feat: Certbot update, base image bumped, repo clean up (#47)

BREAKING CHANGE: Certbot updated (9 minor versions), base image updated one based on Alpine 3.14

.github/workflows/ci.yml

@@ -11,13 +11,11 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
     steps:
       - uses: actions/checkout@master
-
-      - name: Set up java for tests execution
-        uses: actions/setup-java@v1
-        with:
-          java-version: 11
 
       - name: Set tag var
         id: vars
@@ -30,17 +28,7 @@ jobs:
         run: docker build . -t ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }}
 
       - name: Test Docker image
-        run: cd tests && sudo gradle test --info -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }}
-
-      - name: Scan with Phonito Security
-        uses: phonito/phonito-scanner-action@master
-        with:
-          image: ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }}
-          phonito-token: '${{ secrets.PHONITO_TOKEN }}'
-
-      - name: Scan with Snyk
-        uses: snyk/actions/[email protected]
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          image: ${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }}
+        run: cd tests && sudo --preserve-env gradle test --info -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.docker_tag }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }}
+        env: # To allow downloading packages
+          GITHUB_USERNAME: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci_cd.yml

@@ -10,16 +10,14 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # To add version tags
+      packages: write # To push docker image
     steps:
       - uses: actions/checkout@master
 
-      - name: Set up java for tests execution
-        uses: actions/setup-java@v1
-        with:
-          java-version: 11
-
       - name: "Determine release version"
-        uses: codfish/semantic-release-action@master
+        uses: docker://ghcr.io/codfish/semantic-release-action:v1.9.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -29,7 +27,11 @@ jobs:
       - name: "Build Docker image"
         if: env.RELEASE_VERSION != ''
         run: |
-          docker build . -t "$IMAGE_NAME:$RELEASE_VERSION" \
+          docker build . \
+              --tag "$IMAGE_NAME:$RELEASE_VERSION" \
+              --tag "$IMAGE_NAME:latest" \
+              --tag "ghcr.io/$IMAGE_NAME:$RELEASE_VERSION" \
+              --tag "ghcr.io/$IMAGE_NAME:latest" \
               --label "org.label-schema.schema-version=1.0" \
               --label "org.label-schema.vcs-ref=${GITHUB_SHA}" \
               --label "org.label-schema.vcs-url=https://github.com/${GITHUB_REPOSITORY}" \
@@ -40,43 +42,33 @@ jobs:
 
       - name: Test Docker image
         if: env.RELEASE_VERSION != ''
-        run: cd tests && sudo gradle test -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }}
+        run: cd tests && sudo --preserve-env gradle test -Ddocker_image_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} -Droot_domain=${{ secrets.ROOT_DOMAIN }} -Dacme_email=${{ secrets.ACME_EMAIL }} -Dcloudflare_token=${{ secrets.CLOUDFLARE_TOKEN }}
+        env: # To allow downloading packages
+          GITHUB_USERNAME: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Scan with Phonito Security
-        if: env.RELEASE_VERSION != ''
-        uses: phonito/phonito-scanner-action@master
-        with:
-          image: ${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
-          phonito-token: '${{ secrets.PHONITO_TOKEN }}'
-
-      - name: Scan with Snyk
-        if: env.RELEASE_VERSION != ''
-        uses: snyk/actions/[email protected]
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          image: ${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
-
-      - name: "Tag image as latest"
-        if: env.RELEASE_VERSION != ''
-        run: "docker tag $IMAGE_NAME:$RELEASE_VERSION $IMAGE_NAME:latest"
-
+      # Docker hub
       - name: "Log into Docker Hub"
         if: env.RELEASE_VERSION != ''
         run: "echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login --username ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin"
 
-      - name: "Push versioned image"
-        if: env.RELEASE_VERSION != ''
-        run: "docker push $IMAGE_NAME:$RELEASE_VERSION"
-
-      - name: "Push latest image"
+      - name: "Push to DockerHub"
         if: env.RELEASE_VERSION != ''
-        run: "docker push $IMAGE_NAME:latest"
+        run: "docker push $IMAGE_NAME:$RELEASE_VERSION && docker push $IMAGE_NAME:latest"
 
