SMI · rkm · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -32,16 +32,34 @@ jobs:
             SKIP=1
           fi
           echo "SKIP=$SKIP" >> "$GITHUB_ENV"
+      - name: Run jlumbroso/free-disk-space@main
+        if: env.SKIP == '0'
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: true
       - name: free disk space
         if: env.SKIP == '0'
         run: |
           set -euxo pipefail
-          df -h
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf /opt/ghc
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          # From https://github.com/jlumbroso/free-disk-space/pull/24
+          sudo apt-get remove -y microsoft-edge-stable --fix-missing
+          sudo apt-get remove -y snapd --fix-missing
+          # Extras
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /opt/hostedtoolcache
+          sudo rm -rf /usr/local/aws*
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /usr/local/lib/R
+          sudo rm -rf /usr/local/lib/node_modules
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /usr/local/share/chromedriver-linux64
+          sudo rm -rf /usr/local/share/edge_driver
+          sudo rm -rf /usr/local/share/gecko_driver
+          sudo rm -rf /usr/share/java/selenium-server.jar
+          sudo rm -rf /usr/local/share/
+          sudo rm -rf /opt/az
+          sudo rm -rf /opt/mssql-tools
+          sudo rm -rf /opt/microsoft
           df -h
       - name: build image
         if: env.SKIP == '0'
@@ -55,22 +73,33 @@ jobs:
           docker tag "$img:$tag" "$img:latest"
           echo "img=$img" >> "$GITHUB_ENV"
           echo "tag=$tag" >> "$GITHUB_ENV"
+      - name: free disk space
+        if: env.SKIP == '0'
+        run: |
+          set -euxo pipefail
+          docker builder prune --all --force
+          df -h
       - name: run trivy
         if: env.SKIP == '0'
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "${{ env.img }}:${{ env.tag }}"
-          format: 'github'
-          output: 'dependency-results.sbom.json'
-          github-pat: "${{ secrets.GITHUB_TOKEN }}"
-          severity: 'MEDIUM,CRITICAL,HIGH'
-          scanners: "vuln"
+        run: |
+          set -euxo pipefail
+          report_dir=$(mktemp -d)
+          echo "report_dir=$report_dir" >> "$GITHUB_ENV"
+          docker run \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "${report_dir}":/out \
+            docker.io/aquasec/trivy:0.52.2 \
+              image \
+              --scanners vuln \
+              --severity MEDIUM,HIGH,CRITICAL \
+              --output /out/dependency-results.sbom.json \
+              "$img:$tag"
       - name: upload trivy report
         if: env.SKIP == '0' && !cancelled()
         uses: actions/upload-artifact@v4
         with:
           name: 'trivy-sbom-report-${{ matrix.package }}'
-          path: 'dependency-results.sbom.json'
+          path: '${{ env.report_dir }}/dependency-results.sbom.json'
       - name: push image
         if: env.SKIP == '0' && github.ref == 'refs/heads/main'
         run: |

diff --git a/software/Freesurfer/Dockerfile b/software/Freesurfer/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM docker.io/ubuntu@sha256:e9569c25505f33ff72e88b2990887c9dcf230f23259da296eb814fc2b41af999
 
 ARG FREESURFER_VERSION="7.4.1"
 ARG FREESURFER_DEB_MD5="bfe85dd76677cfb7ca2b247b9ac6148e"
@@ -7,26 +7,76 @@ ENV \
     LANG="en_GB.UTF-8" \
     LC_ALL="en_GB.UTF-8"
 
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
 RUN : \
     && apt-get update -qq \
+    && apt-get upgrade -qq \
     && DEBIAN_FRONTEND=noninteractive apt-get install \
-           -qq -y --no-install-recommends \
-           ca-certificates \
-           curl \
+         -qq -y --no-install-recommends \
+         bash \
+         bc \
+         binutils \
+         ca-certificates \
+         csh \
+         curl \
+         file \
+         gettext \
+         gzip \
+         language-pack-en \
+         libbsd0 \
+         libegl1 \
+         libgl1 \
+         libglu1-mesa \
+         libglvnd0 \
+         libglx0 \
+         libjpeg62 \
+         libncurses5 \
+         libopengl0 \
+         libpcre3 \
+         libquadmath0 \
+         libsm6 \
+         libwayland-cursor0 \
+         libx11-dev \
+         libxcb-icccm4 \
+         libxcb-image0 \
+         libxcb-keysyms1 \
+         libxcb-render-util0 \
+         libxcb-render0 \
+         libxcb-shape0 \
+         libxcb-sync1 \
+         libxcb-xfixes0 \
+         libxcb-xinerama0 \
+         libxcb-xinput0 \
+         libxcb-xkb1 \
+         libxdmcp6 \
+         libxext6 \
+         libxi6 \
+         libxkbcommon-x11-0 \
+         libxkbcommon0 \
+         libxrender1 \
+         libxss1 \
+         libxt6 \
+         make \
+         perl \
+         tar \
+         tcsh \
+         x11-apps \
+         xorg \
+         xorg-dev \
+         xserver-xorg-video-intel \
+         xterm \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
     && :
 
 RUN : \
-    && set -eu \
     && deb="freesurfer_ubuntu22-${FREESURFER_VERSION}_amd64.deb" \
     && curl -sfLo "${deb}" "https://surfer.nmr.mgh.harvard.edu/pub/dist/freesurfer/${FREESURFER_VERSION}/${deb}" \
     && echo "${FREESURFER_DEB_MD5} ${deb}" | md5sum -c \
-    && apt-get update -qq \
-    && DEBIAN_FRONTEND=noninteractive apt-get install \
-           -y --no-install-recommends \
-           "./${deb}" \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
+    && dpkg -i "${deb}" \
     && rm "${deb}" \
     && :
+
+RUN groupadd --system nonroot && useradd --no-log-init --system --gid nonroot nonroot
+USER nonroot