fix: fix distroless container and update ci

This includes more requirements in the distroless container for git and updates CI and the actionfile to better use docker images. This will also move to pushing images to ghcr
andrewthetechie · Jan 19, 2024 · 4995b1e · 4995b1e
1 parent ef79875
commit 4995b1e
Show file tree

Hide file tree

Showing 7 changed files with 145 additions and 102 deletions.
diff --git a/.github/workflows/integration.yml → .github/workflows/action-integration.yml b/.github/workflows/integration.yml → .github/workflows/action-integration.yml
@@ -1,24 +1,28 @@
-name: Integration Test
+# Tests athe github action on each push
+name: Action Integration Test
 on:
   push:
-    branches:
-      - main
   pull_request:
 jobs:
-  integration-testing:
-    name: Integration Testing
+  action-integration-testing:
+    name: Action Integration Testing
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
         name: Checkout
-      - name: Copy in Dockerfile
-        run: cp Docker/Dockerfile Dockerfile
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Update action.yml to use dockerfile
+        uses: rmeneely/update-yaml@v1
+        with:
+          infile: action.yml
+          varlist: "runs.image=Dockerfile"
       - name: Test action
         id: test-action
         # test with the local checkout of the action
         uses: ./
         with:
-          template: https://github.com/cjolowicz/cookiecutter-hypermodern-python
+          template: https://github.com/cjolowicz/cookiecutter-hypermodern-python.git
           cookiecutterValues: '{
             "project_name": "integration-test"
           }'

diff --git a/.github/workflows/release-docker-images.yml b/.github/workflows/release-docker-images.yml
@@ -0,0 +1,55 @@
+# Runs after release-please creates a new release
+# Builds and pushes the docker images for the release
+name: Release Docker Images
+on:
+  release:
+    types: [released]
+
+jobs:
+  build-and-push-dockerimage:
+    name: Buld and push dockerimage
+    if: github.repository_owner == 'andrewthetechie'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.THIS_PAT }}
+      - name: Docker metadata
+        uses: docker/metadata-action@v4
+        id: meta
+        with:
+          images: |
+            ${{ github.repository }}
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=raw,value=${{ github.ref_name }}
+            # minimal (short sha)
+            type=sha,prefix=
+            # full length sha
+            type=sha,format=long,prefix=
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#registry-cache
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/release-major-version-tag.yml b/.github/workflows/release-major-version-tag.yml
@@ -0,0 +1,15 @@
+# Updates major version tag for GHA ease of use
+name: Update Major Version Tag
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  update-majorver:
+    name: Update Major Version Tag
+    if: github.repository_owner == 'andrewthetechie'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: nowactions/update-majorver@v1
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -5,9 +5,12 @@ on:
 name: release-please
 jobs:
   release-please:
+    if: github.repository_owner == 'andrewthetechie'
     runs-on: ubuntu-latest
     steps:
       - uses: google-github-actions/release-please-action@v3
         with:
           token: ${{ secrets.THIS_PAT }}
-          release-type: simple
+          release-type: python
+          extra-files: |
+            action.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,58 @@
-# This file is generated from Docker/ActionDockerfile.j2 as part of the release ci
-# Don't modify it directly
-FROM andrewthetechie/gha-cookiecutter:v1.2.0
+# Distroless runs python 3.9.2
+FROM python:3.11-slim-bullseye as python-base
+ADD Docker/builder/rootfs /
+ADD main.py /app/main.py
+ADD action.yml /app/action.yml
+
+# We are installing a dependency here directly into our app source dir
+RUN pip install --target=/app -r /requirements.txt
+RUN cd /tmp && \
+    apt-get update && \
+    apt-get download git $(apt-cache depends --recurse --no-recommends --no-suggests \
+    --no-conflicts --no-breaks --no-replaces --no-enhances \
+    --no-pre-depends git | grep "^\w") libcurl3-gnutls $(apt-cache depends --recurse --no-recommends --no-suggests \
+    --no-conflicts --no-breaks --no-replaces --no-enhances \
+    --no-pre-depends libcurl3-gnutls | grep "^\w") && \
+    mkdir /dpkg && \
+    for deb in *.deb; do dpkg --extract $deb /dpkg || exit 10; done
+
+# use distroless/cc as the base for our final image
+# lots of python depends on glibc
+FROM gcr.io/distroless/cc-debian11
+
+# Copy python from the python-builder
+# this carries more risk than installing it fully, but makes the image a lot smaller
+COPY --from=python-base /usr/local/lib/ /usr/local/lib/
+COPY --from=python-base /usr/local/bin/python /usr/local/bin/python
+COPY --from=python-base /etc/ld.so.cache /etc/ld.so.cache
+
+# Add some common compiled libraries
+# If seeing ImportErrors, check if in the python-base already and copy as below
+# required by lots of packages - e.g. six, numpy, wsgi
+# *-linux-gnu makes this builder work with either linux/arm64 or linux/amd64
+COPY --from=python-base /lib/*-linux-gnu/libz.so.1 /lib/libs/
+COPY --from=python-base /lib/*-linux-gnu/libcom_err.so.2 /lib/libs/
+COPY --from=python-base /usr/lib/*-linux-gnu/libffi* /lib/libs/
+COPY --from=python-base /lib/*-linux-gnu/libexpat* /lib/libs/
+
+# Add some git libs
+COPY --from=python-base /lib/*-linux-gnu/libcom_err.so.2 /lib/libs/
+
+# Copy over the app
+COPY --from=python-base /app /app
+COPY --from=python-base /dpkg /
+WORKDIR /app
+
+# Add /lib/libs to our path
+ENV LD_LIBRARY_PATH="/lib/libs:${LD_LIBRARY_PATH}" \
+# Add the app path to our path
+    PATH="/app/bin:${PATH}" \
+# Add the app path to your python path
+    PYTHONPATH="/app:${PYTHONPATH}" \
+# standardise on locale, don't generate .pyc, enable tracebacks on seg faults
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONFAULTHANDLER=1
+
+CMD ["python", "/app/main.py"]
diff --git a/action.yml b/action.yml
@@ -39,7 +39,7 @@ outputs:
     description: "Directory the cookiecutter outputted to"
 runs:
   using: "docker"
-  image: "Dockerfile"
+  image: "docker://ghcr.io/andrewthetechie/gha-cookiecutter:v1.3.0" # x-release-please-version
 branding:
   icon: 'layers'
   color: 'blue'