diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a1897c28..4ae2d21b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,11 +6,15 @@ on: paths-ignore: - '.github/workflows/installer-build.yaml' - 'installer/**' + - 'docker/**' + - '.github/workflows/docker-build.yaml' pull_request: branches: [ main ] paths-ignore: - '.github/workflows/installer-build.yaml' - 'installer/**' + - 'docker/**' + - '.github/workflows/docker-build.yaml' jobs: build: diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml new file mode 100644 index 00000000..bbc02028 --- /dev/null +++ b/.github/workflows/docker-build.yaml 
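Review bot: If the `build` job is a required status check on `main`, a pull request touching only `docker/**` or the new workflow file will now skip it (both added paths-ignore entries) and can sit at "Expected — waiting for status" until branch protection is updated to accept the new `docker-build` job instead; worth confirming before merging since the diff cannot show the branch-protection settings. The ignore list here and the `paths:` list in docker-build.yaml are now the same four paths maintained by hand in two files; a one-line pointer next to the new entries, `# keep in sync with `paths:` in docker-build.yaml`, would limit drift when a third docker-related path is added later.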
@@ -0,0 +1,58 @@
+name: Docker build
+
+on:
+ pull_request:
+ paths:
+ - 'docker/**'
+ - '.github/workflows/docker-build.yaml'
+
+jobs:
+ docker-build:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ contents: read
+ security-events: write
+ strategy:
+ matrix:
+ node: [18, 20]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Set up Docker
+ uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 #v4.7.0
+ with:
+ daemon-config: |
+ {
+ "features": {
+ "containerd-snapshotter": true
+ }
+ }
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+ - name: Build Docker image
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64, linux/arm64, linux/arm/v7
+ tags: flowfuse-device-agent-pr:${{ matrix.node }}-scan
+ push: false
+ load: true
+ build-args: |
+ NODE_VERSION=${{ matrix.node }}
+
+ - name: Perform SAST scan
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+ with:
+ image-ref: flowfuse-device-agent-pr:${{ matrix.node }}-scan
+ trivy-config: .github/trivy.yaml
+ output: 'sast-results.sarif'
+
+ - name: Upload scan results
+ uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
+ with:
+ sarif_file: sast-results.sarif
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 5eba8977..4eb2c6a1 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
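Review bot: Both matrix legs (node 18 and 20) upload a SARIF file for the same commit without a `category`, so they share the default category derived from the workflow and job name and the second upload replaces the first in code scanning, silently dropping one Node version's findings; add `category: trivy-image-node${{ matrix.node }}` under `with:` of the "Upload scan results" step. The workflow runs only on `pull_request`, where `GITHUB_TOKEN` is read-only for PRs opened from forks, so `security-events: write` is not actually granted there and the upload step will fail; a `push: branches: [ main ]` trigger with the same `paths:` would scan the merged image with a token that can write, and the upload step could be guarded with `if: github.event.pull_request.head.repo.full_name == github.repository`. Nothing in this file sets Trivy's `exit-code`, so unless `.github/trivy.yaml` (not in the diff) does, the scan never fails the PR and findings only surface as code-scanning alerts — worth stating in a comment on the step either way. With three `platforms` but `load: true` into the local daemon, Trivy presumably scans only the runner's native platform image, so the arm variants add QEMU build time against the 15-minute timeout without being scanned; if that is the intent, a comment saying so would help. Finally, a Trivy image scan is OS-package and dependency vulnerability scanning rather than SAST, so `Perform SAST scan` and `sast-results.sarif` are misleading names; `Scan image with Trivy` and `trivy-results.sarif` read correctly.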
@@ -2,13 +2,19 @@ ARG NODE_VERSION=20 FROM node:${NODE_VERSION}-alpine ARG VERSION=latest +ARG FF_UID=2000 +ARG FF_GID=2000 RUN apk add --no-cache --virtual buildtools build-base linux-headers udev python3 openssl -RUN mkdir -m 777 -p /opt/flowfuse-device -RUN npm config set cache /opt/flowfuse-device/.npm --global -RUN npm install -g @flowfuse/device-agent@${VERSION} --omit=dev -RUN chmod -R 777 /opt/flowfuse-device/.npm +RUN addgroup -g ${FF_GID} -S flowfuse \ + && adduser -u ${FF_UID} -S -G flowfuse -h /opt/flowfuse-device flowfuse \ + && mkdir -p /opt/flowfuse-device \ + && chown -R "${FF_UID}":"${FF_GID}" /opt/flowfuse-device + +RUN npm config set cache /opt/flowfuse-device/.npm --global \ + && npm install -g @flowfuse/device-agent@${VERSION} --omit=dev \ + && chown -R ${FF_UID}:${FF_GID} /opt/flowfuse-device EXPOSE 1880 @@ -21,4 +27,8 @@ LABEL org.label-schema.name="FlowFuse Device Agent" \ authors="FlowFuse Inc." +ENV HOME=/opt/flowfuse-device + +USER flowfuse + CMD ["flowfuse-device-agent"]
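Review bot: The removed `mkdir -m 777` and `chmod -R 777` lines let any UID write `/opt/flowfuse-device` and the npm cache; the new image owns both as `${FF_UID}:${FF_GID}` and (per the later `USER` change) runs as that user, so an existing volume or bind mount populated by the old root-run image, or a host directory owned by a different UID, will presumably fail with EACCES when the agent writes its config — this is a behavioural change for existing deployments and should be documented next to the new `ARG` lines, e.g. `# Runtime UID/GID; override at build time (or chown the mounted data dir to 2000:2000) when the host path is owned by another user`. The two `chown -R` invocations quote the variables differently (`"${FF_UID}":"${FF_GID}"` versus `${FF_UID}:${FF_GID}`); pick one form. The first `chown -R` runs before anything is written to the directory and `adduser -h` already creates the home, so the `mkdir -p` and that first `chown` are redundant with the one after `npm install -g` and could be dropped. Note that the globally installed package itself stays root-owned under the node image's global prefix, which is the right outcome for a non-root runtime user, so the second `chown` deliberately touches only the cache and data directory — a short comment saying so would stop a future edit from widening it.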
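Review bot: `USER flowfuse` switches to the user by name, which Kubernetes cannot verify as non-root when a pod sets `runAsNonRoot: true` (the kubelet rejects the container with "non-numeric user, cannot verify user is non-root"); use the numeric form `USER ${FF_UID}:${FF_GID}`, which works here because both `ARG`s are declared earlier in the same build stage. Setting `ENV HOME=/opt/flowfuse-device` is needed because `USER` does not update `HOME`, and a comment to that effect, `# USER does not set HOME; npm and the agent resolve ~ from it`, would explain why the ENV line is not redundant with `adduser -h`. The `authors=` context line at the top of this hunk is the tail of a `LABEL` instruction that starts outside the hunk.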