diff --git a/.github/actions/docker-build/action.yaml b/.github/actions/docker-build/action.yaml
new file mode 100644
index 0000000..fa791be
--- /dev/null
+++ b/.github/actions/docker-build/action.yaml
@@ -0,0 +1,57 @@
+name: Docker Build
+description: Build Docker Image
+inputs:
+ context:
+ description: Docker context path
+ required: true
+ default: dist
+ dockerfile:
+ description: Dockerfile path
+ required: true
+ registry:
+ description: Docker registry
+ required: true
+ image_name:
+ description: Docker image name
+ required: true
+ docker_user:
+ description: Docker user
+ required: true
+ docker_password:
+ description: Docker password
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ inputs.registry }}
+ username: ${{ inputs.docker_user }}
+ password: ${{ inputs.docker_password }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v3
+ with:
+ images: ${{ inputs.registry }}/${{ inputs.image_name }}
+ tags: |
+ type=sha,prefix=
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v4
+ with:
+ context: ${{ inputs.context }}
+ file: ${{ inputs.dockerfile }}
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/.github/actions/setup-node/action.yml b/.github/actions/setup-node/action.yml
new file mode 100644
index 0000000..1e489c3
--- /dev/null
+++ b/.github/actions/setup-node/action.yml
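Review bot: Every third-party action in this composite is referenced by a floating major tag (`docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/metadata-action@v3`, `docker/build-push-action@v4`), whereas the workflow this commit deletes pinned `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` to full commit SHAs; the same regression applies to `pnpm/action-setup@v4` and `actions/setup-node@v4` in the new setup-node action. A tag can be moved by whoever controls the upstream repository, and this action both receives `inputs.docker_password` and pushes to the registry, so each `uses:` should be pinned to a commit SHA with the release version in a trailing comment. Separately, the action declares no `outputs:`, so the image digest that the deleted workflow fed into `actions/attest-build-provenance` is no longer available and release.yml cannot restore the provenance attestation without changing this file; giving the build step an `id` and surfacing `steps.push.outputs.digest` fixes that. Minor: `context` declares both `required: true` and `default: dist`, which makes the requirement redundant.
```yaml
# … unchanged: name, description, inputs …
outputs:
  digest:
    description: Digest of the pushed image, for provenance attestation by the caller
    value: ${{ steps.push.outputs.digest }}
# … unchanged: runs.using and the QEMU, Buildx, login and metadata steps …
    - name: Build and push Docker image
      id: push
      uses: docker/build-push-action@v4
# … unchanged: with: block …
```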
@@ -0,0 +1,32 @@
+# based on https://github.com/hyperledger/aries-framework-javascript-ext/blob/main/.github/actions/setup-node/action.yml
+name: Setup NodeJS
+description: Setup NodeJS with caching
+author: "timo@animo.id"
+
+inputs:
+ node-version:
+ description: Select the nodejs version to use
+ required: false
+ default: "18.18.2"
+
+runs:
+ using: composite
+ steps:
+ - name: Add package manager
+ shell: bash
+ run: |
+ corepack enable
+
+ - uses: pnpm/action-setup@v4
+
+ - name: Setup node v${{ inputs.node-version }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.node-version }}
+ registry-url: "https://registry.npmjs.org/"
+ cache: "pnpm"
+
+ - name: Node Version
+ shell: bash
+ run: |
+ node -v && pnpm -v
diff --git a/.github/workflows/ci.yml b/.github/workflows/quality.yml
similarity index 92%
rename from .github/workflows/ci.yml
rename to .github/workflows/quality.yml
index e1fd723..879ebec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/quality.yml
@@ -1,4 +1,4 @@
-name: Continuous Integration
+name: Quality
 on:
 pull_request:
@@ -16,12 +16,10 @@ jobs:
 - name: Checkout Repo
 uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
 - name: Setup NodeJS
- uses: actions/setup-node@v4
+ uses: ./.github/actions/setup-node
 with:
 node-version: 20
- cache: "pnpm"
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
deleted file mode 100644
index a462a9c..0000000
--- a/.github/workflows/release-image.yml
+++ /dev/null
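Review bot: The action installs pnpm through two mechanisms — `corepack enable` in the first step and then `pnpm/action-setup@v4` with no `version` input — and nothing in the hunk says which one ends up on PATH or at what version; presumably `pnpm/action-setup` resolves the version from a `packageManager` field in package.json, which is not visible here. Keep one mechanism, or record why both are needed, e.g. `# corepack is enabled for parity with local dev; pnpm/action-setup pins the version from package.json#packageManager — TODO confirm`. The `default: "18.18.2"` also differs from the `node-version: 20` that the only caller (quality.yml) passes, so the default looks stale and a one-line comment on what it is for would stop it being picked up unintentionally. Style: both `run: |` blocks hold a single command and read more simply as `run: corepack enable` and `run: node -v && pnpm -v`.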
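Review bot: Renaming the workflow to `Quality` in the first hunk creates a hidden coupling: the new release.yml triggers on `workflow_run: workflows: [Quality]`, so any later change to this `name:` silently stops image releases with no error in either workflow. A comment beside the name, `# NOTE: release.yml triggers on this workflow name via workflow_run; keep both in sync`, makes the dependency visible. In the second hunk `node-version: 20` is passed to the composite as an unquoted integer while the action's own default is the quoted string `"18.18.2"`; writing `node-version: "20"` keeps the value a string and avoids the float trap if a minor version is ever added. The job's `permissions:` block, if it has one, lies outside the hunk.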
@@ -1,54 +0,0 @@
-name: Release Image
-
-on:
- push:
- tags:
- - v*
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
-
-jobs:
- release-image:
- name: Release Image to Github Registry
- runs-on: ubuntu-20.04
-
- permissions:
- contents: read
- packages: write
- attestations: write
- id-token: write
-
- steps:
- - name: Checkout Repository
- uses: actions/checkout@v4
-
- - name: Log in to the Container registry
- uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
- - name: Build and push Docker image
- id: push
- uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
- with:
- context: .
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
-
- - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v2
- with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
- subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e4c12cc
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,67 @@
+name: Release
+
+on:
+ # push:
+ # tags:
+ # - v*
+ workflow_run:
+ workflows: [Quality]
+ branches: [main]
+ types:
+ - completed
+env:
+ REGISTRY: ghcr.io
+
+jobs:
+ release-image:
+ name: Publish Image
+ runs-on: ubuntu-20.04
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Build Docker image
+ uses: ./.github/actions/docker-build
+ with:
+ registry: ${{ env.REGISTRY }}
+ image_name: "${{ github.repository }}/mediator"
+ context: ./
+ dockerfile: "Dockerfile"
+ docker_user: ${{ github.actor }}
+ docker_password: ${{ secrets.GITHUB_TOKEN }}
+
+ # - name: Log in to the Container registry
+ # uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ # with:
+ # registry: ${{ env.REGISTRY }}
+ # username: ${{ github.actor }}
+ # password: ${{ secrets.GITHUB_TOKEN }}
+
+ # - name: Extract metadata (tags, labels) for Docker
+ # id: meta
+ # uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ # with:
+ # images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # - name: Build and push Docker image
+ # id: push
+ # uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+ # with:
+ # context: .
+ # push: true
+ # tags: ${{ steps.meta.outputs.tags }}
+ # labels: ${{ steps.meta.outputs.labels }}
+
+ # - name: Generate artifact attestation
+ # uses: actions/attest-build-provenance@v2
+ # with:
+ # subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+ # subject-digest: ${{ steps.push.outputs.digest }}
+ # push-to-registry: true
diff --git a/Dockerfile b/Dockerfile
index e20e221..b968dcf 100644
--- a/Dockerfile
+++ b/Dockerfile
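Review bot: The `workflow_run` trigger with `types: [completed]` fires whether Quality succeeded or failed, so as written the job publishes an image from main even when the quality gate is red; add a job-level guard under `release-image:`, `if: ${{ github.event.workflow_run.conclusion == 'success' }}`. In the same job `actions/checkout@v4` has no `ref:`, and in a `workflow_run` job that checks out the branch head at trigger time rather than the commit Quality validated; `ref: ${{ github.event.workflow_run.head_sha }}` ties the published image to the validated commit. The job still requests `attestations: write` and `id-token: write`, but the only consumer of those scopes — the `actions/attest-build-provenance` step from the deleted release-image.yml — is now commented out, so either restore the attestation (which needs the image digest exposed by the docker-build action) or drop the two permissions so the token carries only what the job uses. The roughly thirty commented-out lines duplicate the deleted file that git history already preserves and should be removed rather than carried as dead configuration.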
@@ -1,10 +1,12 @@
-FROM node:20 as base
+FROM node:20 AS base
-workdir /app
+WORKDIR /app
-RUN corepack enable
+RUN apt-get update && \
+ apt-get upgrade -y && \
+ corepack enable
-FROM base as setup
+FROM base AS setup
 # Copy root package files
 COPY package.json /app/package.json
@@ -18,7 +20,7 @@ COPY . /app
 RUN pnpm build
-FROM base as final
+FROM base AS final
 WORKDIR /app
@@ -29,15 +31,15 @@ COPY package.json /app/package.json
 COPY pnpm-lock.yaml /app/pnpm-lock.yaml
 COPY patches /app/patches
-# Run yarn install
-RUN pnpm install --production
-
-# Clean cache to reduce image size
-RUN pnpm store prune
+# Package yarn install and prune to
+# reduce image size
+RUN pnpm install --production && \
+ pnpm store prune
 # Don't run production as root
-RUN addgroup --system --gid 1001 agent
-RUN adduser --system --uid 1001 agent
+RUN addgroup --system --gid 1001 agent && \
+ adduser --system --uid 1001 agent
+
 USER agent
 ENTRYPOINT [ "node", "build/index.js" ]
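Review bot: In the first hunk the new `apt-get update && apt-get upgrade -y` leaves the downloaded package lists in the `base` stage, which every later stage — including `final` — inherits; append `rm -rf /var/lib/apt/lists/* && \` before `corepack enable` so they are dropped in the same layer. The purpose of the upgrade (pulling OS security fixes into the image) and its cost (the image content now depends on build date rather than on the `node:20` tag alone) are not stated anywhere; a comment such as `# apply pending OS security updates to the shared base layer; contents vary with build date` records both, and pinning `FROM node:20` to a digest would be the companion change for reproducibility. In the third hunk the new comment `# Package yarn install and prune to` describes a yarn step while the command is `pnpm install`; `# Install production deps and prune the pnpm store to reduce image size` matches the code.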