       - name: "Update Docker Hub description"
         if: env.RELEASE_VERSION != ''
-        uses: peter-evans/dockerhub-description@v2.2.0
+        uses: peter-evans/dockerhub-description@v2.4.3
         env:
           DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
           DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
           DOCKERHUB_REPOSITORY: ${{ env.IMAGE_NAME }}
+
+      # GitHub Packages
+      - name: "Log into GitHub Packages"
+        if: env.RELEASE_VERSION != ''
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: "Push to GitHub Packages"
+        if: env.RELEASE_VERSION != ''
+        run: "docker push ghcr.io/$IMAGE_NAME:$RELEASE_VERSION && docker push ghcr.io/$IMAGE_NAME:latest"

.gitignore

@@ -17,4 +17,6 @@ gradle-app.setting
 !gradle-wrapper.jar
 
 # Cache of project
-.gradletasknamecache
+.gradletasknamecache
+
+*.tmp

Dockerfile

@@ -1,8 +1,8 @@
-FROM certbot/certbot:v1.6.0 as certbot
+FROM certbot/certbot:v1.17.0 as certbot
 
-FROM homecentr/cron-base:1.2.1
+FROM homecentr/cron-base:2.0.0
 
-ARG CERTBOT_PIP_VERSION="1.6.0"
+ARG CERTBOT_PIP_VERSION="1.17.0"
 
 ENV CERTBOT_ARGS=""
 ENV CRON_SCHEDULE="30 * * * *"
@@ -11,21 +11,25 @@ ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 COPY --from=certbot /usr/local/bin/certbot /usr/local/bin/certbot
 
 RUN apk add --no-cache \
-      python3=3.8.5-r0 \ 
+      python3=3.9.5-r1 \ 
       # Required from Certbot version 1.5.0
-      py3-six=1.15.0-r0 \
-      py3-requests=2.23.0-r0 \
-      py3-distro=1.5.0-r1	&& \
+      py3-six=1.15.0-r1	\
+      py3-requests=2.25.1-r4 \
+      py3-distro=1.5.0-r3	\
+      py3-wheel=0.36.2-r2 \
+      py3-setuptools=52.0.0-r3 && \
     apk add --no-cache --virtual deps \
-      python3-dev=3.8.5-r0 \
-      py3-pip=20.1.1-r0 \
-      gcc=9.3.0-r2 \
+      python3-dev=3.9.5-r1 \
+      py3-pip=20.3.4-r1 \
+      gcc=10.3.1_git20210424-r2 \
       libffi-dev=3.3-r2 \
-      openssl-dev=1.1.1g-r0	\
-      musl-dev=1.1.24-r9 &&\
-      pip3 install --upgrade pip==20.1.1 && \
-      pip3 install \
-        setuptools==47.3.1 \
+      openssl-dev=1.1.1k-r0	\
+      musl-dev=1.2.2-r3	\
+      cargo=1.52.0-r0	\
+      && \
+      pip3 install --no-cache-dir --upgrade pip==21.1.3 && \
+      pip3 install --no-cache-dir \
+        # setuptools==57.1.0 \
         acme==${CERTBOT_PIP_VERSION} \
         certbot==${CERTBOT_PIP_VERSION} \
         certbot-dns-cloudflare==${CERTBOT_PIP_VERSION} \

README.md

@@ -2,7 +2,7 @@
 [![](https://badgen.net/docker/pulls/homecentr/certbot)](https://hub.docker.com/repository/docker/homecentr/certbot) 
 [![](https://badgen.net/docker/size/homecentr/certbot)](https://hub.docker.com/repository/docker/homecentr/certbot)
 
