Merge pull request #264 from babylonlabs-io/devops/add-docker-sec

(docker)resolve Dockerfile issue & fix CVEs
babylonlabs-io · Nov 21, 2024 · 4c70a72 · 4c70a72
2 parents f138195 + 007fd20
commit 4c70a72
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 9 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -20,10 +20,16 @@ jobs:
       run-lint: true
 
   docker_pipeline:
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
     needs: ["lint_test"]
     secrets: inherit
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
     with:
       publish: true
       dockerfile: ./contrib/images/babylond/Dockerfile
       repoName: babylond
+      docker_scan: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,7 +42,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [278](https://github.com/babylonlabs-io/babylon/pull/278) Allow unbonding time to be min unbonding value
 
 ### Improvements
-
+- [#264](https://github.com/babylonlabs-io/babylon/pull/264) bump docker workflow 
+version to 0.10.2, fix some Dockerfile issues
 - [#284](https://github.com/babylonlabs-io/babylon/pull/284) Update cosmos sdk math dependency
 - [#285](https://github.com/babylonlabs-io/babylon/pull/285) Update cometbft dependency
 version

diff --git a/contrib/images/babylond/Dockerfile b/contrib/images/babylond/Dockerfile
@@ -15,8 +15,8 @@ ARG LEDGER_ENABLED="false"
 
 
 # Install cli tools for building and final image
-RUN apk add --update --no-cache make git bash gcc linux-headers eudev-dev ncurses-dev openssh curl jq
-RUN apk add --no-cache musl-dev
+# hadolint ignore=DL3018
+RUN apk add --update --no-cache make git bash gcc linux-headers eudev-dev ncurses-dev openssh curl jq musl-dev && rm -rf /var/cache/apk/\*
 
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/babylon
@@ -32,12 +32,13 @@ RUN if [ -n "${VERSION}" ]; then \
     fi
 
 # Cosmwasm - Download correct libwasmvm version
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(go list -m github.com/CosmWasm/wasmvm/v2 | cut -d ' ' -f 2) && \
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
-    -O /lib/libwasmvm_muslc.$(uname -m).a && \
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc."$(uname -m)".a \
+    -O /lib/libwasmvm_muslc."$(uname -m)".a && \
     # verify checksum
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
-    sha256sum /lib/libwasmvm_muslc.$(uname -m).a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc.$(uname -m) | cut -d ' ' -f 1)
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/"$WASMVM_VERSION"/checksums.txt -O /tmp/checksums.txt && \
+    sha256sum /lib/libwasmvm_muslc."$(uname -m)".a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc."$(uname -m)" | cut -d ' ' -f 1)
 
 RUN LEDGER_ENABLED=$LEDGER_ENABLED \
     BABYLON_BUILD_OPTIONS=$BABYLON_BUILD_OPTIONS \
@@ -49,7 +50,8 @@ RUN LEDGER_ENABLED=$LEDGER_ENABLED \
 FROM alpine:3.14 AS run
 # Create a user
 RUN addgroup --gid 1137 -S babylon && adduser --uid 1137 -S babylon -G babylon
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN apk --no-cache add bash curl jq && rm -rf /var/cache/apk/\*
 
 # Label should match your github repo
 ARG VERSION