Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(trg): make dedicated container image notice mandatory #629

Merged
merged 2 commits into from
Feb 8, 2024
Merged

docs(trg): make dedicated container image notice mandatory #629

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8461aff
docs(trg): make dedicated container image notice mandatory
SebastianBezold Jan 23, 2024
8d76080
fix(trg): typos, formatting and correct links
SebastianBezold Jan 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 38 additions & 14 deletions docs/release/trg-4/trg-4-06.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,10 @@ The minimum set of information is:
- Direct link to the Dockerfile used to build your image
- Link to `LICENCE` file in your repo as 'Project License' (make clear, that this is the PROJECT licence, not an image license)

## How and where to annotate the base image

The above information **must** be provided in Markdown format, either in your toplevel `README.md`, or in a dedicated
notice Markdown file, that you then reference from your toplevel `README.md`.

A dedicated notice file can be necessary, if you built multiple container image from a single repository.
Multiple notice files ensure, that you can directly link the specific `Dockerfile`, that is used and include it in the description, that is pushed to `DockerHub`.
The above information **must** be provided as dedicated Markdown file in your repository.
It **should** be located next to the `Dockerfile`, that is used to build the image you are annotating.
Provide a dedicated notice file for every image, that is published.
It **must** be linked in your top-level `README.md`. Link all notice files, in case you publish multiple images.

The notice **must** follow a specific structure, starting with a specific headline, a reference to your image on `DockerHub` and information about your product.
You can use the following example as a starting point. Remember to update the placeholders indicated by `<>` brackets.
Expand Down Expand Up @@ -77,17 +74,44 @@ As with all Docker images, these likely also contain other software which may be
As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
```

## Examples
## Best practice and examples

The following examples are shown as reference, to see already existing and complete versions of a 'Notice for docker images'.
They **can not** be used for your product without modifications.
- Use "Container images" as headline to link to the container image notice files from the repositories README.md file
- Name the notice file "notice.md"
- Provide important information about your image with your notice. Examples:
- Available volumes
- Default port the service is listening on

### GitHub workflow step

Keeping the DockerHub description up-to-date with the latest notice content is crucial.
The following workflow step can be used as part of the DockerHub publishing workflow to ensure that:

Good example for notice integrated in toplevel `README.md`:
```yaml
# DockerHub publishing worklflow

- [IRS](https://github.com/eclipse-tractusx/item-relationship-service#notice-for-docker-image) or
- [app-dashboard](https://github.com/eclipse-tractusx/app-dashboard#notice-for-docker-image)
...

# https://github.com/peter-evans/dockerhub-description
- name: Update Docker Hub description
# Ensure the DockerHub description is updated with contents from a PR (usually images are not published on PR)
if: github.event_name != 'pull_request'
uses: peter-evans/dockerhub-description@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
repository: ${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}
# IMPORTANT: Adjust this to the actual path of your container image notice
readme-filepath: <path/to/your/notice.md>
```

### Examples

The following examples are shown as reference, to see already existing and complete versions of a 'Notice for docker images'.
They **can not** be used for your product without modifications.

Good example for a dedicated notice file: [edc-controlplane-memory-hashicorp-vault](https://github.com/eclipse-tractusx/tractusx-edc/edit/main/edc-controlplane/edc-controlplane-memory-hashicorp-vault/notice.md)
- [edc-controlplane-memory-hashicorp-vault](https://github.com/eclipse-tractusx/tractusx-edc/blob/main/edc-controlplane/edc-controlplane-memory-hashicorp-vault/notice.md)
- [Country Risk](https://github.com/eclipse-tractusx/vas-country-risk/blob/main/DOCKER_NOTICE.md)

## Already collected base image information

Expand Down
Loading