diff --git a/apps/sage/shiny-base/.dockerfilelintrc b/apps/sage/shiny-base/.dockerfilelintrc
deleted file mode 100644
index d4595a73dd..0000000000
--- a/apps/sage/shiny-base/.dockerfilelintrc
+++ /dev/null
@@ -1,8 +0,0 @@
----
-# https://github.com/replicatedhq/dockerfilelint
-rules:
- apt-get-upgrade: off
- apt-get-update_require_install: off
- apt-get_recommends: off
- apt-get_missing_rm: off
- sudo_usage: off
diff --git a/apps/sage/shiny-base/.github/workflows/docker_build.yml b/apps/sage/shiny-base/.github/workflows/docker_build.yml
deleted file mode 100644
index cf1cf1acc1..0000000000
--- a/apps/sage/shiny-base/.github/workflows/docker_build.yml
+++ /dev/null
@@ -1,99 +0,0 @@
----
-name: Run precommit and conditionally build container
-
-on:
- push:
- branches:
- - '*'
- tags:
- - 'v[0-9]+\.[0-9]+\.[0-9]+'
- pull_request:
- branches:
- - '*'
-
-env:
- REGISTRY: ghcr.io
- IMAGE_PATH: ghcr.io/${{ github.repository }}
- TARFILE_NAME: image.tar
-
-
-jobs:
- tests:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Static Analysis
- uses: pre-commit/action@v3.0.0
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@v4.1.1
- with:
- images: ${{ env.IMAGE_PATH }}
- tags: |
- type=ref,event=branch
- type=ref,event=pr
- type=semver,pattern={{version}} # major.minor.patch
- type=semver,pattern={{major}}.{{minor}}
-
- - name: Check that build works, save for scanning, but don't push yet
- uses: docker/build-push-action@v6.4.0
- with:
- context: .
- push: false
- outputs: type=tar,dest=${{ env.TARFILE_NAME }}
- meta_json: ${{ steps.meta.outputs.json }}
- labels: ${{ steps.meta.outputs.labels }}
-
- - name: Upload tarball for use by Trivy job
- uses: actions/upload-artifact@v4
- with:
- name: ${{ env.TARFILE_NAME }}
- path: ${{ env.TARFILE_NAME }}
-
- outputs:
- meta_json: ${{ steps.meta.outputs.json }}
- tarfile_artifact: ${{ env.TARFILE_NAME }}
-
- trivy-scan:
- needs: tests
- uses: "./.github/workflows/trivy.yml"
- with:
- SOURCE_TYPE: tar
- IMAGE_NAME: image-name
- TARFILE_NAME: ${{ needs.tests.outputs.tarfile_artifact }}
- EXIT_CODE: 1
-
- push-image:
- if: ${{ github.event_name == 'push' }}
- needs: [tests, trivy-scan]
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- strategy:
- matrix:
- value: ${{ fromJSON(needs.tests.outputs.meta_json).tags }}
-
- steps:
- - name: Login to GitHub Container Registry
- uses: docker/login-action@v2
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Build and push Docker image
- uses: docker/build-push-action@v6.4.0
- with:
- context: .
- push: true
- tags: ${{ matrix.value }}
- - name: Push Docker image
- run: docker push ${{ matrix.value }}
-...
diff --git a/apps/sage/shiny-base/.github/workflows/trivy.yml b/apps/sage/shiny-base/.github/workflows/trivy.yml
deleted file mode 100644
index fff8248576..0000000000
--- a/apps/sage/shiny-base/.github/workflows/trivy.yml
+++ /dev/null
@@ -1,89 +0,0 @@
----
-#
-# This workflow runs Trivy on a Docker image
-# It can pull the image from a container registry
-# or download a tar file. The latter is used
-# to check a container image prior to publishing
-# to the registry.
-
-name: Run Trivy on a Docker image and push results to GitHub
-
-on:
- workflow_call:
- inputs:
- SOURCE_TYPE: # 'tar' or 'image'
- required: true
- type: string
- TARFILE_NAME: # only used if SOURCE_TYPE=='tar'
- required: false
- type: string
- IMAGE_NAME:
- required: true
- type: string
- EXIT_CODE: # return code for failed scan. 0 means OK. Non-zero will fail the build when there are findings.
