refactor(Dockerfile): unify inter stage with first

now `cosign dockerfile verify` can be easily used in CI
andros21 · Sep 25, 2023 · 85839c3 · 85839c3
1 parent b76d757
commit 85839c3
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 13 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -32,13 +32,6 @@ jobs:
     steps:
       - name: checkout project
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
-      - name: get base image
-        id: base
-        run: |
-          set -x
-          DIGEST="$(awk -F '@' '/latest@/ {print $2}' Dockerfile)"
-          echo "Base image: ${BASE_IMAGE}:latest@${DIGEST}"
-          echo "image=${BASE_IMAGE}:latest@${DIGEST}" >> "$GITHUB_OUTPUT"
       - name: setup python
         uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
         with:
@@ -54,11 +47,11 @@ jobs:
         uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
       - name: verify base image signature
         run: |
-          cosign verify \
+          cosign dockerfile verify \
             --certificate-identity \
             'https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main' \
             --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
-            "${{ steps.base.outputs.image }}" | jq .
+            Dockerfile | jq .
       - name: docker buildx
         id: buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226

diff --git a/Dockerfile b/Dockerfile
@@ -11,10 +11,7 @@ WORKDIR /home/nonroot
 RUN ["/usr/bin/python3", "-m" , "venv", ".venv"]
 COPY requirements.txt requirements.txt
 RUN [".venv/bin/pip", "install", "--no-cache-dir", "--disable-pip-version-check", "--require-hashes", "-r", "requirements.txt"]
-
 # Run random walk simulation
-#
-FROM venv AS rwalker
 COPY rwalker.py rwalker.py
 RUN [".venv/bin/python3", "rwalker.py"]
 
@@ -27,6 +24,6 @@ FROM cgr.dev/chainguard/python:latest@sha256:2065a6e52402ba9616ad51d9fbc0c6587d5
 WORKDIR /home/nonroot
 COPY . .
 COPY --from=venv /home/nonroot/.venv .venv
-COPY --from=rwalker /home/nonroot/data /data
+COPY --from=venv /home/nonroot/data /data
 EXPOSE 8080
 ENTRYPOINT [".venv/bin/gunicorn", "--bind", ":8080", "--workers", "2", "rwalk:app"]