Merge pull request #63 from appwrite/clo-4095-cve-maintenance-01

Updated PHP, Swoole, Imagemagick, Add more CI scanning, ...

Author: davidjeddy

.dive-ci.yml

@@ -0,0 +1,13 @@
+rules:
+  # If the efficiency is measured below X%, mark as failed.
+  # Expressed as a ratio between 0-1.
+  lowestEfficiency: 0.90
+
+  # If the amount of wasted space is at least X or larger than X, mark as failed.
+  # Expressed in B, KB, MB, and GB.
+  highestWastedBytes: 128MB
+
+  # If the amount of wasted space makes up for X% or more of the image, mark as failed.
+  # Note: the base image layer is NOT included in the total image size.
+  # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
+  highestUserWastedPercent: 0.10

.dockerignore

@@ -0,0 +1,6 @@
+.git*
+*.md
+*test*.*
+Dockerfile
+LICENSE
+trivy-*.json

.github/workflows/build-and-push.yml

@@ -1,37 +1,87 @@
-name: Build and Push to DockerHub
+name: Build and Push
 
-on:
+on: 
+  push:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 env:
-  REGISTRY: docker.io
   IMAGE_NAME: appwrite/base
-  TAG: ${{ github.event.release.tag_name }}
+  REGISTRY: docker.io
 
+# https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
+# https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/
 jobs:
-  build:
-    runs-on: ubuntu-latest
+  build_and_push:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            arch: amd64
+          - os: ubuntu-24.04-arm
+            arch: arm64
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6.0.2
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}} .
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Push an image
+        run: |
+          docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}}
 
-      - name: Build and push
-        uses: docker/build-push-action@v4
+  manifest_build_and_push_on_feature:
+    if: github.ref != 'refs/heads/main'
+    needs: build_and_push
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
         with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Create manifest
+        run: |
+            docker manifest create \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64
+
+      - name: Push manifest
+        run: |
+            docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+  manifest_build_and_push_on_main:
+    if: github.ref == 'refs/heads/main'
+    needs: build_and_push
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Create manifest
+        run: |
+            docker manifest create \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64
+
+      - name: Push manifest
+        run: |
+            docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}

.github/workflows/dive.yml

@@ -0,0 +1,27 @@
+name: Dive Test
+
+on: push
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
+
+jobs:
+  dive:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+      - name: Dive
+        uses: yuichielectric/dive-action@0.0.4
+        with:
+          config-file: ${{ github.workspace }}/.dive-ci.yml
+          image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'

.github/workflows/structure-test.yml

@@ -0,0 +1,28 @@
+# https://github.com/marketplace/actions/container-structure-test-action
+name: Container Structure Test
+
+on: push
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
+
+jobs:
+  structure_test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v6.0.2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+      - name: Run container structure tests
+        uses: plexsystems/container-structure-test-action@v0.1.0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          config: tests.yaml

.github/workflows/test.yml

@@ -1,9 +1,5 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: trivy
+# https://github.com/aquasecurity/trivy-action
+name: Trivy Scan
 
 on:
   push:
@@ -15,34 +11,35 @@ on:
     - cron: '43 11 * * 6'
 
 permissions:
-  contents: read
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
 
 jobs:
-  build:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    name: Build
-    runs-on: ubuntu-latest
+  scheduled_trivy:
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
 
       - name: Build an image from Dockerfile
         run: |
-          docker build -t appwrite/docker-base:${{ github.sha }} .
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+      - name: Run Trivy vulnerability scanner (sarif report)
+        uses: aquasecurity/trivy-action@0.35.0
         with:
-          image-ref: 'appwrite/docker-base:${{ github.sha }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
+          format: 'sarif'
+          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+          output: 'trivy-image-results.sarif'
           severity: 'CRITICAL,HIGH'
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+      # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v4
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: '.'

.github/workflows/trivy.yml

@@ -0,0 +1,38 @@
+# CHANGELOG
+
+## Version 1.1.0
+
+### Add
+
+* .dockerignore
+* .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities
+* base_image and php_build_date to container labels
+* container image build action to publish image using commit sha
+* container-structure-test to check PHP version (currently set to 8.5.3)
+* container-structure-test to check swoole version (currently set to 6.2.0)
+* SECURITY.md to align with appwrite/appwrite
+
+### Change
+
+* .github/*.yml steps updated to latest versions
+* Better document use of `docker buildx ...` for local builds
+* Better noted and organized the different build processes for PHP extensions
+* Date component of PHP extension shared objects directory now a build argument
+* Dockerfile base now based on `phpswoole/swoole:php8.5-alpine`
+* Dockerfile compile and final stage system packages aligned
+* GitHub action for container-structure-test now uses a marketplace action
+* GitHub action runners pinned to Ubuntu 24.04
+* ImageMagick version bumped to 7.1.2.15 via APK
+* PHP version bumped to 8.5
+* Refactored multi-arch build process to prevent cross-arch builds requiring long wait times
+
+### Fixes
+
+* README.md usage instructions more detailed
+
+### Miscellaneous
+
+### Removed
+
+* Build tools from final stage of Dockerfile
+* GitHub action to Setup QEMU as GitHub now provides native ARM runners