ci: PLT-567: fix docker builds (#6713)

.github/workflows/docker-build-ontop.yml

@@ -68,6 +68,7 @@ jobs:
             core.setOutput("active", membership.state == "active");
 
       - name: Checkout
+        id: checkout
         uses: actions/checkout@v4
         with:
           submodules: 'recursive'
@@ -77,18 +78,9 @@ jobs:
       - name: Calculate Docker tags
         id: calculate-docker-tags
         uses: actions/github-script@v7
-        env:
-          TAGS: ${{ inputs.tags }}
-          IMAGE_NAME: ${{ env.IMAGE_NAME }}
         with:
           script: |
-            const raw_tags_input = process.env.TAGS;
-            const image_name = process.env.IMAGE_NAME;
-            
-            const tags = raw_tags_input.split(',').map(x => x.trim());
-            const docker_tags = tags.map(x => `${image_name}:${x}`).join(',');
-            console.log(docker_tags);
-            core.setOutput("docker-tags", docker_tags);
+            core.setOutput('docker-tags', `${{ inputs.tags }}`.split(",").join("\n"))
 
       - name: Edit Dockerfile
         env:
@@ -107,6 +99,16 @@ jobs:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ steps.checkout.outputs.commit }}
+          tags: |
+            ${{ steps.calculate-docker-tags.outputs.docker-tags }}
+
       - name: Push Docker image
         uses: docker/[email protected]
         id: docker_build_and_push
@@ -115,6 +117,9 @@ jobs:
           file: ${{ inputs.dockerfile_path }}
           platforms: linux/amd64,linux/arm64
           push: ${{ steps.actor-membership.outputs.active }}
-          tags: ${{ steps.calculate-docker-tags.outputs.docker-tags }}
+          sbom: true
+          provenance: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

.github/workflows/docker-build.yml

@@ -117,6 +117,17 @@ jobs:
             exit 1
           fi
 
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ inputs.sha }}
+          tags: |
+            type=raw,value=${{ steps.version.outputs.image_version }}
+            type=raw,value=${{ steps.version.outputs.build_version }}
+
       - name: Push Docker image
         uses: docker/[email protected]
         id: docker_build_and_push
@@ -125,7 +136,10 @@ jobs:
           file: Dockerfile
           platforms: linux/amd64,linux/arm64
           push: ${{ steps.actor-membership.outputs.active }}
-          tags: ${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_version }},${{ env.IMAGE_NAME }}:${{ steps.version.outputs.build_version }}
+          sbom: true
+          provenance: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |

.github/workflows/docker-release-promote.yml

@@ -62,16 +62,14 @@ jobs:
         with:
           ref: ${{ inputs.release_tag }}
 
-      - name: Check is latest tag needs to be updated
+      - name: Check if the latest tag needs to be updated
         uses: actions/github-script@v7
         id: generate-tags
         with:
           github-token: ${{ secrets.GIT_PAT }}
           script: |
             const {repo, owner} = context.repo;
             const newTag = '${{ inputs.release_tag }}';
-            const dockerHubImageName = '${{ env.IMAGE_NAME }}';
-            const redHatImageName = 'quay.io/redhat-isv-containers/${{ secrets.REDHAT_MARKETPLACE_LS_PROJECT_ID }}';
             const regexp = '^[v]?([0-9]+)\.([0-9]+)\.([0-9]+)(\.post([0-9]+))?$';
 
             function compareVersions(a, b) {
@@ -109,36 +107,22 @@ jobs:
             console.log(`Newest tag: ${newestVersion[0]}`)
 
             let dockerHubUbuntuRawTags = [newTag];
-            let dockerHubUbiRawTags = [`ubi_${newTag}`];
-            let redHatUbiRawTags = [newTag];
-
 
             if (compareVersions(newTag.match(regexp), newestVersion) >= 0) {
               console.log(`new tag ${newTag} is higher that all existing tags`)
               console.log(dockerHubUbuntuRawTags)
               dockerHubUbuntuRawTags.push('latest')
-              dockerHubUbiRawTags.push('ubi_latest')
-              redHatUbiRawTags.push('latest')
               core.setOutput("latest", true);
             } else {
               console.log('not latest')
               core.setOutput("latest", false);
             }
 
