Merge pull request #128 from cyber-dojo/check-base-image

Check base-image workflow input has tag and digest

.github/workflows/base_image_trigger.yml

@@ -3,11 +3,15 @@ name: Base Image Update
 on:
   workflow_dispatch:
     inputs:
+      base_image_name:
+        description: "Dockerfile FROM ${BASE_IMAGE} : name"
+        required: true
+        default: "cyberdojo/sinatra-base"
       base_image_tag:
-        description: "Image-Tag for cyberdojo/sinatra-base (short commit SHA - first 7 digits), eg edb2887"
+        description: "Dockerfile FROM ${BASE_IMAGE} : tag, eg edb2887"
         required: true
       base_image_digest:
-        description: "Image-Digest for cyberdojo/sinatra-base, eg ddab9080c..."
+        description: "Dockerfile FROM ${BASE_IMAGE} : digest, eg ddab9080c..."
         required: true
 
 
@@ -21,8 +25,10 @@ jobs:
       - name: Outputs
         id: vars
         run: | 
-          TAG_WITH_DIGEST="${{ inputs.base_image_tag }}@sha256:${{ inputs.base_image_digest }}"
-          echo "base_image=cyberdojo/sinatra-base:${TAG_WITH_DIGEST}"       >> ${GITHUB_OUTPUT}
+          NAME="${{ inputs.base_image_name }}"
+          TAG="${{ inputs.base_image_tag }}"
+          DIGEST="${{ inputs.base_image_digest }}"
+          echo "base_image=${NAME}:${TAG}@sha256:${DIGEST}"                 >> ${GITHUB_OUTPUT}
           echo "kosli_trail=base-image-update-${{ inputs.base_image_tag }}" >> ${GITHUB_OUTPUT}
       
 

.github/workflows/main.yml

@@ -53,6 +53,11 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Check BASE_IMAGE
+        run: |
+          source ./bin/lib.sh
+          exit_non_zero_if_bad_base_image "${{ inputs.BASE_IMAGE }}"
+
       - name: Prepare outputs for workflow jobs
         id: vars
         run: |

.snyk

@@ -1,3 +1,31 @@
 # This file specifies snyk vulnerabilities to be ignored.
 # If this file contains only comments, then no vulnerabilities are ignored
 # but do not delete this file - it is needed for the live-snyk-scans repo workflows.
+ignore:
+  SNYK-ALPINE320-CURL-8689556:
+    - '*':
+        reason: No fix available
+        expires: 2025-03-08T10:03:36.581Z
+        created: 2025-02-08T10:03:36.589Z
+  SNYK-ALPINE320-CURL-8689557:
+    - '*':
+        reason: No fix available
+        expires: 2025-03-08T10:03:36.581Z
+        created: 2025-02-08T10:03:36.589Z
+  SNYK-ALPINE320-CURL-8689558:
+    - '*':
+        reason: No fix available
+        expires: 2025-03-08T10:03:36.581Z
+        created: 2025-02-08T10:03:36.589Z
+  SNYK-ALPINE320-OPENSSL-8235201:
+    - '*':
+        reason: No fix available
+        expires: 2025-03-08T10:03:36.581Z
+        created: 2025-02-08T10:03:36.589Z
+  SNYK-ALPINE320-OPENSSL-8690013:
+    - '*':
+        reason: No fix available
+        expires: 2025-03-08T10:03:36.581Z
+        created: 2025-02-08T10:03:36.589Z
+
+patch: {}

bin/lib.sh

@@ -1,22 +1,39 @@
 
 echo_base_image()
 {
+  # This is set to the env-var BASE_IMAGE which is set as a docker-compose build --build-arg
+  # and used the Dockerfile's 'FROM ${BASE_IMAGE}' statement
+  # This BASE_IMAGE abstraction is to facilitate the base_image_trigger.yml workflow.
   local -r json="$(curl --fail --silent --request GET https://beta.cyber-dojo.org/saver/base_image)"
-  echo "${json}" | jq -r '.base_image'
-  # echo cyberdojo/sinatra-base:559d354@sha256:ddab9080cd0bbd8e976a18bdd01b37b66e47fe83b0db396e65dc3014bad17fd3
+  local -r via_curl="$(echo "${json}" | jq -r '.base_image')"
+  local -r via_code="cyberdojo/sinatra-base:559d354@sha256:ddab9080cd0bbd8e976a18bdd01b37b66e47fe83b0db396e65dc3014bad17fd3"
+  if [ "${via_curl}" != "${via_code}" ] ; then
+    stderr "BASE_IMAGE sources disagree"
+    stderr "Via curl: '${via_curl}'"
+    stderr "Via code: '${via_code}'"
+    exit 42
+  else
+    echo "${via_code}"
+  fi
 }
 
-echo_env_vars()
+exit_non_zero_if_bad_base_image()
 {
-  # Setup port env-vars in .env file using versioner
-  local -r env_filename="${ROOT_DIR}/.env"
-  docker run --rm cyberdojo/versioner | grep PORT > "${env_filename}"
-  echo "CYBER_DOJO_SAVER_CLIENT_PORT=4538" >> "${env_filename}"
-
-  # Get identities of dependent services from versioner
-  # There are none
+  # Called in setup job in .github/workflows/main.yml
+  base_image="${1}"
+  regex=":[a-z0-9]{7}@sha256:[a-z0-9]{64}$"
+  if ! [[ ${base_image} =~ $regex ]]; then
+    stderr "BASE_IMAGE must have a 7-digit short-sha tag and a full 64-digit digest, Eg"
+    stderr " base_image_name  : cyberdojo/sinatra-base"
+    stderr " base_image_tag   : 559d354"
+    stderr " base_image_digest: ddab9080cd0bbd8e976a18bdd01b37b66e47fe83b0db396e65dc3014bad17fd3"
+    exit 42
+  fi
+}
 
-  # Set env-vars for this repos runner service
+echo_env_vars()
+{
+  # Set env-vars for this repo
   if [[ ! -v BASE_IMAGE ]] ; then
     echo BASE_IMAGE="$(echo_base_image)"  # --build-arg
   fi
@@ -25,9 +42,6 @@ echo_env_vars()
     echo COMMIT_SHA="${sha}"  # --build-arg
   fi
 
-  # From versioner ...
-  docker run --rm cyberdojo/versioner:latest
-
   echo CYBER_DOJO_SAVER_SHA="${sha}"
   echo CYBER_DOJO_SAVER_TAG="${sha:0:7}"
 
@@ -42,6 +56,14 @@ echo_env_vars()
   local -r AWS_ACCOUNT_ID=244531986313
   local -r AWS_REGION=eu-central-1
   echo CYBER_DOJO_SAVER_IMAGE=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/saver
+
+  # Setup port env-vars in .env file using versioner
+  local -r env_filename="${ROOT_DIR}/.env"
+  docker run --rm cyberdojo/versioner | grep PORT > "${env_filename}"
+  echo "CYBER_DOJO_SAVER_CLIENT_PORT=4538" >> "${env_filename}"
+
+  # Get identities of all docker-compose.yml dependent services (from versioner)
+   docker run --rm cyberdojo/versioner:latest
 }
 
 stderr()