Merge pull request #67 from underdog-tech/feat/improved-dockerfile

feat: Improved Dockerfile / build / test
underdog-tech · Jun 26, 2023 · 075bc43 · 075bc43
2 parents 9fd00e9 + 2102abd
commit 075bc43
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 26 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,7 @@
+.editorconfig
+.env
+.git/
+.github/
+coverage*
+*.md
+*.toml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @underdog-tech/vulnbot-contributors
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -19,6 +19,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
       - name: Log in to the Container registry
         uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
         with:
@@ -36,6 +42,7 @@ jobs:
         uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
         with:
           context: .
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -2,38 +2,69 @@ name: Go
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 jobs:
+  docker-tests:
+    strategy:
+      matrix:
+        arch: ["linux/arm64", "linux/amd64"]
+    name: Docker Tests for ${{ matrix.arch }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Test Docker Image
+        uses: docker/build-push-action@v4
+        with:
+          platforms: ${{ matrix.arch }}
+          push: false
+          target: test
 
   build:
     strategy:
       matrix:
-        go: ['1.18', '1.19', '1.20']
-        os: ['windows-2019', 'windows-2022', 'ubuntu-20.04', 'ubuntu-22.04', 'macos-11', 'macos-12']
+        go: ["1.18", "1.19", "1.20"]
+        os:
+          [
+            "windows-2019",
+            "windows-2022",
+            "ubuntu-20.04",
+            "ubuntu-22.04",
+            "macos-11",
+            "macos-12",
+            "macos-13",
+          ]
     env:
       OS: ${{ matrix.os }}
       GO: ${{ matrix.go }}
     runs-on: ${{ matrix.os }}
     name: Build & test with Go ${{ matrix.go }} on ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+      - uses: actions/checkout@v3
 
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ matrix.go }}
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go }}
 
-    - name: Build
-      run: go build -v ./...
+      - name: Build
+        run: go build -v ./...
 
-    - name: Test
-      run: go test -v -race -covermode=atomic -coverprofile="coverage.out" -coverpkg=./... ./...
+      - name: Test
+        run: go test -v -race -covermode=atomic -coverprofile="coverage.out" -coverpkg=./... ./...
 
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v3
-      with:
-        env_vars: OS,GO
-        flags: unittests
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          env_vars: OS,GO
+          flags: unittests
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,35 @@
-FROM alpine:3.17 AS base
+# We want to build on a canonical Golang image to easily use the latest/greatest
+FROM golang:1.20 AS build
 
 WORKDIR /app
 
-FROM base AS builder
+# Set up pieces necessary for our final release image
+RUN echo "nonroot:x:65534:65534:Nonroot:/:" > /etc/passwd.min
+
+# Make sure the dependency downloading can be cached
+COPY go.mod go.sum ./
+RUN go mod download
 
 COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -o ./vulnbot
+
+# This stage is by default un-used, but allows us to easily run our tests inside
+# of an actual Docker image.
+FROM build as test
+
+# We do not use -race here because it is not supported on arm64
+# https://github.com/golang/go/issues/29948
+RUN go test -v ./...
+
+# Final image uses a barebones image
+FROM scratch AS release
 
-RUN apk update && apk upgrade && apk add go
-RUN go build .
+WORKDIR /
+COPY --from=build /etc/passwd.min /etc/passwd
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-FROM base AS final
+USER nonroot
 
-COPY --from=builder /app/vulnbot /app/
+COPY --from=build /app/vulnbot /vulnbot
 
-ENTRYPOINT [ "./vulnbot" ]
+ENTRYPOINT [ "/vulnbot" ]