feat!: Docker CI - Security added & Tagging updates - 2 #1327
Conversation
👍 👍
Can you resolve the conflicts please?
buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1327: unexpected status: 403 Forbidden
are we still seeing the issues that we saw with #1320 with the failed docker build CI?
besides fixing the linters, this LGTM
@jrmanes suggested that I try this PR since I have write permissions, so I'm closing here for now to let me open up a PR from the same branch.
I've added the changes that we discussed last Friday for fixing the issues with the forks, and so far the CI looks better.
Let me know if you find anything that you would like to add :) thanks in advance!
Does it mean that the latest tag is always == to what is merged on main, right? @jrmanes
Yes, we'll build it always, but only push the new images when the branch is
Update:
A few last questions
there are a lot of commits, what was the thing that allowed this to work now 😅 ?
```yaml
          # refer to it later
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local

      - name: Run Trivy vulnerability scanner
```
can we run this locally if it fails?
## Overview

ℹ️ Same content as: [1320](#1320), I had an issue and the PR was closed...

Hello team,

Hope you're doing well. The following PR contains some changes in the Docker CI, build & publish. I've added some features:

- File renamed: `amd64-docker-build.yml` -> `docker-build-publish.yml`
  *We will be able to use a matrix for building the container in different architectures.*
- This CI is triggered:
  - When pushing to any branch
  - When creating `PRs`
  - When there's a new hotfix (when pushing to the main branch)
  - When pushing tags `(v0.0.0/v0.0.0-alpha/v0.0.0-beta/v0.0.0-rcX)`
- Only push new Docker images when they are in `main` or `v*` (blocking forks for security)
- Security: [Trivy](https://www.aquasec.com/products/trivy/) added to the CI. This is the first step during the build: it scans the image and provides us a table summary in case we have any CVE; if everything goes well, it continues with the next step.
  *It's not going to block the CI in case of bugs, though I think it would be good for us to stop it and fix them.*
- Docker tagging:
  - Git short SHA => for example: `a594b69`
  - Tag ID => for example: `0.0.1`
- Provided some additional metadata to the images:
  - Maintainer => "maintainer": "CelestiaOrg"
  - Description => "CelestiaOrg repository celestiaorg/celestia-app"
  - URL to the specific commit => "commit_url": "a594b69"
  - Docker pull command => "docker_pull_command": "docker pull ghcr.io/celestiaorg/celestia-app:a594b691"

---

## Checklist

- [x] Required CI checks are passing
- [x] Linked issues closed with keywords

---

## Blockers

Hello team! I'll need to add some permissions to allow the CI to have access to the packages.

This is an error that I'm having: [link](https://github.com/celestiaorg/celestia-app/actions/runs/4058197292/jobs/6984898432)

```
ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden
Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/celestiaorg/celestia-app:pr-1320: unexpected status: 403 Forbidden
```

Thanks in advance!

cc: @evan-forbes @rootulp @Bidon15 @sysrex

Please, ping me when you're going to merge it, just to check that everything goes fine 😊

Thank you team!

---

Closes Issue: [37](celestiaorg/devops#37)
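As an added example (not the PR's actual `docker-build-publish.yml`), a minimal workflow with the behaviour described above: build and Trivy-scan first, tag by bare short SHA and semver, and push only from `main` or a `v*` tag, never on a `pull_request` event (a fork PR's `GITHUB_TOKEN` is read-only regardless). The `packages: write` grant is the kind of permission whose absence produces a 403 on push like the one in the Blockers section; action versions and the Trivy settings are assumptions.

```yaml
name: docker-build-publish
on:
  push:
    branches: ["**"]
    tags: ["v*"]
  pull_request:
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
permissions:
  contents: read
  packages: write  # required to push to ghcr.io; a token without it is refused with 403
jobs:
  build-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Build into the local daemon only, so Trivy can scan before anything is pushed.
      - uses: docker/build-push-action@v4
        with:
          context: .
          load: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local
      # Scan first; exit-code "0" prints the table summary without failing the job (assumed setting).
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:local
          format: table
          exit-code: "0"
      # Tags: bare short SHA (a594b69), semver from v* tags (0.0.1), latest only on the default branch.
      - id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=sha,prefix=
            type=semver,pattern={{version}}
            type=raw,value=latest,enable={{is_default_branch}}
      - uses: docker/login-action@v2
        if: github.event_name != 'pull_request'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Always build; push only from main or a v* tag, never from a pull_request (fork tokens are read-only).
      - uses: docker/build-push-action@v4
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
          tags: ${{ steps.meta.outputs.tags }}
```

To reproduce the scan step locally after a failure, build the same `:local` tag with `docker build` and run `trivy image` against it.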