apk upgrade on each build to auto resolve any CVEs

pgflo · Nov 16, 2024 · 93d3059 · 93d3059
1 parent 33ee371
commit 93d3059
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 111 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,3 +47,32 @@ jobs:
 
       - name: Build
         run: make build
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          buildkitd-flags: --debug
+
+      - name: Set build timestamp
+        id: timestamp
+        run: echo "timestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: pg_flo:test
+          build-args: |
+            VERSION=${{ github.sha }}
+            COMMIT=${{ github.sha }}
+            DATE=${{ steps.timestamp.outputs.timestamp }}
+
+      - name: Verify Docker image version
+        run: |
+          docker run --rm pg_flo:test version | grep ${{ github.sha }}
diff --git a/.github/workflows/release-and-docker.yml b/.github/workflows/release-and-docker.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
 FROM golang:1.21-alpine AS builder
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY . .
 ARG VERSION=dev
@@ -12,6 +13,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -v \
   -o pg_flo .
 
 FROM alpine:latest
-RUN apk add --no-cache postgresql15-client
+RUN apk update && apk upgrade --no-cache && \
+  apk add --no-cache postgresql15-client
 COPY --from=builder /app/pg_flo /usr/local/bin/
 ENTRYPOINT ["pg_flo"]