Merge pull request #87 from cyber-dojo/add-base-image-to-dockerfile

Dockerfile: make base-image an ARG
cyber-dojo · Jan 25, 2025 · 8ee2b68 · 8ee2b68
2 parents a6be045 + 4523f7d
commit 8ee2b68
Show file tree

Hide file tree

Showing 15 changed files with 107 additions and 61 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -29,22 +29,17 @@ jobs:
       service_name: ${{ steps.vars.outputs.service_name }}
       image_tag: ${{ steps.vars.outputs.image_tag }}
       image_name: ${{ steps.vars.outputs.image_name }}
-      image_name_previous: ${{ steps.vars.outputs.image_name_previous }}
     steps:
       - uses: actions/checkout@v4
         with:
-          fetch-depth: 2
+          fetch-depth: 1
 
       - name: Prepare outputs for workflow jobs
         id: vars
         run: |
           IMAGE_TAG=${GITHUB_SHA:0:7}        
-          IMAGE_TAG_PREVIOUS=$(git rev-parse --short=7 HEAD^)
-
           ECR_REGISTRY="${AWS_ECR_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
-          
           IMAGE_NAME="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG}"
-          IMAGE_NAME_PREVIOUS="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG_PREVIOUS}"
           
           echo "aws_account_id=${AWS_ACCOUNT_ID}"             >> ${GITHUB_OUTPUT}
           echo "ecr_registry=${ECR_REGISTRY}"                 >> ${GITHUB_OUTPUT}
@@ -53,7 +48,6 @@ jobs:
           echo "service_name=${{ env.SERVICE_NAME }}"         >> ${GITHUB_OUTPUT}
           echo "image_tag=${IMAGE_TAG}"                       >> ${GITHUB_OUTPUT}
           echo "image_name=${IMAGE_NAME}"                     >> ${GITHUB_OUTPUT}
-          echo "image_name_previous=${IMAGE_NAME_PREVIOUS}"   >> ${GITHUB_OUTPUT}
 
       - name: Setup Kosli CLI
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
@@ -191,22 +185,27 @@ jobs:
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
 
+      - name: Output the base-image
+        id: vars
+        run: |
+          source ./bin/lib.sh
+          echo "base_image=$(echo_base_image)" >> ${GITHUB_OUTPUT}
+
       - name: Build and push Docker image to ECR
         id: docker_build
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           tags: ${{ env.IMAGE_NAME }}
-          cache-from: type=registry,ref=${{ needs.setup.outputs.image_name_previous }}
-          cache-to: type=inline,mode=max
-          build-args:
+          build-args: |
             COMMIT_SHA=${{ github.sha }}
+            BASE_IMAGE=${{ steps.vars.outputs.base_image }}
 
       - name: Tar Docker image
         run: |
-          docker pull ${{ env.IMAGE_NAME }}          
-          docker image save ${{ env.IMAGE_NAME }} --output ${{ env.IMAGE_TAR_FILENAME }}
+          docker pull ${IMAGE_NAME}          
+          docker image save ${IMAGE_NAME} --output ${IMAGE_TAR_FILENAME}
 
       - name: Cache Docker image
         uses: actions/cache@v4
@@ -229,14 +228,17 @@ jobs:
       - name: Attest image evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' }}
         run:
-          kosli attest artifact "${{ env.IMAGE_NAME }}"
+          kosli attest artifact "${IMAGE_NAME}"
             --artifact-type=docker          
             --name=runner
 
 
   unit-tests:
     runs-on: ubuntu-latest
     needs: [setup, build-image]
+    env:
+      IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -246,11 +248,11 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ${{ env.IMAGE_TAR_FILENAME }}
-          key: ${{ needs.setup.outputs.image_name }}
+          key: ${{ env.IMAGE_NAME }}
 
       - name: Load Docker image
         run:
-          docker image load --input ${{ env.IMAGE_TAR_FILENAME }}
+          docker image load --input ${IMAGE_TAR_FILENAME}
 
       - name: Run unit tests
         run:
@@ -269,17 +271,13 @@ jobs:
 
       - name: Attest JUnit test evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
         run:
           kosli attest junit
             --name=runner.unit-test
             --results-dir=./reports/server/junit
 
       - name: Attest coverage evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
         run: |
           KOSLI_COMPLIANT=$([ "${{ steps.coverage.outcome }}" == 'success' ] && echo true || echo false)
           kosli attest generic \
@@ -291,6 +289,9 @@ jobs:
   integration-tests:
     runs-on: ubuntu-latest
     needs: [setup, build-image]
+    env:
+      IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -300,11 +301,11 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ${{ env.IMAGE_TAR_FILENAME }}
-          key: ${{ needs.setup.outputs.image_name }}
+          key: ${{ env.IMAGE_NAME }}
 
