From 415d2ae15eee70f25bf40c3d478db8c030c3215c Mon Sep 17 00:00:00 2001
From: Bret Mogilefsky
Date: Sat, 27 Jul 2024 11:10:36 -0700
Subject: [PATCH] Derive our own studio image so CF will expose PORT instead of 3000

---
 .docker/studio.Dockerfile | 6 ++
 .github/workflows/build-scan-push.yml | 80 +++++++++++++++++++++
 .github/workflows/pull-scan-push-images.yml | 4 --
 supabase/studio.tf | 1 -
 4 files changed, 86 insertions(+), 5 deletions(-)
 create mode 100644 .docker/studio.Dockerfile
 create mode 100644 .github/workflows/build-scan-push.yml

diff --git a/.docker/studio.Dockerfile b/.docker/studio.Dockerfile
new file mode 100644
index 0000000..1a3268f
--- /dev/null
+++ b/.docker/studio.Dockerfile
@@ -0,0 +1,6 @@
+FROM ghcr.io/supabase/studio:v1.24.05
+
+# Override the EXPOSE port
+ENV PORT=8080
+EXPOSE 8080
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "require('http').get('http://localhost:8080/api/profile', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})" ]
diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
new file mode 100644
index 0000000..3828313
--- /dev/null
+++ b/.github/workflows/build-scan-push.yml
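Review bot: The HEALTHCHECK on the last line of the Dockerfile hunk uses exec form but passes the JavaScript snippet as the executable itself, with no `node -e`, so the probe cannot exec and will fail on every run, marking the container unhealthy regardless of the app's state. It should read `HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "node", "-e", "require('http').get('http://localhost:8080/api/profile', (r) => {if (r.statusCode !== 200) throw new Error(r.statusCode)})" ]`. Cloud Foundry runs its own port/HTTP health check and, as far as I know, does not honor the image's HEALTHCHECK, so this mainly matters for local runs and other runtimes, but a probe that can never pass is still wrong. Separately, the base image on the first line is pinned only to the mutable tag `v1.24.05`; since the weekly workflow rebuilds from it, pin by digest as well (`FROM ghcr.io/supabase/studio:v1.24.05@sha256:<digest>`) so the scanned and published image cannot silently change between runs.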
@@ -0,0 +1,80 @@
+---
+ name: Build images, scan, push to GHCR
+ on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 5 * * 0'
+
+ jobs:
+ build-and-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ security-events: write
+ env:
+ GH_REPO: gsa-tts/cg-supabase
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ # - name: ghcr.io/supabase/postgres-meta:v0.83.2
+ # short-name: meta
+ # - name: postgrest/postgrest:latest
+ # short-name: rest
+ # - name: ghcr.io/supabase/storage-api:v1.7.0
+ # short-name: storage
+ - name: ghcr.io/supabase/studio:v1.24.05
+ short-name: studio
+ name: Publish ${{ matrix.image.short-name }}
+ steps:
+ - name: Build and load Docker image
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./.docker/${{ matrix.image.short-name }}.Dockerfile
+ load: true
+ tags: ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
+
+ - name: Scan Image
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ scan-type: 'image'
+ image-ref: ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ exit-code: 1
+ scanners: 'vuln'
+
+ # Upload results to GH Code Scanning even if the scan exited with 1 due to CRITICAL/HIGH findings
+ # Just don't carry on and push the image to GHCR!
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: ${{ !cancelled() }}
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set current date as env variable
+ run: echo "DATESTAMP=$(date +'%Y%m%d')" >> $GITHUB_ENV
+
+ - name: Push Image
+ uses: docker/build-push-action@v6
+ with:
+ push: true
+ tags: >
+ ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
+ ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:scanned
+ ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:${{ env.DATESTAMP }}
+
+
+
+
diff --git a/.github/workflows/pull-scan-push-images.yml b/.github/workflows/pull-scan-push-images.yml
index 3b35dc3..edb1cdd 100644
--- a/.github/workflows/pull-scan-push-images.yml
+++ b/.github/workflows/pull-scan-push-images.yml
@@ -18,16 +18,12 @@
fail-fast: false
matrix:
image:
- - name: kong:2.8.5
- short-name: kong
- name: ghcr.io/supabase/postgres-meta:v0.83.2
short-name: meta
- name: postgrest/postgrest:latest
short-name: rest
- name: ghcr.io/supabase/storage-api:v1.7.0
short-name: storage
- - name: ghcr.io/supabase/studio:v1.24.05
- short-name: studio
name: Scan ${{ matrix.image.short-name }}
steps:
- name: Checkout
diff --git a/supabase/studio.tf b/supabase/studio.tf
index 16a8dc2..1428b1e 100644
--- a/supabase/studio.tf
+++ b/supabase/studio.tf
@@ -13,7 +13,6 @@ resource "cloudfoundry_route" "supabase-studio" {
space = data.cloudfoundry_space.apps.id
domain = data.cloudfoundry_domain.private.id
hostname = "supabase-studio${local.slug}"
- port = 3000
}

resource "cloudfoundry_service_key" "studio" {
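Review bot: The Push Image step at the end of the build-scan-push.yml hunk runs a second `docker/build-push-action` with `push: true` and no `context`/`file`, so it does not publish the image Trivy just scanned: it rebuilds from the action's default Git context and a root `Dockerfile` (this diff shows none; the real one is `.docker/studio.Dockerfile`), and even with matching inputs a rebuild may pull a different `v1.24.05` base, which makes the `:scanned` tag a claim the job never verifies. Push the locally loaded image instead, as in the step below, so the published bytes are exactly what passed the CRITICAL/HIGH gate. The build step also has no preceding `actions/checkout`, yet `context: .` and `file: ./.docker/...` resolve against the runner workspace, so unless I am missing something the first step should be `- uses: actions/checkout@v4`, as pull-scan-push-images.yml already does. For supply-chain hygiene, pin the third-party actions (`docker/build-push-action@v6`, `aquasecurity/trivy-action@0.24.0`, `docker/login-action@v3`, `github/codeql-action/upload-sarif@v3`) to full commit SHAs rather than mutable tags, since this job runs with `packages: write`.
```yaml
      # … unchanged: build/load, Trivy scan, SARIF upload, GHCR login, DATESTAMP steps …
      - name: Push Image
        # Push the exact local image that was scanned; a second build-push-action
        # would rebuild (and, without context/file, from the wrong Dockerfile).
        env:
          SHORT_NAME: ${{ matrix.image.short-name }}
        run: |
          set -euo pipefail
          SRC="ghcr.io/${GH_REPO}/${SHORT_NAME}"
          for TAG in latest scanned "${DATESTAMP}"; do
            docker tag "${SRC}" "${SRC}:${TAG}"
            docker push "${SRC}:${TAG}"
          done
```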