fix: security build issue (#198)

* ci: trigger security build job in PRs * chore: clean up * fix: sonarqube warnings * fix: issue with copying parts of the source code * chore: nit
0xPolygon · Feb 5, 2024 · 1bc7aaa · 1bc7aaa
1 parent eb0fec8
commit 1bc7aaa
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 18 deletions.
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -2,9 +2,7 @@ name: "Build Pipeline (Docker)"
 
 on:
   push:
-    branches:
-      - jesse/pipeline-deploy
-      - main
+    branches: [main]
 
 env:
   IMAGE_NAME: "${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ secrets.DOCKER_REPOSITORY }}/polygon-cli"
@@ -55,9 +53,9 @@ jobs:
       #   run: |-
       #     export CLOUDSDK_CORE_DISABLE_PROMPTS=1
       #     gcloud components install beta --quiet
-          
+
       #     DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)')
-          
+
       #     gcloud beta container binauthz attestations sign-and-create \
       #         --artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \
       #         --attestor="${{ env.ATTESTOR }}" \

diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -2,9 +2,7 @@ name: "Build Pipeline (Debian)"
 
 on:
   push:
-    branches:
-      - jesse/pipeline-deploy
-      - main
+    branches: [main]
 
 jobs:
   build-pipeline-apt:

diff --git a/.github/workflows/security-build.yml b/.github/workflows/security-build.yml
@@ -1,10 +1,10 @@
 name: Security Build
 
 on:
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
-  workflow_dispatch: {}
+    branches: [main]
 
 jobs:
   sonarqube:

diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,31 @@
-FROM golang:1.21 as builder
-WORKDIR /go/src/app
+FROM golang:1.21 AS builder
+WORKDIR /workspace
 COPY go.mod go.sum ./
 RUN go mod download
-COPY . .
-RUN CGO_ENABLED=0 make build
 
-FROM scratch
+COPY abi/ abi/
+COPY bindings/ bindings/
+COPY cmd/ cmd/
+COPY dashboard/ dashboard/
+COPY gethkeystore/ gethkeystore/
+COPY hdwallet/ hdwallet/
+COPY metrics/ metrics/
+COPY p2p/ p2p/
+COPY proto/ proto/
+COPY rpctypes/ rpctypes/
+COPY util/ util/
+COPY main.go ./
+RUN CGO_ENABLED=0 go build -o polycli main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=builder /go/src/app/out/polycli /usr/bin/polycli
+COPY --from=builder /workspace/polycli /usr/bin/polycli
+USER 65532:65532
 ENTRYPOINT ["polycli"]
-CMD ["--help"]
+CMD ["--help"]
+
+# How to test this image?
+# https://github.com/maticnetwork/polygon-cli/pull/189#discussion_r1464486344