Skip to content

Dockerfile#110

Open
abhishekagrawal-atlan wants to merge 47 commits intomainfrom
dockerfile
Open

Dockerfile#110
abhishekagrawal-atlan wants to merge 47 commits intomainfrom
dockerfile

Conversation

@abhishekagrawal-atlan
Copy link
Copy Markdown
Contributor

@abhishekagrawal-atlan abhishekagrawal-atlan commented Nov 13, 2025

Changelog

  • to be added

Additional context (e.g. screenshots, logs, links)

  • to be added

Checklist

  • Additional tests added
  • All CI checks passed
  • Relevant documentation updated

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 13, 2025
edited
Loading

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines Covered Coverage Threshold Status
391 384 98% 0% 🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: 7702c0b by action🐍

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 13, 2025
edited
Loading

📦 Trivy Vulnerability Scan Results

Schema Version Created At Artifact Type
2 2026-01-06T11:59:50.5173711Z . filesystem

Report Summary

Target Type Vulnerabilities . filesystem ✅ None found

Scan Result Details

✅ No vulnerabilities found during the scan for ..

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 13, 2025
edited
Loading

📦 Trivy Secret Scan Results

Schema Version Created At Artifact Type
2 2026-01-06T12:00:04.925444235Z . filesystem

Report Summary

Target Type Secrets . filesystem ✅ None found

Scan Result Details

✅ No secrets found during the scan for ..

github-advanced-security[bot]
github-advanced-security AI found potential problems Nov 13, 2025
View reviewed changes
Comment thread .github/workflows/build-image.yaml Fixed
github-advanced-security[bot]
github-advanced-security AI found potential problems Nov 13, 2025
View reviewed changes
Comment thread .github/workflows/build-image.yaml Fixed
github-advanced-security[bot]
github-advanced-security AI found potential problems Nov 13, 2025
View reviewed changes
Comment thread .github/workflows/verify-snyk-status.yaml Outdated
github-advanced-security[bot]
github-advanced-security AI found potential problems Nov 14, 2025
View reviewed changes
Comment thread .github/workflows/build-image.yaml Outdated
Comment on lines +17 to +120
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.app }}
cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
timeout-minutes: 20
strategy:
matrix:
app:
- quickstart/ai_giphy
- quickstart/giphy
- quickstart/hello_world
- quickstart/polyglot
- connectors/mysql
- connectors/anaplan
- templates/generic

steps:
# Checkout current repo (your app)
- uses: actions/checkout@v4.0.0
with:
fetch-depth: 0
token: ${{ secrets.ORG_PAT_GITHUB }}

# Checkout the private atlanhq/.github repo to a folder
- name: Checkout private action repo
uses: actions/checkout@v4
with:
repository: atlanhq/.github
token: ${{ secrets.ORG_PAT_GITHUB }}
path: private_github

- name: Get branch name
run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
id: get_branch

- run: echo "REPOSITORY_NAME=`echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}' | sed -e "s/:refs//"`" >> $GITHUB_ENV
shell: bash

- name: Get version tag
run: echo "version=$(echo `git ls-remote https://${{ secrets.ORG_PAT_GITHUB }}@github.com/atlanhq/${REPOSITORY_NAME}.git ${{ steps.get_branch.outputs.branch }} | awk '{ print $1}' | cut -c1-7`)abcd" >> $GITHUB_OUTPUT
id: get_version

- name: Lowercase branch name
run: echo "lowercase_branch=$(echo '${{ steps.get_branch.outputs.branch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
id: get_lowercase_branch

- name: Normalize app name for image tags
run: echo "app_name=$(echo '${{ matrix.app }}' | tr '/' '-')" >> $GITHUB_OUTPUT
id: get_app_name

- name: Set up Buildx
id: buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2

- name: Login to GitHub Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
with:
registry: ghcr.io
username: $GITHUB_ACTOR
password: ${{ secrets.ORG_PAT_GITHUB }}

- name: Build and push docker image to GHCR
id: ghcr_docker_build
uses: ./private_github/.github/actions/secure-build-push-apps
with:
branch: ${{ github.ref_name }}
snyk-token: ${{ secrets.SNYK_TOKEN_BU_APPS }}
context: ./${{ matrix.app }}
file: ./${{ matrix.app }}/Dockerfile
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}-${{ steps.get_lowercase_branch.outputs.lowercase_branch }}:latest
ghcr.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}-${{ steps.get_lowercase_branch.outputs.lowercase_branch }}:${{ steps.get_version.outputs.version }}
build-args: |
ACCESS_TOKEN_USR=$GITHUB_ACTOR
ACCESS_TOKEN_PWD=${{ secrets.ORG_PAT_GITHUB }}
env:
DOCKER_CLIENT_TIMEOUT: 600
COMPOSE_HTTP_TIMEOUT: 600

# Login to Docker Hub
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: atlanhq
password: ${{ secrets.DOCKER_HUB_PAT_RW }}

