diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0f702f1f3..c66abdc7d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -13,11 +13,11 @@ on: - release\/* permissions: - id-token: write - pull-requests: write - contents: read - deployments: write - packages: write + id-token: write + pull-requests: write + contents: read + deployments: write + packages: write env: DOTNET_VERSION: "7.0.x" @@ -227,15 +227,11 @@ jobs: join-gateway-images: name: Gateway needs: - - setup-tags - docker-gateway-api-private - docker-gateway-api-private-arm - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: - image_name: private-babylon-ng-gateway-api - image_tag: ${{ needs.setup-tags.outputs.gateway-api-tag }} - tag_suffix_1: amd64 - tag_suffix_2: arm64 + amd_meta_data_json: ${{ needs.docker-gateway-api-private.outputs.json }} aws_dockerhub_secret: github-actions/common/dockerhub-credentials secrets: role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }} @@ -243,15 +239,11 @@ jobs: join-aggregator-images: name: Aggregator needs: - - setup-tags - docker-data-aggregator-private - docker-data-aggregator-private-arm - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: - image_name: private-babylon-ng-data-aggregator - image_tag: ${{ needs.setup-tags.outputs.data-aggregator-tag }} - tag_suffix_1: amd64 - tag_suffix_2: arm64 + amd_meta_data_json: ${{ needs.docker-data-aggregator-private.outputs.json }} aws_dockerhub_secret: github-actions/common/dockerhub-credentials secrets: role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }} 
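Review bot: The new `uses:` line in join-gateway-images still references the reusable workflow by the mutable ref `@main`, and this job hands it `secrets.GH_COMMON_SECRETS_READ_ROLE` under a workflow-level `id-token: write`. Anyone who can push to that branch of `radixdlt/public-iac-resuable-artifacts` changes what runs with those credentials, with no change recorded in this repository. Pin the reference to a full commit SHA, e.g. `uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@<FULL_COMMIT_SHA>  # main`. The same applies to the `uses:` lines changed in the join-aggregator-images and join-migrations-images hunks of this file and in the three join jobs of releases.yml, which pass `secrets.DOCKERHUB_RELEASER_ROLE`.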
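Review bot: In join-aggregator-images only the AMD job's output is passed (`amd_meta_data_json: ${{ needs.docker-data-aggregator-private.outputs.json }}`), while `docker-data-aggregator-private-arm` stays in `needs` without any of its outputs being used. The hunk does not show how the called workflow locates the ARM image, so a reader cannot tell whether a mismatch between the two builds' tags would be caught. A comment above the input would help, for example `# tags come from the AMD build metadata; the -arm job is listed only so the join waits for it`, if that is indeed how the join workflow behaves. The gateway and migrations join jobs have the same shape.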
@@ -259,20 +251,15 @@ jobs: join-migrations-images: name: Migration needs: - - setup-tags - docker-database-migrations-private - docker-database-migrations-private-arm - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: - image_name: private-babylon-ng-database-migrations - image_tag: ${{ needs.setup-tags.outputs.database-migrations-tag }} - tag_suffix_1: amd64 - tag_suffix_2: arm64 + amd_meta_data_json: ${{ needs.docker-database-migrations-private.outputs.json }} aws_dockerhub_secret: github-actions/common/dockerhub-credentials secrets: role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }} - deploy-on-mardunet: runs-on: ubuntu-22.04 needs: diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index 57b8bf74f..f86132384 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -67,6 +67,11 @@ jobs: name: AMD DatabaseMigrations needs: - setup-tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: ubuntu-22.04 @@ -90,6 +95,11 @@ jobs: name: ARM DatabaseMigrations needs: - setup-tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: babylon-gateway-arm @@ -115,6 +125,11 @@ jobs: name: AMD DataAggregator needs: - setup-tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: ubuntu-22.04 
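Review bot: The `permissions:` block added to the AMD DatabaseMigrations job in releases.yml grants `pull-requests: write` and `packages: write` to a called workflow referenced at `@main`, and nothing in the hunk shows either scope being needed for a release build. If `docker-build.yml` only needs OIDC and a checkout here, the block could shrink to `id-token: write` and `contents: read`. If the called workflow declares the wider scopes itself, a one-line comment such as `# scopes required by docker-build.yml` would record why they are granted. The join jobs later in this file get `pull-requests: read`, so the build jobs are the outliers; the identical block is added in the five other docker-build hunks (ARM DatabaseMigrations, AMD/ARM DataAggregator, AMD/ARM GatewayApi). Each job's `with:` inputs continue past its hunk.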
@@ -138,6 +153,11 @@ jobs: name: ARM DataAggregator needs: - setup-tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: babylon-gateway-arm @@ -163,6 +183,11 @@ jobs: name: AMD GatewayApi needs: - setup-tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: ubuntu-22.04 @@ -186,6 +211,11 @@ jobs: name: ARM GatewayApi needs: - setup-tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: babylon-gateway-arm @@ -210,15 +240,15 @@ jobs: join-gateway-images: name: Gateway needs: - - setup-tags - docker-gateway-api-dockerhub - docker-gateway-api-dockerhub-arm - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + permissions: + id-token: write + contents: read + pull-requests: read + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: - image_name: babylon-ng-gateway-api - image_tag: ${{ needs.setup-tags.outputs.version-suffix }} - tag_suffix_1: amd64 - tag_suffix_2: arm64 + amd_meta_data_json: ${{ needs.docker-gateway-api-dockerhub.outputs.json }} aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials secrets: role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} 
@@ -229,12 +259,13 @@ jobs: - setup-tags - docker-data-aggregator-dockerhub - docker-data-aggregator-dockerhub-arm - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + permissions: + id-token: write + contents: read + pull-requests: read + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: - image_name: babylon-ng-data-aggregator - image_tag: ${{ needs.setup-tags.outputs.version-suffix }} - tag_suffix_1: amd64 - tag_suffix_2: arm64 + amd_meta_data_json: ${{ needs.docker-data-aggregator-dockerhub.outputs.json }} aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials secrets: role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} @@ -245,12 +276,13 @@ jobs: - setup-tags - docker-database-migrations-dockerhub - docker-database-migrations-dockerhub-arm - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + permissions: + id-token: write + contents: read + pull-requests: read + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: - image_name: babylon-ng-database-migrations - image_tag: ${{ needs.setup-tags.outputs.version-suffix }} - tag_suffix_1: amd64 - tag_suffix_2: arm64 + amd_meta_data_json: ${{ needs.docker-database-migrations-dockerhub.outputs.json }} aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials secrets: role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} 
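Review bot: `setup-tags` is left in `needs` in this hunk although the only visible use of it, `image_tag: ${{ needs.setup-tags.outputs.version-suffix }}`, is removed. The join-gateway-images hunk before it and the three join jobs in main.yml drop the entry. Unless a part of the job outside the hunk still reads a `setup-tags` output, remove `- setup-tags` here so the join jobs stay consistent and the dependency list names only what the job uses. The last join hunk in releases.yml (database-migrations) has the same leftover. The job header is outside this hunk, so the job is identified here only by its `docker-data-aggregator-dockerhub` needs.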
@@ -277,10 +309,8 @@ jobs: with: role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} app_name: 'babylon-gateway' - step_name: 'snyk-container-monitor' dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true snyk_org_id: ${{ secrets.SNYK_ORG_ID }} image: docker.io/radixdlt/babylon-ng-${{ matrix.app }}:${{ needs.setup-tags.outputs.version-suffix }} target_ref: ${{ github.ref_name }} diff --git a/apps/DataAggregator/Dockerfile b/apps/DataAggregator/Dockerfile index e492697d1..9f569115c 100644 --- a/apps/DataAggregator/Dockerfile +++ b/apps/DataAggregator/Dockerfile @@ -5,15 +5,6 @@ FROM mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim AS base WORKDIR /app -# Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix -# docker run -it mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim ldd --version -# This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above -RUN apt-get update -y \ - && apt-get -y --no-install-recommends install \ - libc6=2.36-9+deb12u3 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - FROM mcr.microsoft.com/dotnet/sdk:7.0-bookworm-slim AS build WORKDIR /src COPY babylon-gateway.sln \ diff --git a/apps/DatabaseMigrations/Dockerfile b/apps/DatabaseMigrations/Dockerfile index a4c77a125..b519c520a 100644 --- a/apps/DatabaseMigrations/Dockerfile +++ b/apps/DatabaseMigrations/Dockerfile 
@@ -5,15 +5,6 @@ FROM mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim AS base WORKDIR /app -# Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix -# docker run -it mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim ldd --version -# This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above -RUN apt-get update -y \ - && apt-get -y --no-install-recommends install \ - libc6=2.36-9+deb12u3 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - FROM mcr.microsoft.com/dotnet/sdk:7.0-bookworm-slim AS build WORKDIR /src COPY babylon-gateway.sln \ diff --git a/apps/GatewayApi/Dockerfile b/apps/GatewayApi/Dockerfile index d7246df7b..6a0f9938d 100644 --- a/apps/GatewayApi/Dockerfile +++ b/apps/GatewayApi/Dockerfile @@ -5,15 +5,6 @@ FROM mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim AS base WORKDIR /app -# Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix -# docker run -it mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim ldd --version -# This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above -RUN apt-get update -y \ - && apt-get -y --no-install-recommends install \ - libc6=2.36-9+deb12u3 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - FROM mcr.microsoft.com/dotnet/sdk:7.0-bookworm-slim AS build WORKDIR /src COPY babylon-gateway.sln \