
Commit 236ab79

committed
fix: fixed dockerfile vuln and updated build workflow
1 parent 44244a8 commit 236ab79

2 files changed

+35
-25
lines changed


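--- a/.github/workflows/build-and-release.yaml
+++ b/.github/workflows/build-and-release.yaml
@@ -12,7 +12,6 @@ on:
 
 env:
 IMAGE_NAME: shawn636/mini-ftp
-MINORS_TO_KEEP: 3
 
 jobs:
 build-and-release:
@@ -56,38 +55,35 @@ jobs:
 uses: docker/setup-buildx-action@v2
 with:
 driver: docker-container
-buildkitd-flags: --allow-insecure-entitlement security.insecure
-
-- name: Cache Docker Buildx
-uses: actions/cache@v3
-with:
-path: /tmp/.buildx-cache
-key: docker-buildx-cache-${{ runner.os }}-${{ github.sha }}
-restore-keys: |
-docker-buildx-cache-${{ runner.os }}-
 
 - name: Log in to Docker Hub
 uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKER_HUB_USERNAME }}
 password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
-- name: Build and Push Docker Image
+- name: Build and Push Images
 run: |
 VERSION=$(cat VERSION)
-echo "Building image with version: $VERSION"
+ALPINE_LATEST="latest"
+ALPINE_VERSIONS=("3.21" "3.20" "3.19")
+
+echo "Building and pushing images for version: $VERSION"
+
+# Build and push the default version (alpine:latest)
 docker buildx build --push \
---platform linux/amd64,linux/arm64 \
---tag ${{ env.IMAGE_NAME }}:$VERSION \
---cache-to type=inline \
---cache-from type=registry,ref=${{ env.IMAGE_NAME }}:build-cache \
-.
+--platform linux/amd64,linux/arm64 \
+--tag ${{ env.IMAGE_NAME }}:$VERSION \
+--tag ${{ env.IMAGE_NAME }}:$VERSION-alpine-$ALPINE_LATEST \
+--build-arg ALPINE_VERSION=$ALPINE_LATEST .
 
-- name: Cleanup Old Docker Images
-run: |
-old_versions=$(docker images ${{ env.IMAGE_NAME }} --format '{{.Tag}}' | sort -r | tail -n +${{ env.MINORS_TO_KEEP }})
-for version in $old_versions; do
-docker rmi ${{ env.IMAGE_NAME }}:$version || true
+# Build and push for each specific Alpine version
+for version in "${ALPINE_VERSIONS[@]}"; do
+TAG_SUFFIX="alpine-$version"
+docker buildx build --push \
+--platform linux/amd64,linux/arm64 \
+--tag ${{ env.IMAGE_NAME }}:$VERSION-$TAG_SUFFIX \
+--build-arg ALPINE_VERSION=$version .
 done
 
 - name: Finalize Release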
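Review bot: The first `docker buildx build --push` in the new step builds and pushes the unsuffixed `:$VERSION` tag (and `:$VERSION-alpine-latest`) with `--build-arg ALPINE_VERSION=$ALPINE_LATEST`, i.e. the literal string `latest`, so the release tag is built on whatever `alpine:latest` resolves to on the day the job runs (assuming the Dockerfile maps `ALPINE_VERSION` onto its base image; only `FROM $BASE_IMG` is visible here) and the same `$VERSION` is not reproducible across re-runs. A safer shape is to build the release tag from the newest pinned entry and keep `latest` as a tag alias only: `--build-arg ALPINE_VERSION=${ALPINE_VERSIONS[0]} .` for the first build, with `ALPINE_LATEST` used solely in the `--tag` line. Since the two `docker buildx build --push` invocations now differ only in tags and the build arg, consider adding `--provenance=true --sbom=true` to both so each pushed image carries build attestations, which the removed inline-cache flags never provided. The `build-and-release` job starts before this hunk, so I cannot see whether `permissions:` is restricted for it.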

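--- a/Dockerfile
+++ b/Dockerfile
@@ -33,9 +33,23 @@ FROM $BASE_IMG
 COPY --from=pidproxy /usr/bin/pidproxy /usr/bin/pidproxy
 
 # Install runtime dependencies
-RUN apk --no-cache add vsftpd tini bash shadow jq curl \
-&& curl -sL $(curl -s https://api.github.com/repos/mikefarah/yq/releases/latest | jq -r '.assets[] | select(.name | contains("linux_amd64")) | .browser_download_url') -o /usr/bin/yq \
-&& chmod +x /usr/bin/yq
+RUN apk --no-cache add vsftpd tini bash shadow jq curl
+
+# Install yq
+# Install yq dynamically based on architecture
+RUN arch=$(uname -m) \
+&& case "$arch" in \
+x86_64) yq_arch="yq_linux_amd64";; \
+aarch64) yq_arch="yq_linux_arm64";; \
+armv7l) yq_arch="yq_linux_arm";; \
+*) echo "Unsupported architecture: $arch"; exit 1;; \
+esac \
+&& curl -sL https://github.com/mikefarah/yq/releases/latest/download/$yq_arch -o /usr/bin/yq \
+&& chmod +x /usr/bin/yq \
+# Verify yq version is at least 4.44.0
+&& yq_version=$(yq --version | awk '{print $3}') \
+&& min_version="4.44.0" \
+&& [ "$(printf '%s\n' "$min_version" "$yq_version" | sort -V | head -n1)" = "$min_version" ] || { echo "yq version must be >= 4.44.0. Found $yq_version"; exit 1; }
 
 COPY config/vsftpd.conf /etc/vsftpd/vsftpd.conf
 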
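Review bot: The new `RUN` still fetches an unpinned binary from `releases/latest/download/$yq_arch` with `curl -sL` and executes it with no integrity check, so the image's supply chain trusts whatever GitHub serves at build time, and `-s` without `-f` means a 404 or redirect error page is written to `/usr/bin/yq` instead of failing the step. The version gate added after `chmod +x` is also likely ineffective: if `yq --version` prints `yq (https://github.com/mikefarah/yq/) version vX.Y.Z` (from memory of current releases; please confirm against the binary), `awk '{print $3}'` yields the word `version`, which `sort -V` orders after `4.44.0`, so the check passes for any build; `awk '{print $NF}' | sed 's/^v//'` would extract the actual number. I would pin the release and a per-architecture SHA256 via build args, use `curl -fsSL`, and verify before the chmod, as sketched below; under a multi-platform buildx build `TARGETARCH` is also an alternative to `uname -m` for selecting the asset. The two stacked `# Install yq` comment lines say the same thing and one can go.

```dockerfile
# Pinned yq release (tag without the leading "v") and the published SHA256 of
# each asset; pass them with --build-arg so a bump is an explicit, reviewable change.
ARG YQ_VERSION
ARG YQ_SHA256_AMD64
ARG YQ_SHA256_ARM64
ARG YQ_SHA256_ARM
RUN arch=$(uname -m) \
    && case "$arch" in \
        x86_64) yq_arch="yq_linux_amd64"; yq_sha="$YQ_SHA256_AMD64";; \
        aarch64) yq_arch="yq_linux_arm64"; yq_sha="$YQ_SHA256_ARM64";; \
        armv7l) yq_arch="yq_linux_arm"; yq_sha="$YQ_SHA256_ARM";; \
        *) echo "Unsupported architecture: $arch"; exit 1;; \
    esac \
    && curl -fsSL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/${yq_arch}" -o /usr/bin/yq \
    && echo "${yq_sha}  /usr/bin/yq" | sha256sum -c - \
    && chmod +x /usr/bin/yq \
    # … unchanged: minimum-version gate, with the $NF / leading-v fix described above …
```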