build: transparency on package versions and docker scout policy
Signed-off-by: Viet Nguyen Duc <[email protected]>
VietND96 committed Sep 12, 2024
1 parent 65933cd commit 069fb11
Showing 6 changed files with 51 additions and 1 deletion.
6 changes: 5 additions & 1 deletion .github/workflows/deploy.yml
Expand Up @@ -151,6 +151,8 @@ jobs:
retry_wait_seconds: 300
continue_on_error: true
command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_latest
- name: Update package versions
run: make generate_latest_sbom
- name: Tag browser images
if: github.event.inputs.skip-build-push-image != 'true'
uses: nick-invision/retry@master
Expand Down Expand Up @@ -201,4 +203,6 @@ jobs:
prerelease: ${{ env.PRERELEASE }}
draft: false
append_body: false
files: ${{ env.PUBLISH_YAML_MANIFESTS }}
files: |
package_versions.txt
${{ env.PUBLISH_YAML_MANIFESTS }}
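Review bot: The new `Update package versions` step (lines 21–22) carries no `if:` guard, while the adjacent `Tag browser images` step is skipped when `skip-build-push-image` is `'true'`; generate_sbom.sh exits 1 when `docker images` returns nothing, so a deploy run with that input set would now fail at this step rather than skip it. Add `if: github.event.inputs.skip-build-push-image != 'true'` to the step, and check how the release action behaves when `package_versions.txt` listed under `files:` is then absent. The step also presumes the `docker sbom` CLI plugin is present on the runner; the only install this commit adds is in tests/charts/make/chart_setup_env.sh, so if that script is not executed in this job — or in the equivalent step nightly.yml adds — `make generate_latest_sbom` will fail on an unknown docker subcommand. This applies equally to the `Update package versions` step in nightly.yml.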
3 changes: 3 additions & 0 deletions .github/workflows/nightly.yml
Expand Up @@ -113,6 +113,8 @@ jobs:
max_attempts: 3
retry_wait_seconds: 120
command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_nightly
- name: Update package versions
run: make generate_nightly_sbom
- name: Push Helm chart to registry
uses: nick-invision/retry@master
with:
Expand Down Expand Up @@ -151,6 +153,7 @@ jobs:
name: "Nightly"
body_path: "release_notes.md"
files: |
package_versions.txt
${{ env.CHART_PACKAGE_PATH }}
generate_release_notes: true
draft: false
7 changes: 7 additions & 0 deletions Makefile
Expand Up @@ -25,6 +25,7 @@ CURRENT_PLATFORM := $(shell if [ `arch` = "aarch64" ]; then echo "linux/arm64";
PLATFORMS := $(or $(PLATFORMS),$(shell echo $$PLATFORMS),$(CURRENT_PLATFORM))
SEL_PASSWD := $(or $(SEL_PASSWD),$(SEL_PASSWD),secret)
CHROMIUM_VERSION := $(or $(CHROMIUM_VERSION),$(CHROMIUM_VERSION),latest)
SBOM_OUTPUT := $(or $(SBOM_OUTPUT),$(SBOM_OUTPUT),package_versions.txt)

all: hub \
distributor \
Expand Down Expand Up @@ -341,6 +342,9 @@ release_latest:
docker push $(NAME)/standalone-docker:latest
docker push $(NAME)/video:latest

generate_latest_sbom:
NAME=$(NAME) FILTER_IMAGE_TAG=latest OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh

tag_nightly:
docker tag $(NAME)/base:$(TAG_VERSION) $(NAME)/base:nightly
docker tag $(NAME)/hub:$(TAG_VERSION) $(NAME)/hub:nightly
Expand Down Expand Up @@ -383,6 +387,9 @@ release_nightly:
docker push $(NAME)/standalone-docker:nightly
docker push $(NAME)/video:nightly

generate_nightly_sbom:
NAME=$(NAME) FILTER_IMAGE_TAG=nightly OUTPUT_FILE=$(SBOM_OUTPUT) ./generate_sbom.sh

tag_major_minor:
docker tag $(NAME)/base:$(TAG_VERSION) $(NAME)/base:$(MAJOR)
docker tag $(NAME)/hub:$(TAG_VERSION) $(NAME)/hub:$(MAJOR)
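Review bot: `generate_latest_sbom` and `generate_nightly_sbom` are command-style targets that write `$(SBOM_OUTPUT)` as a side effect rather than producing a file of their own name, so if a file or directory called `generate_latest_sbom` ever appears in the checkout Make will treat the target as up to date and skip the recipe; both names belong in a `.PHONY:` declaration (the file's existing `.PHONY` list, if it has one, is outside these hunks). `SBOM_OUTPUT := $(or $(SBOM_OUTPUT),$(SBOM_OUTPUT),package_versions.txt)` passes the same variable twice to `$(or …)`; it mirrors the neighbouring `SEL_PASSWD`/`CHROMIUM_VERSION` lines, but `SBOM_OUTPUT ?= package_versions.txt` expresses the same default without the redundancy. Quoting the path in both recipes, `OUTPUT_FILE="$(SBOM_OUTPUT)" ./generate_sbom.sh`, keeps an override containing spaces intact when the shell splits the line.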
7 changes: 7 additions & 0 deletions NodeBase/Dockerfile
Expand Up @@ -136,6 +136,13 @@ RUN --mount=type=secret,id=SEL_PASSWD \
&& chgrp -R 0 ${HOME} /tmp/.X11-unix \
&& chmod -R g=u ${HOME} /tmp/.X11-unix

# Removing deb packages not compliant with Docker Scount (No AGPL v3 licenses) rule \
# The image must not contain any software with an AGPL v3 license.
RUN dpkg -r --force-depends fonts-urw-base35 libgs-common libjbig2dec0 libgs10-common \
ghostscript libgs10 jbig2dec poppler-data \
&& apt-get -qyy autoremove -f \
&& apt-get -qyy clean

# Copying configuration script generator
COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-node.sh \
start-xvfb.sh \
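Review bot: The comment at line 91 misspells Docker Scout as `Scount` and ends in a stray `\` that, inside a comment, does nothing but reads as a line continuation; `# Remove deb packages that violate the Docker Scout "No AGPL v3 licenses" policy:` followed by the existing second line is clearer. `dpkg -r` leaves the removed packages in the config-files (`rc`) state in the dpkg status database, and a scanner that reads that database may still list them, so `dpkg -P` (purge) is the safer form if the goal is a clean Scout result — worth confirming against an actual scan of the built image. `--force-depends` also leaves any remaining package that depended on ghostscript or poppler-data with an unmet dependency; that can surface later as a broken-dependency error in derived images that run `apt-get install`, and it is worth verifying that the following `apt-get -qyy autoremove -f` resolves it without simply reinstalling the packages just removed.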
25 changes: 25 additions & 0 deletions generate_sbom.sh
@@ -0,0 +1,25 @@
#!/bin/bash

NAMESPACE=${NAME:-selenium}
FILTER_IMAGE_TAG=${FILTER_IMAGE_TAG:-"*"}
OUTPUT_FILE=${OUTPUT_FILE:-"package_versions.txt"}

# List all Docker images matching tag
images=$(docker images --filter=reference=${NAMESPACE}'/*:'${FILTER_IMAGE_TAG} --format "{{.Repository}}:{{.Tag}}")

# Check if there are any images
if [ -z "$images" ]; then
echo "No Docker images found."
exit 1
fi

echo -n "" >${OUTPUT_FILE}
# Iterate through each image and generate SBOM
for image in $images; do
echo "Generating SBOM for image: $image"
echo "==================== $image ====================" >>${OUTPUT_FILE}
docker sbom $image >>${OUTPUT_FILE}
echo "" >>${OUTPUT_FILE}
done

echo "SBOM generation completed for all images."
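Review bot: A failure of `docker sbom $image` at line 125 is never checked: the loop continues, the script prints the completion message and exits 0, so a release can attach a `package_versions.txt` that silently lacks one or more images — the opposite of the transparency the artifact is meant to provide. Add `set -euo pipefail` after the shebang, or test the exit status inside the loop and exit non-zero on the first failure. The `--filter` argument at line 112 and the `$image`/`${OUTPUT_FILE}` expansions are unquoted; `--filter=reference="${NAMESPACE}/*:${FILTER_IMAGE_TAG}"` and `docker sbom "$image" >>"${OUTPUT_FILE}"` keep the `*` out of shell globbing and tolerate an output path containing spaces. The existing `if [ -z "$images" ]` check keeps working unchanged under `set -e`.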
4 changes: 4 additions & 0 deletions tests/charts/make/chart_setup_env.sh
Expand Up @@ -57,6 +57,10 @@ chmod +x ./docker-compose
sudo mv ./docker-compose /usr/libexec/docker/cli-plugins
docker compose version
echo "==============================="
echo "Install Docker SBOMs plugin"
curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
docker sbom --version
echo "==============================="
if [ "${CLUSTER}" = "kind" ]; then
echo "Installing kind for AMD64 / ARM64"
curl -fsSL -o ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-$(dpkg --print-architecture)
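Review bot: Line 137 pipes an installer fetched from the `main` branch of docker/sbom-cli-plugin straight into `sh`, so the test environment executes whatever that file contains at fetch time, with neither a version pin nor an integrity check. Pin the URL to a release tag or commit and verify the script before running it: `curl -sSfL -o sbom-install.sh https://raw.githubusercontent.com/docker/sbom-cli-plugin/<PINNED_REF>/install.sh`, then `echo "<EXPECTED_SHA256>  sbom-install.sh" | sha256sum -c -`, then `sh sbom-install.sh` (both angle-bracket values are placeholders to be filled from the pinned release). The `docker sbom --version` line that follows is a good place to confirm in the job log that the pinned version is what was installed.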
