diff --git a/.github/workflows/serve-encrypt.yml b/.github/workflows/serve-encrypt.yml
new file mode 100644
index 0000000..4588598
--- /dev/null
+++ b/.github/workflows/serve-encrypt.yml
@@ -0,0 +1,68 @@
+name: Serve-Encrypt workflow
+
+on:
+ push:
+ paths:
+ - "serve-encrypt/**"
+ # Adds ability to run this workflow manually
+ workflow_dispatch:
+ inputs:
+ logLevel:
+ description: 'Log level'
+ required: true
+ default: 'warning'
+ type: choice
+ options:
+ - info
+ - warning
+ - debug
+ tags:
+ description: 'Manual run'
+ required: false
+ type: boolean
+
+jobs:
+
+ push:
+ if: |
+ github.ref == 'refs/heads/main' &&
+ github.repository == 'scilifelabdatacentre/serve-images'
+ needs: build_and_test
+ runs-on: ubuntu-latest
+ concurrency:
+ group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+ cancel-in-progress: true
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: 'Checkout github action'
+ uses: actions/checkout@main
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/scilifelabdatacentre/serve-encrypt
+ tags: |
+ type=raw,value={{date 'YYMMDD-HHmm' tz='Europe/Stockholm'}}
+
+ - name: 'Login to GHCR'
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+
+ - name: Publish image to GHCR
+ uses: docker/build-push-action@v3
+ with:
+ file: ./serve-encrypt/Dockerfile
+ context: ./serve-encrypt
+ push: true
+ build-args: version=${{ github.ref_name }}
+ tags: |
+ ${{ steps.meta.outputs.tags }}
+ ghcr.io/scilifelabdatacentre/serve-encrypt:latest
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/serve-encrypt/Dockerfile b/serve-encrypt/Dockerfile
new file mode 100644
index 0000000..ec51d03
--- /dev/null
+++ b/serve-encrypt/Dockerfile
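Review bot: `needs: build_and_test` names a job that this workflow never defines — `push` is the only job in the file — so GitHub will reject the workflow as invalid at parse time, and if the dependency is simply dropped to make it load, the image is published to GHCR with no test gate at all; either add the `build_and_test` job or remove the `needs:` line deliberately. Separately, `uses: actions/checkout@main` tracks a mutable branch of a third-party action inside a job that holds a `packages: write` token; pin it to a release tag or, better, a full commit SHA (e.g. `uses: actions/checkout@v4`), and bring `docker/login-action@v1`, which is several majors behind the `metadata-action@v4` and `build-push-action@v3` used beside it, up to the current major. The `workflow_dispatch` inputs `logLevel` and `tags` are declared but never read by any step, so they should be removed or wired in, and the `concurrency.group` expression references `github.event.pull_request.head.label` although the workflow only runs on `push`/`workflow_dispatch`, which a short comment could explain or the expression could be simplified to `${{ github.workflow }} @ ${{ github.ref }}`.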
@@ -0,0 +1,29 @@
+# Use an official Debian as a parent image for a lightweight build
+FROM debian:stable-slim
+
+# Install PostgreSQL client and GPG
+RUN apt-get update && apt-get install -y gnupg2 curl postgresql-client && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user and group (using user ID 1000 and group ID 1000 for compatibility)
+# Fixed commands for Debian
+RUN groupadd -g 1000 pguser && \
+ useradd -m -u 1000 -g pguser pguser
+
+# Set the GNUPGHOME environment variable
+ENV GNUPGHOME=/home/pguser/.gnupg
+
+# Set working directory
+WORKDIR /home/pguser
+
+# Copy the GPG public key
+COPY gpg-public-key /home/pguser/gpg-public-key
+
+# Import the GPG key
+# The command to switch users before running a command has also been adjusted for Debian compatibility
+RUN chown pguser:pguser /home/pguser/gpg-public-key && \
+ chmod 600 /home/pguser/gpg-public-key && \
+ su pguser -c 'gpg --import /home/pguser/gpg-public-key'
+
+# Switch to the non-root user
+USER pguser
+
diff --git a/serve-encrypt/gpg-public-key b/serve-encrypt/gpg-public-key
new file mode 100644
index 0000000..4a100a0
--- /dev/null
+++ b/serve-encrypt/gpg-public-key
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZdi2zRYJKwYBBAHaRw8BAQdAWiUZyQidLNI7H5h2guFRX7Z5XMq7xlezOTPU
+4E7WLSy0IU1vbnR5UHl0aG9uIDxzZXJ2ZUBzY2lsaWZlbGFiLnNlPoiZBBMWCgBB
+FiEEFMj00C+87r6gxkIweUw2dG7WihkFAmXYts0CGwMFCQWjmoAFCwkIBwICIgIG
+FQoJCAsCBBYCAwECHgcCF4AACgkQeUw2dG7WihluEAD/e0/fe2ZWu+qsbANLrIeC
+SDcuUOhOjyExEqYUsYBuxxAA+wbnERFA6nO19tZEEVBXYz0yIbSQyCKh4CTPoUBj
+4g4EuDgEZdi2zRIKKwYBBAGXVQEFAQEHQKyr292yAwCT0lK/RaU+BBAFaSywvgvp
+0YXqHyjrHBUQAwEIB4h+BBgWCgAmFiEEFMj00C+87r6gxkIweUw2dG7WihkFAmXY
+ts0CGwwFCQWjmoAACgkQeUw2dG7Wihli3AEAqd2f5uOgNylWH0HeLfnAR2xUz69G
+lQdnr5MH33bDUu0A/1Q7OvzCTXQmjxFrAyqEn8UDs3y+wCri3z0OfX49ElgK
+=pyub
+-----END PGP PUBLIC KEY BLOCK-----
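Review bot: The `su pguser -c 'gpg --import /home/pguser/gpg-public-key'` step imports whatever key happens to be in the build context without checking its identity, so anyone who can change `serve-encrypt/gpg-public-key` (or the build context) silently swaps the recipient of everything this image later encrypts; add a fingerprint assertion right after the import, e.g. `su pguser -c "gpg --list-keys --with-colons | grep -q '^fpr:.*:${EXPECTED_FPR}:$'"` with the expected fingerprint hard-coded or passed as an `ARG`, so the build fails on a substituted key. An imported key also carries no ownertrust, so a non-interactive `gpg --encrypt -r serve@scilifelab.se` later (presumably this image's purpose — no entrypoint or encrypt step is visible in this hunk) would need `--trust-model always` or an ownertrust import; whichever the runtime relies on should be stated in a comment beside the import so it is not "fixed" away. The workflow passes `build-args: version=…`, but this Dockerfile declares no `ARG version`, so the value is discarded with a build warning; add `ARG version` plus a `LABEL` that records it, or drop the build-arg. Finally, `FROM debian:stable-slim` is a floating tag that moves to a new major release over time; pinning a codename tag (`debian:bookworm-slim`) or a digest keeps the published image reproducible.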