From e73446f8d9a7ea3550be85f50dd346e3744af7d5 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Tue, 18 Jun 2024 21:30:05 +0100
Subject: [PATCH 01/24] fully qualify image signature
---
 software/Freesurfer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
index 9b85767..cdf55a6 100644
--- a/software/Freesurfer/Dockerfile
+++ b/software/Freesurfer/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM docker.io/ubuntu@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999
 ARG FREESURFER_VERSION="7.4.1"
 ARG FREESURFER_DEB_MD5="bfe85dd76677cfb7ca2b247b9ac6148e"
From 1f537a709f1680e415618a2a4f59b6d1de25faa6 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Tue, 18 Jun 2024 21:30:15 +0100
Subject: [PATCH 02/24] add nonroot user
---
 software/Freesurfer/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
index cdf55a6..dd9d8c1 100644
--- a/software/Freesurfer/Dockerfile
+++ b/software/Freesurfer/Dockerfile
@@ -30,3 +30,6 @@ RUN : \
 && rm -rf /var/lib/apt/lists/* \
 && rm "${deb}" \
 && :
+
+RUN useradd --system --no-user-group nonroot
+USER nonroot
From f6fdbf7e4ee86436fdbae31d3178b41d5170c6d2 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Tue, 18 Jun 2024 21:36:09 +0100
Subject: [PATCH 03/24] set SHELL
---
 software/Freesurfer/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
index dd9d8c1..4350377 100644
--- a/software/Freesurfer/Dockerfile
+++ b/software/Freesurfer/Dockerfile
@@ -7,6 +7,8 @@ ENV \
 LANG="en_GB.UTF-8" \
 LC_ALL="en_GB.UTF-8"
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN : \
 && apt-get update -qq \
 && DEBIAN_FRONTEND=noninteractive apt-get install \
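Review bot: The `FROM` line now carries only a digest, so a reader cannot tell which Ubuntu release it resolves to without querying the registry, while the `freesurfer_ubuntu22-…` package name downloaded later in this series only makes sense for 22.04. Keep the tag next to the digest as documentation, `FROM docker.io/ubuntu:22.04@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999` (the digest still decides what is pulled). A one-line comment above it saying how the digest was obtained would help whoever bumps it next.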
@@ -18,7 +20,6 @@ RUN : \
 && :
 RUN : \
- && set -eu \
 && deb="freesurfer_ubuntu22-${FREESURFER_VERSION}_amd64.deb" \
 && curl -sfLo "${deb}" "https://surfer.nmr.mgh.harvard.edu/pub/dist/freesurfer/${FREESURFER_VERSION}/${deb}" \
 && echo "${FREESURFER_DEB_MD5} ${deb}" | md5sum -c \
From 659d2db3d8e652fac14b56c8ea6dd1fa3b5c690e Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Tue, 18 Jun 2024 22:27:19 +0100
Subject: [PATCH 04/24] fix locale generation
---
 software/Freesurfer/Dockerfile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
index 4350377..bfa1907 100644
--- a/software/Freesurfer/Dockerfile
+++ b/software/Freesurfer/Dockerfile
@@ -11,12 +11,15 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 RUN : \
 && apt-get update -qq \
+ && apt-get upgrade -qq \
 && DEBIAN_FRONTEND=noninteractive apt-get install \
- -qq -y --no-install-recommends \
- ca-certificates \
- curl \
+ -qq -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ locales \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
+ && locale-gen "${LC_ALL}" \
 && :
 RUN : \
From a802117bf3ffcd2859c2dbc9cd018d7068a62e06 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Tue, 18 Jun 2024 23:00:58 +0100
Subject: [PATCH 05/24] update USER command
---
 software/Freesurfer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
index bfa1907..3bf5f99 100644
--- a/software/Freesurfer/Dockerfile
+++ b/software/Freesurfer/Dockerfile
@@ -35,5 +35,5 @@ RUN : \
 && rm "${deb}" \
 && :
-RUN useradd --system --no-user-group nonroot
+RUN groupadd --system nonroot && useradd --no-log-init --system --gid nonroot nonroot
 USER nonroot
From 69c6abc8e43401abbeea7138988416ab0b6d6d86 Mon Sep 17 00:00:00 2001
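Review bot: `apt-get upgrade -qq` installs whatever package versions the mirrors serve at build time, which undoes the reproducibility the digest-pinned `FROM` was meant to give (hadolint DL3005 flags it for that reason); prefer bumping the base digest when security fixes are needed and drop this line. The package names in the same `install` are unpinned, which DL3008 flags on the same grounds. `locale-gen "${LC_ALL}"` depends on the `ENV` block above the hunk; a short comment such as `# generate the locale declared in ENV LC_ALL` saves the next reader a lookup. The enclosing `RUN` ends inside the hunk, but the `ENV` it relies on is outside it.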
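Review bot: `groupadd`/`useradd` without `--gid`/`--uid` values give `nonroot` whatever system ids are free at build time, so a Kubernetes `runAsNonRoot`/`runAsUser` policy cannot verify the account and the ids can shift when the base image changes; pass fixed numbers, e.g. `RUN groupadd --system --gid 10001 nonroot && useradd --no-log-init --system --uid 10001 --gid nonroot nonroot`. No `WORKDIR` or writable home is set up for the account, so anything the tool writes to its cwd or `$HOME` will fail with a permission error — I can't tell from the hunk whether the intended entrypoint does that.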
From: Ruairidh MacLeod
Date: Tue, 18 Jun 2024 23:49:37 +0100
Subject: [PATCH 06/24] freesurfer: extract deps to base layer
---
 software/Freesurfer/Dockerfile | 59 +++++++++++++++++++++++++++++-----
 1 file changed, 51 insertions(+), 8 deletions(-)
diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
index 3bf5f99..6bedb07 100644
--- a/software/Freesurfer/Dockerfile
+++ b/software/Freesurfer/Dockerfile
@@ -14,24 +14,67 @@ RUN : \
 && apt-get upgrade -qq \
 && DEBIAN_FRONTEND=noninteractive apt-get install \
 -qq -y --no-install-recommends \
+ bash \
+ bc \
+ binutils \
 ca-certificates \
+ csh \
 curl \
- locales \
+ file \
+ gettext \
+ gzip \
+ language-pack-en \
+ libbsd0 \
+ libegl1 \
+ libgl1 \
+ libglu1-mesa \
+ libglvnd0 \
+ libglx0 \
+ libjpeg62 \
+ libncurses5 \
+ libopengl0 \
+ libpcre3 \
+ libquadmath0 \
+ libsm6 \
+ libwayland-cursor0 \
+ libx11-dev \
+ libxcb-icccm4 \
+ libxcb-image0 \
+ libxcb-keysyms1 \
+ libxcb-render-util0 \
+ libxcb-render0 \
+ libxcb-shape0 \
+ libxcb-sync1 \
+ libxcb-xfixes0 \
+ libxcb-xinerama0 \
+ libxcb-xinput0 \
+ libxcb-xkb1 \
+ libxdmcp6 \
+ libxext6 \
+ libxi6 \
+ libxkbcommon-x11-0 \
+ libxkbcommon0 \
+ libxrender1 \
+ libxss1 \
+ libxt6 \
+ make \
+ perl \
+ tar \
+ tcsh \
+ x11-apps \
+ xorg \
+ xorg-dev \
+ xserver-xorg-video-intel \
+ xterm \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
- && locale-gen "${LC_ALL}" \
 && :
 RUN : \
 && deb="freesurfer_ubuntu22-${FREESURFER_VERSION}_amd64.deb" \
 && curl -sfLo "${deb}" "https://surfer.nmr.mgh.harvard.edu/pub/dist/freesurfer/${FREESURFER_VERSION}/${deb}" \
 && echo "${FREESURFER_DEB_MD5} ${deb}" | md5sum -c \
- && apt-get update -qq \
- && DEBIAN_FRONTEND=noninteractive apt-get install \
- -y --no-install-recommends \
- "./${deb}" \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* \
+ && dpkg -i "${deb}" \
 && rm "${deb}" \
 && :
From 8f98f03ab96c40ff92910e278cfc0d78dfd548c3 Mon Sep 17 00:00:00 2001
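Review bot: `libx11-dev` and `xorg-dev` are header packages, and `xorg` with `xserver-xorg-video-intel` installs a full X server; none of these are required to load shared libraries at runtime, and they widen the package surface the vulnerability scan later in this series has to cover. Unless a specific FreeSurfer tool needs them, keep the `lib*` runtime packages and drop the rest, noting in a comment which tool needs any that stay. `dpkg -i "${deb}"` does no dependency resolution, so this list has to remain complete or the build fails under the `-e` in `SHELL`; a comment above the list saying where it was derived from would make that contract explicit. The context line `echo "${FREESURFER_DEB_MD5} ${deb}" | md5sum -c` verifies the download with MD5; if upstream publishes a SHA-256 for the .deb, `sha256sum -c` gives a collision-resistant check at no extra cost.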
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 08:24:08 +0100
Subject: [PATCH 07/24] try pruning excess images before trivy scan
---
 .github/workflows/main.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 7f725a8..f31a59a 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -55,6 +55,14 @@ jobs:
 docker tag "$img:$tag" "$img:latest"
 echo "img=$img" >> "$GITHUB_ENV"
 echo "tag=$tag" >> "$GITHUB_ENV"
+ - name: free disk space
+ if: env.SKIP == '0'
+ run: |
+ set -euxo pipefail
+ df -h
+ docker builder prune -a -f
+ docker rmi -f $(docker image ls -a | grep -v "${{ matrix.package }}" | awk 'NR>1 {print $3}')
+ df -h
 - name: run trivy
 if: env.SKIP == '0'
 uses: aquasecurity/trivy-action@master
From 48ddca24116653805648fa400f25b9f5643076e8 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 08:48:15 +0100
Subject: [PATCH 08/24] debug
---
 .github/workflows/main.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index f31a59a..56d7474 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -43,6 +43,9 @@ jobs:
 sudo rm -rf /opt/ghc
 sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 df -h
+
+ # debug
+ docker image ls -a --digests --no-trunc
 - name: build image
 if: env.SKIP == '0'
 run: |
From 7fb43df84f3142dbe5add02b682275c3e89b52f7 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 09:14:50 +0100
Subject: [PATCH 09/24] don't prune trivy image
---
 .github/workflows/main.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 56d7474..d7207b2 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
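Review bot: `docker rmi -f $(…)` fails the step whenever the filter leaves nothing, because `set -e` is active and `docker rmi` with no arguments exits non-zero; `docker image ls -a | grep -v "${{ matrix.package }}" | awk 'NR>1 {print $3}' | xargs -r docker rmi -f` makes an empty result a no-op. `${{ matrix.package }}` is expanded directly into the shell script; the matrix is defined in this workflow, so it is not attacker-controlled today, but passing it via `env:` and reading `"$PACKAGE"` is the convention that keeps that true if the value ever comes from an input. The context line `uses: aquasecurity/trivy-action@master` pins a third-party action to a moving branch; a full commit SHA is the stable choice.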
@@ -64,8 +64,11 @@ jobs:
 set -euxo pipefail
 df -h
 docker builder prune -a -f
- docker rmi -f $(docker image ls -a | grep -v "${{ matrix.package }}" | awk 'NR>1 {print $3}')
+ docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
 df -h
+
+ # debug
+ docker image ls -a --digests --no-trunc
 - name: run trivy
 if: env.SKIP == '0'
 uses: aquasecurity/trivy-action@master
From dace6bdfaebba70f1124c9fbe78965d87adaecec Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 13:03:23 +0100
Subject: [PATCH 10/24] investigate /mnt on runner
---
 .github/workflows/main.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index d7207b2..ff69bca 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -46,6 +46,7 @@ jobs:
 # debug
 docker image ls -a --digests --no-trunc
+ tree -d -L 3 /mnt
 - name: build image
 if: env.SKIP == '0'
 run: |
From 1d262907a3ab0136ed8f7ec94c39adf85b88b5b5 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 13:06:44 +0100
Subject: [PATCH 11/24] investigate /mnt on runner
---
 .github/workflows/main.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index ff69bca..e151063 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -46,7 +46,8 @@ jobs:
 # debug
 docker image ls -a --digests --no-trunc
- tree -d -L 3 /mnt
+ ls -l /
+ mkdir -p /mnt/tmp
 - name: build image
 if: env.SKIP == '0'
 run: |
From 7823f3645cb1cf5f519a64d5ee2d3a48c76b07bc Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 13:15:53 +0100
Subject: [PATCH 12/24] try jlumbroso/free-disk-space@main
---
 .github/workflows/main.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index e151063..3653892 100644
--- a/.github/workflows/main.yaml
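Review bot: With `grep -E` in place of `grep -v`, the `awk 'NR>1'` that used to skip the `REPOSITORY` header now skips the first matching image instead, because the header no longer passes the filter; use `awk '{print $3}'` and exclude the header line explicitly. `docker rmi -f` still exits non-zero under `set -e` when nothing matches, so an `xargs -r` guard is needed as well. The same line is toggled on and off again in patches 13, 14 and 16 and removed in patch 24, so this matters only if it is revived.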
+++ b/.github/workflows/main.yaml
@@ -32,6 +32,10 @@ jobs:
 SKIP=1
 fi
 echo "SKIP=$SKIP" >> "$GITHUB_ENV"
+ - name: Run jlumbroso/free-disk-space@main
+ uses: jlumbroso/free-disk-space@main
+ with:
+ tool-cache: true
 - name: free disk space
 if: env.SKIP == '0'
 run: |
@@ -46,8 +50,6 @@ jobs:
 # debug
 docker image ls -a --digests --no-trunc
- ls -l /
- mkdir -p /mnt/tmp
 - name: build image
 if: env.SKIP == '0'
 run: |
From 12430d0051a42564bef0401b2905333ed7b26833 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 13:29:37 +0100
Subject: [PATCH 13/24] tidy debugging
---
 .github/workflows/main.yaml | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 3653892..f7467fe 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -33,23 +33,10 @@ jobs:
 fi
 echo "SKIP=$SKIP" >> "$GITHUB_ENV"
 - name: Run jlumbroso/free-disk-space@main
+ if: env.SKIP == '0'
 uses: jlumbroso/free-disk-space@main
 with:
 tool-cache: true
- - name: free disk space
- if: env.SKIP == '0'
- run: |
- set -euxo pipefail
- df -h
- sudo rm -rf /usr/share/dotnet
- sudo rm -rf /usr/local/lib/android
- sudo rm -rf /usr/local/share/boost
- sudo rm -rf /opt/ghc
- sudo rm -rf "$AGENT_TOOLSDIRECTORY"
- df -h
-
- # debug
- docker image ls -a --digests --no-trunc
 - name: build image
 if: env.SKIP == '0'
 run: |
@@ -68,7 +55,7 @@ jobs:
 set -euxo pipefail
 df -h
 docker builder prune -a -f
- docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
+ # docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
 df -h
 # debug
From 2ebbbb03271bcffbce04f37db9645d8a58a19cb8 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 13:43:54 +0100
Subject: [PATCH 14/24] ensure trivy image is retained
---
 .github/workflows/main.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
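Review bot: `uses: jlumbroso/free-disk-space@main` pulls a third-party action from a moving branch, and a cleanup action of this kind removes system paths with `sudo` (the hand-written step in patch 21 does the same), so any push to that branch runs here unreviewed. Pin it to a full commit SHA with the version in a trailing comment, `uses: jlumbroso/free-disk-space@<full-commit-sha> # <release>`. The same applies to `insightsengineering/disk-space-reclaimer@v1` in patch 19 and to the `@main` reference restored in patch 21; a `v1` tag is as mutable as a branch. This step is also the only one in the hunk without the `if: env.SKIP == '0'` gate, so it runs even when the build is skipped.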
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index f7467fe..1b0e485 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -37,6 +37,7 @@ jobs:
 uses: jlumbroso/free-disk-space@main
 with:
 tool-cache: true
+ docker-images: false
 - name: build image
 if: env.SKIP == '0'
 run: |
@@ -55,7 +56,7 @@ jobs:
 set -euxo pipefail
 df -h
 docker builder prune -a -f
- # docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
+ docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
 df -h
 # debug
From 30e0d8b7c504001fb5f70c5483242c4605406118 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 15:13:51 +0100
Subject: [PATCH 15/24] try using trivy directly instead of trivy-action
---
 .github/workflows/main.yaml | 45 ++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 1b0e485..83c6ab0 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -37,7 +37,6 @@ jobs:
 uses: jlumbroso/free-disk-space@main
 with:
 tool-cache: true
- docker-images: false
 - name: build image
 if: env.SKIP == '0'
 run: |
@@ -63,20 +62,36 @@ jobs:
 docker image ls -a --digests --no-trunc
 - name: run trivy
 if: env.SKIP == '0'
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: "${{ env.img }}:${{ env.tag }}"
- format: 'github'
- output: 'dependency-results.sbom.json'
- github-pat: "${{ secrets.GITHUB_TOKEN }}"
- severity: 'MEDIUM,CRITICAL,HIGH'
- scanners: "vuln"
- - name: upload trivy report
- if: env.SKIP == '0' && !cancelled()
- uses: actions/upload-artifact@v4
- with:
- name: 'trivy-sbom-report-${{ matrix.package }}'
- path: 'dependency-results.sbom.json'
+ run: |
+ set -euxo pipefail
+ out_dir=$(mktemp -d)
+ docker run \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v "${out_dir}":/out
+ docker.io/aquasec/trivy:0.52.2 \
+ image \
+ --scaners vuln \
+ --severity MEDIUM,HIGH,CRITICAL \
+ --output /out/dependency-results.sbom.json \
+ "$img:$tag"
+ ls -la "${out_dir}"
+ # - name: run trivy
+ # if: env.SKIP == '0'
+ # uses: aquasecurity/trivy-action@master
+ # with:
+ # image-ref: "${{ env.img }}:${{ env.tag }}"
+ # format: 'github'
+ # output: 'dependency-results.sbom.json'
+ # github-pat: "${{ secrets.GITHUB_TOKEN }}"
+ # severity: 'MEDIUM,CRITICAL,HIGH'
+ # scanners: "vuln"
+ # TODO
+ # - name: upload trivy report
+ # if: env.SKIP == '0' && !cancelled()
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: 'trivy-sbom-report-${{ matrix.package }}'
+ # path: 'dependency-results.sbom.json'
 - name: push image
 if: env.SKIP == '0' && github.ref == 'refs/heads/main'
 run: |
From b8788cfb3cd0741d6a750ac920c546e19137558b Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Wed, 19 Jun 2024 16:23:57 +0100
Subject: [PATCH 16/24] Comment image prune
---
 .github/workflows/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 83c6ab0..7775dcc 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
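Review bot: Mounting `/var/run/docker.sock` into the trivy container hands it full control of the runner's Docker daemon, which is root-equivalent on the host and far more than reading one image requires; `docker save "$img:$tag" -o "${out_dir}/image.tar"` followed by `trivy image --input /out/image.tar` scans the same image without the socket. With the action's `format: 'github'` dropped and no `--format` flag given, trivy writes its default table output to `dependency-results.sbom.json`, so the filename no longer describes the contents; `--format json` (or `cyclonedx` for an actual SBOM) would. `docker.io/aquasec/trivy:0.52.2` is a tag-only reference, while the Dockerfile in this series pins its base by digest; the scanner image deserves the same treatment. As written the step also cannot run: the `-v "${out_dir}":/out` line lacks a trailing `\` and `--scaners` is misspelled.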
@@ -55,7 +55,7 @@ jobs:
 set -euxo pipefail
 df -h
 docker builder prune -a -f
- docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
+ # docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
 df -h
 # debug
From e0cb67bf3012db5f6edc0c0e26cf65b5eea7ba9b Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 09:16:42 +0100
Subject: [PATCH 17/24] fixup command
---
 .github/workflows/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 7775dcc..0aa14c6 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -67,7 +67,7 @@ jobs:
 out_dir=$(mktemp -d)
 docker run \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "${out_dir}":/out
+ -v "${out_dir}":/out \
 docker.io/aquasec/trivy:0.52.2 \
 image \
 --scaners vuln \
From d67d9e1883b622af1c7c27a4628bdf7f29ada810 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 09:27:11 +0100
Subject: [PATCH 18/24] Typo
---
 .github/workflows/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 0aa14c6..59cfa23 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -70,7 +70,7 @@ jobs:
 -v "${out_dir}":/out \
 docker.io/aquasec/trivy:0.52.2 \
 image \
- --scaners vuln \
+ --scanners vuln \
 --severity MEDIUM,HIGH,CRITICAL \
 --output /out/dependency-results.sbom.json \
 "$img:$tag"
From ae04c171b1d4afaf50dcf2dd6f3df7e00ee205ee Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 12:54:32 +0100
Subject: [PATCH 19/24] try using insightsengineering/disk-space-reclaimer@v1 instead
---
 .github/workflows/main.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 59cfa23..dbeba93 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -32,9 +32,9 @@ jobs:
 SKIP=1
 fi
 echo "SKIP=$SKIP" >> "$GITHUB_ENV"
- - name: Run jlumbroso/free-disk-space@main
+ - name: Run insightsengineering/disk-space-reclaimer@v1
 if: env.SKIP == '0'
- uses: jlumbroso/free-disk-space@main
+ uses: insightsengineering/disk-space-reclaimer@v1
 with:
 tool-cache: true
 - name: build image
From 4fa58192d7aeb4776779e999b7631af8689ade8b Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 13:00:30 +0100
Subject: [PATCH 20/24] typo
---
 .github/workflows/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index dbeba93..a3412ea 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -36,7 +36,7 @@ jobs:
 if: env.SKIP == '0'
 uses: insightsengineering/disk-space-reclaimer@v1
 with:
- tool-cache: true
+ tools-cache: true
 - name: build image
 if: env.SKIP == '0'
 run: |
From 43b4c3766b4613fd6eedd23bf8cb170b328c955f Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 13:13:56 +0100
Subject: [PATCH 21/24] revert to jlumbroso/free-disk-space@main and delete extra bits
---
 .github/workflows/main.yaml | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index a3412ea..2a90b0f 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -32,11 +32,31 @@ jobs:
 SKIP=1
 fi
 echo "SKIP=$SKIP" >> "$GITHUB_ENV"
- - name: Run insightsengineering/disk-space-reclaimer@v1
+ - name: Run jlumbroso/free-disk-space@main
 if: env.SKIP == '0'
- uses: insightsengineering/disk-space-reclaimer@v1
+ uses: jlumbroso/free-disk-space@main
 with:
- tools-cache: true
+ tool-cache: true
+ - name: free disk space
+ if: env.SKIP == '0'
+ run: |
+ set -euxo pipefail
+ df -h
+ # From https://github.com/jlumbroso/free-disk-space/pull/24
+ sudo apt-get remove -y microsoft-edge-stable --fix-missing
+ sudo apt-get remove -y snapd --fix-missing
+
+ # Debug
+ ls -l /usr/local
+ ls -l /usr/local/lib*
+ ls -l /usr/local/share
+ ls -l /opt
+
+ # Extras
+ sudo rm -rf /usr/share/swift
+ sudo rm -rf /opt/hostedtoolcache/
+
+ df -h
 - name: build image
 if: env.SKIP == '0'
 run: |
From 0e42bbd2caf539ef25eafdadad655b37de2b4627 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 14:02:08 +0100
Subject: [PATCH 22/24] remove extra dirs
---
 .github/workflows/main.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 2a90b0f..55a3af3 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -51,10 +51,19 @@ jobs:
 ls -l /usr/local/lib*
 ls -l /usr/local/share
 ls -l /opt
+ ls -l /opt/microsoft
 # Extras
 sudo rm -rf /usr/share/swift
- sudo rm -rf /opt/hostedtoolcache/
+ sudo rm -rf /opt/hostedtoolcache
+ sudo rm -rf /usr/local/aws*
+ sudo rm -rf /usr/local/julia*
+ sudo rm -rf /usr/local/lib/R
+ sudo rm -rf /usr/local/lib/node_modules
+ sudo rm -rf /usr/local/share/chromium
+ sudo rm -rf /usr/local/share/chromium
+ sudo rm -rf /opt/az
+ sudo rm -rf /opt/mssql-tools
 df -h
 - name: build image
From e821839ac095ab656c4d5a0d7405b2025b9e42df Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 14:07:37 +0100
Subject: [PATCH 23/24] remove extra dirs
---
 .github/workflows/main.yaml | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 55a3af3..5c154a3 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -45,14 +45,6 @@ jobs:
 # From https://github.com/jlumbroso/free-disk-space/pull/24
 sudo apt-get remove -y microsoft-edge-stable --fix-missing
 sudo apt-get remove -y snapd --fix-missing
-
- # Debug
- ls -l /usr/local
- ls -l /usr/local/lib*
- ls -l /usr/local/share
- ls -l /opt
- ls -l /opt/microsoft
-
 # Extras
 sudo rm -rf /usr/share/swift
 sudo rm -rf /opt/hostedtoolcache
@@ -61,10 +53,14 @@ jobs:
 sudo rm -rf /usr/local/lib/R
 sudo rm -rf /usr/local/lib/node_modules
 sudo rm -rf /usr/local/share/chromium
- sudo rm -rf /usr/local/share/chromium
+ sudo rm -rf /usr/local/share/chromedriver-linux64
+ sudo rm -rf /usr/local/share/edge_driver
+ sudo rm -rf /usr/local/share/gecko_driver
+ sudo rm -rf /usr/share/java/selenium-server.jar
+ sudo rm -rf /usr/local/share/
 sudo rm -rf /opt/az
 sudo rm -rf /opt/mssql-tools
-
+ sudo rm -rf /opt/microsoft
 df -h
 - name: build image
 if: env.SKIP == '0'
From 327f4393b15aa43cffc9d1be76cc4ff0bd6e8364 Mon Sep 17 00:00:00 2001
From: Ruairidh MacLeod
Date: Thu, 20 Jun 2024 14:28:25 +0100
Subject: [PATCH 24/24] checkout file from main
---
 .github/workflows/main.yaml | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 5c154a3..a0bb66d 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -41,7 +41,6 @@ jobs:
 if: env.SKIP == '0'
 run: |
 set -euxo pipefail
- df -h
 # From https://github.com/jlumbroso/free-disk-space/pull/24
 sudo apt-get remove -y microsoft-edge-stable --fix-missing
 sudo apt-get remove -y snapd --fix-missing
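Review bot: `sudo rm -rf /usr/local/share/` wipes the whole directory, which makes the five targeted `/usr/local/share/...` removals above it redundant and also deletes anything else living there, such as `/usr/local/share/ca-certificates`, if a later step depends on locally added CAs — I can't tell from the hunk whether anything does. Either keep the targeted removals and drop the blanket one, or keep the blanket one and add a comment stating that the whole tree is intentionally discarded. The enclosing `run:` block starts above the hunk.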
@@ -78,45 +77,29 @@ jobs:
 if: env.SKIP == '0'
 run: |
 set -euxo pipefail
+ docker builder prune --all --force
 df -h
- docker builder prune -a -f
- # docker rmi -f $(docker image ls -a | grep -E "(node|debian|moby|ubuntu|alpine)" | awk 'NR>1 {print $3}')
- df -h
-
- # debug
- docker image ls -a --digests --no-trunc
 - name: run trivy
 if: env.SKIP == '0'
 run: |
 set -euxo pipefail
- out_dir=$(mktemp -d)
+ report_dir=$(mktemp -d)
+ echo "report_dir=$report_dir" >> "$GITHUB_ENV"
 docker run \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "${out_dir}":/out \
+ -v "${report_dir}":/out \
 docker.io/aquasec/trivy:0.52.2 \
 image \
 --scanners vuln \
 --severity MEDIUM,HIGH,CRITICAL \
 --output /out/dependency-results.sbom.json \
 "$img:$tag"
- ls -la "${out_dir}"
- # - name: run trivy
- # if: env.SKIP == '0'
- # uses: aquasecurity/trivy-action@master
- # with:
- # image-ref: "${{ env.img }}:${{ env.tag }}"
- # format: 'github'
- # output: 'dependency-results.sbom.json'
- # github-pat: "${{ secrets.GITHUB_TOKEN }}"
- # severity: 'MEDIUM,CRITICAL,HIGH'
- # scanners: "vuln"
- # TODO
- # - name: upload trivy report
- # if: env.SKIP == '0' && !cancelled()
- # uses: actions/upload-artifact@v4
- # with:
- # name: 'trivy-sbom-report-${{ matrix.package }}'
- # path: 'dependency-results.sbom.json'
+ - name: upload trivy report
+ if: env.SKIP == '0' && !cancelled()
+ uses: actions/upload-artifact@v4
+ with:
+ name: 'trivy-sbom-report-${{ matrix.package }}'
+ path: '${{ env.report_dir }}/dependency-results.sbom.json'
 - name: push image
 if: env.SKIP == '0' && github.ref == 'refs/heads/main'
 run: |
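Review bot: The trivy invocation has no `--exit-code`, so a CRITICAL finding is written to the report but never fails the job, and the `push image` step below is gated only on `SKIP` and the branch; if the scan is meant to gate the push, add `--exit-code 1` (and `--ignore-unfixed` if unfixed OS CVEs would otherwise block every build), otherwise a comment saying the scan is advisory would stop the next reader from assuming it blocks. Without `--format`, `--output /out/dependency-results.sbom.json` receives trivy's default table output, so the artifact promises an SBOM/JSON it does not contain; `--format json` (or `cyclonedx`) would match the name. The `/var/run/docker.sock` mount gives the scanner container control of the runner's Docker daemon; `docker save` plus `trivy image --input` scans the same image without it. Exporting `report_dir` through `GITHUB_ENV` works, but a step `id:` with `echo "report_dir=$report_dir" >> "$GITHUB_OUTPUT"` keeps the path scoped to the steps that use it.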