diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2c7d170
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
new file mode 100644
index 0000000..da112d5
--- /dev/null
+++ b/.github/workflows/cicd.yml
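Review bot: The only `updates` entry is `package-ecosystem: "github-actions"`, so the base-image tag `eclipse-temurin:11.0.13_8-jdk-focal` that both Dockerfiles in this commit pin will never get a bump or a digest refresh — the images that are scanned and pushed by the new workflow are exactly the ones left unmonitored. Add a `docker` entry for the repository root alongside the existing one; Dependabot's docker support should also pick up `Dockerfile-ffmpeg` since it matches on the file name, but that is worth confirming on the first run. Note that Dependabot can only bump actions referenced by a tag or SHA, so a `@master` reference in the workflow stays outside its reach regardless of this file.
```yaml
updates:
  # … unchanged: github-actions entry …
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
```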
@@ -0,0 +1,138 @@
+name: cicd
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ # Check out code
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Prepare
+ id: prep
+ run: |
+ TAG=${GITHUB_REF#refs/*/}
+ IMAGE="thetonio96/wildfly"
+ echo ::set-output name=tagged_image::${IMAGE}:${TAG}
+ echo ::set-output name=tag::${TAG}
+ # This is the a separate action that sets up buildx runner
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v1.6.0
+ with:
+ install: true
+ - name: Cache Docker layers
+ uses: actions/cache@v2
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-single-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-single-buildx
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build production image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ builder: ${{ steps.buildx.outputs.name }}
+ file: ./Dockerfile
+ push: true
+ tags: ${{ steps.prep.outputs.tagged_image }}
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new
+ platforms: linux/amd64,linux/arm64,linux/arm/v7
+ # This ugly bit is necessary if you don't want your cache to grow forever
+ # till it hits GitHub's limit of 5GB.
+ # Temp fix
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "${{ steps.prep.outputs.tagged_image }}"
+ format: "template"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-results.sarif"
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: "trivy-results.sarif"
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+ build-ffmpeg:
+ runs-on: ubuntu-latest
+ steps:
+ # Check out code
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Prepare
+ id: prep
+ run: |
+ TAG=${GITHUB_REF#refs/*/}
+ IMAGE="thetonio96/wildfly"
+ echo ::set-output name=tagged_image::${IMAGE}:ffmpeg-${TAG}
+ echo ::set-output name=tag::${TAG}
+ # This is the a separate action that sets up buildx runner
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v1.6.0
+ with:
+ install: true
+ - name: Cache Docker layers
+ uses: actions/cache@v2
+ with:
+ path: /tmp/.buildx-ffmpeg-cache
+ key: ${{ runner.os }}-single-buildx-ffmpeg-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-single-buildx-ffmpeg
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build production image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ builder: ${{ steps.buildx.outputs.name }}
+ file: ./Dockerfile-ffmpeg
+ push: true
+ tags: ${{ steps.prep.outputs.tagged_image }}
+ cache-from: type=local,src=/tmp/.buildx-ffmpeg-cache
+ cache-to: type=local,dest=/tmp/.buildx-ffmpeg-cache-new
+ platforms: linux/amd64,linux/arm64,linux/arm/v7
+ # This ugly bit is necessary if you don't want your cache to grow forever
+ # till it hits GitHub's limit of 5GB.
+ # Temp fix
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "${{ steps.prep.outputs.tagged_image }}"
+ format: "template"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-results.sarif"
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: "trivy-results.sarif"
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-ffmpeg-cache
+ mv /tmp/.buildx-ffmpeg-cache-new /tmp/.buildx-ffmpeg-cache
+
+# Document was created using the following as an example:
+# https://evilmartians.com/chronicles/build-images-on-github-actions-with-docker-layer-caching
diff --git a/Dockerfile b/Dockerfile
index 89c6486..733cc9e 100644
--- a/Dockerfile
+++ b/Dockerfile
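Review bot: The Trivy step in each job runs only after `push: true` has already published the tagged image, and it sets no `exit-code` or `severity`, so findings land in the Security tab but never fail the release or stop the image from being pulled — the scan is informational, not a gate. `aquasecurity/trivy-action@master` is also a mutable branch ref that the new Dependabot config will not bump (it tracks tags and SHAs), so pin it to a release tag or commit SHA like the other actions; if the build must be blocked the scan has to run before the push (a single-platform `load: true` build, scan, then the multi-platform push step), otherwise at minimum make it fail on findings and keep the SARIF upload with `if: always()`. Neither job declares `permissions`, so the `GITHUB_TOKEN` carries the repository default scope although only `upload-sarif` needs `security-events: write`; a top-level `permissions: { contents: read, security-events: write }` keeps it least-privilege. The Trivy block is duplicated verbatim in `build-ffmpeg`; apply the same change there.
```yaml
permissions:
  contents: read
  security-events: write
# … unchanged: on, jobs.build steps through Build production image …
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>  # not a branch
        with:
          image-ref: "${{ steps.prep.outputs.tagged_image }}"
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
          exit-code: "1"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: "trivy-results.sarif"
# … unchanged: Move cache step, build-ffmpeg job (same edit) …
```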
@@ -1,25 +1,47 @@ -FROM adoptopenjdk:11.0.11_9-jdk-hotspot-focal +FROM eclipse-temurin:11.0.13_8-jdk-focal # explicitly set user/group IDs RUN groupadd -r wildfly --gid=1023 && useradd -r -g wildfly --uid=1023 -d /opt/wildfly wildfly +RUN apt-get update \ + && apt-get install -y gnupg netcat-openbsd unzip \ + && rm -rf /var/lib/apt/lists/* + # grab gosu for easy step-down from root ENV GOSU_VERSION 1.13 -RUN arch="$(dpkg --print-architecture)" \ - && set -x \ - && apt-get update \ - && apt-get install -y gnupg netcat-openbsd unzip \ - && rm -rf /var/lib/apt/lists/* \ - && curl -o /usr/local/bin/gosu -fSL "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \ - && curl -o /usr/local/bin/gosu.asc -fSL "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch.asc" \ - && export GNUPGHOME="$(mktemp -d)" \ - && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \ - && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \ - && gpgconf --kill all \ - && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \ - && chmod +x /usr/local/bin/gosu \ - && gosu --version \ - && gosu nobody true +RUN set -eux; \ + # save list of currently installed packages for later so we can clean up + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends ca-certificates wget; \ + if ! command -v gpg; then \ + apt-get install -y --no-install-recommends gnupg2 dirmngr; \ + elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \ + # "This package provides support for HKPS keyservers." 
(GnuPG 1.x only) + apt-get install -y --no-install-recommends gnupg-curl; \ + fi; \ + rm -rf /var/lib/apt/lists/*; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ + # verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + command -v gpgconf && gpgconf --kill all || :; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + # clean up fetch dependencies + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ + chmod +x /usr/local/bin/gosu; \ + # verify that the binary works + gosu --version; \ + gosu nobody true ENV WILDFLY_VERSION=24.0.1.Final \ KEYCLOAK_VERSION=15.0.2 \ diff --git a/Dockerfile-ffmpeg b/Dockerfile-ffmpeg index 5e004bf..d3b1e68 100644 --- a/Dockerfile-ffmpeg +++ b/Dockerfile-ffmpeg 
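Review bot: The first added `RUN apt-get update && apt-get install -y gnupg netcat-openbsd unzip` installs gnupg (without `--no-install-recommends`, so its recommends come too) one layer before the gosu block captures `savedAptMark`, which means the gosu block's `apt-mark auto '.*'` / `apt-get purge -y --auto-remove` cleanup re-marks gnupg as manual and leaves it in the runtime image — the only thing that cleanup actually removes is `wget` and whatever it pulled in. If nothing after this hunk needs gpg (the `ENV WILDFLY_VERSION`/`KEYCLOAK_VERSION` download logic starts at the hunk edge and continues outside it, so that cannot be confirmed here), drop `gnupg` from that line and let the gosu block's existing `gnupg2 dirmngr` branch install and purge it; otherwise at least add `--no-install-recommends`. The base bump to `eclipse-temurin:11.0.13_8-jdk-focal` is tag-only; a `@sha256:<digest>` suffix makes the release build reproducible and keeps a re-tagged upstream image from silently changing what gets scanned and pushed.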
@@ -1,25 +1,47 @@ -FROM adoptopenjdk:11.0.11_9-jdk-hotspot-focal +FROM eclipse-temurin:11.0.13_8-jdk-focal # explicitly set user/group IDs RUN groupadd -r wildfly --gid=1023 && useradd -r -g wildfly --uid=1023 -d /opt/wildfly wildfly +RUN apt-get update \ + && apt-get install -y gnupg netcat-openbsd unzip ffmpeg \ + && rm -rf /var/lib/apt/lists/* + # grab gosu for easy step-down from root ENV GOSU_VERSION 1.13 -RUN arch="$(dpkg --print-architecture)" \ - && set -x \ - && apt-get update \ - && apt-get install -y gnupg netcat-openbsd unzip ffmpeg \ - && rm -rf /var/lib/apt/lists/* \ - && curl -o /usr/local/bin/gosu -fSL "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \ - && curl -o /usr/local/bin/gosu.asc -fSL "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch.asc" \ - && export GNUPGHOME="$(mktemp -d)" \ - && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \ - && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \ - && gpgconf --kill all \ - && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \ - && chmod +x /usr/local/bin/gosu \ - && gosu --version \ - && gosu nobody true +RUN set -eux; \ + # save list of currently installed packages for later so we can clean up + savedAptMark="$(apt-mark showmanual)"; \ + apt-get update; \ + apt-get install -y --no-install-recommends ca-certificates wget; \ + if ! command -v gpg; then \ + apt-get install -y --no-install-recommends gnupg2 dirmngr; \ + elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \ + # "This package provides support for HKPS keyservers." 
(GnuPG 1.x only) + apt-get install -y --no-install-recommends gnupg-curl; \ + fi; \ + rm -rf /var/lib/apt/lists/*; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ + # verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + command -v gpgconf && gpgconf --kill all || :; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ + # clean up fetch dependencies + apt-mark auto '.*' > /dev/null; \ + [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + \ + chmod +x /usr/local/bin/gosu; \ + # verify that the binary works + gosu --version; \ + gosu nobody true ENV WILDFLY_VERSION=24.0.1.Final \ KEYCLOAK_VERSION=15.0.2 \ diff --git a/README.md b/README.md new file mode 100644 index 0000000..3f9f8f3 --- /dev/null +++ b/README.md @@ -0,0 +1,19 @@ +# WildFly + +## Development + +### Requirments +- [Docker](https://docs.docker.com/get-docker/) +- [buildx](https://docs.docker.com/buildx/working-with-buildx/) + +### Building + +Without ffmpeg +```bash +docker build --platform linux/amd64,linux/arm64,linux/arm/v7 -t thetonio96/wildfly:my-tag --push -f Dockerfile . +``` + +With ffmpeg +```bash +docker build --platform linux/amd64,linux/arm64,linux/arm/v7 -t thetonio96/wildfly:ffmpeg-my-tag --push -f Dockerfile-ffmpeg . +```
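Review bot: Keeping a second full copy of the Dockerfile that differs only by `ffmpeg` on the first `apt-get install` line means every hardening decision in this hunk — base-image pin, gosu signature verification, the `apt-mark`/`purge` cleanup — has to be kept in sync by hand across two files, and the two will drift. A build argument on the single Dockerfile (`ARG EXTRA_PACKAGES=""` consumed as `apt-get install -y gnupg netcat-openbsd unzip $EXTRA_PACKAGES`), or a short second stage that starts `FROM` the plain image and adds `ffmpeg`, would let this variant inherit fixes; the workflow already selects `file:` per job, so passing `build-args:` is a small change. The same cleanup gap as in the plain Dockerfile applies here: `gnupg` is marked manual before the gosu block captures `savedAptMark`, so its `apt-get purge --auto-remove` never removes it. `ffmpeg` also pulls in a large dependency tree from focal that Trivy will scan on every release, so confirm the runtime actually needs the full package rather than a narrower set of libraries.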