diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
index 6fab8db..073aa25 100644
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -31,8 +31,15 @@ jobs:
 containerfiles: |
 ./identity-server/Dockerfile
+ - name: Test container works
+ run: |
+ set -Eeuxo pipefail
+ version="$(podman run --rm "${{ steps.build-image.outputs.image-with-tag }}" --version)"
+ echo "version: ${version}"
+
 - name: Get registry url
 run: |
+ set -Eeuxo pipefail
 # Container registries don't support upper case letters
 CI_REGISTRY_URL="ghcr.io/${GITHUB_REPOSITORY_OWNER@L}"
 echo "CI_REGISTRY_URL=${CI_REGISTRY_URL}" >> "${GITHUB_ENV}"
diff --git a/.github/workflows/rust.yaml b/.github/workflows/rust.yaml
index 7c76e91..506977a 100644
--- a/.github/workflows/rust.yaml
+++ b/.github/workflows/rust.yaml
@@ -25,8 +25,6 @@ jobs:
 - uses: actions/checkout@v4.2.0
 - name: Cache cargo dependencies
 uses: Swatinem/rust-cache@v2.7.3
- with:
- save-if: ${{ env.CI_IS_DEFAULT_BRANCH }}
 - name: Clippy lints
 run: cargo clippy --profile artifact-dev --all --all-features --all-targets --no-deps -- -D warnings
@@ -44,8 +42,6 @@ jobs:
 - uses: actions/checkout@v4.2.0
 - name: Cache cargo dependencies
 uses: Swatinem/rust-cache@v2.7.3
- with:
- save-if: ${{ env.CI_IS_DEFAULT_BRANCH }}
 - name: Test
 run: cargo test --profile artifact-dev --all --all-features --all-targets
@@ -84,8 +80,6 @@ jobs:
 version: 0.13.0
 - name: Cache cargo dependencies
 uses: Swatinem/rust-cache@v2.7.3
- with:
- save-if: ${{ env.CI_IS_DEFAULT_BRANCH }}
 - name: Install cargo-zigbuild
 run: cargo install --locked cargo-zigbuild@0.19.3
diff --git a/identity-server/Dockerfile b/identity-server/Dockerfile
index fe674bd..369d02a 100644
--- a/identity-server/Dockerfile
+++ b/identity-server/Dockerfile
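Review bot: In the new "Test container works" step of .github/workflows/container.yaml, `${{ steps.build-image.outputs.image-with-tag }}` is substituted into the script text before bash parses it, so the surrounding double quotes give no protection if the value ever contains quotes or `$(...)`. Where the tag is derived is outside this hunk; if any part of it can come from a branch or ref name, that is a script-injection path in CI. Pass the value through the environment instead: add `env:` with `IMAGE: ${{ steps.build-image.outputs.image-with-tag }}` to the step and call `podman run --rm "${IMAGE}" --version`. The step also succeeds on any zero exit status, so a check such as `[[ -n "${version}" ]]` would make an empty version string fail the job.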
@@ -1,13 +1,14 @@
 # We use linux/amd64 because we don't actually care which arch yet.
 FROM --platform=linux/amd64 gcr.io/distroless/static-debian12:nonroot@sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea AS distroless
 COPY artifacts/identity-server-linux-aarch64 /artifacts/linux/arm64/identity-server
-COPY artifacts/identity-server-windows-x86_64.exe /artifacts/windows/amd64/identity-server
 COPY artifacts/identity-server-linux-x86_64 /artifacts/linux/amd64/identity-server
+COPY artifacts/identity-server-windows-x86_64.exe /artifacts/windows/amd64/identity-server
 FROM scratch
 ARG TARGETPLATFORM
 COPY --from=distroless /etc/passwd /etc/passwd
+COPY --from=distroless /etc/group /etc/group
 USER nonroot
 ENV USER=nonroot
@@ -15,7 +16,7 @@ ENV XDG_CACHE_HOME=/home/nonroot/.cache
 VOLUME ["/home/nonroot/.cache"]
 # Bring in the actual binary we will run
-COPY --from=distroless /artifacts/$TARGETPLATFORM/identity-server /opt/identity-server
+COPY --from=distroless --chmod=544 --chown=nonroot:nonroot /artifacts/$TARGETPLATFORM/identity-server /opt/identity-server
 ENTRYPOINT ["/opt/identity-server"]
 VOLUME ["/var/db"]
 WORKDIR ["/var/db"]
diff --git a/identity-server/src/main.rs b/identity-server/src/main.rs
index 4158eb0..bc57d83 100644
--- a/identity-server/src/main.rs
+++ b/identity-server/src/main.rs
@@ -17,6 +17,7 @@ use identity_server::{
 const GOOGLE_CLIENT_ID_DOCS_URL: &str = "https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid#get_your_google_api_client_id";
 #[derive(clap::Parser, Debug)]
+#[clap(version)]
 struct Cli {
 #[clap(long, env)]
 config: PathBuf,
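Review bot: In the second identity-server/Dockerfile hunk, `--chown=nonroot:nonroot` makes the runtime user the owner of `/opt/identity-server`, so a compromised process can change the file's mode and, unless the root filesystem is mounted read-only, modify the binary despite the 544 mode. Leaving the file root-owned and world-executable keeps it immutable to the service account: `COPY --from=distroless --chmod=555 /artifacts/$TARGETPLATFORM/identity-server /opt/identity-server`. Mode 544 also gives non-owners no execute bit, so the entrypoint would fail if the container is started under a different UID. The unchanged context line `WORKDIR ["/var/db"]` looks wrong as well: WORKDIR takes a plain path rather than a JSON array, so it probably should read `WORKDIR /var/db`.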