feat: Second registry, security hardening

- Added second registry
- Added non-root user
- Added supply-chain attestation flags
Lukas | AstroGD 2025-02-23 17:58:02 +01:00
parent fef09beaf3
commit b031dc1ac3
Signed by: AstroGD
GPG Key ID: 82A5E6C236C535AA
3 changed files with 79 additions and 5 deletions


@ -11,6 +11,8 @@ steps:
- name: build-lts
image: plugins/docker
settings:
purge: false
build_args: --provenance=true --sbom=true
username:
from_secret: registry_username
password:
@ -20,9 +22,27 @@ steps:
- lts-alpine
- lts
dockerfile: lts/Dockerfile
- name: build-lts-astrogd
image: plugins/docker
depends_on:
- build-lts
settings:
registry: registry.astrogd.cloud
build_args: --provenance=true --sbom=true
username:
from_secret: astrogd_registry_username
password:
from_secret: astrogd_registry_key
repo: registry.astrogd.cloud/pnpm
tags:
- lts-alpine
- lts
dockerfile: lts/Dockerfile
- name: build-latest
image: plugins/docker
settings:
purge: false
build_args: --provenance=true --sbom=true
username:
from_secret: registry_username
password:
@ -32,6 +52,22 @@ steps:
- latest-alpine
- latest
dockerfile: latest/Dockerfile
- name: build-latest-astrogd
image: plugins/docker
depends_on:
- build-latest
settings:
registry: registry.astrogd.cloud
build_args: --provenance=true --sbom=true
username:
from_secret: astrogd_registry_username
password:
from_secret: astrogd_registry_key
repo: registry.astrogd.cloud/pnpm
tags:
- latest-alpine
- latest
dockerfile: latest/Dockerfile
---
kind: pipeline
@ -46,6 +82,8 @@ steps:
- name: build-lts
image: plugins/docker
settings:
purge: false
build_args: --provenance=true --sbom=true
username:
from_secret: registry_username
password:
@ -55,9 +93,27 @@ steps:
- lts-alpine
- lts
dockerfile: lts/Dockerfile
- name: build-lts-astrogd
image: plugins/docker
depends_on:
- build-lts
settings:
registry: registry.astrogd.cloud
build_args: --provenance=true --sbom=true
username:
from_secret: astrogd_registry_username
password:
from_secret: astrogd_registry_key
repo: registry.astrogd.cloud/pnpm
tags:
- lts-alpine
- lts
dockerfile: lts/Dockerfile
- name: build-latest
image: plugins/docker
settings:
purge: false
build_args: --provenance=true --sbom=true
username:
from_secret: registry_username
password:
@ -67,9 +123,25 @@ steps:
- latest-alpine
- latest
dockerfile: latest/Dockerfile
- name: build-latest-astrogd
image: plugins/docker
depends_on:
- build-latest
settings:
registry: registry.astrogd.cloud
build_args: --provenance=true --sbom=true
username:
from_secret: astrogd_registry_username
password:
from_secret: astrogd_registry_key
repo: registry.astrogd.cloud/pnpm
tags:
- latest-alpine
- latest
dockerfile: latest/Dockerfile
---
kind: signature
hmac: e751fb83a80f0db2389261287d1d9abd39dbfb0a3abf0984b8c03e92235872d3
hmac: 4273bd6d4fadc37a81c8efee1273325e1ee914798eb00baf73790d4a100eed62
...
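Review bot: The attestation flags in `build_args: --provenance=true --sbom=true` (first hunk, and repeated in every `plugins/docker` step of both pipelines) most likely never reach docker as flags: with the drone-plugins/docker plugin each `build_args` entry is passed to the build as `--build-arg <entry>`, so this string arrives as a build-arg name and no `--provenance` or `--sbom` option is set. Provenance and SBOM attestations additionally require a BuildKit/buildx build, which that plugin does not necessarily perform, so even a correctly passed flag may be ignored. Before treating this as the hardening the commit message describes, inspect a pushed tag (for example with `docker buildx imagetools inspect <image>:<tag>`) and confirm attestation manifests are actually attached. If the plugin offers no supported way to pass these options, mark the gap above each line with `# TODO: plugins/docker passes build_args as --build-arg; attestation flags are not applied` so it is not mistaken for coverage.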


@ -1,5 +1,6 @@
FROM node:alpine as BASE
ENV PNPM_HOME="./.pnpm" \
PATH="$PNPM_HOME:$PATH"
RUN npm i -g pnpm@latest &&\
apk add --no-cache openssl
RUN wget -qO- https://get.pnpm.io/install.sh | ENV="$HOME/.shrc" SHELL="$(which sh)" sh - &&\
apk add --no-cache openssl
USER node
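Review bot: `RUN wget -qO- https://get.pnpm.io/install.sh | ... sh -` replaces the npm install with an unpinned remote script executed as root at build time, which widens the supply-chain exposure this commit sets out to reduce — neither the script nor the pnpm version it fetches is pinned or checksum-verified, so every rebuild takes whatever the endpoint serves that day. The same line is added in lts/Dockerfile. At minimum pin the version (the install script honours a `PNPM_VERSION` variable: `RUN wget -qO- https://get.pnpm.io/install.sh | PNPM_VERSION=<pinned version> ENV="$HOME/.shrc" SHELL="$(which sh)" sh -`), or drop the remote script entirely in favour of the corepack shim that ships with the node image: `RUN corepack enable && corepack prepare pnpm@<pinned version> --activate`. For the same reason consider pinning `FROM node:alpine` by digest, since a floating base tag undermines any attestation the pipeline later produces.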


@ -1,5 +1,6 @@
FROM node:lts-alpine as BASE
ENV PNPM_HOME="./.pnpm" \
PATH="$PNPM_HOME:$PATH"
RUN npm i -g pnpm@latest &&\
apk add --no-cache openssl
RUN wget -qO- https://get.pnpm.io/install.sh | ENV="$HOME/.shrc" SHELL="$(which sh)" sh - &&\
apk add --no-cache openssl
USER node
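Review bot: `USER node` is added after the pnpm install, so the installer runs as root and whatever it writes under `PNPM_HOME="./.pnpm"` (a relative path that resolves against the build-time working directory) and `$HOME/.shrc` is root-owned and rooted in root's home or `/`; it is not evident from the Dockerfile that the `node` user can find or execute pnpm afterwards, and the same pattern is in latest/Dockerfile. Assuming the installer honours `PNPM_HOME`, the usual fix is an absolute location handed to the runtime user, e.g. `ENV PNPM_HOME="/pnpm"` and, at the end of the install `RUN`, `&& chown -R node:node "$PNPM_HOME"`. Either way, verify the non-root switch did not break the image with `docker run --rm --user node <image> pnpm --version` before the tag is promoted.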