ci: Use ubuntu-slim machine #381
@@ -22,19 +22,28 @@ permissions: | |
| jobs: | ||
| check_dockerfile: | ||
| name: Validate Dockerfile | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-slim | ||
coderabbitai[bot] marked this conversation as resolved.
| if: ${{ inputs.is_test }} | ||
| environment: | ||
| name: code_quality | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | ||
| - name: Install APT packages | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y docker.io | ||
| sudo systemctl start docker | ||
| - name: Log in to ${{ inputs.registry }} Registry | ||
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 | ||
| with: | ||
| registry: ${{ inputs.registry }} | ||
| username: mh0386 | ||
| password: ${{ inputs.registry == 'ghcr.io' && secrets.GH_TOKEN || inputs.registry == 'docker.io' && secrets.TOKEN_KEY_DOCKER }} | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | ||
| - name: Validate build configuration | ||
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 | ||
| with: | ||
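Review bot: the new Install APT packages step in check_dockerfile (`sudo apt-get install -y docker.io` followed by `sudo systemctl start docker`) installs Docker from the Ubuntu archive with no version recorded, while every `uses:` entry in the same job is pinned to a commit SHA, and it differs from the build_image and docker_scout jobs in this PR, which rely on docker/setup-docker-action instead; the validation build therefore runs on a different Docker engine than the real build. Consider one installation method across the workflow, and if the apt package stays, note the version it resolves to (`apt-get install -y docker.io=<version>`) so a runner-image refresh cannot silently change the toolchain. Also confirm that `ubuntu-slim` is a label available to this repository: a job whose `runs-on` label matches no runner stays queued waiting for a runner instead of failing.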
@@ -55,23 +64,32 @@ jobs: | |
| name: Build and push Docker image to ${{ inputs.registry }} | ||
| needs: check_dockerfile | ||
| if: ${{ always() && !cancelled() }} | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-slim | ||
| outputs: | ||
| image_tag: ${{ steps.tag.outputs.TAG }} | ||
| environment: | ||
| name: docker_image | ||
| url: ${{inputs.registry}}/${{github.repository}} | ||
| steps: | ||
| - name: Free Disk Space | ||
| if: github.event_name != 'pull_request' | ||
| uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 | ||
| - name: Checkout repository | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | ||
| - name: Get Python version from pyproject.toml | ||
| id: get_python_version | ||
| uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1 | ||
| with: | ||
| cmd: yq -roy '.project.requires-python' pyproject.toml | ||
| - name: Install APT packages | ||
| run: sudo apt-get update && sudo apt-get install -y docker.io | ||
| - name: Set up Docker | ||
| uses: docker/setup-docker-action@v4.5.0 | ||
| with: | ||
| daemon-config: | | ||
| { | ||
| "debug": true, | ||
| "features": { | ||
| "containerd-snapshotter": true | ||
| } | ||
| } | ||
Comment on lines +84 to +92
Contributor
Pin: Lines 84 and 161 use the mutable tag. Apply this diff to both locations:
- name: Set up Docker
- uses: docker/setup-docker-action@v4.5.0
+ uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
with:
daemon-config: |
{
"debug": true,
"features": {
"containerd-snapshotter": true
}
}
Use commit SHA. Also applies to: 161-169
| - name: Log in to ${{ inputs.registry }} Registry | ||
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 | ||
| with: | ||
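Review bot: `docker/setup-docker-action@v4.5.0` in the Set up Docker step is the only `uses:` reference in this workflow that is a tag rather than a commit SHA, as the comment above already flags; pin it with a `# v4.5.0` trailer like the surrounding actions. Two more points in the same block: the Install APT packages step installs `docker.io` immediately before docker/setup-docker-action sets up its own Docker engine, so one of the two is redundant and the job should keep a single, known Docker version; and `"debug": true` in `daemon-config` switches dockerd to debug-level logging, which floods the job log and is only worth keeping while a daemon problem is being diagnosed.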
@@ -126,7 +144,7 @@ jobs: | |
| name: Docker Scout (${{ matrix.commands }}) | ||
| needs: build_image | ||
| if: ${{ always() && !cancelled() }} | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-slim | ||
| environment: | ||
| name: docker_image | ||
| strategy: | ||
@@ -137,6 +155,18 @@ jobs: | |
| - cves | ||
| - recommendations | ||
| steps: | ||
| - name: Install APT packages | ||
| run: sudo apt-get update && sudo apt-get install -y docker.io | ||
| - name: Set up Docker | ||
| uses: docker/setup-docker-action@v4.5.0 | ||
| with: | ||
| daemon-config: | | ||
| { | ||
| "debug": true, | ||
| "features": { | ||
| "containerd-snapshotter": true | ||
| } | ||
| } | ||
Comment on lines +161 to +169
Contributor
Pin: Line 158 has the same unpinned action issue. This must also be updated to use the full commit SHA instead of the version tag. Apply this diff:
- - name: Set up Docker
- uses: docker/setup-docker-action@v4.5.0
+ - name: Set up Docker
+ uses: docker/setup-docker-action@<FULL_COMMIT_SHA> # v4.5.0
with:
daemon-config: |
{
"debug": true,
"features": {
"containerd-snapshotter": true
}
}
Use the same commit SHA as you pin in the build_image job (line 81).
| - name: Log in to ${{ inputs.registry }} Registry | ||
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 | ||
| with: | ||
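Review bot: this hunk repeats the Docker setup block from build_image verbatim (apt `docker.io`, then `docker/setup-docker-action@v4.5.0` with the same `daemon-config`), including the mutable tag; when pinning, use one SHA for both occurrences, and consider moving the duplicated steps into a composite action or a reusable workflow so that a future Docker bump cannot update one job and miss the other. Note also that docker_scout is a matrix job (the `cves` and `recommendations` entries just above), so the apt install and daemon setup now run once per matrix entry.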
@@ -155,7 +185,7 @@ jobs: | |
| api_test: | ||
| name: API Test | ||
| needs: build_image | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-slim | ||
| if: ${{ always() && !cancelled() && inputs.is_test }} | ||
| environment: | ||
| name: api_test | ||
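Review bot: api_test moves to `ubuntu-slim` without gaining a Docker install step, while check_dockerfile, build_image and docker_scout all received one in this PR, which suggests the slim image does not ship Docker; if this job's steps (not shown in the hunk) run the built image with `docker`, it needs the same setup step, and if they do not, saying so in the PR description would make the omission look intentional.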
@@ -194,7 +224,7 @@ jobs: | |
| - api_test | ||
| - docker_scout | ||
| if: ${{ always() && !cancelled() && inputs.registry == 'ghcr.io' }} | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-slim | ||
| environment: | ||
| name: docker_image | ||
| steps: | ||
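Review bot: same question as for api_test: this final job (needs api_test and docker_scout, runs only when `inputs.registry == 'ghcr.io'`) also switches to `ubuntu-slim` with no Docker install step; if any of its steps call the `docker` CLI it needs the same setup the other jobs received, otherwise a short note on why it does not need Docker would help the next reader.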
Enabling OSV vulnerability alerts is a great security enhancement. However, with pyproject.toml currently in ignorePaths (line 16), Renovate will not scan or update the Python dependencies defined in that file. This means you won't get vulnerability alerts for them, which largely defeats the purpose of these new settings. To make these alerts effective, you should consider removing pyproject.toml from the ignorePaths list.
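The two review comments on the Set up Docker steps ask for docker/setup-docker-action to be pinned to a full commit SHA and for both jobs to use the same SHA. The script below is an added example, not code from this PR or its repository: it scans a workflow as plain text for `uses:` lines and reports refs that are tags or branches instead of 40-hex SHAs, SHA pins that lack a `# vX` trailer, and the same action pinned to different refs in different jobs. It assumes only the `uses: owner/repo@ref # comment` line shape seen in the diff; the sample workflow is constructed for the demo from refs that appear on this page.

```python
"""Audit GitHub Actions `uses:` references for supply-chain pinning.

Added example; not code from PR #381 or its repository. It reads the workflow
as plain text (no YAML library needed) and assumes only the
`uses: owner/repo@ref  # comment` line shape visible in the diff.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches `- uses: owner/repo[/path]@ref` with an optional `# comment` trailer.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
# A full commit SHA is the only immutable git ref; tags and branches can move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 0 for workflow-wide findings
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return pinning problems found in the workflow text, in line order."""
    findings: list[Finding] = []
    pins: dict[str, set[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, not by git SHA
        pins.setdefault(action, set()).add(ref)
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref,
                                    "mutable ref (tag or branch), not a 40-hex commit SHA"))
        elif not comment:
            findings.append(Finding(lineno, action, ref,
                                    "SHA pin without a '# vX' trailer naming the release"))
    # The same action pinned to different refs in one file drifts job by job.
    for action, refs in sorted(pins.items()):
        if len(refs) > 1:
            findings.append(Finding(0, action, ", ".join(sorted(refs)),
                                    "pinned to different refs in different jobs"))
    return findings


def format_findings(findings: list[Finding]) -> list[str]:
    """Render findings as one human-readable line each."""
    rows = []
    for f in findings:
        where = "workflow" if f.line == 0 else f"line {f.line}"
        rows.append(f"{where}: {f.action}@{f.ref}: {f.problem}")
    return rows


# Constructed sample workflow (not the PR's file), built from refs in the diff:
# one mutable tag, one SHA pin without a trailer, and one action pinned two ways.
SAMPLE_WORKFLOW = """\
jobs:
  build_image:
    runs-on: ubuntu-slim
    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
      - name: Set up Docker
        uses: docker/setup-docker-action@v4.5.0
      - name: Log in to registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
  docker_scout:
    runs-on: ubuntu-slim
    steps:
      - name: Set up Docker
        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
"""

if __name__ == "__main__":
    for row in format_findings(audit_workflow(SAMPLE_WORKFLOW)):
        print(row)
```

Run it against a real workflow with `audit_workflow(open(".github/workflows/x.yml").read())`; an empty result means every action is SHA-pinned, annotated, and consistent across jobs, which is the state the two review comments are asking this PR to reach. The text-based match deliberately ignores `docker://` image references, which are pinned by digest rather than by git SHA.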