feat(docker): Add dockerfile to run MCP with supergateway#2
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to DockerHub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: opentrace/eks-mcp-server | ||
| tags: | | ||
| type=semver,pattern={{version}} | ||
| type=semver,pattern={{major}}.{{minor}} | ||
| type=ref,event=branch | ||
|
|
||
| - name: Build and push Docker image | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: ./src/eks-mcp-server | ||
| file: ./src/eks-mcp-server/Dockerfile.supergateway | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 months ago
To fix the issue, add a permissions block at the root of the workflow file. This block will define the minimal permissions required for the workflow to function. Based on the provided workflow, the contents: read permission is sufficient for most steps, while the packages: write permission is required for pushing Docker images to DockerHub.
The permissions block should be added immediately after the name field in the workflow file.
| @@ -1,2 +1,5 @@ | ||
| name: Build and Publish EKS MCP Docker Image | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
|
|
| @@ -0,0 +1,48 @@ | |||
| name: Build and Publish EKS MCP Docker Image | |||
Check failure
Code scanning / checkov
Ensure top-level permissions are not set to write-all Error
| FROM node:20-alpine | ||
|
|
||
| # Install supergateway | ||
| RUN npm install -g supergateway | ||
|
|
||
| # Install Python and uv | ||
| RUN apk add --no-cache python3 py3-pip | ||
| COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ | ||
|
|
||
| # Set up the EKS MCP server | ||
| WORKDIR /app | ||
|
|
||
| # Copy package metadata files first (for better layer caching) | ||
| COPY pyproject.toml uv.lock README.md LICENSE NOTICE ./ | ||
|
|
||
| # Install dependencies | ||
| RUN uv sync --frozen --no-install-project --no-dev --no-editable | ||
|
|
||
| # Copy source code | ||
| COPY awslabs/ ./awslabs/ | ||
|
|
||
| # Install the local package | ||
| RUN uv sync --frozen --no-dev --no-editable | ||
|
|
||
| # Set environment variables | ||
| ENV PYTHONPATH=/app | ||
| ENV PATH="/app/.venv/bin:$PATH" | ||
|
|
||
| # Configurable environment variables (secure defaults) | ||
| ENV SUPERGATEWAY_PORT=8000 | ||
| ENV MCP_ALLOW_WRITE=false | ||
| ENV MCP_ALLOW_SENSITIVE_DATA=false | ||
|
|
||
| # Expose port | ||
| EXPOSE 8000 | ||
|
|
||
| # Copy startup script | ||
| COPY docker-start.sh /usr/local/bin/ | ||
| RUN chmod +x /usr/local/bin/docker-start.sh | ||
|
|
||
| # Use supergateway as entrypoint | ||
| ENTRYPOINT ["docker-start.sh"] No newline at end of file |
Check failure
Code scanning / checkov
Ensure that HEALTHCHECK instructions have been added to container images Error
| FROM node:20-alpine | ||
|
|
||
| # Install supergateway | ||
| RUN npm install -g supergateway | ||
|
|
||
| # Install Python and uv | ||
| RUN apk add --no-cache python3 py3-pip | ||
| COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ | ||
|
|
||
| # Set up the EKS MCP server | ||
| WORKDIR /app | ||
|
|
||
| # Copy package metadata files first (for better layer caching) | ||
| COPY pyproject.toml uv.lock README.md LICENSE NOTICE ./ | ||
|
|
||
| # Install dependencies | ||
| RUN uv sync --frozen --no-install-project --no-dev --no-editable | ||
|
|
||
| # Copy source code | ||
| COPY awslabs/ ./awslabs/ | ||
|
|
||
| # Install the local package | ||
| RUN uv sync --frozen --no-dev --no-editable | ||
|
|
||
| # Set environment variables | ||
| ENV PYTHONPATH=/app | ||
| ENV PATH="/app/.venv/bin:$PATH" | ||
|
|
||
| # Configurable environment variables (secure defaults) | ||
| ENV SUPERGATEWAY_PORT=8000 | ||
| ENV MCP_ALLOW_WRITE=false | ||
| ENV MCP_ALLOW_SENSITIVE_DATA=false | ||
|
|
||
| # Expose port | ||
| EXPOSE 8000 | ||
|
|
||
| # Copy startup script | ||
| COPY docker-start.sh /usr/local/bin/ | ||
| RUN chmod +x /usr/local/bin/docker-start.sh | ||
|
|
||
| # Use supergateway as entrypoint | ||
| ENTRYPOINT ["docker-start.sh"] No newline at end of file |
Check failure
Code scanning / checkov
Ensure that a user for the container has been created Error
1 participant
Fixes
Summary
Changes
User experience
Checklist
If your change doesn't seem to apply, please leave them unchecked.
Is this a breaking change? (Y/N)
RFC issue number:
Checklist:
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.