- required: false
- type: number
- default: 0
- outputs:
- trivy_conclusion:
- description: "The pass/fail return code from Trivy"
- value: ${{ jobs.trivy.outputs.trivy_conclusion }}
-env:
- sarif_file_name: trivy-results.sarif
- # https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2363829387
- TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
-jobs:
- trivy:
- name: Trivy
- runs-on: ubuntu-latest
- permissions:
- contents: read
- security-events: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Download tar file
- id: tar-download
- uses: actions/download-artifact@v4
- if: ${{ inputs.SOURCE_TYPE == 'tar' }}
- with:
- name: ${{ inputs.TARFILE_NAME }}
- path: /tmp
-
- - name: load docker image from tar file
- if: ${{ inputs.SOURCE_TYPE == 'tar' }}
- run: cat ${{ steps.tar-download.outputs.download-path
- }}/${{ inputs.TARFILE_NAME
- }} | docker import - ${{ inputs.IMAGE_NAME }}
-
- - name: Run Trivy vulnerability scanner for any major issues
- uses: aquasecurity/trivy-action@0.28.0
- id: trivy
- with:
- image-ref: ${{ inputs.IMAGE_NAME }}
- ignore-unfixed: true # skip vul'ns for which there is no fix
- # list files to skip, each with a justification
- #skip-files: |
- severity: 'CRITICAL,HIGH'
- format: 'sarif'
- # only output findings for configured severities
- limit-severities-for-sarif: true
- output: ${{ env.sarif_file_name }}
- exit-code: ${{ inputs.EXIT_CODE }}
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3.25.12
- # This is the recommended way to upload scan results
- # after Trivy exits with HIGH/CRITICAL findings
- # See https://github.com/aquasecurity/trivy-action?\
- # tab=readme-ov-file#using-trivy-with-github-code-scanning
- if: ${{ success() || steps.trivy.conclusion=='failure' }}
- with:
- sarif_file: ${{ env.sarif_file_name }}
- wait-for-processing: true
-
- outputs:
- trivy_conclusion: steps.trivy.conclusion
-...
diff --git a/apps/sage/shiny-base/.github/workflows/trivy_periodic_image_scan.yml b/apps/sage/shiny-base/.github/workflows/trivy_periodic_image_scan.yml
deleted file mode 100644
index 2273cc734a..0000000000
--- a/apps/sage/shiny-base/.github/workflows/trivy_periodic_image_scan.yml
+++ /dev/null
@@ -1,60 +0,0 @@
----
-#
-# This workflow scans the published container images
-# for new vulnerabilities daily, publishing findings.
-# Findings will be associated with the 'main' branch
-# of the repo' in the GitHub Security tab.
-#
-name: Trivy Periodic Image Scan
-
-on:
- schedule:
- - cron: "0 0 * * *"
-
-jobs:
- get-image-reference:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout Code
- uses: actions/checkout@v4
-
- - name: Get Version
- id: semver
- uses: ietf-tools/semver-action@v1
- with:
- token: ${{ github.token }}
- branch: main
- skipInvalidTags: true
- noNewCommitBehavior: current
- noVersionBumpBehavior: current
- prefix: "v"
-
- - name: Ensure image name is lower case
- id: image_name
- uses: vishalmamidi/lowercase-action@v1
- with:
- string: ghcr.io/${{ github.repository }}:${{steps.semver.outputs.current}}
- outputs:
- lowercase: ${{ steps.image_name.outputs.lowercase }}
-
- periodic-scan:
- needs: get-image-reference
- uses: "./.github/workflows/trivy.yml"
- with:
- SOURCE_TYPE: image
- IMAGE_NAME: ${{ needs.get-image-reference.outputs.lowercase }}
-
- # If scan failed, rebuild the image
- update-image:
- needs: periodic-scan
- runs-on: ubuntu-latest
- if: ${{!cancelled() && needs.periodic-scan.outputs.trivy_conclusion == 'failure' }}
- # tag the repo to trigger a new build
- steps:
- - name: Bump version and push tag
- id: tag_version
- uses: mathieudutour/github-tag-action@v6.2
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
-...
diff --git a/apps/sage/shiny-base/.pre-commit-config.yaml b/apps/sage/shiny-base/.pre-commit-config.yaml
deleted file mode 100644
index 1dd0475987..0000000000
--- a/apps/sage/shiny-base/.pre-commit-config.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-repos:
- - repo: https://github.com/awslabs/git-secrets
- rev: b9e96b3212fa06aea65964ff0d5cda84ce935f38
- hooks:
- - id: git-secrets
- entry: git-secrets
- args: [--scan, --recursive]
- - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
- hooks:
- # On Windows, git will convert all CRLF to LF,
- # but only after all hooks are done executing.
- # yamllint will fail before git has a chance to convert
- # line endings, so it must be explicitly done before yamllint
- - id: mixed-line-ending
- args: ['--fix=lf']
- description: Forces to replace line ending by the UNIX 'LF' character
- - id: end-of-file-fixer
- - id: trailing-whitespace
- - id: check-json
- - id: check-ast
- - repo: https://github.com/adrienverge/yamllint
- rev: v1.29.0
- hooks:
- - id: yamllint
- entry: yamllint -c .yamllint.yaml
- - repo: https://github.com/Lucas-C/pre-commit-hooks
- rev: v1.4.2
- hooks:
- - id: remove-tabs
- - repo: https://github.com/sirosen/check-jsonschema
- rev: 0.21.0
- hooks:
- - id: check-github-workflows
- - id: check-github-actions
- - repo: https://github.com/pryorda/dockerfilelint-precommit-hooks
- rev: v0.1.0
- hooks:
- - id: dockerfilelint
diff --git a/apps/sage/shiny-base/.yamllint.yaml b/apps/sage/shiny-base/.yamllint.yaml
deleted file mode 100644
index addf0aa193..0000000000
--- a/apps/sage/shiny-base/.yamllint.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-extends: default
-
-rules:
- # 80 chars should be enough, but don't fail if a line is longer
- line-length:
- max: 80
- level: warning