Pin image to hash, enable dependabot for images (#300)

* Rename to Dockerfile * Pin to hash * Add dependabot * Include tag for clarity
fiaisis · Aug 13, 2024 · 3cc3276 · 3cc3276
1 parent 14ad59a
commit 3cc3276
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 8 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -23,3 +23,12 @@ updates:
       action-packages:
         patterns:
           - "*"
+
+  - package-ecosystem: "docker"
+    directory: "/container"
+    schedule:
+      interval: "daily"
+    groups:
+      docker:
+        patterns:
+          - "*"
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -32,21 +32,21 @@ jobs:
         id: docker_build
         uses: docker/build-push-action@v6
         with:
-          file: ./container/rundetection.D
+          file: ./container/Dockerfile
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/rundetection:${{ github.sha }}
-  
+
       - name: Checkout the Gitops repository
         uses: actions/checkout@v4
         with:
           repository: fiaisis/gitops
           token: ${{ secrets.GITOPS_STAGING_EDIT_TOKEN }}
-  
+
       - name: Edit the YAML rundetection file for staging
         uses: mikefarah/[email protected]
         with:
           cmd: yq e -i '.spec.template.spec.containers[] |= select(.name == "rundetection").image = "ghcr.io/fiaisis/rundetection@${{ steps.docker_build.outputs.digest }}"' './components/rundetection/envs/staging/rundetection.yml'
-  
+
       - name: Commit and push changes
         run: |
           git config --local user.email "[email protected]"

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -18,7 +18,7 @@ jobs:
       - name: Build run-detection Docker image
         uses: docker/build-push-action@v6
         with:
-          file: ./container/rundetection.D
+          file: ./container/Dockerfile
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/rundetection:${{ github.sha }}
 
       - name: Run Trivy vulnerability scanner

diff --git a/README.md b/README.md
@@ -47,7 +47,7 @@ localhost will be used as the default host, and the default credentials, guest g
 - Construct the container by running:
 
 ```shell
-docker build . -f ./container/rundetection.D -t ghcr.io/fiaisis/rundetection
+docker build . -f ./container/Dockerfile -t ghcr.io/fiaisis/rundetection
 ```
 
 - Run the container by running:

diff --git a/container/rundetection.D → container/Dockerfile b/container/rundetection.D → container/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-slim
+FROM python:3.12-slim@sha256:740d94a19218c8dd584b92f804b1158f85b0d241e5215ea26ed2dcade2b9d138
 
 # Install run-detection to the container
 ADD . .

diff --git a/test/docker-compose.yml b/test/docker-compose.yml
@@ -16,7 +16,7 @@ services:
   run-detection:
     build:
       context: ../
-      dockerfile: container/rundetection.D
+      dockerfile: container/Dockerfile
     depends_on:
       rabbit-mq:
         condition: service_healthy