mirror of
https://github.com/ivuorinen/actions.git
synced 2026-01-26 03:23:59 +00:00
281 lines
11 KiB
Docker
281 lines
11 KiB
Docker
# GitHub Actions Testing Framework Docker Image
|
|
# Multi-stage build with non-root user for security
|
|
# Pre-installs all testing tools to reduce CI runtime
|
|
|
|
# Centralized ARG defaults to avoid version drift across stages
|
|
ARG KCOV_VERSION=42
|
|
ARG TRUFFLEHOG_VERSION=3.86.0
|
|
ARG ACTIONLINT_VERSION=1.7.7
|
|
ARG ACT_VERSION=0.2.71
|
|
ARG SHELLSPEC_VERSION=0.28.1
|
|
|
|
# Stage 1: Build kcov separately to keep final image slim
|
|
FROM ubuntu:24.04 AS kcov-builder
|
|
|
|
ARG KCOV_VERSION
|
|
|
|
# Install only build dependencies needed for kcov
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
ca-certificates \
|
|
cmake \
|
|
g++ \
|
|
git \
|
|
libcurl4-openssl-dev \
|
|
libdw-dev \
|
|
libelf-dev \
|
|
libiberty-dev \
|
|
libssl-dev \
|
|
make \
|
|
pkg-config \
|
|
python3 \
|
|
zlib1g-dev \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Build kcov from source
|
|
WORKDIR /tmp/kcov-build
|
|
RUN git clone --depth 1 --branch "v${KCOV_VERSION}" https://github.com/SimonKagstrom/kcov.git .
|
|
|
|
WORKDIR /tmp/kcov-build/build
|
|
RUN cmake .. \
|
|
&& make \
|
|
&& make install DESTDIR=/kcov-install
|
|
|
|
# Stage 2: Base system setup
|
|
FROM ubuntu:24.04 AS base
|
|
|
|
LABEL maintainer="ivuorinen"
|
|
LABEL description="GitHub Actions testing framework with pre-installed tools"
|
|
LABEL version="1.0.0"
|
|
LABEL org.opencontainers.image.source="https://github.com/ivuorinen/actions"
|
|
|
|
# Avoid interactive prompts during package installation
|
|
ENV DEBIAN_FRONTEND=noninteractive
|
|
ENV TZ=UTC
|
|
ENV NODE_MAJOR=20
|
|
|
|
# Set shell to bash with pipefail for better error handling
|
|
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
|
|
|
# Install system dependencies and common tools
|
|
# hadolint ignore=DL3008
|
|
RUN apt-get update && apt-get install -y \
|
|
--no-install-recommends \
|
|
ca-certificates \
|
|
curl \
|
|
git \
|
|
gnupg \
|
|
gzip \
|
|
jq \
|
|
lsb-release \
|
|
python3 \
|
|
python3-pip \
|
|
python3-yaml \
|
|
shellcheck \
|
|
sudo \
|
|
tar \
|
|
unzip \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
# Note: build-essential, cmake, and kcov build deps moved to separate builder stage \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o /tmp/nodesource.gpg.key \
|
|
&& gpg --dearmor -o /usr/share/keyrings/nodesource.gpg < /tmp/nodesource.gpg.key \
|
|
&& echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
|
|
&& apt-get update \
|
|
&& apt-get install -y --no-install-recommends nodejs \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/* /tmp/nodesource.gpg.key
|
|
|
|
# Stage 2: Tool installation
|
|
FROM base AS tools
|
|
|
|
# Set shell to bash with pipefail for better error handling
|
|
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
|
|
|
# Version pinning for security and reproducibility (inherit from global ARGs)
|
|
ARG TRUFFLEHOG_VERSION
|
|
ARG ACTIONLINT_VERSION
|
|
ARG ACT_VERSION
|
|
ARG SHELLSPEC_VERSION
|
|
|
|
# Install all APT-based and standalone tools in a single optimized layer
|
|
# 1. Configure APT repositories (Trivy, GitHub CLI)
|
|
# 2. Install APT packages (trivy, gh, xz-utils)
|
|
# 3. Download all tool tarballs and checksums in parallel
|
|
# 4. Verify checksums and install tools
|
|
# hadolint ignore=DL3008
|
|
RUN set -eux \
|
|
# Detect architecture once
|
|
&& arch="$(dpkg --print-architecture)" \
|
|
&& case "${arch}" in \
|
|
amd64) trufflehog_arch="amd64"; actionlint_arch="amd64"; act_arch="Linux_x86_64" ;; \
|
|
arm64) trufflehog_arch="arm64"; actionlint_arch="arm64"; act_arch="Linux_arm64" ;; \
|
|
*) echo "Unsupported architecture: ${arch}" && exit 1 ;; \
|
|
esac \
|
|