       - name: Load Docker image
         run:
-          docker image load --input ${{ env.IMAGE_TAR_FILENAME }}
+          docker image load --input ${IMAGE_TAR_FILENAME}
 
       - name: Run integration tests
         run:
@@ -323,17 +324,13 @@ jobs:
 
       - name: Attest junit test evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
         run:
           kosli attest junit
             --name=runner.integration-test
             --results-dir=./reports/client/junit
 
       - name: Attest coverage evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
         run: |
           KOSLI_COMPLIANT=$([ "${{ steps.coverage.outcome }}" == 'success' ] && echo true || echo false)
           kosli attest generic \
@@ -346,6 +343,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [setup, build-image]
     env:
+      IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
       SARIF_FILENAME: snyk.container.scan.json
     steps:
       - uses: actions/checkout@v4
@@ -360,14 +359,13 @@ jobs:
 
       - name: Load Docker image
         run:
-          docker image load --input ${{ env.IMAGE_TAR_FILENAME }}
+          docker image load --input ${IMAGE_TAR_FILENAME}
 
       - name: Setup Snyk
         uses: snyk/actions/setup@master
 
       - name: Run Snyk container scan
         env:
-          IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         run:
           make snyk_container_scan
@@ -380,8 +378,6 @@ jobs:
 
       - name: Attest evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
         run:
           kosli attest snyk 
             --attachments=.snyk          
@@ -393,23 +389,26 @@ jobs:
     if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
     needs: [setup, build-image, pull-request, rubocop-lint, unit-tests, integration-tests, snyk-container-scan, snyk-code-scan]
+    env:
+      IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
     steps:
       - name: Setup Kosli CLI
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Kosli SDLC gate to short-circuit the workflow
-        env:
-          IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
         run:
           kosli assert artifact ${IMAGE_NAME}
 
 
   approve-deployment-to-beta:
-    runs-on: ubuntu-latest
     needs: [setup, build-image, sdlc-control-gate]
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
     environment:
       name: staging
       url: https://beta.cyber-dojo.org
@@ -425,8 +424,6 @@ jobs:
 
       - name: Attest approval of deployment to Kosli
         env:
-          IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
           KOSLI_ENVIRONMENT: aws-beta
         run:
           kosli report approval ${IMAGE_NAME}
@@ -445,6 +442,9 @@ jobs:
   approve-deployment-to-prod:
     needs: [setup, build-image, deploy-to-beta]
     runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
     environment:
       name: production
       url: https://cyber-dojo.org
@@ -460,8 +460,6 @@ jobs:
 
       - name: Attest approval of deployment to Kosli
         env:
-          IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
           KOSLI_ENVIRONMENT: aws-prod
         run:
           kosli report approval ${IMAGE_NAME}

diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,19 @@
-FROM cyberdojo/docker-base:d6830c0
+ARG BASE_IMAGE
+FROM ${BASE_IMAGE}
 LABEL maintainer=jon@jaggersoft.com
 
+# ARGs are reset after FROM See https://github.com/moby/moby/issues/34129
+ARG BASE_IMAGE
+ENV BASE_IMAGE=${BASE_IMAGE}
+
+ARG COMMIT_SHA
+ENV SHA=${COMMIT_SHA}
+
 RUN gem install --no-document 'concurrent-ruby'
 
 WORKDIR /runner
 COPY source/server/ .
 
-ARG COMMIT_SHA
-ENV SHA=${COMMIT_SHA}
-
 USER root
 HEALTHCHECK --interval=1s --timeout=1s --retries=5 --start-period=5s CMD /runner/config/healthcheck.sh
 ENTRYPOINT ["/sbin/tini", "-g", "--"]

diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ API
 * [GET alive](docs/api.md#get-alive)  
 * [GET ready](docs/api.md#get-ready)
 * [GET sha](docs/api.md#get-sha)
+* [GET base_image](docs/api.md#get-base-image)
 
 ***
 

diff --git a/bin/build_image.sh b/bin/build_image.sh
@@ -51,13 +51,13 @@ build_image()
   check_args "$@"
   local -r type="${1}"
   exit_non_zero_unless_installed docker
-  export $(echo_versioner_env_vars)
+  export $(echo_env_vars)
   containers_down
   remove_old_images
 
