From c0b690755df2de9956a156e9907d48e272e08767 Mon Sep 17 00:00:00 2001
From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com>
Date: Wed, 23 Aug 2023 11:29:40 -0600
Subject: [PATCH 1/5] Remove cmake from our Dockerfile

Hopefully this will prevent Couchbase from being rebuilt by Meteor/NPM. Once rebuilt, it takes up a large amount of space in the image.
---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5ed31bb56..56875ec46 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,8 +9,7 @@ ENV METEOR_PACKAGE_DIRS=/MATScommon/meteor_packages
 # Assume we're passed the repo root as build context
 COPY apps/${APPNAME}/package*.json ${APP_SOURCE_FOLDER}/
-RUN apt-get update && apt-get install --assume-yes --no-install-recommends cmake && \
- bash ${SCRIPTS_FOLDER}/build-app-npm-dependencies.sh
+RUN bash ${SCRIPTS_FOLDER}/build-app-npm-dependencies.sh
 # Copy app & MATScommon library source into container
 COPY apps/${APPNAME} ${APP_SOURCE_FOLDER}/

From e46b410c02028d268fea62b834760f0f37355eea Mon Sep 17 00:00:00 2001
From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com>
Date: Wed, 23 Aug 2023 13:52:28 -0600
Subject: [PATCH 2/5] Update MATScommon

Use the corrected npm-shrinkwrap.json file.
---
 Dockerfile | 4 ++++
 MATScommon | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 56875ec46..196b126e2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,10 @@ RUN bash ${SCRIPTS_FOLDER}/build-app-npm-dependencies.sh
 COPY apps/${APPNAME} ${APP_SOURCE_FOLDER}/
 COPY MATScommon /MATScommon
+# If this fails with the mention that cmake is needed to build a dependency,
+# double check the `MATScommon/meteor_packages/mats-common/.npm/package/npm-shrinkwrap.json
+# file for any OS-specific dependencies. If we allow Meteor to build the Couchbase SDK, it
+# will blow up our image size.
 RUN bash ${SCRIPTS_FOLDER}/build-meteor-bundle.sh
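Review bot: The comment added above `RUN bash ${SCRIPTS_FOLDER}/build-meteor-bundle.sh` opens a backtick before `MATScommon/meteor_packages/mats-common/.npm/package/npm-shrinkwrap.json` and never closes it, and patch 3/5 of this same series adds `**/.npm` to `.dockerignore`, so the file it tells the reader to inspect is excluded from the build context and cannot be checked from inside the image being debugged. Reword the comment to close the backtick and say that the shrinkwrap is to be inspected in the source checkout, noting that `.npm` is deliberately kept out of the build context so Meteor does not build from it, while keeping the existing sentence about the Couchbase SDK and image size.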
diff --git a/MATScommon b/MATScommon
index 871d6737e..a8d6ebea9 160000
--- a/MATScommon
+++ b/MATScommon
@@ -1 +1 @@
-Subproject commit 871d6737e1e5fa5fdec898140ad3c3d636c6b09f
+Subproject commit a8d6ebea9d123d0a7b5dcd2d1bf38bc01245442f

From 37ff46b8f3fd09b4d60c30625740cde482121105 Mon Sep 17 00:00:00 2001
From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com>
Date: Fri, 1 Sep 2023 12:38:17 -0600
Subject: [PATCH 3/5] Update .dockerignore to exclude .npm directories

MATS ignores the .npm directory in MATScommon as well. This prevents Meteor from using the .npm/packages/npm-shrinkwrap.json file and so Meteor pulls in the correct NPM package for the architecture. Otherwise, Meteor will try to rebuild from source and greatly increase the image size. Additionally, reorganized the .dockerignore and updated the exclude rules to better target artifacts that shouldn't be brought into the image.
---
 .dockerignore | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index f915cf9fe..18c3c3ce5 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,18 +1,26 @@
-.git*
-.idea
-.vscode
-README*
-RELEASE.txt
-appProduction*
-bundle*
-node_modules
-cache*
+# Tooling artifacts
+**/.git
+**/.github
+**/.idea
+**/.vscode
+**/.fleet
+
+# Meteor artifacts
+**/bundle
+**/.npm
+**/.meteor/local
+**/node_modules
+
+# METexpress artifacts
+**/*.md
 container_deployment
-home
-logs
+docs
 scripts
-server_configuration_files
-static
-tests
-tmp*
-METexpress
+**/tests
+build.sh
+LICENSE.md
+
+# Development files
+**/tmp*
+cache*
+logs

From 2763d07bfccc7a4bf0b4965a98543d8299dc4732 Mon Sep 17 00:00:00 2001
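Review bot: The rewritten list drops the old `server_configuration_files` rule without a replacement, and that is the kind of directory that tends to hold deployment configuration and credentials; if it still exists in the repository it now enters the build context and will be captured by any broad `COPY` in the Dockerfile, so either confirm the removal is deliberate or add `**/server_configuration_files` under the METexpress stanza. Replacing `.git*` with `**/.git` also narrows the match so `.gitignore`, `.gitattributes` and `.gitmodules` are no longer excluded; `**/.git*` would keep the old coverage while still matching nested checkouts such as the MATScommon submodule. `LICENSE.md` is already covered by `**/*.md` and can be dropped.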
From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com>
Date: Fri, 1 Sep 2023 13:16:04 -0600
Subject: [PATCH 4/5] Undo CI workarounds

Reactivate our container image scanning, set the pipeline timeout back to 30 minutes, and re-enable fail-fast builds
---
 .github/workflows/build.yml | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0f1f0ce26..1730e3ba7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,9 +42,9 @@ jobs:
 build:
 runs-on: ubuntu-latest
- timeout-minutes: 120
+ timeout-minutes: 30
 strategy:
- # fail-fast: true # FIXME: Reactivate fail-fast once our image size is under control
+ fail-fast: true
 matrix:
 app:
 - met-airquality
@@ -105,19 +105,18 @@ jobs:
 --build-arg COMMITSHA=${{ github.sha }} \
 -t ${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }} \
 .
- # FIXME: Reactivate image scanning once we've determined why the image size has blown up
- # - name: Scan image with Trivy
- # uses: aquasecurity/trivy-action@master
- # with:
- # image-ref: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}'
- # format: 'sarif'
- # output: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif'
- # ignore-unfixed: true
+ - name: Scan image with Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: '${{ env.DEV_REGISTRY }}/${{ env.APP_LOWERCASE }}:${{ env.BRANCH }}'
+ format: 'sarif'
+ output: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif'
+ ignore-unfixed: true
- # - name: Upload Trivy scan results to GitHub Security tab
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results-${{ env.APP_LOWERCASE }}.sarif'
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v1
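Review bot: The re-enabled scan step uses `uses: aquasecurity/trivy-action@master`, a mutable branch of a third-party action that runs in the same job that later logs in to GHCR, so any change to that branch runs with this job's token; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`. With `ignore-unfixed: true` and no `exit-code` or `severity` input the step only reports findings to the Security tab and never fails the build, which should be made explicit with a comment on the step such as `# Report-only: results go to the Security tab; add exit-code: '1' to gate the build on findings`. The upload step also requires the job's GITHUB_TOKEN to hold `security-events: write`, which the job-level `permissions` block introduced in patch 5/5 does not grant. The steps list of the enclosing job continues beyond both ends of this hunk.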
From 0a207dd587e029ae2264e47ac385f5ead1defe3c Mon Sep 17 00:00:00 2001
From: Ian McGinnis <67600557+ian-noaa@users.noreply.github.com>
Date: Fri, 1 Sep 2023 13:25:12 -0600
Subject: [PATCH 5/5] Give Dependabot PR's write access to GHCR

---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1730e3ba7..525018419 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,6 +43,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
 timeout-minutes: 30
+ permissions:
+ packages: write
 strategy:
 fail-fast: true
 matrix:
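Review bot: Adding a job-level `permissions:` block that lists only `packages: write` resets every other GITHUB_TOKEN scope for the `build` job to `none`, because a job-level block replaces the default permission set rather than extending it; the `Upload Trivy scan results` step re-enabled in patch 4/5 needs `security-events: write`, and any `actions/checkout` step in this job (outside this hunk) needs `contents: read`, so both lose access after this change. List every scope the job uses: `permissions:` / `  contents: read` / `  packages: write` / `  security-events: write`. If a workflow-level `permissions` block exists above `jobs:` it is likewise overridden by this job-level block and should be kept in sync with it.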