diff --git a/.github/workflows/build-ubi.yml b/.github/workflows/build-ubi.yml
deleted file mode 100644
index a3dcaf0..0000000
--- a/.github/workflows/build-ubi.yml
+++ /dev/null
@@ -1,116 +0,0 @@
-name: Build UBI
-
-on:
- workflow_dispatch:
- push:
- branches:
- - ubi
- # Ignore Markdown files
- paths-ignore:
- - '**.md'
- schedule:
- # Build the image daily
- - cron: '0 1 * * *'
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: polarix-containers/mariadb
- TAG: ubi
-
-jobs:
- build:
- name: Build & push new image
- permissions:
- contents: read
- packages: write
- timeout-minutes: 10
- runs-on: ubuntu-24.04
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Extract version for tags
- run: |
- echo "FULL_VERSION=$(grep -oP '(?<=VERSION=).*' UBI/Dockerfile)" >> $GITHUB_ENV
-
- # Add support for more platforms with QEMU (optional)
- # https://github.com/docker/setup-qemu-action
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Login to registry
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Set Docker metadata
- id: meta
- uses: docker/metadata-action@v5
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- tags: |
- ${{ env.TAG }}
- ${{ env.FULL_VERSION }}-${{ env.TAG }}
- latest
-
- - name: Build and push Docker image
- id: build-and-push
- uses: docker/build-push-action@v6
- with:
- context: UBI
- platforms: linux/amd64,linux/arm64
- push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
-
- trivy:
- name: Scan current image with Trivy
- needs: build
- permissions:
- security-events: write
- timeout-minutes: 10
- runs-on: ubuntu-24.04
- steps:
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
- format: template
- template: '@/contrib/sarif.tpl'
- output: trivy-results.sarif
- severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- vuln-type: os,library
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: trivy-results.sarif
- category: trivy
-
- grype:
- name: Scan current image with Grype
- needs: build
- permissions:
- security-events: write
- timeout-minutes: 10
- runs-on: ubuntu-24.04
- steps:
- - name: Run Grype vulnerability scanner
- uses: anchore/scan-action@v4
- id: grype
- with:
- image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
- fail-build: false
-
- - name: Upload Grype scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ steps.grype.outputs.sarif }}
- category: grype
diff --git a/.github/workflows/build-alpine.yml b/.github/workflows/build.yml
similarity index 99%
rename from .github/workflows/build-alpine.yml
rename to .github/workflows/build.yml
index 95b545a..02955e9 100644
--- a/.github/workflows/build-alpine.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: Build Alpine
+name: Build
 on:
 workflow_dispatch:
diff --git a/Alpine/Dockerfile b/Dockerfile
similarity index 100%
rename from Alpine/Dockerfile
rename to Dockerfile
diff --git a/README.md b/README.md
index be2b061..4caccb0 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # MariaDB
-![Build Alpine, scan & push](https://github.com/Polarix-Containers/mariadb/actions/workflows/build-alpine.yml/badge.svg)
-![Build UBI, scan & push](https://github.com/Polarix-Containers/mariadb/actions/workflows/build-ubi.yml/badge.svg)
+![Build Alpine, scan & push](https://github.com/Polarix-Containers/mariadb/actions/workflows/build.yml/badge.svg)
+![Build UBI, scan & push](https://github.com/Polarix-Containers/mariadb-ubi/actions/workflows/build.yml/badge.svg)
 Drop-in replacement for the [official image](https://hub.docker.com/_/mariadb).
@@ -22,6 +22,7 @@ Drop-in replacement for the [official image](https://hub.docker.com/_/mariadb).
 - Has a lot of outdated packages with *maybe* some downstream patching.
 - Generates a lot of vulnerbility scanner noise - hard to tell what is a false positive and what is not.
 - **Tags**: `ubi`, `latest`.
+- Source: https://github.com/Polarix-Containers/mariadb-ubi
 ### Sample Docker Compose config
@@ -50,4 +51,4 @@ Drop-in replacement for the [official image](https://hub.docker.com/_/mariadb).
 ### Licensing
 - Licensed under GPL 2 to comply with licensing by MariaDB.
- - Any image built by Polarix Containers is provided under the combination of license terms resulting from the use of individual packages.
+- Any image built by Polarix Containers is provided under the combination of license terms resulting from the use of individual packages.
\ No newline at end of file
diff --git a/UBI/Dockerfile b/UBI/Dockerfile
deleted file mode 100644
index 1dd0353..0000000
--- a/UBI/Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-ARG VERSION=11
-
-FROM mariadb:${VERSION}-ubi
-
-LABEL maintainer="Thien Tran contact@tommytran.io"
-
-USER root
-
-RUN microdnf -y upgrade \
- && rm -rf /usr/local/bin/gosu \
- && curl https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/rhel-9/secureblue-hardened_malloc-rhel-9.repo \
- -o /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo \
- && microdnf install -y crypto-policies-scripts hardened_malloc \
- && update-crypto-policies --set FUTURE \
- && echo libhardened_malloc.so > /etc/ld.so.preload
-
-USER mysql
\ No newline at end of file