diff --git a/.dockerignore b/.dockerignore
index f915cf9fe..18c3c3ce5 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,18 +1,26 @@
-.git*
-.idea
-.vscode
-README*
-RELEASE.txt
-appProduction*
-bundle*
-node_modules
-cache*
+# Tooling artifacts
+**/.git
+**/.github
+**/.idea
+**/.vscode
+**/.fleet
+
+# Meteor artifacts
+**/bundle
+**/.npm
+**/.meteor/local
+**/node_modules
+
+# METexpress artifacts
+**/*.md
 container_deployment
-home
-logs
+docs
 scripts
-server_configuration_files
-static
-tests
-tmp*
-METexpress
+**/tests
+build.sh
+LICENSE.md
+
+# Development files
+**/tmp*
+cache*
+logs
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0f1f0ce26..525018419 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,9 +42,11 @@ jobs:
 build:
 runs-on: ubuntu-latest
- timeout-minutes: 120
+ timeout-minutes: 30
+ permissions:
+ packages: write
 strategy:
- # fail-fast: true # FIXME: Reactivate fail-fast once our image size is under control
+ fail-fast: true
 matrix:
 app:
 - met-airquality
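Review bot: `**/.npm` also matches `MATScommon/meteor_packages/mats-common/.npm`, which holds the `package/npm-shrinkwrap.json` that the Dockerfile comment in this same commit tells the reader to check; with that directory out of the build context Meteor would presumably re-resolve the package's npm dependencies at image build time instead of using the pinned versions — confirm this is intended, and if only the npm cache at the repo root was meant, anchor the pattern: `/.npm`. Separately, `server_configuration_files`, `home` and `static` are no longer ignored, and `**/.git` (unlike the old `.git*`) no longer covers `.gitmodules` or `.gitignore`. If `server_configuration_files` still exists and carries environment-specific config, it is now shipped to the daemon on every build and is one `COPY` away from the image, so keeping `server_configuration_files` in the list is cheap insurance.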
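Review bot: The new job-level `permissions:` block lists only `packages: write`, and a job-level block resets every unlisted scope to `none`; the `github/codeql-action/upload-sarif` step this commit re-enables in the next hunk needs `security-events: write`, so as written the SARIF upload will be rejected, and the job's checkout step (outside this hunk) loses `contents: read`, which matters on a private repository. Declare every scope the job actually uses: `permissions:` / `  contents: read` / `  packages: write` / `  security-events: write`. The `build` job begins above this hunk and its steps continue past it.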
@@ -105,19 +107,18 @@ jobs: --build-arg COMMITSHA=${{ github.sha }} \ -t ${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }} \ . - # FIXME: Reactivate image scanning once we've determined why the image size has blown up - # - name: Scan image with Trivy - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}' - # format: 'sarif' - # output: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif' - # ignore-unfixed: true + - name: Scan image with Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}' + format: 'sarif' + output: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif' + ignore-unfixed: true - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif' - name: Login to GitHub Container Registry uses: docker/login-action@v1 diff --git a/Dockerfile b/Dockerfile index 5ed31bb56..196b126e2 100644 --- a/Dockerfile +++ b/Dockerfile 
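Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so this job — which holds `packages: write` and logs in to the registry right after — will execute whatever lands on that branch next; pin it (and `upload-sarif@v2`) to a release tag or, better, a full commit SHA with the version in a trailing comment. As configured the scan is informational only: Trivy exits 0 whatever it finds, so the login step that follows (and presumably the push after it) runs regardless; if findings are meant to block the push, add `exit-code: '1'` and `severity: 'CRITICAL,HIGH'` under `with:`, and give the upload step `if: always()` so the SARIF still reaches the Security tab when the gate trips. The `docker build` step's `run:` block starts above this hunk.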
@@ -9,13 +9,16 @@ ENV METEOR_PACKAGE_DIRS=/MATScommon/meteor_packages
 # Assume we're passed the repo root as build context
 COPY apps/${APPNAME}/package*.json ${APP_SOURCE_FOLDER}/
-RUN apt-get update && apt-get install --assume-yes --no-install-recommends cmake && \
- bash ${SCRIPTS_FOLDER}/build-app-npm-dependencies.sh
+RUN bash ${SCRIPTS_FOLDER}/build-app-npm-dependencies.sh
 # Copy app & MATScommon library source into container
 COPY apps/${APPNAME} ${APP_SOURCE_FOLDER}/
 COPY MATScommon /MATScommon
+# If this fails with the mention that cmake is needed to build a dependency,
+# double check the `MATScommon/meteor_packages/mats-common/.npm/package/npm-shrinkwrap.json
+# file for any OS-specific dependencies. If we allow Meteor to build the Couchbase SDK, it
+# will blow up our image size.
 RUN bash ${SCRIPTS_FOLDER}/build-meteor-bundle.sh
diff --git a/MATScommon b/MATScommon
index 871d6737e..a8d6ebea9 160000
--- a/MATScommon
+++ b/MATScommon
@@ -1 +1 @@
-Subproject commit 871d6737e1e5fa5fdec898140ad3c3d636c6b09f
+Subproject commit a8d6ebea9d123d0a7b5dcd2d1bf38bc01245442f
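Review bot: The new comment tells the reader to check `MATScommon/meteor_packages/mats-common/.npm/package/npm-shrinkwrap.json` when the cmake error appears, but nothing in the build verifies that file is actually present before `build-meteor-bundle.sh` runs, so a missing or excluded shrinkwrap only surfaces as a late, confusing cmake failure (the `.dockerignore` in this same commit adds a `**/.npm` pattern that would match its parent directory — worth confirming). A fail-fast guard ahead of the bundle step makes the comment's advice enforceable: `RUN test -f /MATScommon/meteor_packages/mats-common/.npm/package/npm-shrinkwrap.json \` / `    || { echo 'mats-common npm-shrinkwrap.json missing from build context' >&2; exit 1; }`. Also close the stray backtick in the second comment line so the path reads as a single token. The stage's earlier instructions sit above this hunk.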