From b4f310e70e6742d68d164faf5e45196ac0bf0133 Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Thu, 9 May 2024 15:44:33 +0100
Subject: [PATCH 1/3] Use two-stage container image build. This avoids including a bunch of cruft in the output image that worsens the signal-noise ratio from the image scanning (SCA) tools.
---
 Dockerfile | 15 +++++++++++++--
 Gemfile.lock | 2 ++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f3ce672..166a88b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,20 @@
 ARG ruby_version=3.3
-FROM ghcr.io/alphagov/govuk-ruby-builder:$ruby_version
+ARG base_image=ghcr.io/alphagov/govuk-ruby-base:$ruby_version
+ARG builder_image=ghcr.io/alphagov/govuk-ruby-builder:$ruby_version
+
+FROM --platform=$TARGETPLATFORM $builder_image AS builder
+
+WORKDIR $APP_HOME
 COPY Gemfile* .ruby-version ./
 RUN bundle install
 COPY . .
-USER app
+
+FROM --platform=$TARGETPLATFORM $base_image
+WORKDIR $APP_HOME
+COPY --from=builder $BUNDLE_PATH $BUNDLE_PATH
+COPY --from=builder $APP_HOME .
+
+USER app
 CMD ["./collect"]
diff --git a/Gemfile.lock b/Gemfile.lock
index f212d3e..7af0fc1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -123,6 +123,8 @@ GEM hashdiff (>= 0.4.0, < 2.0.0) PLATFORMS + aarch64-linux + ruby x86_64-linux DEPENDENCIES
From 5f05329c66e2f7efab610a0c429d8a8a4382631a Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Thu, 9 May 2024 17:32:58 +0100
Subject: [PATCH 2/3] bundle update --bundler && bundle update
---
 Gemfile.lock | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 7af0fc1..95a11e5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -15,7 +15,7 @@ GEM public_suffix (>= 2.0.2, < 6.0) ast (2.4.2) base64 (0.2.0) - bigdecimal (3.1.7) + bigdecimal (3.1.8) climate_control (1.2.0) concurrent-ruby (1.2.3) connection_pool (2.4.1)
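Review bot: In the Dockerfile hunk, the final stage copies everything the builder stage produced, so the runtime image gets leaner in OS tooling but not in application content: `COPY --from=builder $BUNDLE_PATH $BUNDLE_PATH` brings over every gem that `RUN bundle install` installed, and `COPY --from=builder $APP_HOME .` brings over the whole build context from `COPY . .`. Unless the builder image already sets `BUNDLE_WITHOUT` (not visible in this patch), development and test gems from Gemfile.lock such as rubocop, rspec-mocks and webmock will still ship and still be reported by the SCA scan; something like `RUN BUNDLE_WITHOUT="development:test" bundle install`, with the group names taken from the Gemfile, would keep them out. It is also worth confirming that a `.dockerignore` excludes `.git`, the specs and any local credential files, since whatever `COPY . .` picks up still lands in the published image. A short comment above the first `WORKDIR $APP_HOME` noting that `APP_HOME` and `BUNDLE_PATH` are presumably set by both base images would help, because the two `COPY --from=builder` lines only resolve correctly if the images agree on those values.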
@@ -23,33 +23,32 @@ GEM bigdecimal rexml diff-lcs (1.5.1) - domain_name (0.5.20190701) - unf (>= 0.0.5, < 1.0.0) + domain_name (0.6.20240107) drb (2.2.1) hashdiff (1.1.0) http-accept (1.7.0) http-cookie (1.0.5) domain_name (~> 0.5) - i18n (1.14.4) + i18n (1.14.5) concurrent-ruby (~> 1.0) - json (2.7.1) + json (2.7.2) language_server-protocol (3.17.0.3) - mime-types (3.5.1) + mime-types (3.5.2) mime-types-data (~> 3.2015) - mime-types-data (3.2023.1003) + mime-types-data (3.2024.0507) minitest (5.22.3) mutex_m (0.2.0) netrc (0.11.0) parallel (1.24.0) - parser (3.3.0.5) + parser (3.3.1.0) ast (~> 2.4.1) racc prometheus-client (4.2.2) - public_suffix (5.0.4) + public_suffix (5.0.5) racc (1.7.3) - rack (3.0.10) + rack (3.0.11) rainbow (3.1.1) - regexp_parser (2.9.0) + regexp_parser (2.9.1) rest-client (2.1.0) http-accept (>= 1.7.0, < 2.0) http-cookie (>= 1.0.2, < 2.0)
@@ -65,10 +64,10 @@ GEM rspec-expectations (3.13.0) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.13.0) - rspec-mocks (3.13.0) + rspec-mocks (3.13.1) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.13.0) - rspec-support (3.13.0) + rspec-support (3.13.1) rubocop (1.62.1) json (~> 2.3) language_server-protocol (>= 3.17.0)
@@ -104,7 +103,7 @@ GEM rubocop-capybara (~> 2.17) rubocop-factory_bot (~> 2.22) rubocop-rspec_rails (~> 2.28) - rubocop-rspec_rails (2.28.2) + rubocop-rspec_rails (2.28.3) rubocop (~> 1.40) ruby-progressbar (1.13.0) sentry-ruby (5.17.3)
@@ -113,9 +112,6 @@ GEM timecop (0.9.8) tzinfo (2.0.6) concurrent-ruby (~> 1.0) - unf (0.1.4) - unf_ext - unf_ext (0.0.8.2) unicode-display_width (2.5.0) webmock (3.23.0) addressable (>= 2.8.0)
@@ -138,4 +134,4 @@ DEPENDENCIES webmock BUNDLED WITH - 2.4.10 + 2.5.10
From 0145d5f6852b6e24a6c9d31dbb0b159c6aee5a63 Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Thu, 9 May 2024 17:35:00 +0100
Subject: [PATCH 3/3] Disable GHA checkout logspew.
---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4d4a731..8902f85 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -39,6 +39,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ show-progress: false
 - name: Setup Ruby
 uses: ruby/setup-ruby@v1