-            const ubuntuTags = dockerHubUbuntuRawTags.map(e => `${dockerHubImageName}:${e}`)
-            const redHatTags = redHatUbiRawTags.map(e => `${redHatImageName}:${e}`)
-            const ubiTags = redHatTags.concat(
-              dockerHubUbiRawTags.map(e => `${dockerHubImageName}:${e}`)
-            )
-
+            const ubuntuTags = dockerHubUbuntuRawTags.join("\n");
             console.log('Ubuntu tags:')
             console.log(ubuntuTags)
-            console.log('Ubi tags:')
-            console.log(ubiTags)
 
-            core.setOutput("ubuntu-tags", ubuntuTags.join(','));
-            core.setOutput("redhat-tags", redHatTags.join(','));
-            core.setOutput("ubi-tags", ubiTags.join(','));
+            core.setOutput("ubuntu-tags", ubuntuTags);
 
       - name: Set up Python
         uses: actions/setup-python@v5
@@ -178,13 +162,6 @@ jobs:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Login to RedHat Registry
-        uses: docker/[email protected]
-        with:
-          registry: quay.io
-          username: ${{ secrets.REDHAT_REGISTRY_LOGIN }}
-          password: ${{ secrets.REDHAT_REGISTRY_PASSWORD }}
-
       - name: Prepare Release Dockerfile
         id: release_dockerfile
         env:
@@ -207,14 +184,27 @@ jobs:
           COPY --chown=54546:0 ${{ env.LAUNCHDARKLY_DOWNLOAD_PATH }} /label-studio/label_studio/feature_flags.json
           EOF
 
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ steps.get_info.outputs.sha }}
+          tags: |
+            ${{ steps.generate-tags.outputs.ubuntu-tags }}
+
       - name: Build and Push Release Ubuntu Docker image
         uses: docker/[email protected]
         id: docker_build
         with:
           context: ${{ steps.release_dockerfile.outputs.release_dir }}
           file: ${{ steps.release_dockerfile.outputs.release_dir }}/${{ env.RELEASE_DOCKERFILE }}
           push: true
-          tags: ${{ steps.generate-tags.outputs.ubuntu-tags }}
+          sbom: true
+          provenance: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64,linux/arm64
@@ -231,7 +221,7 @@ jobs:
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
         with:
           version: label-studio@${{ inputs.release_tag }}
           projects: opensource-v1-backend
@@ -241,7 +231,7 @@ jobs:
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
         with:
           version: label-studio@${{ inputs.release_tag }}
           projects: opensource-v1-frontend

Dockerfile

@@ -121,14 +121,26 @@ ENV LS_DIR=/label-studio \
 
 WORKDIR $LS_DIR
 
-# incapsulate nginx install & configure to a single layer
+# install prerequisites for app
 RUN --mount=type=cache,target="/var/cache/apt",sharing=locked \
     --mount=type=cache,target="/var/lib/apt/lists",sharing=locked \
     set -eux; \
     apt-get update; \
     apt-get upgrade -y; \
     apt-get install --no-install-recommends -y libexpat1 \
-        nginx curl; \
+        gnupg2 curl; \
+    apt-get autoremove -y
+
+# install nginx
+RUN --mount=type=cache,target="/var/cache/apt",sharing=locked \
+    --mount=type=cache,target="/var/lib/apt/lists",sharing=locked \
+    set -eux; \
+    curl -sSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg >/dev/null; \
+    DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release); \
+    printf "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian ${DEBIAN_VERSION} nginx\n" > /etc/apt/sources.list.d/nginx.list; \
+    printf "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" > /etc/apt/preferences.d/99nginx; \
+    apt-get update; \
+    apt-get install --no-install-recommends -y nginx; \
     apt-get autoremove -y
 
 RUN set -eux; \
@@ -144,8 +156,6 @@ COPY --chown=1001:0 README.md .
 COPY --chown=1001:0 LICENSE LICENSE
 COPY --chown=1001:0 licenses licenses
 COPY --chown=1001:0 deploy deploy
-# We need these files for security scanners
-COPY --chown=1001:0 web/yarn.lock $LS_DIR/web/yarn.lock
 
 # Copy files from build stages
 COPY --chown=1001:0 --from=venv-builder               $LS_DIR                                           $LS_DIR