👷 Add docker support

llaumgui · Dec 18, 2023 · be69ade · be69ade
1 parent c005028
commit be69ade
Show file tree

Hide file tree

Showing 8 changed files with 235 additions and 70 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+.github
+.git
diff --git a/.github/workflows/devops.yml b/.github/workflows/devops.yml
@@ -3,64 +3,87 @@ on:
   [push, pull_request]
 
 env:
-  pythonLastVersion: '3.10'
+  pythonLastVersion: '3.11'
+  GHCR_REGISTRY: ghcr.io
+  IMAGE_NAME: llaumgui/seedboxsync
 
 jobs:
 
   ##############################################################################
-  # Test job
+  # Test python application
   #
   test_python:
     runs-on: ubuntu-latest
     name: Test Python
-
     strategy:
       fail-fast: false
       matrix:
         python-version: ['3.8', '3.9', '3.10', '3.11']
-
     steps:
     - name: Git checkout
       uses: actions/checkout@v4
-      with:
-        fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
-
     - uses: actions/cache@v3
       with:
         path: ${{ env.pythonLocation }}
         key: ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }}-${{ hashFiles('dev-requirements.txt') }}
-
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip
         pip install -r requirements.txt
         pip install -r requirements-dev.txt
-
     - name: Make all tests with make
       run: make test
 
+  ##############################################################################
+  # Markdownlint
+  #
+  test_markdownlint:
+    runs-on: ubuntu-latest
+    name: MarkdownLint
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4
+    - name: markdownlint-cli
+      uses: nosborn/[email protected]
+      with:
+        files: "*.md docs/*.md"
+        config_file: ".markdownlint.yaml"
+
+  ##############################################################################
+  # Dockerfile tests
+  #
+  test_dockerfiles:
+    runs-on: ubuntu-latest
+    name: Linters for Dockerfile
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4
+    - name: hadolint
+      if: github.event.schedule == ''
+      uses: hadolint/[email protected]
+      with:
+        recursive: true
 
   ##############################################################################
   # SonarCloud job
   #
   test_sonar:
     needs: [
-      test_python
+      test_python,
+      test_markdownlint,
+      test_dockerfiles
     ]
     runs-on: ubuntu-latest
     name: SonarCloud analyse
-
     steps:
     - name: Git checkout
       uses: actions/checkout@v4
       with:
         fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-
     - name: SonarCloud Scan
       if: github.event_name != 'pull_request'
       uses: sonarsource/sonarcloud-github-action@master
@@ -71,72 +94,152 @@ jobs:
         args: >
           -Dsonar.verbose=true
 
-
-  ##############################################################################
-  # Markdownlint job
-  #
-  test_markdownlint:
-    runs-on: ubuntu-latest
-    name: MarkdownLint
-
-    steps:
-
-    - name: Git checkout
-      uses: actions/checkout@v4
-
-    - name: markdownlint-cli
-      uses: nosborn/[email protected]
-      with:
-        files: "*.md docs/*.md"
-        config_file: ".markdownlint.yaml"
-
-
   ##############################################################################
-  # SonarCloud job
+  # Package job
   #
   package:
     needs: [
-      test_python,
-      test_sonar,
-      test_markdownlint
+      test_sonar
     ]
     runs-on: ubuntu-latest
     name: Build package
-
     steps:
     - name: Git checkout
       uses: actions/checkout@v4
-      with:
-        fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-
     - name: Set up Python ${{ env.pythonLastVersion }}
       uses: actions/setup-python@v5
       with:
         python-version: ${{ env.pythonLastVersion }}
-
     - uses: actions/cache@v3
       with:
         path: ${{ env.pythonLocation }}
         key: ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }}-${{ hashFiles('dev-requirements.txt') }}
-
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip
         pip install -r requirements.txt
         pip install -r requirements-dev.txt
-
     - name: Package
       run: make dist
-
     - name: Archive package
       uses: actions/upload-artifact@v4
       with:
         name: seedboxsync-${{ github.sha }}.tar.gz
         path: dist/*.tar.gz
 
