From 1d65b010c0059c4c0a7ceb48f8bf0fb935f51337 Mon Sep 17 00:00:00 2001
From: Gary <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 29 Nov 2023 15:02:00 +0000
Subject: [PATCH 1/7] =?UTF-8?q?=F0=9F=9B=A0=EF=B8=8F=20Parameterise=20`ent?=
 =?UTF-8?q?rypoint.sh`=20(#39)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 🛠️ Parameterise entrypoint.sh

* Linting
---
 scripts/container/entrypoint.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/container/entrypoint.sh b/scripts/container/entrypoint.sh
index d376e00a..b2eee9db 100644
--- a/scripts/container/entrypoint.sh
+++ b/scripts/container/entrypoint.sh
@@ -1,18 +1,21 @@
 #!/usr/bin/env sh
 
 MODE=${MODE:-"run"}
+ADDRESS=${ADDRESS:-"0.0.0.0"}
+PORT=${PORT:-"8000"}
+WORKERS=${WORKERS:-"4"}
 
 case "$MODE" in
   "run")
-    echo "Running Django server"
-    gunicorn -b 0.0.0.0:8000 -k uvicorn.workers.UvicornWorker -w 4 controlpanel.asgi:application
+    echo "Running Django server on ${ADDRESS}:${PORT}"
+    gunicorn -b "${ADDRESS}":"${PORT}" -k uvicorn.workers.UvicornWorker -w "${WORKERS}" controlpanel.asgi:application
     ;;
   "migrate")
     echo "Running Django migrations"
     python manage.py migrate
     ;;
   *)
-    echo "Unknown mode: $MODE"
+    echo "Unknown mode: ${MODE}"
     exit 1
     ;;
 esac

From d530416028a8d7622b450be18acb668cff57b130 Mon Sep 17 00:00:00 2001
From: Gary <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 29 Nov 2023 15:31:33 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=F0=9F=A7=B1=20Add=20`build.yml`=20workflow?=
 =?UTF-8?q?=20(#40)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Edit yaml lint

* Add image scanning

* Squash me
---
 .github/workflows/build.yml        | 59 ++++++++++++++++++++++++++++++
 .github/workflows/super-linter.yml |  2 +-
 .yamllint                          |  9 +++++
 3 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/build.yml
 create mode 100644 .yamllint

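Review bot: gunicorn on the `"run"` arm is started as a child of the entrypoint shell rather than replacing it, so if this script runs as the container's PID 1 a SIGTERM from the orchestrator is swallowed by `sh` and gunicorn never sees it, losing graceful shutdown until the kill timeout; the same applies to `python manage.py migrate`. Prefix both with `exec`: `exec gunicorn -b "${ADDRESS}":"${PORT}" -k uvicorn.workers.UvicornWorker -w "${WORKERS}" controlpanel.asgi:application` and `exec python manage.py migrate`. The new `ADDRESS`, `PORT` and `WORKERS` values are passed to gunicorn unchecked, which is acceptable for deployer-controlled environment, but a one-line guard such as `case "$WORKERS" in ''|*[!0-9]*) echo "WORKERS must be an integer: ${WORKERS}" >&2; exit 1;; esac` turns a typo into a clear failure instead of a gunicorn usage error. The `echo "Unknown mode: ${MODE}"` diagnostic goes to stdout; route it to stderr with `>&2` so it is not mistaken for normal output.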
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..24e40e34
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,59 @@
+---
+name: Build
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build Image
+        id: build_image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          push: false
+          load: true
+          tags: control-panel
+
+      - name: Scan Image
+        id: scan_image
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
+        with:
+          image-ref: control-panel
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+          limit-severities-for-sarif: true
+
+      - name: Scan Image (On SARIF Scan Failure)
+        if: failure() && steps.scan_image.outcome == 'failure'
+        id: scan_image_on_failure
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
+        with:
+          image-ref: control-panel
+          exit-code: 1
+          format: table
+          severity: CRITICAL
+
+      - name: Upload SARIF
+        if: always()
+        id: upload_sarif
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.2.7
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 83e4dbfa..393bc8e5 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -1,7 +1,7 @@
 ---
 name: Super-Linter
 
-on: # yamllint disable-line rule:truthy
+on:
   pull_request:
     branches:
       - main
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 00000000..0db05bb9
--- /dev/null
+++ b/.yamllint
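Review bot: `Upload SARIF` is gated on `if: always()`, so when `Build Image` fails the step still runs with no `trivy-results.sarif` on disk and the job surfaces a misleading upload error instead of the build failure; `always()` also fires on cancellation. Gate it on the scan having actually produced output, e.g. `if: ${{ !cancelled() && steps.scan_image.outcome != 'skipped' }}`. `Build Image` sets no `context:`, and as far as I recall `docker/build-push-action` then builds from the Git context and ignores the tree produced by `Checkout`, whereas the `release.yml` added later in this series builds from `context: .`; adding `context: .` here makes the scanned image come from the same inputs as the released one. `severity: CRITICAL` on both scan steps means HIGH findings neither fail the PR nor reach the code-scanning tab, which is a defensible policy but should be recorded in a comment on the step, e.g. `# Only CRITICAL blocks merges; HIGH is tracked out of band`.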
@@ -0,0 +1,9 @@
+---
+extends: default
+
+rules:
+  comments: disable
+  line-length:
+    level: warning
+    allow-non-breakable-inline-mappings: true
+  truthy: disable

From 896f8eb3000c51d37c0fc733c89fb9da9eb3c11a Mon Sep 17 00:00:00 2001
From: Gary <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 29 Nov 2023 16:06:06 +0000
Subject: [PATCH 3/7] =?UTF-8?q?=F0=9F=9B=A0=EF=B8=8F=20Add=20`release.yml`?=
 =?UTF-8?q?=20(#41)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🛠️ Add release.yml
---
 .github/workflows/release.yml | 51 +++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..6d5fb494
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,51 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - '*.*.*'
+
+permissions: {}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install cosign
+        id: install-cosign
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Login to GitHub Container Registry
+        id: login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push
+        id: push
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          context: .
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        run: |
+          cosign sign ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
+
+      - name: Verify
+        id: verify
+        run: |
+          cosign verify ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}

From 62afdaaa24c2f0b1bee5fead40a50ad3f7f7a6a6 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 29 Nov 2023 16:22:10 +0000
Subject: [PATCH 4/7] =?UTF-8?q?=F0=9F=9A=91=20Fix=20cosign=20publishing=20?=
 =?UTF-8?q?(=F0=9F=A4=9E)=20(#42)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jacob Woffenden
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d5fb494..4922911a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
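Review bot: `Sign` and `Verify` address the image by its mutable `:${{ github.ref_name }}` tag, so what gets signed is whatever the tag resolves to at that moment rather than the artefact `Push` just produced; cosign itself warns about this. Sign the digest from the push step's output instead, `cosign sign --yes ghcr.io/${{ github.repository_owner }}/data-platform-control-panel@${{ steps.push.outputs.digest }}`, and verify that same digest. `${{ github.ref_name }}` is also expanded directly into the `run:` scripts, and a tag name may legally contain `$`, `;` or backticks, so move the reference into an `env:` entry such as `IMAGE: ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}` and use `"$IMAGE"` in the shell. Anyone able to push a `*.*.*` tag can mint a release signed with this job's OIDC identity and `packages: write`, which is presumably intended, but deserves a comment on the `on:` block and a tag-protection rule in the repository settings.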
@@ -43,7 +43,7 @@ jobs:
       - name: Sign
         id: sign
         run: |
-          cosign sign ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
 
       - name: Verify
         id: verify

From 218fc13bf4a11327bf45bb71cb6e6b2108a19922 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 29 Nov 2023 16:31:42 +0000
Subject: [PATCH 5/7] =?UTF-8?q?=F0=9F=94=A5=20Remove=20build=20on=20merge?=
 =?UTF-8?q?=20to=20`main`=20(#43)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove build on merge to main

Signed-off-by: Jacob Woffenden
---
 .github/workflows/build.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 24e40e34..4a5a79d6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,9 +5,6 @@ on:
   pull_request:
     branches:
       - main
-  push:
-    branches:
-      - main
 
 permissions: {}
 

From f01db6008f4f646e9b8a6826fca0c2fcc5894c15 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 29 Nov 2023 16:42:49 +0000
Subject: [PATCH 6/7] =?UTF-8?q?=F0=9F=9A=91=20Fix=20cosign=20verification?=
 =?UTF-8?q?=20(#44)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jacob Woffenden
---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4922911a..deb25388 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
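Review bot: `--yes` silently accepts the cosign prompt that the signing certificate, which names this workflow and repository, is uploaded to the public Rekor transparency log; that is the right choice for a non-interactive job, but the consequence should be recorded above the command, e.g. `# --yes: keyless signing publishes the workflow identity to the public Rekor log`. The command still signs the `:${{ github.ref_name }}` tag rather than the digest `Push` produced, so the signature binds to whatever the tag points at when the step runs; `cosign sign --yes ghcr.io/${{ github.repository_owner }}/data-platform-control-panel@${{ steps.push.outputs.digest }}` pins it to the pushed artefact. The `Push` step that provides that output lies outside this hunk.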
@@ -48,4 +48,7 @@ jobs:
       - name: Verify
         id: verify
         run: |
-          cosign verify ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity=https://github.com/${{ github.repository_owner }}/data-platform-control-panel/.github/workflows/release.yml@refs/tags/${{ github.ref_name }}
+            ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}

From bb0eac36bf6b7897463d072a291607679fd2f1cf Mon Sep 17 00:00:00 2001
From: Gary <26419401+Gary-H9@users.noreply.github.com>
Date: Wed, 29 Nov 2023 16:52:25 +0000
Subject: [PATCH 7/7] =?UTF-8?q?=F0=9F=8E=B8=20Add=20slash=20=F0=9F=A4=98?=
 =?UTF-8?q?=20(#45)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index deb25388..75ade887 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,5 +50,5 @@ jobs:
         run: |
           cosign verify \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity=https://github.com/${{ github.repository_owner }}/data-platform-control-panel/.github/workflows/release.yml@refs/tags/${{ github.ref_name }}
+            --certificate-identity=https://github.com/${{ github.repository_owner }}/data-platform-control-panel/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
             ghcr.io/${{ github.repository_owner }}/data-platform-control-panel:${{ github.ref_name }}
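Review bot: The `--certificate-identity` line has no trailing `\`, so the image reference on the following line is not an argument to `cosign verify` but a separate shell command, and the step fails as merged; the next patch in this series adds the backslash. The identity also hard-codes the repository name `data-platform-control-panel` next to `${{ github.repository_owner }}`, while the certificate cosign issued records the real workflow path, so a rename breaks verification silently at release time; derive it from the context instead, `--certificate-identity=https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \`. Verifying immediately after signing in the same job only proves the upload round-tripped; the check that matters is this same issuer/identity pair applied where the image is pulled, so the expected identity should be documented for consumers, e.g. in the README or a comment above this step. As in `Sign`, the reference verified is the mutable tag rather than the pushed digest.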