# Configure APT repositories for Trivy and GitHub CLI
|
|
&& echo "=== Configuring APT repositories ===" \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 https://aquasecurity.github.io/trivy-repo/deb/public.key -o /tmp/trivy.key \
|
|
&& gpg --dearmor -o /usr/share/keyrings/trivy.gpg < /tmp/trivy.key \
|
|
&& echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
|
|
| tee /etc/apt/sources.list.d/trivy.list \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 https://cli.github.com/packages/githubcli-archive-keyring.gpg -o /tmp/githubcli-archive-keyring.gpg \
|
|
&& install -m 0644 /tmp/githubcli-archive-keyring.gpg /usr/share/keyrings/githubcli-archive-keyring.gpg \
|
|
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
|
|
| tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
|
|
# Install APT packages
|
|
&& echo "=== Installing APT packages ===" \
|
|
&& apt-get update \
|
|
&& apt-get install -y --no-install-recommends gh trivy xz-utils \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/* /tmp/trivy.key /tmp/githubcli-archive-keyring.gpg \
|
|
# Download all tool tarballs and checksums
|
|
&& echo "=== Downloading standalone tools ===" \
|
|
&& trufflehog_tarball="trufflehog_${TRUFFLEHOG_VERSION}_linux_${trufflehog_arch}.tar.gz" \
|
|
&& actionlint_tarball="actionlint_${ACTIONLINT_VERSION}_linux_${actionlint_arch}.tar.gz" \
|
|
&& act_tarball="act_${act_arch}.tar.gz" \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/${trufflehog_tarball}" -o "/tmp/${trufflehog_tarball}" \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION}_checksums.txt" -o /tmp/trufflehog_checksums.txt \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/${actionlint_tarball}" -o "/tmp/${actionlint_tarball}" \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_checksums.txt" -o /tmp/actionlint_checksums.txt \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/nektos/act/releases/download/v${ACT_VERSION}/${act_tarball}" -o "/tmp/${act_tarball}" \
|
|
&& curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/nektos/act/releases/download/v${ACT_VERSION}/checksums.txt" -o /tmp/act_checksums.txt \
|
|
# Verify checksums and install trufflehog
|
|
&& echo "=== Verifying checksums and installing tools ===" \
|
|
&& grep "${trufflehog_tarball}" /tmp/trufflehog_checksums.txt \
|
|
| sed "s|${trufflehog_tarball}|/tmp/${trufflehog_tarball}|" \
|
|
| sha256sum -c - \
|
|
&& tar -xzf "/tmp/${trufflehog_tarball}" -C /tmp \
|
|
&& chmod +x /tmp/trufflehog \
|
|
&& mv /tmp/trufflehog /usr/local/bin/trufflehog \
|
|
# Verify checksum and install actionlint
|
|
&& grep "${actionlint_tarball}" /tmp/actionlint_checksums.txt \
|
|
| sed "s|${actionlint_tarball}|/tmp/${actionlint_tarball}|" \
|
|
| sha256sum -c - \
|
|
&& tar -xzf "/tmp/${actionlint_tarball}" -C /tmp \
|
|
&& chmod +x /tmp/actionlint \
|
|
&& mv /tmp/actionlint /usr/local/bin/actionlint \
|
|
# Verify checksum and install act
|
|
&& grep "${act_tarball}" /tmp/act_checksums.txt \
|
|
| sed "s|${act_tarball}|/tmp/${act_tarball}|" \
|
|
| sha256sum -c - \
|
|
&& tar -xzf "/tmp/${act_tarball}" -C /tmp \
|
|
&& chmod +x /tmp/act \
|
|
&& mv /tmp/act /usr/local/bin/act \
|
|
# Clean up all temporary files
|
|
&& rm -f /tmp/*.tar.gz /tmp/*_checksums.txt \
|
|
# Verify all installations
|
|
&& echo "=== Verifying tool installations ===" \
|
|
&& trivy --version \
|
|
&& gh --version \
|
|
&& trufflehog --version \
|
|
&& actionlint --version \
|
|
&& act --version \
|
|
&& test -f /bin/sh && test -f /bin/bash && echo "✓ Shell binaries intact" \
|
|
&& echo "=== All tools installed successfully ==="
|
|
|
|
# Stage 3: Final image with non-root user
|
|
FROM tools AS final
|
|
|
|
# Set shell to bash with pipefail for better error handling
|
|
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
|
|
|
# Create non-root user for security
|
