mjanez · mjanez · Sep 28, 2023 · Sep 27, 2023 · Sep 27, 2023 · Sep 27, 2023
diff --git a/.github/workflows/build-master.yml → .github/.old/build-master.yml b/.github/workflows/build-master.yml → .github/.old/build-master.yml
diff --git a/.github/workflows/build-tags.yml → .github/.old/build-tags.yml b/.github/workflows/build-tags.yml → .github/.old/build-tags.yml
diff --git a/.github/workflows/docker-master.yml → .github/.old/docker-master.yml b/.github/workflows/docker-master.yml → .github/.old/docker-master.yml
@@ -20,17 +20,17 @@ jobs:
     steps:
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       -
         name: Login to registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -43,7 +43,7 @@ jobs:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       -
         name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}

diff --git a/.github/workflows/docker-tags.yml → .github/.old/docker-tags.yml b/.github/workflows/docker-tags.yml → .github/.old/docker-tags.yml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,78 @@
+name: Build and push ckan-docker image from PR Merge
+
+on:
+  pull_request:
+    types:
+        - closed
+    branches:
+        - main
+        - 'ckan-*.*.*'
+        - '!dev/ckan-*.*.*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  TAG: ghcr.io/${{ github.repository }}:${{ github.head_ref }}
+  CONTEXT: .
+  BRANCH: ${{ github.head_ref }}
+  DOCKERFILE_PATH: /ckan
+  DOCKERFILE: Dockerfile
+
+jobs:
+  docker:
+    name: runner/build-docker-push:${{ github.head_ref }}
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true
+
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}/blob/${{ env.BRANCH }}/README.md
+            org.opencontainers.image.version=${{ env.BRANCH }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ env.TAG }}
+          labels: ${{ steps.meta.outputs.labels }}
+          context: ${{ env.CONTEXT }}
+          file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Linting Dockerfile with hadolint in GH Actions
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+
+      - name: Run Trivy container image vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
@@ -0,0 +1,88 @@
+name: Test ckan-docker images (PR)
+
+on:
+  pull_request:
+    branches:
+        - main
+        - 'ckan-*.*.*'
+        - '!dev/ckan-*.*.*'
+        - '!*/*'
+
+env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ckan-docker-spatial
+    CONTEXT: .
+    BRANCH: ${{ github.head_ref }}
+    DOCKERFILE_PATH: /ckan
+    DOCKERFILE: Dockerfile
+    HADOLINT_VERSION: 2.12.0
+
+jobs:
+  docker:
+    name: runner/test-docker-pr:${{ github.head_ref }}
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      -  name: NGINX build
+         uses: docker/build-push-action@v5
+         with:
+            context: ./nginx
+            file: ./nginx/Dockerfile
+            push: false
+            tags: mjanez/ckan-docker-nginx:test-build-only
+
+      -  name: Apache HTTP Server build
+         uses: docker/build-push-action@v5
+         with:
+            context: ./apache
+            file: ./apache/Dockerfile
+            push: false
+            tags: mjanez/ckan-docker-apache:test-build-only
+
+      -  name: PostgreSQL build
+         uses: docker/build-push-action@v5
+         with:
+              context: ./postgresql
+              file: ./postgresql/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-postgresql:test-build-only
+
+      -  name: Solr build
+         uses: docker/build-push-action@v5
+         with:
+              context: ./solr
+              file: ./solr/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-solr:test-build-only
+
+      -  name: ckan-pycsw build
+         uses: docker/build-push-action@v4
+         with:
+              context: ./ckan-pycsw
+              file: ./ckan-pycsw/Dockerfile
+              push: false
+              tags: mjanez/ckan-docker-pycsw:test-build-only
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Linting Dockerfile and annotate code inline in the github PR viewer
+        id: hadolint
+        uses: jbergstroem/[email protected]
+        with:
+          dockerfile: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
+          version: ${{ env.HADOLINT_VERSION }}
+          annotate: true
+          error_level: -1
diff --git a/ckan/Dockerfile b/ckan/Dockerfile
@@ -1,4 +1,5 @@
 FROM ghcr.io/mjanez/ckan-base-spatial:ckan-2.9.9
+LABEL maintainer="[email protected]"
 
 # Set up environment variables
 ENV APP_DIR=/srv/app \
@@ -19,7 +20,7 @@
 ### PDFView - 0.0.8 ###
 ### Scheming DCAT - v2.0.0 (GeoDCAT-AP/NTI-RISP extended version) ###
 ### SPARQL Interface - 2.0.1 ###
 RUN echo ${TZ} > /etc/timezone && \
    if ! [ /usr/share/zoneinfo/${TZ} -ef /etc/localtime ]; then cp /usr/share/zoneinfo/${TZ} /etc/localtime ; fi && \
    # Install CKAN extensions
    echo "ckan/ckanext-xloader" && \
@@ -58,7 +59,7 @@
 # Apply any patches needed to CKAN core
 COPY patches ${APP_DIR}/patches

 RUN for d in $APP_DIR/patches/*; do \
    if [ -d $d ]; then \
    for f in `ls $d/*.patch | sort -g`; do \
    cd $SRC_DIR/`basename "$d"` && echo "$0: Applying patch $f to $SRC_DIR/`basename $d`"; patch -p1 < "$f" ; \
@@ -66,4 +67,4 @@
    fi ; \
    done

 CMD $APP_DIR/start_ckan.sh