This PR addresses the issue where `npx` and `node` were not available in the action pipelines. Additionally, it removes the reliance on `nvm` for installation. Instead, the latest available LTS version of Node.js is installed during the image build process, ensuring compatibility and seamless execution in the pipelines.
This closes#2
Reviewed-on: #3
Co-authored-by: Guillaume "B.B." Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
Co-committed-by: Guillaume "B.B." Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
# Overview
This PR introduces several improvements to our Docker infrastructure, focusing on security, base image optimization, and workflow automation.
# Key Changes
## Base Image Updates
- Updated system package installation and cleanup processes
## Security Enhancements
- Implemented Trivy security scanning in the Dockerfile
- Adjusted Trivy scan configuration to handle known Debian vulnerabilities
- Enhanced container security by ensuring proper ownership of `/workspaces` directory
## CI/CD Improvements
- Added manual workflow dispatch capability to Docker workflows
- Implemented cron scheduling for automated builds
- Enhanced Docker image configuration and build process
# Technical Details
- Trivy security scanning is now implemented using a script-based installation method
- Workflow improvements allow both scheduled and manual triggering of Docker builds
# Security Considerations
- Trivy scan exit code has been set to 0 to accommodate known Debian vulnerabilities while maintaining security awareness
- Proper directory permissions and ownership are maintained for `/workspaces`
# Impact
These changes improve our Docker image by:
- Reducing image size and improving build efficiency
- Enhancing security scanning capabilities
- Providing more flexible deployment options through manual triggers
- Ensuring consistent automated builds through cron scheduling
# Reviewer Notes
Please pay special attention to:
- The base image change and its impact on existing workflows
- Security scanning configuration
- Workflow trigger modifications
Reviewed-on: #1
Co-authored-by: Guiillaume Hemmen <guillaume@van-hemmen.com>
Co-committed-by: Guiillaume Hemmen <guillaume@van-hemmen.com>
Removed the `docker-tag.yaml` workflow as it is no longer needed. Updated the destination tag format in `docker-master.yaml` and upgraded Node.js major version to 22 in the Dockerfile for compatibility and consistency.
Updated all instances of "GuillaumeHemmen" to "guillaumehemmen" in workflow files to ensure uniformity in repository URLs. This change prevents potential issues caused by case sensitivity in certain environments.
Replaced the Kaniko executor image with a self-hosted version to improve control and reliability. This ensures the workflow uses a specific version (`25.21.1`) hosted on `git.van-hemmen.com`.
Introduce four workflows to automate Docker builds and pushes using Kaniko. These workflows cover push events to the `master` branch, pull requests, tag pushes, and other branches. They streamline image publishing to the specified registry with proper secrets configuration.
This change allows the CI pipeline to be manually triggered in addition to being triggered by cron jobs and pushes. This provides more flexibility for testing and deployment workflows.
Changed the ARG_NODE_MAJOR in Dockerfile and updated corresponding tags in .woodpecker.yml to reflect the new Node.js version. This ensures that the build process uses the latest version of Node.js.