-![CI/CD on master](https://github.com/homecentr/docker-certbot/workflows/CI/CD%20on%20master/badge.svg) ![Regular Docker image vulnerability scan](https://github.com/homecentr/docker-certbot/workflows/Regular%20Docker%20image%20vulnerability%20scan/badge.svg)
+![CI/CD on master](https://github.com/homecentr/docker-certbot/workflows/CI/CD%20on%20master/badge.svg)
 
 
 # HomeCentr - certbot

SECURITY.md

@@ -10,6 +10,6 @@ Known security issues will be published in GitHub repository's Security / Securi
 
 ## Automated processes
 
-The Docker image is scanned for vulnerabilities every 24 hours using [Phonito.io](https://phonito.io/?b=a) and [Snyk](https://snyk.io). You can see the scan status under the actions tab / Regular Docker image vulnerability scan.
+The Docker image is regularly scanned for vulnerabilities with [Snyk.io](https://snyk.io/).
 
 The dependencies are automatically scanned using [Dependabot](https://dependabot.com/). Dependencies are regularly updated. You can check for pending dependency updates by listing open Pull requests with the "dependencies" label.

tests/build.gradle

@@ -1,5 +1,6 @@
 plugins {
     id 'java'
+    id 'maven-publish'
 }
 
 group 'org.homecentr'
@@ -10,16 +11,21 @@ sourceCompatibility = 1.8
 repositories {
     mavenCentral()
     maven {
-        url  "https://dl.bintray.com/homecentr/maven"
+        name = "GitHubPackages"
+        url = uri("https://maven.pkg.github.com/homecentr/lib-testcontainers-extensions")
+        credentials {
+            username = System.getenv("GITHUB_USERNAME")
+            password = System.getenv("GITHUB_TOKEN")
+        }
     }
 }
 
 dependencies {
-    testImplementation group: 'junit', name: 'junit', version: '4.13'
-    testImplementation 'org.testcontainers:testcontainers:1.14.3'
-    testImplementation 'io.homecentr:testcontainers-extensions:1.4.0'
-    testImplementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.30'
-    testImplementation group: 'org.slf4j', name: 'slf4j-simple', version: '1.7.30'
+    testImplementation group: 'junit', name: 'junit', version: '4.13.2'
+    testImplementation group: 'org.testcontainers', name: 'testcontainers', version: '1.15.3'
+    testImplementation group: 'io.homecentr', name: 'testcontainers-extensions', version: '1.5.0'
+    testImplementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.31'
+    testImplementation group: 'org.slf4j', name: 'slf4j-simple', version: '1.7.31'
 }
 
 test {

tests/settings.gradle

@@ -1,2 +1,2 @@
-rootProject.name = 'docker-$$IMAGE_NAME$$-tests'
+rootProject.name = 'docker-certbot-tests'
 

tests/src/test/java/ContainerTestBase.java

@@ -13,7 +13,7 @@ public abstract class ContainerTestBase {
 
     @BeforeClass
     public static void setUp() {
-        String dockerImageTag = System.getProperty("image_tag", "homecentr/$$IMAGE_NAME$$");
+        String dockerImageTag = System.getProperty("image_tag", "homecentr/certbot");
 
         logger.info("Tested Docker image tag: {}", dockerImageTag);
 

tests/src/test/java/TestConfiguration.java

@@ -1,4 +1,5 @@
 import java.io.BufferedWriter;
+import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.nio.file.Paths;
@@ -33,7 +34,13 @@ public String getCertbotArgs() {
     }
 
     public void createCredentialsSecretFile() throws IOException {
-        try (BufferedWriter writer = new BufferedWriter(new FileWriter(cloudflareCredentialsHostPath))) {
+        File secretFile = new File(cloudflareCredentialsHostPath);
+
+        if(secretFile.exists()) {
+            secretFile.delete();
+        }
+
+        try (BufferedWriter writer = new BufferedWriter(new FileWriter(secretFile))) {
             writer.write("dns_cloudflare_api_token = " + getCloudflareToken());
             writer.flush();
         }