- name: Build and push docker image to Docker Hub
id: docker_build
uses: ./private_github/.github/actions/secure-build-push-apps
with:
branch: ${{ github.ref_name }}
snyk-token: ${{ secrets.SNYK_TOKEN_BU_APPS }}
context: ./${{ matrix.app }}
file: ./${{ matrix.app }}/Dockerfile
push: true
platforms: linux/amd64,linux/arm64
tags: |
registry-1.docker.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}:${{ steps.get_branch.outputs.branch }}-${{ steps.get_version.outputs.version }}
registry-1.docker.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}:${{ steps.get_branch.outputs.branch }}-latest
env:
DOCKER_CLIENT_TIMEOUT: 300
COMPOSE_HTTP_TIMEOUT: 300

Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}
@abhishekagrawal-atlan
chore: adding Dockerfile for all the utility apps
d253805
@abhishekagrawal-atlan
chore: making generic app use chainguard image
6867a7a
@abhishekagrawal-atlan
chore: updated the base-image and added secure-build-push action
ce688f4
@abhishekagrawal-atlan
fix: build-image wf
dc3eba0
@abhishekagrawal-atlan
fix: Dockerfile
b8daba8
@abhishekagrawal-atlan
chore: removing upload image to dockerhub
0cc2320 
- lack of permissions on the token to upload the image.

#42 exporting to image
#42 pushing layers 0.8s done
#42 ERROR: failed to push registry-1.docker.io/atlanhq/atlan-sample-apps-utilities-workflows_observability:dockerfile-b8daba8abcd: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fatlan-sample-apps-utilities-workflows_observability%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
------
 > exporting to image:
------
ERROR: failed to build: failed to solve: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fatlan-sample-apps-utilities-workflows_observability%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
Reference
Check build summary support
Error: buildx failed with: ERROR: failed to build: failed to solve: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fatlan-sample-apps-utilities-workflows_observability%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
@abhishekagrawal-atlan
chore: adding uv.lock for polyglot app
9bb82ec
@abhishekagrawal-atlan abhishekagrawal-atlan marked this pull request as ready for review December 15, 2025 13:39
Copilot AI review requested due to automatic review settings December 15, 2025 13:39
Copilot AI reviewed Dec 15, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Dockerfiles for multiple applications and establishes comprehensive CI/CD workflows including security scanning with Snyk and Trivy. The changes standardize containerization across quickstart examples, connectors, and utilities while introducing automated security checks.

  • Adds standardized Dockerfiles across 9 applications using Chainguard base images with Dapr integration
  • Implements GitHub Actions workflows for pre-commit checks, container scanning (Snyk/Trivy), and automated image builds
  • Removes uv.lock from .gitignore for the polyglot quickstart

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 35 comments.

Show a summary per file
File Description
utilities/workflows_observability/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
utilities/freshness_monitor/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
utilities/asset_descriptor_reminder/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
templates/generic/Dockerfile Refactored to use application-sdk-chainguard-image base and Dapr 1.16.2
quickstart/polyglot/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
quickstart/polyglot/.gitignore Removed uv.lock exclusion to track dependency locks
quickstart/hello_world/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
quickstart/giphy/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
quickstart/ai_giphy/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
connectors/mysql/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
connectors/anaplan/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
.github/workflows/verify-snyk-status.yaml Workflow to verify Snyk PR check status
.github/workflows/trivy-container.yaml Reusable workflow for Trivy container scanning
.github/workflows/snyk-container-scan.yaml Workflow for Snyk container scanning with Slack notifications
.github/workflows/schedule.yaml Scheduled workflow for stale PR cleanup and Trivy scans
.github/workflows/docstring-coverage.yaml Workflow to check docstring coverage on PRs
.github/workflows/commits.yaml Workflow to validate conventional commit format
.github/workflows/checks.yaml Pre-commit checks workflow with app discovery
.github/workflows/build-image.yaml Multi-app Docker image build and push workflow
.github/actions/secure_build_push_apps/action.yaml Composite action for building, scanning, and pushing Docker images with Snyk/Trivy
Comments suppressed due to low confidence (10)

utilities/workflows_observability/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

quickstart/polyglot/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

connectors/anaplan/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

utilities/asset_descriptor_reminder/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

templates/generic/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.2

quickstart/hello_world/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

quickstart/ai_giphy/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

connectors/mysql/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

utilities/freshness_monitor/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

quickstart/giphy/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread quickstart/giphy/Dockerfile Outdated
Comment thread .github/workflows/schedule.yaml
Comment thread quickstart/polyglot/Dockerfile Outdated
Comment thread quickstart/hello_world/Dockerfile Outdated
Comment thread .github/workflows/commits.yaml
Comment thread utilities/freshness_monitor/Dockerfile Outdated
Comment thread quickstart/hello_world/Dockerfile Outdated
Comment thread connectors/mysql/Dockerfile Outdated
Comment thread connectors/anaplan/Dockerfile Outdated
Comment thread utilities/asset_descriptor_reminder/Dockerfile Outdated
vishnub-atlan
vishnub-atlan previously approved these changes Dec 16, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@vishnub-atlan vishnub-atlan vishnub-atlan left review comments

@firecast firecast Awaiting requested review from firecast

@inishchith inishchith Awaiting requested review from inishchith

@AtMrun AtMrun Awaiting requested review from AtMrun

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@abhishekagrawal-atlan @github-advanced-security @vishnub-atlan @nishantmunjal7 @AtMrun