benjamin-wilson · benjamin-wilson · Dec 13, 2023 · Dec 12, 2023 · Dec 12, 2023 · Dec 12, 2023
diff --git a/.github/workflows/build-image-on-push.yml b/.github/workflows/build-image-on-push.yml
@@ -0,0 +1,35 @@
+name: "Test build of image when Dockerfile is changed"
+
+on:
+  push:
+    branches-ignore:
+    - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  rebuild-container:
+    name: "Build image with cache"
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Set up QEMU
+        uses: docker/[email protected]
+        with:
+          platforms: linux/arm64
+      - 
+        name: Set up Docker Buildx
+        uses: docker/[email protected]
+      - 
+        name: Checkout repository
+        uses: actions/checkout@v4
+      - 
+        name: Build image
+        id: docker_build_amd64
+        uses: docker/[email protected]
+        with:
+          push: false
+          load: true
+          platforms: linux/amd64
+          tags: public-pool:amd64
+          cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
@@ -0,0 +1,37 @@
+name: Build and scan container for vulnerabilities with Trivy
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '22 14 * * 0'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and scan images
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Checkout code
+        uses: actions/checkout@v4
+      - 
+        name: Build image from Dockerfile
+        uses: docker/[email protected]
+        with:
+          push: false
+          load: true
+          tags: ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+      - 
+        name: Run Trivy vulnerability scanner against "latest" image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ secrets.DOCKER_USERNAME }}/public-pool:latest'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - 
+        name: Upload "latest" Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/update-base-image.yml b/.github/workflows/update-base-image.yml
@@ -0,0 +1,61 @@
+name: "Update image and push to Github Packages and Docker Hub weekly"
+
+on:
+  schedule:
+    - cron: "0 12 * * 1" # Run every Monday at noon.
+  workflow_dispatch:
+
+jobs:
+  rebuild-container:
+    name: "Rebuild Container with the latest base image"
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Prepare outputs
+        id: prep
+        run: |
+          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+      - 
+        name: Set up QEMU
+        uses: docker/[email protected]
+        with:
+          platforms: linux/arm64
+      - 
+        name: Set up Docker Buildx
+        uses: docker/[email protected]
+      - 
+        name: Login to GitHub Container Registry
+        uses: docker/[email protected] 
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - 
+        name: Login to DockerHub
+        uses: docker/[email protected] 
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - 
+        name: Checkout repository
+        uses: actions/checkout@v4
+      - 
+        name: Get short SHA
+        id: get_short_sha
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      - 
+        name: Build and push to Docker Hub and GitHub Packages Docker Registry
+        id: docker_build
+        uses: docker/[email protected]
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/public-pool:latest
+            ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
diff --git a/.github/workflows/update-image-on-push.yml b/.github/workflows/update-image-on-push.yml
@@ -0,0 +1,64 @@
+name: "Update image when Dockerfile is changed"
+
+on:
+  push:
+    branches:
+    - master
+  workflow_dispatch:
+
+jobs:
+  rebuild-container:
+    name: "Rebuild Container with the latest base image"
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Prepare outputs
+        id: prep
+        run: |
+          echo "::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+      - 
+        name: Set up QEMU
+        uses: docker/[email protected]
+        with:
+          platforms: linux/arm64
+      - 
+        name: Set up Docker Buildx
+        uses: docker/[email protected]
+      - 
+        name: Login to GitHub Container Registry
+        uses: docker/[email protected] 
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - 
+        name: Login to DockerHub
+        uses: docker/[email protected] 
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - 
+        name: Checkout repository
+        uses: actions/checkout@v4
+      - 
+        name: Get short SHA
+        id: get_short_sha
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      - 
+        name: Build and push to Docker Hub and GitHub Packages Docker Registry
+        uses: docker/[email protected]
+        id: docker_build_push
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/public-pool:latest
+            ghcr.io/${{ github.repository_owner }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+            ${{ secrets.DOCKER_USERNAME }}/public-pool:${{ steps.get_short_sha.outputs.sha_short }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/public-pool:latest
+          cache-to: type=inline
diff --git a/Dockerfile b/Dockerfile
@@ -2,27 +2,35 @@
 # Docker build environment #
 ############################
 
-FROM node:18.16.1-bookworm AS build
+FROM node:18.16.1-bookworm-slim AS build
+
+# Upgrade all packages and install dependencies
+RUN apt-get update \
+    && apt-get upgrade -y
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        python3 \
+        build-essential \
+    && apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 WORKDIR /build
 
 COPY . .
 
-RUN npm i
-RUN npm run build
+# Build Public Pool using NPM
+RUN npm i && npm run build
 
 ############################
 # Docker final environment #
 ############################
 
-FROM node:18.16.1-bookworm
+FROM node:18.16.1-bookworm-slim
 
-EXPOSE 3333
-EXPOSE 3334
-EXPOSE 8332
+# Expose ports for Stratum and Bitcoin RPC
+EXPOSE 3333 3334 8332
 
 WORKDIR /public-pool
 
+# Copy built binaries into the final image
 COPY --from=build /build .
 #COPY .env.example .env