Derive our own studio image so CF will expose PORT instead of 3000
mogul committed Jul 27, 2024
1 parent 61404e9 commit 415d2ae
Showing 4 changed files with 86 additions and 5 deletions.
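--- a/.docker/studio.Dockerfile
+++ b/.docker/studio.Dockerfile
@@ -0,0 +1,6 @@
+FROM ghcr.io/supabase/studio:v1.24.05
+
+# Override the EXPOSE port
+ENV PORT=8080
+EXPOSE 8080
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "require('http').get('http://localhost:8080/api/profile', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})" ]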
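Review bot: The HEALTHCHECK on the last line cannot pass as written: in exec form `CMD [ "..." ]` the single array element is executed as the program name, so Docker will try to run a binary literally called `require('http').get(...)` instead of handing the script to node, and the container will be reported unhealthy. It should read `CMD node -e "require('http').get('http://localhost:8080/api/profile', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})"` (or the exec form `[ "node", "-e", "..." ]`). Separately, `EXPOSE 8080` does not replace an `EXPOSE` already declared by the base image — EXPOSE entries accumulate across layers — so if the base image exposes 3000, as the commit title implies, the comment `# Override the EXPOSE port` overstates what happens and how Cloud Foundry chooses a port when an image exposes more than one should be confirmed; the hard-coded `8080` in the health check will likewise diverge from `PORT` if the platform injects a different value. Consider pinning the base image by digest (`ghcr.io/supabase/studio:v1.24.05@sha256:…`) rather than by tag alone, so the image that was scanned is the image that gets rebuilt.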
80 changes: 80 additions & 0 deletions .github/workflows/build-scan-push.yml
@@ -0,0 +1,80 @@
---
name: Build images, scan, push to GHCR
on:
workflow_dispatch:
schedule:
- cron: '0 5 * * 0'

jobs:
build-and-scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
env:
GH_REPO: gsa-tts/cg-supabase
strategy:
fail-fast: false
matrix:
image:
# - name: ghcr.io/supabase/postgres-meta:v0.83.2
# short-name: meta
# - name: postgrest/postgrest:latest
# short-name: rest
# - name: ghcr.io/supabase/storage-api:v1.7.0
# short-name: storage
- name: ghcr.io/supabase/studio:v1.24.05
short-name: studio
name: Publish ${{ matrix.image.short-name }}
steps:
- name: Build and load Docker image
id: build
uses: docker/build-push-action@v6
with:
context: .
file: ./.docker/${{ matrix.image.short-name }}.Dockerfile
load: true
tags: ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}

- name: Scan Image
uses: aquasecurity/[email protected]
with:
scan-type: 'image'
image-ref: ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
exit-code: 1
scanners: 'vuln'

# Upload results to GH Code Scanning even if the scan exited with 1 due to CRITICAL/HIGH findings
# Just don't carry on and push the image to GHCR!
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ !cancelled() }}
with:
sarif_file: 'trivy-results.sarif'

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set current date as env variable
run: echo "DATESTAMP=$(date +'%Y%m%d')" >> $GITHUB_ENV

- name: Push Image
uses: docker/build-push-action@v6
with:
push: true
tags: >
ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:scanned
ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:${{ env.DATESTAMP }}


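Review bot: The "Push Image" step at the end does not push the image Trivy just scanned: it is a second `docker/build-push-action` with no `context` or `file`, so it builds from the action's default Git context (not `.docker/studio.Dockerfile`), and `tags: >` is a folded scalar that joins the three tags with spaces into a single string rather than the newline-separated list the action splits on. The first build step also uses `context: .`, which reads the runner workspace, yet there is no `actions/checkout` step before it (the sibling pull-scan-push-images.yml has one), so the Dockerfile path will not exist unless something else populates the workspace. The safer shape is to check out the repository up front and then retag and `docker push` the already-loaded image, so the bytes that land in GHCR are exactly the bytes that passed the scan; I would also pin the third-party actions (`aquasecurity/trivy-action` in particular) to commit SHAs rather than mutable release tags.

```yaml
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # … unchanged: build with load: true, Trivy scan, SARIF upload, GHCR login, DATESTAMP …

      - name: Push Image
        run: |
          image="ghcr.io/${GH_REPO}/${{ matrix.image.short-name }}"
          for tag in latest scanned "${DATESTAMP}"; do
            docker tag "${image}" "${image}:${tag}"
            docker push "${image}:${tag}"
          done
```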
4 changes: 0 additions & 4 deletions .github/workflows/pull-scan-push-images.yml
Expand Up @@ -18,16 +18,12 @@
fail-fast: false
matrix:
image:
- name: kong:2.8.5
short-name: kong
- name: ghcr.io/supabase/postgres-meta:v0.83.2
short-name: meta
- name: postgrest/postgrest:latest
short-name: rest
- name: ghcr.io/supabase/storage-api:v1.7.0
short-name: storage
- name: ghcr.io/supabase/studio:v1.24.05
short-name: studio
name: Scan ${{ matrix.image.short-name }}
steps:
- name: Checkout
1 change: 0 additions & 1 deletion supabase/studio.tf
Expand Up @@ -13,7 +13,6 @@ resource "cloudfoundry_route" "supabase-studio" {
space = data.cloudfoundry_space.apps.id
domain = data.cloudfoundry_domain.private.id
hostname = "supabase-studio${local.slug}"
port = 3000
}

resource "cloudfoundry_service_key" "studio" {
