Merge pull request #1 from fullstack-devops/bugfix/init

init Image

Author: eksrha

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [eksrha] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "docker" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"

.github/workflows/anchore.yml

@@ -0,0 +1,45 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.  For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '45 5 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@v3
+
+    - name: Scan current project
+      id: scan
+      uses: anchore/scan-action@v3
+      with:
+        path: "."
+        acs-report-enable: true
+
+    - name: Upload Anchore Scan Report
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/build-pr.yml

@@ -0,0 +1,41 @@
+name: Build PR
+
+on:
+  pull_request:
+
+env:
+  IMAGE_BASE: "ghcr.io/${{ github.repository_owner }}/excalidraw"
+
+jobs:
+  generate_infos:
+    uses: fullstack-devops/actions/.github/workflows/generate-build-infos.yml@main
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+
+  build:
+    runs-on: ubuntu-latest
+    needs: generate_infos
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build excalidraw:pr-${{ github.event.pull_request.number }}
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          push: true
+          tags: |
+            ${{ env.IMAGE_BASE }}:pr-${{ github.event.pull_request.number }}

.github/workflows/cleanup-pr.yml

@@ -0,0 +1,18 @@
+name: Cleanup PR
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  purge-image:
+    name: Delete image from ghcr.io
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete excalidraw:pr-${{ github.event.pull_request.number }}
+        uses: bots-house/ghcr-delete-image-action@v1.0.0
+        with:
+          owner: ${{ github.repository_owner }}
+          name: excalidraw
+          token: ${{ secrets.GH_DEL_IMAGE_PAT }}
+          tag: pr-${{ github.event.pull_request.number }}

.github/workflows/create-release.yml

@@ -0,0 +1,78 @@
+name: Create Release
+
+concurrency:
+  group: ci-${{ github.repository }}-release
+  cancel-in-progress: false
+
+on:
+  push:
+    branches:
+      - "main"
+
+env:
+  IMAGE_NAME: "${{ github.repository_owner }}/excalidraw"
+
+jobs:
+  create_release:
+    uses: fullstack-devops/actions/.github/workflows/create-release.yml@main
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+
+  build:
+    runs-on: ubuntu-latest
+    needs: create_release
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Red Hat Quay
+        uses: docker/login-action@v1
+        with:
+          registry: quay.io
+          username: ${{ secrets.RH_QUAY_USERNAME }}
+          password: ${{ secrets.RH_QUAY_PASSWORD }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build excalidraw
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          push: true
+          tags: |
+            ghcr.io/${{ env.IMAGE_NAME }}:${{needs.create_release.outputs.version}}
+            ghcr.io/${{ env.IMAGE_NAME }}:latest
+            quay.io/${{ env.IMAGE_NAME }}:${{needs.create_release.outputs.version}}
+            quay.io/${{ env.IMAGE_NAME }}:latest
+
+  publish_release:
+    runs-on: ubuntu-latest
+    needs: [create_release, build_base, build_flavors]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup awesome-ci
+        uses: fullstack-devops/awesome-ci-action@main
+
+      - name: Publish Release
+        run: awesome-ci release publish -releaseid "$ACI_RELEASE_ID"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACI_RELEASE_ID: ${{ needs.create_release.outputs.releaseid }}
+
+      # - name: update helm charts appVersion
+      #   uses: peter-evans/repository-dispatch@v2
+      #   with:
+      #     token: ${{ secrets.HELM_REPO_TOKEN }}
+      #     repository: fullstack-devops/helm-charts
+      #     event-type: update_chart_version
+      #     client-payload: '{"chart": "excalidraw", "version": "${{ needs.create_release.outputs.version }}"}'

Dockerfile

@@ -0,0 +1,18 @@
+FROM node:14 AS build
+
+WORKDIR /opt/node_app
+
+ARG EXCALIDRAW_VERSION="0.12.0"
+
+RUN git clone --depth 1 --branch v${EXCALIDRAW_VERSION} https://github.com/excalidraw/excalidraw ./
+
+RUN yarn --ignore-optional
+
+ARG NODE_ENV=production
+RUN yarn build:app:docker
+
+FROM nginxinc/nginx-unprivileged:1.23.0-alpine
+
+COPY --from=build /opt/node_app/build /usr/share/nginx/html
+
+HEALTHCHECK CMD wget -q -O /dev/null http://localhost:8080 || exit 1

README.md

@@ -1,2 +1,18 @@
+[![Create Release](https://github.com/fullstack-devops/excalidraw/actions/workflows/create-release.yml/badge.svg)](https://github.com/fullstack-devops/excalidraw/actions/workflows/create-release.yml)
+[![Anchore Container Scan](https://github.com/fullstack-devops/excalidraw/actions/workflows/anchore.yml/badge.svg)](https://github.com/fullstack-devops/excalidraw/actions/workflows/anchore.yml)
+[![Docker Repository on Quay](https://quay.io/repository/fullstack-devops/excalidraw/status "Docker Repository on Quay")](https://quay.io/repository/fullstack-devops/excalidraw)
+
 # excalidraw
-Repo for rootless excalidraw in a secure nutshell
+Repo for rootless excalidraw in a secure nutshell ;)
+
+## Where can I get it?
+
+| Type | Registry     | Link                                                                                | Pull source                                  |
+| ---- | ------------ | ----------------------------------------------------------------------------------- | -------------------------------------------- |
+| OCI  | GitHub       | [Package](https://github.com/fullstack-devops/excalidraw/pkgs/container/excalidraw) | `ghcr.io/fullstack-devops/excalidraw:latest` |
+| OCI  | Red Hat Quay | [Repo](https://quay.io/repository/fullstack-devops/excalidraw?tab=info)             | `quay.io/fullstack-devops/excalidraw:latest` |
+| helm | GitHub       | [Repo](https://github.com/fullstack-devops/helm-charts)                             | `fs-devops/excalidraw`                       |
+
+
+more work tbd, eg.:
+- mount own libaries docker-compose and helm/k8s