From e599e4d8d95d4f52ae875456dcf05a42f18f4597 Mon Sep 17 00:00:00 2001
From: Carl Flottmann
Date: Thu, 15 May 2025 09:36:59 +1000
Subject: [PATCH 1/6] build: include semgrep in final docker image
Signed-off-by: Carl Flottmann
---
 docker/Dockerfile.final | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docker/Dockerfile.final b/docker/Dockerfile.final
index a96036403..0fd91621e 100644
--- a/docker/Dockerfile.final
+++ b/docker/Dockerfile.final
@@ -10,6 +10,8 @@
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
+FROM ghcr.io/oracle/macaron-deps:latest@sha256:245faf84b0f8e57eaf6032c98eed905ffbd41aea19d312a02b646888b32274d4 as wheel_stage
+
 FROM ghcr.io/oracle/macaron-base:latest@sha256:79b3b8b03cb9b6a124c6450f4baa58f96f83ee9e37f572c88a97597b35c7bc51
 ENV HOME="/home/macaron"
@@ -34,11 +36,14 @@ ARG WHEEL_PATH
 # the warning of not having correct ownership of /home/macaron is not raised.
 USER macaron:macaron
 COPY --chown=macaron:macaron $WHEEL_PATH $HOME/dist/
+COPY --chown=macaron:macaron --from=wheel_stage /semgrep_wheel.whl $HOME/dist/semgrep_wheel.whl
 RUN : \
 && python3 -m venv $HOME/.venv \
 && . .venv/bin/activate \
 && pip install --no-compile --no-cache-dir --upgrade pip setuptools \
 && find $HOME/dist -depth \( -type f \( -name "macaron-*.whl" \) \) -exec pip install --no-compile --no-cache-dir '{}' \; \
+ && pip uninstall semgrep \
+ && pip install --no-compile --no-cache-dir $HOME/dist/semgrep_wheel.whl \; \
 && rm -rf $HOME/dist \
 && deactivate
From 95adf986411de26d7196fa199b29f5f937bd48de Mon Sep 17 00:00:00 2001
From: Carl Flottmann
Date: Thu, 15 May 2025 11:11:28 +1000
Subject: [PATCH 2/6] fix: login to container registry for internal image
Signed-off-by: Carl Flottmann
---
 .github/workflows/_build_docker.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
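Review bot: The new stage alias is written `as wheel_stage` while every other keyword in this file is uppercase, which BuildKit's FromAsCasing check also flags; changing it to `AS wheel_stage` keeps the casing consistent. The context line two above, "the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base image", is now incomplete, because the same login is needed to pull ghcr.io/oracle/macaron-deps for this stage, so the comment should name both images. Pinning the deps image by digest rather than trusting the mutable `:latest` tag is the right call, since the wheel it carries replaces a PyPI package later in the file.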
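Review bot: `&& pip uninstall semgrep \` runs without `-y`, so pip prompts for confirmation; a `docker build` has no stdin attached, and in my experience that ends in an EOF error from pip rather than a silent skip, which would fail the whole RUN. Use `&& pip uninstall -y semgrep \` here; the same unchanged line is carried into the 5/6 hunk of this file. The added `&& pip install --no-compile --no-cache-dir $HOME/dist/semgrep_wheel.whl \; \` also ends with a stray `\;` copied from the `find -exec` line above, which the shell passes to pip as a literal `;` argument that pip will most likely reject as an invalid requirement. The RUN instruction is complete within the hunk.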
diff --git a/.github/workflows/_build_docker.yaml b/.github/workflows/_build_docker.yaml
index 7b1373723..ac57ca141 100644
--- a/.github/workflows/_build_docker.yaml
+++ b/.github/workflows/_build_docker.yaml
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 # This is a reuseable workflow to build and test the Docker image. Note that this workflow does not
@@ -53,6 +53,10 @@ jobs:
 echo "Hash of package should be $ARTIFACT_HASH."
 echo "$ARTIFACT_HASH" | base64 --decode | sha256sum --strict --check --status || exit 1
+ # Login so the docker build has access to the internal dependencies image
+ - name: Log in to GitHub Container Registry
+ run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
+
 # Build the Docker image without pushing it.
 - name: Build the Docker image
 env:
From d7c74ec2dc2afcf84a7a3bfbecef0fc44e0d029b Mon Sep 17 00:00:00 2001
From: Carl Flottmann
Date: Thu, 15 May 2025 12:09:56 +1000
Subject: [PATCH 3/6] fix: maintain original wheel name when publishing the image
Signed-off-by: Carl Flottmann
---
 .github/workflows/build_semgrep_wheel.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml
index fdb3b1456..2dd40cd1b 100644
--- a/.github/workflows/build_semgrep_wheel.yaml
+++ b/.github/workflows/build_semgrep_wheel.yaml
@@ -48,6 +48,6 @@ jobs:
 cd wheels
 WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')
 echo "FROM scratch
-COPY ${WHEEL} /semgrep_wheel.whl" >> Dockerfile.semgrep
+COPY ${WHEEL} /" >> Dockerfile.semgrep
 docker build -t ghcr.io/oracle/macaron-deps:latest -f Dockerfile.semgrep .
 docker push ghcr.io/oracle/macaron-deps:latest
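Review bot: The new login step hands the token to docker on the command line via `--password ${{ secrets.GITHUB_TOKEN }}`; docker itself warns that this is insecure because the value is visible in the process list and any shell tracing, and inlining the expression into `run:` substitutes the secret into the script text instead of the environment. Prefer an `env:` entry on the step, `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, with `run: echo "$GHCR_TOKEN" | docker login ghcr.io --username "${{ github.actor }}" --password-stdin`. If the deps image is private, as the commit message's "internal image" suggests, the token also needs `packages: read` in this workflow's permissions block, which is outside the hunk and worth confirming.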
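Review bot: `WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')` is used unchecked in the generated `COPY ${WHEEL} /`; if no manylinux wheel was produced the COPY is emitted with an empty source, and if more than one was produced the variable holds a newline-separated list that lands inside the echoed Dockerfile. A guard before the echo such as `test -f "$WHEEL" || { echo "expected exactly one semgrep manylinux wheel, got: $WHEEL"; exit 1; }` fails the job with a clear message instead of at `docker build` or, worse, with the wrong file. The image is pushed only as the mutable `:latest` tag, so every rebuild forces consumers to re-pin the digest as the later commits in this series do; pushing an additional immutable tag (for example the Semgrep version the wheel was built from) would make each digest bump traceable. The run step this hunk belongs to begins before the hunk.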
From fb63b8a5fb1feb388bd08ac85e9ec598576f422d Mon Sep 17 00:00:00 2001
From: Carl Flottmann
Date: Thu, 15 May 2025 12:28:22 +1000
Subject: [PATCH 4/6] test: add push trigger to semgrep build to try generate new image with fix
Signed-off-by: Carl Flottmann
---
 .github/workflows/build_semgrep_wheel.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml
index 2dd40cd1b..d9cb2563e 100644
--- a/.github/workflows/build_semgrep_wheel.yaml
+++ b/.github/workflows/build_semgrep_wheel.yaml
@@ -3,7 +3,7 @@
 name: Build Semgrep Wheel Artifact
-on: workflow_dispatch
+on: [push, workflow_dispatch]
 permissions:
 contents: read
From 210002d1e64eed3bb4854cc26b07af5a35007603 Mon Sep 17 00:00:00 2001
From: Carl Flottmann
Date: Thu, 15 May 2025 13:53:38 +1000
Subject: [PATCH 5/6] build: remove push trigger and pull from new published image
Signed-off-by: Carl Flottmann
---
 .github/workflows/build_semgrep_wheel.yaml | 2 +-
 docker/Dockerfile.final | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml
index d9cb2563e..2dd40cd1b 100644
--- a/.github/workflows/build_semgrep_wheel.yaml
+++ b/.github/workflows/build_semgrep_wheel.yaml
@@ -3,7 +3,7 @@
 name: Build Semgrep Wheel Artifact
-on: [push, workflow_dispatch]
+on: workflow_dispatch
 permissions:
 contents: read
diff --git a/docker/Dockerfile.final b/docker/Dockerfile.final
index 0fd91621e..61af9b5eb 100644
--- a/docker/Dockerfile.final
+++ b/docker/Dockerfile.final
@@ -10,7 +10,7 @@
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
-FROM ghcr.io/oracle/macaron-deps:latest@sha256:245faf84b0f8e57eaf6032c98eed905ffbd41aea19d312a02b646888b32274d4 as wheel_stage
+FROM ghcr.io/oracle/macaron-deps:latest@sha256:99526baf6596c4c3f24e4caa2b59afaf7f7c26d633ad3113ca24ba43dfad3f0f as wheel_stage
 FROM ghcr.io/oracle/macaron-base:latest@sha256:79b3b8b03cb9b6a124c6450f4baa58f96f83ee9e37f572c88a97597b35c7bc51
@@ -36,14 +36,14 @@ ARG WHEEL_PATH
 # the warning of not having correct ownership of /home/macaron is not raised.
 USER macaron:macaron
 COPY --chown=macaron:macaron $WHEEL_PATH $HOME/dist/
-COPY --chown=macaron:macaron --from=wheel_stage /semgrep_wheel.whl $HOME/dist/semgrep_wheel.whl
+COPY --chown=macaron:macaron --from=wheel_stage /semgrep-*manylinux*.whl $HOME/dist/
 RUN : \
 && python3 -m venv $HOME/.venv \
 && . .venv/bin/activate \
 && pip install --no-compile --no-cache-dir --upgrade pip setuptools \
 && find $HOME/dist -depth \( -type f \( -name "macaron-*.whl" \) \) -exec pip install --no-compile --no-cache-dir '{}' \; \
 && pip uninstall semgrep \
- && pip install --no-compile --no-cache-dir $HOME/dist/semgrep_wheel.whl \; \
+ && find $HOME/dist -depth \( -type f \( -name "semgrep-*.whl" \) \) -exec pip install --no-compile --no-cache-dir '{}' \; \
 && rm -rf $HOME/dist \
 && deactivate
From 17600860265ae2a83a223b0aa36c627418660646 Mon Sep 17 00:00:00 2001
From: Carl Flottmann
Date: Thu, 15 May 2025 14:52:19 +1000
Subject: [PATCH 6/6] docs: updated comments for changes
Signed-off-by: Carl Flottmann
---
 .github/workflows/build_semgrep_wheel.yaml | 3 +++
 docker/Dockerfile.final | 12 ++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml
index 2dd40cd1b..7fcd095f4 100644
--- a/.github/workflows/build_semgrep_wheel.yaml
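Review bot: The new `&& find $HOME/dist … -exec pip install … '{}' \;` line hides pip's exit status: with the `\;` form GNU find exits 0 as long as it could traverse the directory, a non-zero pip result only makes the -exec predicate false, and a pattern that matches nothing runs pip not at all, so the `&&` chain continues and the image is built with Semgrep already removed by the line above. Because the COPY now lands the wheel under a known name pattern, a plain `&& pip install --no-compile --no-cache-dir $HOME/dist/semgrep-*manylinux*.whl \` lets pip's own exit code (including a file-not-found for an unexpanded glob) fail the build; if find is kept, `{} +` at least propagates a failing pip. The pre-existing macaron-*.whl line has the same weakness. `&& pip uninstall semgrep \` is still without `-y`, as raised on the 1/6 hunk, and the nested `\( -type f \( -name "semgrep-*.whl" \) \)` parentheses add nothing over `-type f -name "semgrep-*.whl"`.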
+++ b/.github/workflows/build_semgrep_wheel.yaml
@@ -1,6 +1,9 @@
 # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+# This is a manually-triggered workflow to build the minimal macaron dependencies image that stores the built-from-source
+# Semgrep wheel file. Note that this workflow DOES push the built image.
+
 name: Build Semgrep Wheel Artifact
 on: workflow_dispatch
diff --git a/docker/Dockerfile.final b/docker/Dockerfile.final
index 61af9b5eb..ad1d88c19 100644
--- a/docker/Dockerfile.final
+++ b/docker/Dockerfile.final
@@ -1,16 +1,17 @@
 # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
-# This Dockerfile is for building the final production image. It's based on ghcr.io/oracle/macaron-base.
-# For the build, two files will be copied into the image:
+# This Dockerfile is for building the final production image. It's based on ghcr.io/oracle/macaron-base and ghcr.io/oracle/maracon-deps.
+# For the build, three files will be copied into the image:
 # - Macaron wheel file (its path must be provided to the build argument WHEEL_PATH)
+# - Macaron dependency files, copied from the macaron-deps image.
 # - user.sh for the entrypoint of the final image.
 # For example, using Docker, we could build the image using:
 # docker build --build-arg WHEEL_PATH= -t ghcr.io/oracle/macaron -f docker/Dockerfile.final ./
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
-FROM ghcr.io/oracle/macaron-deps:latest@sha256:99526baf6596c4c3f24e4caa2b59afaf7f7c26d633ad3113ca24ba43dfad3f0f as wheel_stage
+FROM ghcr.io/oracle/macaron-deps:latest@sha256:99526baf6596c4c3f24e4caa2b59afaf7f7c26d633ad3113ca24ba43dfad3f0f as deps_stage
 FROM ghcr.io/oracle/macaron-base:latest@sha256:79b3b8b03cb9b6a124c6450f4baa58f96f83ee9e37f572c88a97597b35c7bc51
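Review bot: The rewritten header line misspells the image as `ghcr.io/oracle/maracon-deps`, while the FROM line below pulls `ghcr.io/oracle/macaron-deps`; it should read `It's based on ghcr.io/oracle/macaron-base and ghcr.io/oracle/macaron-deps.` The unchanged sentence `Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base image for this build.` now under-describes the requirement, since the deps image is pulled from the same registry and the login covers both. The renamed alias keeps the lowercase keyword in `as deps_stage`; `AS deps_stage` matches the uppercase instruction keywords used elsewhere in the file and satisfies BuildKit's FromAsCasing check.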
@@ -36,7 +37,10 @@ ARG WHEEL_PATH
 # the warning of not having correct ownership of /home/macaron is not raised.
 USER macaron:macaron
 COPY --chown=macaron:macaron $WHEEL_PATH $HOME/dist/
-COPY --chown=macaron:macaron --from=wheel_stage /semgrep-*manylinux*.whl $HOME/dist/
+# Currently, the only dependency stored in the minimal image is the wheel for Semgrep, which we copy here. Since the
+# Macaron project dependencies lists Semgrep as a python dependency, we uninstall it first before using our wheel here
+# to install a trusted built-from-source version.
+COPY --chown=macaron:macaron --from=deps_stage /semgrep-*manylinux*.whl $HOME/dist/
 RUN : \
 && python3 -m venv $HOME/.venv \
 && . .venv/bin/activate \
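Review bot: The new comment explains the uninstall-then-reinstall of Semgrep but sits above the COPY, two instructions away from the `pip uninstall` line it describes, which is inside the RUN that continues past the end of this hunk; keeping the first sentence at the COPY and moving the rest next to `&& pip uninstall semgrep \` (Dockerfile comment lines are permitted inside a backslash-continued RUN) would put the explanation where a reader looks for it. There is also a grammar slip: `Since the Macaron project dependencies lists Semgrep as a python dependency` should be `Since the Macaron project's dependencies list Semgrep as a Python dependency`. The comment calls the wheel a trusted built-from-source version without saying what carries that trust; naming it, for example `trusted because deps_stage is pinned by digest to the image published by build_semgrep_wheel.yaml`, tells the next maintainer why the digest on the FROM line must be bumped deliberately rather than loosened.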