-  docker compose build --build-arg COMMIT_SHA="${COMMIT_SHA}" server
+  docker compose build server
   if [ "${type}" == 'client' ]; then
-    docker compose build --build-arg COMMIT_SHA="${COMMIT_SHA}" client
+    docker compose build client
   fi
 
   local -r image_name="${CYBER_DOJO_RUNNER_IMAGE}:${CYBER_DOJO_RUNNER_TAG}"

diff --git a/bin/check_coverage.sh b/bin/check_coverage.sh
@@ -41,7 +41,7 @@ check_args()
 check_coverage()
 {
   check_args "$@"
-  export $(echo_versioner_env_vars)
+  export $(echo_env_vars)
 
   local -r TYPE="${1}"           # {server|client}
   local -r TEST_LOG=test.log

diff --git a/bin/demo.sh b/bin/demo.sh
@@ -6,7 +6,7 @@ export ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 readonly DEMO_FILENAME="/tmp/runner_demo.html"
 
 source "${ROOT_DIR}/bin/lib.sh"
-export $(echo_versioner_env_vars)
+export $(echo_env_vars)
 docker compose --progress=plain up --wait --wait-timeout=10 client
 docker exec -it test_runner_client ruby /runner/demo.rb > "${DEMO_FILENAME}"
 open "file://${DEMO_FILENAME}"
diff --git a/bin/lib.sh b/bin/lib.sh
@@ -46,11 +46,25 @@ containers_down()
   docker compose down --remove-orphans --volumes
 }
 
-echo_versioner_env_vars()
+echo_base_image()
 {
-  local -r sha="$(cd "${ROOT_DIR}" && git rev-parse HEAD)"
-  echo COMMIT_SHA="${sha}"
+  #local -r json="$(curl --fail --silent --request GET https://beta.cyber-dojo.org/runner/base_image)"
+  #echo "${json}" | jq -r '.base_image'
+  echo cyberdojo/docker-base:d6830c0
+}
+
+echo_env_vars()
+{
+  # --build-arg ...
+  if [[ ! -v CYBER_DOJO_RUNNER_BASE_IMAGE ]] ; then
+    echo CYBER_DOJO_RUNNER_BASE_IMAGE="$(echo_base_image)"
+  fi
+  if [[ ! -v COMMIT_SHA ]] ; then
+    local -r sha="$(cd "${ROOT_DIR}" && git rev-parse HEAD)"
+    echo COMMIT_SHA="${sha}"
+  fi
 
+  # From versioner ...
   docker run --rm cyberdojo/versioner
 
   echo CYBER_DOJO_RUNNER_SHA="${sha}"

diff --git a/bin/run_tests.sh b/bin/run_tests.sh
@@ -7,7 +7,7 @@ source "${ROOT_DIR}/bin/lib.sh"
 source "${ROOT_DIR}/bin/create_test_data_manifests_file.sh"
 source "${ROOT_DIR}/bin/setup_dependent_images.sh"
 
-export $(echo_versioner_env_vars)
+export $(echo_env_vars)
 
 show_help()
 {

diff --git a/bin/snyk_container_scan.sh b/bin/snyk_container_scan.sh
@@ -3,7 +3,7 @@ set -Eeu
 
 export ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 source "${ROOT_DIR}/bin/lib.sh"
-export $(echo_versioner_env_vars)
+export $(echo_env_vars)
 
 readonly IMAGE_NAME="${CYBER_DOJO_RUNNER_IMAGE}:${CYBER_DOJO_RUNNER_TAG}"
 readonly SARIF_FILENAME=${SARIF_FILENAME:-snyk.container.scan.json}

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -4,7 +4,9 @@ services:
   client:
     build:
       context: source/client
-      args: [ COMMIT_SHA ]
+      args:
+        - COMMIT_SHA
+        - BASE_IMAGE=${CYBER_DOJO_RUNNER_BASE_IMAGE}
     image: ${CYBER_DOJO_RUNNER_CLIENT_IMAGE}:${CYBER_DOJO_RUNNER_TAG}
     user: ${CYBER_DOJO_RUNNER_CLIENT_USER}
     container_name: ${CYBER_DOJO_RUNNER_CLIENT_CONTAINER_NAME}
@@ -21,7 +23,9 @@ services:
   server:
     build:
       context: .
-      args: [ COMMIT_SHA ]
+      args:
+        - COMMIT_SHA
+        - BASE_IMAGE=${CYBER_DOJO_RUNNER_BASE_IMAGE}
     image: ${CYBER_DOJO_RUNNER_IMAGE}:${CYBER_DOJO_RUNNER_TAG}
     user: ${CYBER_DOJO_RUNNER_SERVER_USER}
     container_name: ${CYBER_DOJO_RUNNER_SERVER_CONTAINER_NAME}