta-no-agent.outputs.tags }} - # labels: ${{ steps.meta-no-agent.outputs.labels }} - # - - # name: Build and push agent variant - # uses: docker/build-push-action@v5 - # with: - # context: . - # platforms: linux/amd64,linux/arm64 - # push: true - # cache-from: type=gha - # target: runtime-with-contrast - # tags: ${{ steps.meta-agent.outputs.tags }} - # labels: ${{ steps.meta-agent.outputs.labels }} - - - - - merge: - name: Merge if PR is merged and tests pass - if: github.event.pull_request.merged - runs-on: ubuntu-latest - needs: - - pre-merge - - steps: - - run: | - echo The PR was merged + src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + dst: | + ${{ steps.release-meta.outputs.tags }} diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml new file mode 100644 index 00000000..7f77d30c --- /dev/null +++ b/.github/workflows/release-testing.yml 
@@ -0,0 +1,154 @@ +name: Docker Image CI + +on: + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main + + workflow_dispatch: + inputs: + contrast_agent_version: + description: 'Contrast .NET Core agent version to build with' + required: false + default: 'latest' + +jobs: + prepare: + name: Prepare for multi-stage builds + runs-on: ubuntu-latest + outputs: + contrast_version: ${{ steps.versions.outputs.contrast_version }} + steps: + - name: Check latest Contrast agent version + id: versions + run: | + docker pull contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} + CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') + echo "Contrast agent version: ${CONTRAST_VERSION}" + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + + #TODO: Then share the base image with other jobs via cache + + build: + name: Docker Build ${{ matrix.image.name }} + needs: + - prepare + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - name: runtime + - name: runtime-with-contrast + - name: tests + outputs: + image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} + image-digest-runtime: ${{ steps.inspect.outputs['image-digest-runtime'] }} + image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} + image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} + image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} + image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} + image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} + image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} + image-artifact-tests: ${{ 
steps.inspect.outputs['image-artifact-tests'] }} + steps: + + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch,suffix=-${{ matrix.image.name }} + type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + type=ref,event=pr,suffix=-${{ matrix.image.name }} + type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + + + - name: Inspect the created images + id: inspect + run: | + + matrix_image_name='${{ matrix.image.name }}' + echo "Matrix Image Name: $matrix_image_name" + image_name='ghcr.io/${{ github.repository }}:pr-8-${{ matrix.image.name }}' + image_digest='abcdefghijk' # Placeholder for actual digest + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + + echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT + + + # + # Release Internal + # + release-internal: + needs: + - prepare + - build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - name: runtime + - name: runtime-with-contrast + - name: tests + steps: + + - name: Extract metadata + id: release-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=true + 
annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} + type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Release image (internal) + uses: akhilerm/tag-push-action@v2.1.0 + with: + src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + dst: | + ${{ steps.release-meta.outputs.tags }} From c4f838bddbbdf0fcb9346edc63df6df842b6b19f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 11:54:31 +0100 Subject: [PATCH 202/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 7f77d30c..28a308f2 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -1,4 +1,4 @@ -name: Docker Image CI +name: Release Docker Images on: push: From 3eedd8fa150259ab715974b1d1273bb72ddedea0 Mon Sep 17 00:00:00 2001 
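Review bot: In the `prepare` job the pull honours `contrast_agent_version`, but the next line runs `docker image inspect contrast/agent-dotnet-core:latest`, so `contrast_version` is always the label of the `latest` tag even when a different version is dispatched, and that value then feeds the `contrast{{version}}` tags in `release-internal`. The input is also expanded with `${{ }}` straight into the shell script; passing it through `env:` and quoting it (below) avoids the shell interpreting whatever was typed into the dispatch form. Separately, `build` and `release-internal` request `attestations: write` and `id-token: write` although no step in this file signs or attests anything — drop them until that is wired up. Note too that `image_digest='abcdefghijk'` makes the `image-artifact-*` outputs fake references, so nothing downstream should treat them as digest-pinned yet; a `# TODO` next to the placeholder would make that visible.
```yaml
      - name: Check latest Contrast agent version
        id: versions
        env:
          CONTRAST_TAG: ${{ github.event.inputs.contrast_agent_version || 'latest' }}
        run: |
          docker pull "contrast/agent-dotnet-core:${CONTRAST_TAG}"
          CONTRAST_VERSION=$(docker image inspect "contrast/agent-dotnet-core:${CONTRAST_TAG}" --format '{{ index .Config.Labels "org.opencontainers.image.version" }}')
          # … unchanged: echo and $GITHUB_OUTPUT lines …
```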
From: Taylor Mowat Date: Wed, 23 Jul 2025 11:57:02 +0100 Subject: [PATCH 203/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 28a308f2..982ee1bd 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -147,7 +147,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Release image (internal) - uses: akhilerm/tag-push-action@v2.1.0 + uses: akhilerm/tag-push-action@v2.2.0 with: src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} dst: | From aed41bf85e649757c718d6fc74b9307362703324 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 11:59:58 +0100 Subject: [PATCH 204/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 982ee1bd..ba705de9 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -149,6 +149,6 @@ jobs: - name: Release image (internal) uses: akhilerm/tag-push-action@v2.2.0 with: - src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + src: "${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }}" dst: | ${{ steps.release-meta.outputs.tags }} From 18be65655746634a9b3928df3a87f4f426628eb2 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:05:25 +0100 Subject: [PATCH 205/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index ba705de9..773e4eae 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml 
@@ -149,6 +149,6 @@ jobs: - name: Release image (internal) uses: akhilerm/tag-push-action@v2.2.0 with: - src: "${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }}" + src: ghcr.io/${{ github.repository }}:pr-8-${{ matrix.image.name }} dst: | ${{ steps.release-meta.outputs.tags }} From df5f5d81a93a82f42f2c1dedc479691fad4647a1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:07:35 +0100 Subject: [PATCH 206/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 773e4eae..529c9500 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -149,6 +149,6 @@ jobs: - name: Release image (internal) uses: akhilerm/tag-push-action@v2.2.0 with: - src: ghcr.io/${{ github.repository }}:pr-8-${{ matrix.image.name }} + src: ghcr.io/contrast-security-oss/demo-netflicks:pr-8-${{ matrix.image.name }} dst: | ${{ steps.release-meta.outputs.tags }} From 19daf49c2991e30b214d10408a3bb1fd5ee402a4 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:10:31 +0100 Subject: [PATCH 207/234] splitting base image build --- .github/workflows/release-testing.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 529c9500..b3d7dd6b 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -127,8 +127,6 @@ jobs: with: images: | ghcr.io/${{ github.repository }} - flavor: | - latest=true annotations: | org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos org.opencontainers.image.vendor=Contrast Security From d41b23211398d842db14a8440604c25ea04767c2 Mon Sep 17 00:00:00 2001 
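Review bot: Hardcoding `src: ghcr.io/contrast-security-oss/demo-netflicks:pr-8-${{ matrix.image.name }}` decouples the release from the build that just ran — `release-internal` will retag whatever image currently sits behind the mutable `pr-8-*` tag as `latest`, `latest-contrast` or `tests`, including on pushes to `main` or `v*` tags that never produced a `pr-8` image. The `build` job already exports `image-name-*` and `image-artifact-*` outputs for exactly this purpose; once the digest placeholder is replaced, prefer `src: ${{ needs.build.outputs[format('image-artifact-{0}', matrix.image.name)] }}` so the promoted image is pinned by digest rather than by a tag that can be re-pushed. If this is a temporary debugging value, a `# TEMP:` comment on the line would keep it from shipping unnoticed.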
From: Taylor Mowat Date: Wed, 23 Jul 2025 12:20:49 +0100 Subject: [PATCH 208/234] splitting base image build --- .github/workflows/release-testing.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index b3d7dd6b..b924eb9f 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -127,6 +127,8 @@ jobs: with: images: | ghcr.io/${{ github.repository }} + flavor: | + latest=false annotations: | org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos org.opencontainers.image.vendor=Contrast Security From db012c4557515a1aee17cc655ce072648f0a8531 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:27:03 +0100 Subject: [PATCH 209/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index b924eb9f..4d9981c5 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -87,7 +87,7 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name='ghcr.io/${{ github.repository }}:pr-8-${{ matrix.image.name }}' + image_name='${{ steps.docker-meta.outputs.tags }}' image_digest='abcdefghijk' # Placeholder for actual digest echo "Image Name: $image_name" From 9fabecfa44249f8a7d0ca3751a0a51c2f479a3c7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:31:40 +0100 Subject: [PATCH 210/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 4d9981c5..dff00871 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml 
@@ -87,7 +87,7 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name='${{ steps.docker-meta.outputs.tags }}' + image_name='${{ steps.docker-meta.outputs.tags[0] }}' image_digest='abcdefghijk' # Placeholder for actual digest echo "Image Name: $image_name" From 057cde939d677a66bbb802f6f96603fbcbeba20e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:38:32 +0100 Subject: [PATCH 211/234] splitting base image build --- .github/workflows/release-testing.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index dff00871..c250b93e 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -87,7 +87,14 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name='${{ steps.docker-meta.outputs.tags[0] }}' + + # resolves to empty string + # image_name='${{ steps.docker-meta.outputs.tags[0] }}' + + image_name='${{ steps.docker-meta.outputs.tags }}' + echo "$image_name" + + image_digest='abcdefghijk' # Placeholder for actual digest echo "Image Name: $image_name" From dc69d3b8f2d4468672cd1c3355cc305c5766217c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:41:14 +0100 Subject: [PATCH 212/234] splitting base image build --- .github/workflows/release-testing.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index c250b93e..23ea6470 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml 
@@ -91,7 +91,10 @@ jobs: # resolves to empty string # image_name='${{ steps.docker-meta.outputs.tags[0] }}' - image_name='${{ steps.docker-meta.outputs.tags }}' + # returns a list with each string on a new line - breaks shit + # image_name='${{ steps.docker-meta.outputs.tags }}' + + image_name='${{ fromJSON(steps.docker-meta.outputs.tags) }}' echo "$image_name" From 5e52899e7a13692cfc9527d1b0b59cc315f0e770 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:48:23 +0100 Subject: [PATCH 213/234] splitting base image build --- .github/workflows/release-testing.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 23ea6470..e0de745c 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,8 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name='${{ fromJSON(steps.docker-meta.outputs.tags) }}' + image_name='$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1)' + echo "$image_name" From 743c2d4071a9aae1203fb4693abced2c890cad9f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:50:07 +0100 Subject: [PATCH 214/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index e0de745c..6c1f54a9 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,7 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name='$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1)' + image_name=$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1) echo "$image_name" 
From 00cfc3ae1d075344c56333939544f0e9b27dd1c1 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:53:54 +0100 Subject: [PATCH 215/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 6c1f54a9..e91ee759 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,7 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name=$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1) + image_name="$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1)" echo "$image_name" From b76a03cf4bfba2f31ece4bd8dc71b0222680c547 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 12:58:28 +0100 Subject: [PATCH 216/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index e91ee759..6c1f54a9 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,7 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name="$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1)" + image_name=$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1) echo "$image_name" From ea6befb3ed1c1d8388bad2d623fad650c79fa13f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:09:41 +0100 Subject: [PATCH 217/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 6c1f54a9..e2f2ca50 100644 
--- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,7 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name=$(echo '${{ steps.docker-meta.outputs.tags }}' | head -n1) + image_name=$(echo "${{ steps.docker-meta.outputs.tags }}" | head -n1) echo "$image_name" From cf3500c3aabb117ce46e3daa371553320f79733c Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:12:36 +0100 Subject: [PATCH 218/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index e2f2ca50..1754e15f 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,7 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name=$(echo "${{ steps.docker-meta.outputs.tags }}" | head -n1) + image_name=$(head -n1 <<< '${{ steps.docker-meta.outputs.tags }}') echo "$image_name" From cd0848650e581dba9b04730895d945c81b00b3d7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:13:36 +0100 Subject: [PATCH 219/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 1754e15f..8cd15555 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -94,7 +94,7 @@ jobs: # returns a list with each string on a new line - breaks shit # image_name='${{ steps.docker-meta.outputs.tags }}' - image_name=$(head -n1 <<< '${{ steps.docker-meta.outputs.tags }}') + image_name=$(head -n1 <<< "${{ steps.docker-meta.outputs.tags }}") echo "$image_name" 
From 4db4ebfc4174dbc7b73dc2c59a3c55789226e5d7 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:17:53 +0100 Subject: [PATCH 220/234] splitting base image build --- .github/workflows/release-testing.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 8cd15555..c91a205b 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -91,10 +91,8 @@ jobs: # resolves to empty string # image_name='${{ steps.docker-meta.outputs.tags[0] }}' - # returns a list with each string on a new line - breaks shit - # image_name='${{ steps.docker-meta.outputs.tags }}' - - image_name=$(head -n1 <<< "${{ steps.docker-meta.outputs.tags }}") + # Use the json output instead of the tags output + # image_name='${{ steps.docker-meta.outputs.json.tags }}' echo "$image_name" From e23215fcba2c8d2fa99417e4f93e742143da1a4b Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:19:11 +0100 Subject: [PATCH 221/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index c91a205b..f23982fc 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -92,7 +92,7 @@ jobs: # image_name='${{ steps.docker-meta.outputs.tags[0] }}' # Use the json output instead of the tags output - # image_name='${{ steps.docker-meta.outputs.json.tags }}' + image_name='${{ fromJSON(steps.docker-meta.outputs.json.tags)[0] }}' echo "$image_name" From 23da24f117bb4ab2dedfa83ee59c55591cea8325 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:20:07 +0100 Subject: [PATCH 222/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index f23982fc..80f66172 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -92,7 +92,7 @@ jobs: # image_name='${{ steps.docker-meta.outputs.tags[0] }}' # Use the json output instead of the tags output - image_name='${{ fromJSON(steps.docker-meta.outputs.json.tags)[0] }}' + image_name='${{ fromJSON(steps.docker-meta.outputs.json).tags }}' echo "$image_name" From 9631d38e62128d71da3846934620e239090e9624 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:21:45 +0100 Subject: [PATCH 223/234] splitting base image build --- .github/workflows/release-testing.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 80f66172..7fe066d1 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -84,19 +84,13 @@ jobs: - name: Inspect the created images id: inspect run: | - matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - # resolves to empty string - # image_name='${{ steps.docker-meta.outputs.tags[0] }}' - # Use the json output instead of the tags output image_name='${{ fromJSON(steps.docker-meta.outputs.json).tags }}' echo "$image_name" - - image_digest='abcdefghijk' # Placeholder for actual digest echo "Image Name: $image_name" From 9a80207fe669c7fad74f0529711d44c77abcecfe Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 13:22:18 +0100 Subject: [PATCH 224/234] splitting base image build --- .github/workflows/release-testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index 7fe066d1..cbb91492 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml 
@@ -88,7 +88,7 @@ jobs: echo "Matrix Image Name: $matrix_image_name" # Use the json output instead of the tags output - image_name='${{ fromJSON(steps.docker-meta.outputs.json).tags }}' + image_name='${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}' echo "$image_name" image_digest='abcdefghijk' # Placeholder for actual digest From 42bd31cdd4c789bfa6aafd26ffc41b7c4c87ca2d Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 15:08:41 +0100 Subject: [PATCH 225/234] splitting base image build --- .github/workflows/e2e-tests.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 152520c9..58701a88 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -28,6 +28,10 @@ jobs: - name: Pull the staging docker images run: | + echo "STAGING_IMAGE_RUNTIME=$STAGING_IMAGE_RUNTIME" + echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" + echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" + echo "STAGING_IMAGE_RUNTIME=$STAGING_IMAGE_RUNTIME" > .env echo "STAGING_IMAGE_RUNTIME_WITH_CONTRAST=$STAGING_IMAGE_RUNTIME_WITH_CONTRAST" >> .env echo "STAGING_IMAGE_TESTS=$STAGING_IMAGE_TESTS" >> .env From 525af35ac0f895fcb9d684f5cb111ac6edccb419 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 15:21:17 +0100 Subject: [PATCH 226/234] splitting base image build --- .github/workflows/docker-images-single.yml | 333 +++++++++++++++++++++ .github/workflows/docker-images.yml | 2 +- 2 files changed, 334 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/docker-images-single.yml diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml new file mode 100644 index 00000000..92e765a7 --- /dev/null +++ b/.github/workflows/docker-images-single.yml 
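Review bot: `image_name='${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}'` still splices a workflow expression into the shell source; tags derived from branch or PR refs are sanitized by metadata-action so the practical risk is low, but routing the value through `env:` (`IMAGE_NAME: ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}`) and then `image_name="$IMAGE_NAME"` removes the dependency on that sanitization, matching how the other inputs are handled. `tags[0]` also silently relies on metadata-action's emission order; a one-line comment such as `# first tag is <branch-or-pr>-<image>; the contrast-suffixed variant follows` would make the assumption explicit. The `inspect` step's body continues outside the hunk.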
@@ -0,0 +1,333 @@ +name: Docker Image CI + +on: + push: + branches: + - main + tags: + - v* + pull_request: + branches: + - main + + workflow_dispatch: + inputs: + contrast_agent_version: + description: 'Contrast .NET Core agent version to build with' + required: false + default: 'latest' + +jobs: + prepare: + name: Prepare for multi-stage builds + runs-on: ubuntu-latest + outputs: + contrast_version: ${{ steps.versions.outputs.contrast_version }} + steps: + - name: Check latest Contrast agent version + id: versions + run: | + docker pull contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }} + CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') + echo "Contrast agent version: ${CONTRAST_VERSION}" + echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + + # MULTISTAGE DOCKERFILE - first create and push the build stage to speed up + # subsequent builds. 
+ build-base: + name: Create Docker Build Stage + runs-on: ubuntu-latest + needs: + - prepare + permissions: + contents: read + packages: write + attestations: write + id-token: write + outputs: + image-name-base: ${{ steps.inspect.outputs['image-name-base'] }} + image-digest-base: ${{ steps.inspect.outputs['image-digest-base'] }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } + + - name: Docker Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: arm64 + + - name: Docker Setup Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.description=Base image - build stage and buildcache for the netflicks application + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch,suffix=-base + type=ref,event=branch,suffix=-base + type=ref,event=pr,suffix=-base + type=ref,event=pr,suffix=-base + + # To speed up the builds, we use caching of the docker image layers. 
+ # Cache rules: + # - Use the existing base image cache from the main branch first for new PRs + # - After the first build in a PR, cache-to will save the cache to the registry under the PR name + # - Subsequent builds in the same PR will use the cache from the PR name + # - Otherwise, different PRs would cause cache pollution if they share the same base image cache + - name: Build the base docker image for this PR + id: bake-base-pr + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file }} + targets: | + build + push: true + set: | + *.platform=linux/amd64 + *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache + *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache + *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache,mode=max + + - name: Inspect the created images + id: inspect + run: | + image_name='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['image.name'] }}' + image_digest='${{ fromJSON(steps.bake-base-pr.outputs.metadata).build['containerimage.digest'] }}' + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + + echo "image-name-base=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT + + #TODO: Then share the base image with other jobs via cache + + build: + name: Docker Build ${{ matrix.image.name }} + needs: + - prepare + - build-base + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - name: runtime + - name: runtime-with-contrast + - name: tests + outputs: + image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} + image-digest-runtime: ${{ 
steps.inspect.outputs['image-digest-runtime'] }} + image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} + image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} + image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} + image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} + image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} + image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} + image-artifact-tests: ${{ steps.inspect.outputs['image-artifact-tests'] }} + steps: + - name: Checkout branch + uses: actions/checkout@v4 + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker daemon for multi-platform builds + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } + + - name: Docker Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: arm64 + + - name: Docker Setup Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch,suffix=-${{ matrix.image.name }} + type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + type=ref,event=pr,suffix=-${{ matrix.image.name }} + type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && 
needs.prepare.outputs.contrast_version || null }} + + - name: Pull base image + run: | + echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" + docker pull '${{ needs.build-base.outputs.image-name-base }}' + + - name: Build all Docker images for this PR + id: bake-pr + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file}} + targets: | + ${{ matrix.image.name }} + push: true + set: | + *.platform=linux/amd64 + *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache + *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max + + - name: Inspect the created images + id: inspect + run: | + + matrix_image_name='${{ matrix.image.name }}' + echo "Matrix Image Name: $matrix_image_name" + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + + echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT + + # - name: Login to Docker Hub + # uses: docker/login-action@v3 + # with: + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN }} + + + + test: + needs: + - build + uses: ./.github/workflows/e2e-tests.yml + with: + staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} + staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + staging_image_tests: ${{ 
needs.build.outputs.image-name-tests }} + + # test-contrast: + # needs: + # - build + # uses: ./.github/workflows/e2e-tests.yml + # with: + # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + # staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + # secrets: + # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} + + + # + # Release Internal + # + release-internal: + needs: + - prepare + - build + - test + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + fail-fast: false + matrix: + image: + - name: runtime + - name: runtime-with-contrast + - name: tests + steps: + + - name: Extract metadata + id: release-meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=true + annotations: | + org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + org.opencontainers.image.vendor=Contrast Security + tags: | + type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} + type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Release image (internal) + uses: akhilerm/tag-push-action@v2.1.0 + with: + 
src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + dst: | + ${{ steps.release-meta.outputs.tags }} diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 92e765a7..2034a141 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml @@ -238,7 +238,7 @@ jobs: matrix_image_name='${{ matrix.image.name }}' echo "Matrix Image Name: $matrix_image_name" - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'] }}' image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' echo "Image Name: $image_name" From 6af44ec16d614b3cb86e245e51ca7b83bd4f6c3f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 15:33:48 +0100 Subject: [PATCH 227/234] splitting base image build --- .github/workflows/docker-images-single.yml | 55 ++++++++++++---------- 1 file changed, 30 insertions(+), 25 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 92e765a7..852e6331 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml @@ -1,4 +1,4 @@ -name: Docker Image CI +name: Single Build Docker on: push: @@ -23,6 +23,8 @@ jobs: runs-on: ubuntu-latest outputs: contrast_version: ${{ steps.versions.outputs.contrast_version }} + docker-meta-json: ${{ steps.docker-meta.outputs.json }} + docker-meta-bake-file: ${{ steps.docker-meta.outputs.bake-file }} steps: - name: Check latest Contrast agent version id: versions 
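Review bot: In the `prepare` job the pull honours `contrast_agent_version || 'latest'` but the next line, `docker image inspect contrast/agent-dotnet-core:latest`, always reads `:latest`, so the exported `contrast_version` does not describe a requested version; inspect the ref that was actually pulled, e.g. `env: AGENT_REF: contrast/agent-dotnet-core:${{ github.event.inputs.contrast_agent_version || 'latest' }}` on the step, then `docker pull "$AGENT_REF"` and `CONTRAST_VERSION=$(docker image inspect "$AGENT_REF" --format '{{ index .Config.Labels "org.opencontainers.image.version" }}')`. The `build` job pulls the base stage by name (`docker pull '${{ needs.build-base.outputs.image-name-base }}'`) although `image-digest-base` is exported right next to it; pulling `name@digest` ties the downstream build to what `build-base` pushed and closes the window in which a tag could be re-pointed. Both jobs request `attestations: write` and `id-token: write` while no step in the file uses them; dropping unused scopes keeps `GITHUB_TOKEN` at least privilege. The `build-base` `tags:` list repeats `type=ref,event=branch,suffix=-base` and `type=ref,event=pr,suffix=-base` twice each, which looks like a copy-paste duplicate.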
@@ -31,11 +33,27 @@ jobs: CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT + + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch + type=ref,event=pr # MULTISTAGE DOCKERFILE - first create and push the build stage to speed up # subsequent builds. - build-base: - name: Create Docker Build Stage + docker-build: + name: Docker Build Images runs-on: ubuntu-latest needs: - prepare @@ -77,25 +95,12 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 - - name: Extract metadata - id: docker-meta - uses: docker/metadata-action@v5 - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=false - annotations: | - org.opencontainers.image.description=Base image - build stage and buildcache for the netflicks application - org.opencontainers.image.vendor=Contrast Security - tags: | - type=ref,event=branch,suffix=-base - type=ref,event=branch,suffix=-base - type=ref,event=pr,suffix=-base - type=ref,event=pr,suffix=-base - + - name: Check tags + run: | + echo "Tags: ${{ needs.prepare.outputs.docker-meta-json.tags }}" + echo "JSON: ${{ needs.prepare.outputs.docker-meta-json }}" + echo "Bake file: ${{ needs.prepare.outputs.docker-meta-bake-file }}" + # To speed up the builds, we use caching of the docker image layers. # Cache rules: # - Use the existing base image cache from the main branch first for new PRs 
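Review bot: The new `Check tags` step reads `needs.prepare.outputs.docker-meta-json.tags`, but job outputs are plain strings, so property access on `docker-meta-json` evaluates to empty; it needs `fromJSON(needs.prepare.outputs.docker-meta-json).tags[0]` (`[0]` because `tags` is a list). The same expression is used for `cache-from`/`cache-to` in the `@@ -116,8 +121,8 @@` hunk, where an empty value leaves a registry ref of just `-buildcache`. Renaming the job from `build-base` to `docker-build` also strands the later `build` job's `needs: - build-base` and its `needs.build-base.outputs.*` references, which this commit does not appear to touch, so the workflow would be rejected until they are updated or that job is removed. Echoing the whole metadata JSON into the log is harmless but noisy; consider gating it on `runner.debug`.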
@@ -108,7 +113,7 @@ jobs: with: files: | docker-bake.hcl - cwd://${{ steps.docker-meta.outputs.bake-file }} + cwd://${{ needs.prepare.outputs.docker-meta-bake-file }} targets: | build push: true @@ -116,8 +121,8 @@ jobs: *.platform=linux/amd64 *.platform=linux/arm64 *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache - *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache - *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.tags }}-buildcache,mode=max + *.cache-from=type=registry,ref=${{ needs.prepare.outputs.docker-meta-json.tags }}-buildcache + *.cache-to=type=registry,ref=${{ needs.prepare.outputs.docker-meta-json.tags }}-buildcache,mode=max - name: Inspect the created images id: inspect From c396914299689d4adb0f5a6dce5c037c2cf51b9f Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 15:33:53 +0100 Subject: [PATCH 228/234] splitting base image build --- .github/workflows/docker-images-single.yml | 342 ++++++++++----------- 1 file changed, 171 insertions(+), 171 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 852e6331..4b16752d 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
@@ -140,199 +140,199 @@ jobs: #TODO: Then share the base image with other jobs via cache - build: - name: Docker Build ${{ matrix.image.name }} - needs: - - prepare - - build-base - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - attestations: write - id-token: write - strategy: - fail-fast: false - matrix: - image: - - name: runtime - - name: runtime-with-contrast - - name: tests - outputs: - image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} - image-digest-runtime: ${{ steps.inspect.outputs['image-digest-runtime'] }} - image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} - image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} - image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} - image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} - image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} - image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} - image-artifact-tests: ${{ steps.inspect.outputs['image-artifact-tests'] }} - steps: - - name: Checkout branch - uses: actions/checkout@v4 + # build: + # name: Docker Build ${{ matrix.image.name }} + # needs: + # - prepare + # - build-base + # runs-on: ubuntu-latest + # permissions: + # contents: read + # packages: write + # attestations: write + # id-token: write + # strategy: + # fail-fast: false + # matrix: + # image: + # - name: runtime + # - name: runtime-with-contrast + # - name: tests + # outputs: + # image-name-runtime: ${{ steps.inspect.outputs['image-name-runtime'] }} + # image-digest-runtime: ${{ steps.inspect.outputs['image-digest-runtime'] }} + # image-artifact-runtime: ${{ steps.inspect.outputs['image-artifact-runtime'] }} + # image-name-runtime-with-contrast: ${{ steps.inspect.outputs['image-name-runtime-with-contrast'] }} + # 
image-digest-runtime-with-contrast: ${{ steps.inspect.outputs['image-digest-runtime-with-contrast'] }} + # image-artifact-runtime-with-contrast: ${{ steps.inspect.outputs['image-artifact-runtime-with-contrast'] }} + # image-name-tests: ${{ steps.inspect.outputs['image-name-tests'] }} + # image-digest-tests: ${{ steps.inspect.outputs['image-digest-tests'] }} + # image-artifact-tests: ${{ steps.inspect.outputs['image-artifact-tests'] }} + # steps: + # - name: Checkout branch + # uses: actions/checkout@v4 - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + # - name: Login to GHCR + # uses: docker/login-action@v3 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up Docker daemon for multi-platform builds - uses: docker/setup-docker-action@v4 - with: - daemon-config: | - { - "debug": true, - "features": { - "containerd-snapshotter": true - } - } + # - name: Set up Docker daemon for multi-platform builds + # uses: docker/setup-docker-action@v4 + # with: + # daemon-config: | + # { + # "debug": true, + # "features": { + # "containerd-snapshotter": true + # } + # } - - name: Docker Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: arm64 + # - name: Docker Setup QEMU + # uses: docker/setup-qemu-action@v3 + # with: + # platforms: arm64 - - name: Docker Setup Buildx - uses: docker/setup-buildx-action@v3 + # - name: Docker Setup Buildx + # uses: docker/setup-buildx-action@v3 - - name: Extract metadata - id: docker-meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=false - annotations: | - org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos - org.opencontainers.image.vendor=Contrast Security - tags: | - type=ref,event=branch,suffix=-${{ matrix.image.name }} - 
type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - type=ref,event=pr,suffix=-${{ matrix.image.name }} - type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + # - name: Extract metadata + # id: docker-meta + # uses: docker/metadata-action@v5 + # with: + # images: | + # ghcr.io/${{ github.repository }} + # flavor: | + # latest=false + # annotations: | + # org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + # org.opencontainers.image.vendor=Contrast Security + # tags: | + # type=ref,event=branch,suffix=-${{ matrix.image.name }} + # type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + # type=ref,event=pr,suffix=-${{ matrix.image.name }} + # type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - - name: Pull base image - run: | - echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" - docker pull '${{ needs.build-base.outputs.image-name-base }}' + # - name: Pull base image + # run: | + # echo "Pulling base image: ${{ needs.build-base.outputs.image-name-base }}" + # docker pull '${{ needs.build-base.outputs.image-name-base }}' - - name: Build all Docker images for this PR - id: bake-pr - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ steps.docker-meta.outputs.bake-file}} - targets: | - ${{ matrix.image.name }} - push: true - set: | - *.platform=linux/amd64 - *.platform=linux/arm64 - *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache - *.cache-from=type=registry,ref=${{ 
needs.build-base.outputs.image-name-base }}-buildcache - *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max + # - name: Build all Docker images for this PR + # id: bake-pr + # uses: docker/bake-action@v6 + # with: + # files: | + # docker-bake.hcl + # cwd://${{ steps.docker-meta.outputs.bake-file}} + # targets: | + # ${{ matrix.image.name }} + # push: true + # set: | + # *.platform=linux/amd64 + # *.platform=linux/arm64 + # *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache + # *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + # *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max - - name: Inspect the created images - id: inspect - run: | + # - name: Inspect the created images + # id: inspect + # run: | - matrix_image_name='${{ matrix.image.name }}' - echo "Matrix Image Name: $matrix_image_name" - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + # matrix_image_name='${{ matrix.image.name }}' + # echo "Matrix Image Name: $matrix_image_name" + # image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' + # image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' - echo "Image Name: $image_name" - echo "Image Digest: $image_digest" - echo "Image Artifact: $image_name@$image_digest" + # echo "Image Name: $image_name" + # echo "Image Digest: $image_digest" + # echo "Image Artifact: $image_name@$image_digest" - echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT - echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT - echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> 
$GITHUB_OUTPUT + # echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + # echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + # echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT - # - name: Login to Docker Hub - # uses: docker/login-action@v3 - # with: - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN }} + # # - name: Login to Docker Hub + # # uses: docker/login-action@v3 + # # with: + # # username: ${{ secrets.DOCKERHUB_USERNAME }} + # # password: ${{ secrets.DOCKERHUB_TOKEN }} - test: - needs: - - build - uses: ./.github/workflows/e2e-tests.yml - with: - staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} - staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} - staging_image_tests: ${{ needs.build.outputs.image-name-tests }} - - # test-contrast: + # test: # needs: # - build # uses: ./.github/workflows/e2e-tests.yml # with: - # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime }} + # staging_image_runtime_with_contrast: ${{ needs.build.outputs.image-name-runtime-with-contrast }} # staging_image_tests: ${{ needs.build.outputs.image-name-tests }} - # secrets: - # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} + + # # test-contrast: + # # needs: + # # - build + # # uses: ./.github/workflows/e2e-tests.yml + # # with: + # # staging_image_runtime: ${{ needs.build.outputs.image-name-runtime-with-contrast }} + # # staging_image_tests: ${{ needs.build.outputs.image-name-tests }} + # # secrets: + # # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} - # - # Release Internal - # - release-internal: - needs: - - prepare - - build - - test - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - attestations: write - id-token: write - strategy: - fail-fast: 
false - matrix: - image: - - name: runtime - - name: runtime-with-contrast - - name: tests - steps: + # # + # # Release Internal + # # + # release-internal: + # needs: + # - prepare + # - build + # - test + # runs-on: ubuntu-latest + # permissions: + # contents: read + # packages: write + # attestations: write + # id-token: write + # strategy: + # fail-fast: false + # matrix: + # image: + # - name: runtime + # - name: runtime-with-contrast + # - name: tests + # steps: - - name: Extract metadata - id: release-meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=true - annotations: | - org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos - org.opencontainers.image.vendor=Contrast Security - tags: | - type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} - type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} + # - name: Extract metadata + # id: release-meta + # uses: docker/metadata-action@v5 + # with: + # images: | + # ghcr.io/${{ github.repository }} + # flavor: | + # latest=true + # annotations: | + # org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos + # org.opencontainers.image.vendor=Contrast Security + # tags: | + # type=semver,pattern={{version}},prefix=contrast,value=${{ 
needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + # type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + # type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} + # type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} + # type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + # - name: Login to GHCR + # uses: docker/login-action@v3 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} - - name: Release image (internal) - uses: akhilerm/tag-push-action@v2.1.0 - with: - src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} - dst: | - ${{ steps.release-meta.outputs.tags }} + # - name: Release image (internal) + # uses: akhilerm/tag-push-action@v2.1.0 + # with: + # src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + # dst: | + # ${{ steps.release-meta.outputs.tags }} From 4b5100900cfc29672ed7e716089e55a3e6928a34 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 15:41:46 +0100 Subject: [PATCH 229/234] splitting base image build --- .github/workflows/docker-images-single.yml | 65 ++++++++++++++++------ 1 file changed, 49 insertions(+), 16 deletions(-) diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml index 4b16752d..52dc2024 100644 --- a/.github/workflows/docker-images-single.yml +++ b/.github/workflows/docker-images-single.yml 
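Review bot: Commenting out the `build`, `test` and `release-internal` jobs leaves roughly 200 lines of dead YAML in the workflow, including a second layer of already-commented lines (`# # - name: Login to Docker Hub`) that can no longer be told apart from real comments. Git keeps the history, so deleting the block is cleaner; if the jobs are meant to come back, `if: false` on each job keeps them parsed and validated instead of silently rotting. The dead block still names `secrets.CONTRAST_API_TOKEN` and `secrets.DOCKERHUB_*`, which is a lint nuisance rather than an exposure, but it is one more reason to remove rather than comment.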
@@ -33,22 +33,7 @@ jobs: CONTRAST_VERSION=$(docker image inspect contrast/agent-dotnet-core:latest --format '{{ index .Config.Labels "org.opencontainers.image.version" }}') echo "Contrast agent version: ${CONTRAST_VERSION}" echo "contrast_version=${CONTRAST_VERSION}" >> $GITHUB_OUTPUT - - - name: Extract metadata - id: docker-meta - uses: docker/metadata-action@v5 - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=false - annotations: | - org.opencontainers.image.vendor=Contrast Security - tags: | - type=ref,event=branch - type=ref,event=pr + # MULTISTAGE DOCKERFILE - first create and push the build stage to speed up # subsequent builds. @@ -95,6 +80,22 @@ jobs: - name: Docker Setup Buildx uses: docker/setup-buildx-action@v3 + - name: Extract metadata + id: docker-meta + uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + with: + images: | + ghcr.io/${{ github.repository }} + flavor: | + latest=false + annotations: | + org.opencontainers.image.vendor=Contrast Security + tags: | + type=ref,event=branch + type=ref,event=pr + - name: Check tags run: | echo "Tags: ${{ needs.prepare.outputs.docker-meta-json.tags }}" 
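Review bot: Moving the `docker-meta` step out of `prepare` into `docker-build` leaves the `prepare` outputs `docker-meta-json` and `docker-meta-bake-file` (added in the previous commit) pointing at a step that no longer exists in that job, so they resolve to empty strings, and the `Check tags` step at the end of this hunk still reads `needs.prepare.outputs.docker-meta-json.tags`. Since the step is now local to `docker-build`, its consumers should use `${{ steps.docker-meta.outputs.bake-file }}` and `${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}`, and the two `prepare` outputs can be deleted. The `Check tags` step starts in this hunk but its remaining lines are outside it.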
@@ -138,6 +139,38 @@ jobs: echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT + - name: Build all Docker images for this PR + id: bake-pr + uses: docker/bake-action@v6 + with: + files: | + docker-bake.hcl + cwd://${{ steps.docker-meta.outputs.bake-file}} + push: false + set: | + *.platform=linux/amd64 + *.platform=linux/arm64 + *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache + *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max + + - name: Inspect the created images + id: inspect-pr + run: | + + matrix_image_name='${{ matrix.image.name }}' + echo "Matrix Image Name: $matrix_image_name" + image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' + image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + + echo "Image Name: $image_name" + echo "Image Digest: $image_digest" + echo "Image Artifact: $image_name@$image_digest" + + echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT + echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT + echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT + #TODO: Then share the base image with other jobs via cache # build: From 6c714191d7c1c05e6a0a428a3ba6c4140ba1b45e Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 16:11:02 +0100 Subject: [PATCH 230/234] splitting base image build --- .github/workflows/docker-images.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 2034a141..95bb81f9 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
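Review bot: The added `bake-pr` and `inspect-pr` steps reference `matrix.image.name` and `needs.build-base.outputs.image-name-base`, but the `docker-build` job has no `strategy.matrix` and `build-base` no longer exists after the rename, so the cache refs collapse to `ghcr.io/<repo>:-buildcache` and `-buildcache`, and `fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]` indexes the bake metadata with an empty key. Either give this job the image matrix and `needs` that the commented-out `build` job had, or drop the matrix indirection and name the targets literally. Without a `targets:` entry the bake builds the bake file's default group, which is presumably all targets rather than one per leg. `push: false` combined with a registry `cache-to` still publishes the PR's build cache; that matches the cache comment earlier in the file but deserves a one-line note on the step.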
@@ -206,9 +206,7 @@ jobs: org.opencontainers.image.vendor=Contrast Security tags: | type=ref,event=branch,suffix=-${{ matrix.image.name }} - type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} type=ref,event=pr,suffix=-${{ matrix.image.name }} - type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} - name: Pull base image run: | @@ -249,6 +247,12 @@ jobs: echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT + # Add in semver tagging for agent versions (if desired) + # type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + # type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} + + + # - name: Login to Docker Hub # uses: docker/login-action@v3 # with: From c95a5cf011731b1639534db820461f6d38995513 Mon Sep 17 00:00:00 2001 From: Taylor Mowat Date: Wed, 23 Jul 2025 16:18:46 +0100 Subject: [PATCH 231/234] splitting base image build --- .github/workflows/docker-images.yml | 11 +++-- .github/workflows/release-testing.yml | 68 ++++----------------------- 2 files changed, 15 insertions(+), 64 deletions(-) diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml index 95bb81f9..77638bd7 100644 --- a/.github/workflows/docker-images.yml +++ b/.github/workflows/docker-images.yml 
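Review bot: The agent-version tag patterns removed from `tags:` in the first hunk reappear in the second hunk as commented-out text after the `Inspect the created images` step, far from the `tags:` list they belong to, where a reader will not look for them. Either drop them (git history keeps them) or keep them next to the other patterns using the metadata-action's own switch instead of the `&& ... || null` trick, e.g. `type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }}`. The `enable=` form is already used elsewhere in this series, so it would also keep the two workflows consistent.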
@@ -247,6 +247,7 @@ jobs: echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT + # TODO: # Add in semver tagging for agent versions (if desired) # type=ref,event=branch,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} # type=ref,event=pr,suffix=-${{ matrix.image.name }}${{ matrix.image.name == 'runtime-with-contrast' && needs.prepare.outputs.contrast_version || null }} @@ -281,6 +282,9 @@ jobs: # contrast_api_token: ${{ secrets.CONTRAST_API_TOKEN }} + # + # Release Internal + # # # Release Internal # @@ -288,7 +292,6 @@ jobs: needs: - prepare - build - - test runs-on: ubuntu-latest permissions: contents: read @@ -311,7 +314,7 @@ jobs: images: | ghcr.io/${{ github.repository }} flavor: | - latest=true + latest=false annotations: | org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos org.opencontainers.image.vendor=Contrast Security @@ -330,8 +333,8 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Release image (internal) - uses: akhilerm/tag-push-action@v2.1.0 + uses: akhilerm/tag-push-action@v2.2.0 with: - src: ${{ needs.build.outputs[format('image-name-{0}', matrix.image.name)] }} + src: ghcr.io/contrast-security-oss/demo-netflicks:pr-8-${{ matrix.image.name }} dst: | ${{ steps.release-meta.outputs.tags }} diff --git a/.github/workflows/release-testing.yml b/.github/workflows/release-testing.yml index cbb91492..659be48d 100644 --- a/.github/workflows/release-testing.yml +++ b/.github/workflows/release-testing.yml @@ -1,14 +1,14 @@ name: Release Docker Images on: - push: - branches: - - main - tags: - - v* - pull_request: - branches: - - main + # push: + # branches: + # - main + # tags: + # - v* + # pull_request: + # branches: + # - main workflow_dispatch: inputs: 
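Review bot: `src: ghcr.io/contrast-security-oss/demo-netflicks:pr-8-${{ matrix.image.name }}` in the `Release image (internal)` step hard-codes a mutable pull-request tag as the artifact being promoted, replacing the reference the build job produced; whatever currently sits under that tag is re-tagged as the release, not the image this run built, and the same commit drops `- test` from the job's `needs`. The build job already exports an `image-artifact-<name>` output in `name@digest` form, so the source should be digest-pinned: `src: ${{ needs.build.outputs[format('image-artifact-{0}', matrix.image.name)] }}`. If the pr-8 value is a local debugging shortcut it should not reach the release path. While touching this line, the third-party `akhilerm/tag-push-action` is pinned only to the mutable tag `v2.2.0`; pin it to a commit SHA so the action that gets registry write access cannot change underneath you.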
@@ -102,56 +102,4 @@ jobs: echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT - # - # Release Internal - # - release-internal: - needs: - - prepare - - build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - attestations: write - id-token: write - strategy: - fail-fast: false - matrix: - image: - - name: runtime - - name: runtime-with-contrast - - name: tests - steps: - - name: Extract metadata - id: release-meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/${{ github.repository }} - flavor: | - latest=false - annotations: | - org.opencontainers.image.description=A deliberately vulnerable .NET Core Application for Contrast Security demos - org.opencontainers.image.vendor=Contrast Security - tags: | - type=semver,pattern={{version}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}}.{{minor}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=semver,pattern={{major}},prefix=contrast,value=${{ needs.prepare.outputs.contrast_version }},enable=${{ matrix.image.name == 'runtime-with-contrast' }} - type=raw,value=${{ matrix.image.name == 'runtime-with-contrast' && 'latest-contrast' || 'latest' }},enable=${{ matrix.image.name != 'tests' }} - type=raw,value=tests,enable=${{ matrix.image.name == 'tests' }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Release image (internal) - uses: akhilerm/tag-push-action@v2.2.0 - with: - src: ghcr.io/contrast-security-oss/demo-netflicks:pr-8-${{ matrix.image.name }} - dst: | - ${{ steps.release-meta.outputs.tags }} From 627d3778e51876181503cb98a36af45148e1a574 Mon Sep 17 00:00:00 2001 
From: Taylor Mowat
Date: Wed, 23 Jul 2025 16:39:07 +0100
Subject: [PATCH 232/234] splitting base image build
---
.github/workflows/docker-images.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml
index 77638bd7..36fce6f5 100644
--- a/.github/workflows/docker-images.yml
+++ b/.github/workflows/docker-images.yml
@@ -292,6 +292,7 @@ jobs:
needs:
- prepare
- build
+ - test
runs-on: ubuntu-latest
permissions:
contents: read
From ee872b0b4548893855382969d2e2979b954b6b06 Mon Sep 17 00:00:00 2001
From: Taylor Mowat
Date: Wed, 23 Jul 2025 16:45:37 +0100
Subject: [PATCH 233/234] splitting base image build
---
.github/workflows/docker-images-single.yml | 66 +++++++++++-----------
1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml
index 52dc2024..736221cf 100644
--- a/.github/workflows/docker-images-single.yml
+++ b/.github/workflows/docker-images-single.yml
@@ -98,9 +98,9 @@ jobs:
- name: Check tags
run: |
- echo "Tags: ${{ needs.prepare.outputs.docker-meta-json.tags }}"
- echo "JSON: ${{ needs.prepare.outputs.docker-meta-json }}"
- echo "Bake file: ${{ needs.prepare.outputs.docker-meta-bake-file }}"
+ echo "Tags: ${{ steps.docker-meta.outputs.tags }}"
+ echo "JSON: ${{ steps.docker-meta.outputs.json }}"
+ echo "Bake file: ${{ steps.docker-meta.outputs.bake-file }}"
# To speed up the builds, we use caching of the docker image layers.
# Cache rules:
@@ -114,7 +114,7 @@ jobs:
with:
files: |
docker-bake.hcl
- cwd://${{ needs.prepare.outputs.docker-meta-bake-file }}
+ cwd://${{ steps.docker-meta.outputs.bake-file }}
targets: |
build
push: true
@@ -122,8 +122,8 @@ jobs:
*.platform=linux/amd64
*.platform=linux/arm64
*.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:base-buildcache
- *.cache-from=type=registry,ref=${{ needs.prepare.outputs.docker-meta-json.tags }}-buildcache
- *.cache-to=type=registry,ref=${{ needs.prepare.outputs.docker-meta-json.tags }}-buildcache,mode=max
+ *.cache-from=type=registry,ref=${{ steps.docker-meta.outputs.json.tags }}-buildcache
+ *.cache-to=type=registry,ref=${{ steps.docker-meta.outputs.json.tags }}-buildcache,mode=max
- name: Inspect the created images
id: inspect
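Review bot: `${{ steps.docker-meta.outputs.json.tags }}` in both the new `cache-from` and `cache-to` lines looks like it evaluates to empty: step outputs are strings, so `.tags` is a property lookup on the raw `json` string rather than on a parsed object, and the cache ref collapses to `-buildcache`. The removed side had the same shape with `needs.prepare.outputs.docker-meta-json.tags`, so this hunk carries the problem over rather than fixing it. Parse explicitly and pick one tag, e.g. `ref=${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}-buildcache`; the `tags` output itself is a newline-separated list, so the whole list cannot serve as a single ref either. Confirm against a run log, since an empty ref would most likely surface as a buildx error on this step.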
@@ -139,37 +139,37 @@ jobs: echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT - - name: Build all Docker images for this PR - id: bake-pr - uses: docker/bake-action@v6 - with: - files: | - docker-bake.hcl - cwd://${{ steps.docker-meta.outputs.bake-file}} - push: false - set: | - *.platform=linux/amd64 - *.platform=linux/arm64 - *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache - *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache - *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max + # - name: Build all Docker images for this PR + # id: bake-pr + # uses: docker/bake-action@v6 + # with: + # files: | + # docker-bake.hcl + # cwd://${{ steps.docker-meta.outputs.bake-file}} + # push: false + # set: | + # *.platform=linux/amd64 + # *.platform=linux/arm64 + # *.cache-from=type=registry,ref=ghcr.io/${{ github.repository }}:${{ matrix.image.name }}-buildcache + # *.cache-from=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache + # *.cache-to=type=registry,ref=${{ needs.build-base.outputs.image-name-base }}-buildcache,mode=max - - name: Inspect the created images - id: inspect-pr - run: | + # - name: Inspect the created images + # id: inspect-pr + # run: | - matrix_image_name='${{ matrix.image.name }}' - echo "Matrix Image Name: $matrix_image_name" - image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' - image_digest='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}' + # matrix_image_name='${{ matrix.image.name }}' + # echo "Matrix Image Name: $matrix_image_name" + # image_name='${{ fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['image.name'][0] }}' + # image_digest='${{ 
fromJSON(steps.bake-pr.outputs.metadata)[matrix.image.name]['containerimage.digest'] }}'
- echo "Image Name: $image_name"
- echo "Image Digest: $image_digest"
- echo "Image Artifact: $image_name@$image_digest"
+ # echo "Image Name: $image_name"
+ # echo "Image Digest: $image_digest"
+ # echo "Image Artifact: $image_name@$image_digest"
- echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT
- echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT
- echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT
+ # echo "image-name-${{ matrix.image.name }}=$image_name" >> $GITHUB_OUTPUT
+ # echo "image-digest-${{ matrix.image.name }}=$image_digest" >> $GITHUB_OUTPUT
+ # echo "image-artifact-${{ matrix.image.name }}=$image_name@$image_digest" >> $GITHUB_OUTPUT
#TODO: Then share the base image with other jobs via cache
From 61baaaf708fc528f9a660ec4a0745346cf4fb9cd Mon Sep 17 00:00:00 2001
From: Taylor Mowat
Date: Wed, 23 Jul 2025 16:56:38 +0100
Subject: [PATCH 234/234] splitting base image build
---
.github/workflows/docker-images-single.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.github/workflows/docker-images-single.yml b/.github/workflows/docker-images-single.yml
index 736221cf..4a3913f0 100644
--- a/.github/workflows/docker-images-single.yml
+++ b/.github/workflows/docker-images-single.yml
@@ -139,6 +139,11 @@ jobs:
echo "image-digest-base=$image_digest" >> $GITHUB_OUTPUT
echo "image-artifact-base=$image_name@$image_digest" >> $GITHUB_OUTPUT
+ - name: Adding markdown
+ run: |
+ echo '### Internal Docker Images ready for testing! 🚀' >> $GITHUB_STEP_SUMMARY
+ echo ' - $image_name' >> $GITHUB_STEP_SUMMARY
+
# - name: Build all Docker images for this PR
# id: bake-pr
# uses: docker/bake-action@v6
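Review bot: The `@@ -139,37 +139,37 @@` hunk comments out the `bake-pr` and `inspect-pr` steps instead of deleting them; the hunk starts on the previous line and the enclosing job continues outside it. Commented-out workflow steps go stale fast (these still reference `needs.build-base.outputs.image-name-base` and `matrix.image.name`, which may not exist in this job any more) and git history already preserves them, so removing the block and noting the intent in the existing `#TODO: Then share the base image with other jobs via cache` comment is the cleaner form.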
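Review bot: `echo ' - $image_name' >> $GITHUB_STEP_SUMMARY` in the new `Adding markdown` step writes the literal text `$image_name` to the summary: single quotes suppress expansion, and even with double quotes the variable was set in the previous step's shell and does not survive into this one. Use the output that step already exports, e.g. `env: IMAGE: ${{ steps.inspect.outputs.image-name-base }}` on the step and `echo " - $IMAGE" >> "$GITHUB_STEP_SUMMARY"`; routing it through `env:` instead of inlining `${{ }}` into the script also keeps the step free of expression injection. The step id `inspect` is inferred from the `Inspect the created images` step shown earlier in this file's diffs, so confirm the id before relying on it.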