+  ##############################################################################
+  # Build and tests Docker image
+  #
+  test_docker:
+    needs: [
+      test_sonar
+    ]
+    runs-on: ubuntu-latest
+    name: Build and test docker images
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4
+    # Extract metadata (tags, labels) for Docker
+    # https://github.com/docker/metadata-action
+    - name: Extract Docker metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images:
+          ${{ env.IMAGE_NAME }}
+    # Build and push Docker image with Buildx (don't push on PR)
+    # https://github.com/docker/build-push-action
+    - name: Build Docker image
+      uses: docker/build-push-action@v5
+      with:
+        tags: |
+          ${{ env.IMAGE_NAME }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=registry,ref=${{ env.IMAGE_NAME }}
+        cache-to: type=inline
+    # Test with Trivy
+    # https://github.com/aquasecurity/trivy-action
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ env.IMAGE_NAME }}
+        format: 'template'
+        template: '@/contrib/sarif.tpl'
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  ##############################################################################
+  # Build and deploy job (only on main)
+  #
+  docker_build_deploy:
+    if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags/v')
+    needs: [
+      test_docker
+    ]
+    runs-on: ubuntu-latest
+    name: Build and deploy docker images
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4
+    # Login against 2 Docker registries except on PR
+    # https://github.com/docker/login-action
+    - name: Log in to Docker Hub
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Log into registry ${{ env.GHCR_REGISTRY }}
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.GHCR_REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    # Extract metadata (tags, labels) for Docker
+    # https://github.com/docker/metadata-action
+    - name: Extract Docker metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: |
+          ${{ env.IMAGE_NAME }}
+          ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
+    # Build and push Docker image with Buildx (don't push on PR)
+    # https://github.com/docker/build-push-action
+    - name: Build and push Docker image
+      if: github.ref == 'refs/heads/main'
+      uses: docker/build-push-action@v5
+      with:
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: |
+          ${{ env.IMAGE_NAME }}:main
+          ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:main
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:main
+        cache-to: type=inline
+    - name: Set env
+      if: contains(github.ref, 'refs/tags/v')
+      run: echo "RELEASE_VERSION=${GITHUB_REF:11}" >> $GITHUB_ENV
+    - name: Build and push Docker image
+      if: github.ref == 'refs/heads/main'
+      uses: docker/build-push-action@v5
+      with:
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: |
+          ${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+          ${{ env.IMAGE_NAME }}:latest
+          ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
+          ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:latest
+        cache-to: type=inline
 
   ##############################################################################
-  # Realse job
+  # Release job
   #
   release:
     needs: [
@@ -145,33 +248,26 @@ jobs:
     runs-on: ubuntu-latest
     if: contains(github.ref, 'refs/tags/v')
     name: Release on GitHub and PyPi
-
     steps:
     - name: Git checkout
       uses: actions/checkout@v4
-
     - name: Set env
       run: echo "RELEASE_VERSION=${GITHUB_REF:11}" >> $GITHUB_ENV
-
     - name: Set up Python ${{ env.pythonLastVersion }}
       uses: actions/setup-python@v5
       with:
         python-version: ${{ env.pythonLastVersion }}
-
     - uses: actions/cache@v3
       with:
         path: ${{ env.pythonLocation }}
         key: ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }}-${{ hashFiles('dev-requirements.txt') }}
-
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip
         pip install -r requirements.txt
         pip install -r requirements-dev.txt
-
     - name: Package
       run: make dist
-
     - name: Create GitHub release
       id: create_release
       uses: actions/create-release@v1
@@ -186,7 +282,6 @@ jobs:
           - Second Change
         draft: true
         prerelease: false
-
     - name: Upload asset in GitHub release
       id: upload-release-asset
       uses: actions/upload-release-asset@v1
@@ -197,7 +292,6 @@ jobs:
         asset_path: dist/seedboxsync-${{ env.RELEASE_VERSION }}.tar.gz
         asset_name: seedboxsync-${{ env.RELEASE_VERSION }}.tar.gz
         asset_content_type: application/tar+gzip
-
     - name: Publish package
       uses: pypa/gh-action-pypi-publish@master
       with:

diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -0,0 +1,7 @@
+ignored:
+  - DL3018
+  - DL3003
+  - DL3008
+  - DL3013
+  - DL3059
+  - SC2086
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,13 +1,14 @@
 # ChangeLog
 
-## 3.0.2 - Dec 18, 2023
+## Next release
 
 * ⬆️ Update Cement framework.
 * 📦 Fix packaging issues.
 * 📝 Add Changelog and Contributors files.
 * 💚 Fix SonarCloud.
 * 👷 Drop Python 3.7 support.
 * ⬆️ Now support Python version from 3.8 to 3.11.
+* 👷 Add docker support and provide docker images.
 
 ## 3.0.1 - Feb 14, 2022