|
ARG USERNAME=runner
|
|
ARG USER_UID=1001
|
|
ARG USER_GID=$USER_UID
|
|
ARG SHELLSPEC_VERSION
|
|
|
|
# Set up environment for testing
|
|
ENV PATH="/home/$USERNAME/.local/bin:$PATH"
|
|
ENV USER=$USERNAME
|
|
ENV HOME="/home/$USERNAME"
|
|
|
|
# Create the user and group, then
|
|
# grant passwordless sudo to runner user for testing scenarios, then
|
|
# create workspace directory with proper permissions (as root)
|
|
RUN groupadd --gid "$USER_GID" "$USERNAME" \
|
|
&& useradd --uid "$USER_UID" --gid "$USER_GID" -m "$USERNAME" -s /bin/bash \
|
|
&& echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$USERNAME" \
|
|
&& chmod 0440 "/etc/sudoers.d/$USERNAME" \
|
|
&& mkdir -p /workspace \
|
|
&& chown -R "$USERNAME:$USERNAME" /workspace
|
|
|
|
# Copy kcov from builder stage (avoiding build dependencies in final image)
|
|
# kcov is not available in Ubuntu 22.04 apt repositories, so we build it separately
|
|
COPY --from=kcov-builder /kcov-install/usr/local/ /usr/local/
|
|
|
|
# Install only runtime dependencies for kcov (not build dependencies)
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
libcurl4 \
|
|
libdw1 \
|
|
libelf1 \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Switch to non-root user for ShellSpec installation
|
|
USER "$USERNAME"
|
|
WORKDIR /workspace
|
|
|
|
# Install ShellSpec testing framework in user's home with checksum verification, then
|
|
# verify installations (run as root to access all tools)
|
|
# ShellSpec - version-aware checksum verification
|
|
# hadolint ignore=SC2016
|
|
RUN set -eux; \
|
|
mkdir -p ~/.local/bin; \
|
|
tarball="shellspec-dist.tar.gz"; \
|
|
# Pinned SHA-256 checksum for ShellSpec 0.28.1 shellspec-dist.tar.gz
|
|
# Source: https://github.com/shellspec/shellspec/releases/download/0.28.1/shellspec-dist.tar.gz
|
|
expected_checksum="350d3de04ba61505c54eda31a3c2ee912700f1758b1a80a284bc08fd8b6c5992"; \
|
|
\
|
|
# Download ShellSpec
|
|
curl -fsSL --proto '=https' --tlsv1.2 \
|
|
"https://github.com/shellspec/shellspec/releases/download/${SHELLSPEC_VERSION}/${tarball}" \
|
|
-o "/tmp/${tarball}"; \
|
|
\
|
|
# Verify checksum
|
|
actual_checksum=$(sha256sum "/tmp/${tarball}" | awk '{print $1}'); \
|
|
if [ "${actual_checksum}" != "${expected_checksum}" ]; then \
|
|
echo "Error: Checksum verification failed for ShellSpec ${SHELLSPEC_VERSION}" >&2; \
|
|
echo "Expected: ${expected_checksum}" >&2; \
|
|
echo "Got: ${actual_checksum}" >&2; \
|
|
rm -f "/tmp/${tarball}"; \
|
|
exit 1; \
|
|
fi; \
|
|
echo "Checksum verified successfully"; \
|
|
\
|
|
tar -xzf "/tmp/${tarball}" -C "$HOME/.local"; \
|
|
ln -s "$HOME/.local/shellspec/shellspec" "$HOME/.local/bin/shellspec"; \
|
|
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc; \
|
|
shellspec --version; \
|
|
rm -f "/tmp/${tarball}" \
|
|
&& echo "ShellSpec installed successfully" \
|
|
&& echo "Verifying installed tool versions..." \
|
|
&& echo "=== Tool Versions ===" \
|
|
&& shellcheck --version \
|
|
&& jq --version \
|
|
&& kcov --version \
|
|
&& trivy --version \
|
|
&& trufflehog --version \
|
|
&& actionlint --version \
|
|
&& act --version \
|
|
&& gh --version \
|
|
&& node --version \
|
|
&& npm --version \
|
|
&& python3 --version \
|
|
&& echo "=== System tools verified ===" \
|
|
&& echo "=== Verify user-installed tools ===" \
|
|
&& shellspec --version \
|
|
&& echo "=== User tools verified ===" \
|
|
&& echo "=== Build complete ==="
|
|
|
|
# Health check to verify essential tools are accessible
|
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
|
CMD shellspec --version > /dev/null 2>&1 && \
|
|
shellcheck --version > /dev/null 2>&1 && \
|
|
jq --version > /dev/null 2>&1 || exit 1
|
|
|
|
# Default command keeps container running for GitHub Actions
|
|
CMD ["/bin/bash", "-c", "tail -f /dev/null"]
|