Merge pull request #44 from trailofbits/dev

New container image variant for CI use
trailofbits · Dec 18, 2024 · 23f3891 · 23f3891
2 parents cb26811 + d0a5dfd
commit 23f3891
Show file tree

Hide file tree

Showing 3 changed files with 136 additions and 15 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
         with:
           install: true
 
-      - name: Set Docker metadata
+      - name: Set Docker metadata (interactive variant)
         id: metadata
         uses: docker/metadata-action@v5
         with:
@@ -45,6 +45,19 @@ jobs:
             type=ref,event=branch,prefix=testing-
             type=edge
 
+      - name: Set Docker metadata (CI variant)
+        id: metadata-ci
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}/ci
+          tags: |
+            type=schedule
+            type=schedule,pattern=nightly-{{date 'YYYYMMDD'}}
+            type=ref,event=tag
+            type=ref,event=branch,prefix=testing-
+            type=edge
+
       - name: GitHub Container Registry Login
         uses: docker/login-action@v3
         with:
@@ -59,7 +72,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
 
-      - name: Docker Build and Push
+      - name: Docker Build and Push (interactive variant)
         uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64,linux/arm64/v8
@@ -71,3 +84,16 @@ jobs:
           labels: ${{ steps.metadata.outputs.labels }}
           cache-from: ${{ (github.event_name != 'schedule' && 'type=gha') || '' }}
           cache-to: type=gha,mode=max
+
+      - name: Docker Build and Push (CI variant)
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64
+          target: toolbox-ci
+          file: Dockerfile
+          pull: true
+          push: true
+          tags: ${{ steps.metadata-ci.outputs.tags }}
+          labels: ${{ steps.metadata-ci.outputs.labels }}
+          cache-from: ${{ (github.event_name != 'schedule' && 'type=gha') || '' }}
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -23,32 +23,23 @@ RUN chmod 755 /usr/local/bin/echidna
 
 
 ###
-### ETH Security Toolbox
+### ETH Security Toolbox - base
 ###
-FROM ubuntu:jammy AS toolbox
+FROM ubuntu:jammy AS toolbox-base
 
 # Add common tools
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
     bash-completion \
     curl \
     git \
     jq \
-    python3-dev \
     python3-pip \
     python3-venv \
     sudo \
     unzip \
     wget \
     && rm -rf /var/lib/apt/lists/*
 
-# improve compatibility with amd64 solc in non-amd64 environments (e.g. Docker Desktop on M1 Mac)
-ENV QEMU_LD_PREFIX=/usr/x86_64-linux-gnu
-RUN if [ ! "$(uname -m)" = "x86_64" ]; then \
-    export DEBIAN_FRONTEND=noninteractive \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends libc6-amd64-cross \
-    && rm -rf /var/lib/apt/lists/*; fi
-
 # Add n (node version manager), lts node, npm, and yarn
 RUN curl -fsSL https://raw.githubusercontent.com/tj/n/v10.1.0/bin/n -o n && \
     if [ ! "a09599719bd38af5054f87b8f8d3e45150f00b7b5675323aa36b36d324d087b9  n" = "$(sha256sum n)" ]; then \
@@ -57,7 +48,7 @@ RUN curl -fsSL https://raw.githubusercontent.com/tj/n/v10.1.0/bin/n -o n && \
     fi && \
     cat n | bash -s lts && rm n && \
     npm install -g n yarn && \
-    n stable && n prune && npm --force cache clean
+    n stable --cleanup && n prune && npm --force cache clean
 
 # Include echidna
 COPY --chown=root:root --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna
@@ -66,6 +57,22 @@ COPY --chown=root:root --from=echidna /usr/local/bin/echidna /usr/local/bin/echi
 COPY --chown=root:root --from=medusa /usr/local/bin/medusa /usr/local/bin/medusa
 RUN medusa completion bash > /etc/bash_completion.d/medusa
 
+CMD ["/bin/bash"]
+
+
+###
+### ETH Security Toolbox - interactive variant
+###
+FROM toolbox-base AS toolbox
+
+# improve compatibility with amd64 solc in non-amd64 environments (e.g. Docker Desktop on M1 Mac)
+ENV QEMU_LD_PREFIX=/usr/x86_64-linux-gnu
+RUN if [ ! "$(uname -m)" = "x86_64" ]; then \
+    export DEBIAN_FRONTEND=noninteractive \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends libc6-amd64-cross \
+    && rm -rf /var/lib/apt/lists/*; fi
+
 # Add a user with passwordless sudo
 RUN useradd -m ethsec && \
     usermod -aG sudo ethsec && \
@@ -114,4 +121,39 @@ RUN git clone --depth 1 https://github.com/crytic/building-secure-contracts.git
 COPY --link --chown=root:root motd /etc/motd
 RUN echo '\ncat /etc/motd\n' >> ~/.bashrc
 
-CMD ["/bin/bash"]
+
+###
+### ETH Security Toolbox - CI variant
+### Differences:
+###   * Runs as root
+###   * No Foundry autocompletions
+###   * No pyevmasm
+###   * No preinstalled solc binaries
+###   * No BSC copy
+###
+FROM toolbox-base AS toolbox-ci
+
+ENV HOME="/root"
+ENV PATH="${PATH}:${HOME}/.crytic/bin:${HOME}/.vyper/bin:${HOME}/.foundry/bin"
+
+# Install vyper compiler
+RUN python3 -m venv ${HOME}/.vyper && \
+    ${HOME}/.vyper/bin/pip3 install --no-cache-dir vyper && \
+    echo '\nexport PATH=${PATH}:${HOME}/.vyper/bin' >> ~/.bashrc
+
+# Install foundry
+RUN curl -fsSL https://raw.githubusercontent.com/foundry-rs/foundry/27cabbd6c905b1273a5ed3ba7c10acce90833d76/foundryup/install -o install && \
+    if [ ! "e4456a15d43054b537b329f6ca6d00962242050d24de4c59657a44bc17ad8a0c  install" = "$(sha256sum install)" ]; then \
+        echo "Foundry installer does not match expected checksum! exiting"; \
+        exit 1; \
+    fi && \
+    cat install | SHELL=/bin/bash bash && rm install && \
+    foundryup
+
+# Install python tools
+RUN python3 -m venv ${HOME}/.crytic && \
+    ${HOME}/.crytic/bin/pip3 install --no-cache-dir \
+        solc-select \
+        crytic-compile \
+        slither-analyzer && \
+    echo '\nexport PATH=${PATH}:${HOME}/.crytic/bin' >> ~/.bashrc
diff --git a/README.md b/README.md
@@ -91,6 +91,59 @@ $ node --version
 v14.21.3
 ```
 
+## Usage in CI
+
+A variant of the image is published on GitHub Container Registry as
+[`ghcr.io/trailofbits/eth-security-toolbox/ci`](https://github.com/trailofbits/eth-security-toolbox/pkgs/container/eth-security-toolbox%2Fci).
+This variant is meant to be slightly lighter, and better suited for its use in
+CI contexts such as [GitHub workflow jobs](https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container):
+
+
+```yaml
+# workflow triggers, ...
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    container: ghcr.io/trailofbits/eth-security-toolbox/ci:nightly
+    steps:
+      # other steps ...
+      - run: medusa fuzz # or any tool from the image
+```
+
+The main differences are:
+ * The container does not have a dedicated non-root user. All tools are
+   installed under the root user.
+ * Most autocompletions are not installed.
+ * No solc binaries are preinstalled. You may continue to use `solc-select` to
+   install any binaries you may need.
+ * pyevmasm and the building secure contracts repository are not included.
+
+## Container image labels
+
+Both `eth-security-toolbox` and `eth-security-toolbox/ci` use the following
+label convention:
+
+| Label              | Description
+|--------------------|--------------------------------------------------------
+| `nightly-YYYYMMDD` | Image built from the code in `master` on day YYYY-MM-DD
+| `nightly`          | Alias for the latest `nightly-YYYYMMDD` container image
+| `testing-BRANCH`   | Image built when the tip of `BRANCH` was last updated
+| `edge`             | Alias for `testing-master`
+| `TAG`              | Image built when `TAG` was tagged
+| `latest`           | Alias for the latest `TAG` container image
+
+To keep tooling in CI predictable, we recommend picking a `nightly-YYYYMMDD`
+image and pinning it by hash on your workflow file. Then, establish a process
+to review the changes and update the container reference on a regular cadence,
+so that you can continue to benefit from tool improvements. The following
+snippet shows the syntax used to pin the image on a GitHub Actions workflow;
+the hashes may be obtained from the [container registry page](https://github.com/orgs/trailofbits/packages?repo_name=eth-security-toolbox).
+
+```yaml
+container: ghcr.io/trailofbits/eth-security-toolbox/ci:nightly-YYYYMMDD@sha256:HASH_GOES_HERE
+```
+
 ## Getting Help
 
 Feel free to stop by our [Slack channel](https://slack.empirehacking.nyc/) for