From b031dc1ac305908fc253cdef607dee52ff69d6df Mon Sep 17 00:00:00 2001 From: Lukas | AstroGD Date: Sun, 23 Feb 2025 17:58:02 +0100 Subject: [PATCH] feat: Second registry, security hardening - Added second registry - Added non-root user - Added supply-chain attestation flags --- .drone.yml | 74 ++++++++++++++++++++++++++++++++++++++++++++++- latest/Dockerfile | 5 ++-- lts/Dockerfile | 5 ++-- 3 files changed, 79 insertions(+), 5 deletions(-) diff --git a/.drone.yml b/.drone.yml index a70bbd4..34c5b6c 100644 --- a/.drone.yml +++ b/.drone.yml @@ -11,6 +11,8 @@ steps: - name: build-lts image: plugins/docker settings: + purge: false + build_args: --provenance=true --sbom=true username: from_secret: registry_username password: @@ -20,9 +22,27 @@ steps: - lts-alpine - lts dockerfile: lts/Dockerfile + - name: build-lts-astrogd + image: plugins/docker + depends_on: + - build-lts + settings: + registry: registry.astrogd.cloud + build_args: --provenance=true --sbom=true + username: + from_secret: astrogd_registry_username + password: + from_secret: astrogd_registry_key + repo: registry.astrogd.cloud/pnpm + tags: + - lts-alpine + - lts + dockerfile: lts/Dockerfile - name: build-latest image: plugins/docker settings: + purge: false + build_args: --provenance=true --sbom=true username: from_secret: registry_username password: @@ -32,6 +52,22 @@ steps: - latest-alpine - latest dockerfile: latest/Dockerfile + - name: build-latest-astrogd + image: plugins/docker + depends_on: + - build-latest + settings: + registry: registry.astrogd.cloud + build_args: --provenance=true --sbom=true + username: + from_secret: astrogd_registry_username + password: + from_secret: astrogd_registry_key + repo: registry.astrogd.cloud/pnpm + tags: + - latest-alpine + - latest + dockerfile: latest/Dockerfile --- kind: pipeline 
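Review bot: The attestation flags on the new `build_args: --provenance=true --sbom=true` lines almost certainly never reach the builder, because plugins/docker's `build_args` setting is, as far as I know, a list of `KEY=VALUE` pairs it forwards as `--build-arg`, and its classic `docker build` does not emit provenance or SBOM attestations at all (those need buildx/BuildKit). The result is a pipeline whose commit message claims attestation but which pushes plain images, so please confirm after a run with `docker buildx imagetools inspect registry.astrogd.cloud/pnpm:lts --format '{{json .Provenance}}'` and, if that is empty, move to a buildx-capable step or drop the flags rather than keep a misleading setting. Separately, the new `build-lts-astrogd` and `build-latest-astrogd` steps rebuild from scratch instead of re-tagging the image the step they `depends_on` already pushed, so the two registries can hold different images under the same tag whenever the Dockerfile's unpinned pnpm download changes between the two builds. The same applies to the matching hunks of the second pipeline (`@@ -46,6 +82,8 @@` through `@@ -67,9 +123,25 @@`).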
@@ -46,6 +82,8 @@ steps: - name: build-lts image: plugins/docker settings: + purge: false + build_args: --provenance=true --sbom=true username: from_secret: registry_username password: @@ -55,9 +93,27 @@ steps: - lts-alpine - lts dockerfile: lts/Dockerfile + - name: build-lts-astrogd + image: plugins/docker + depends_on: + - build-lts + settings: + registry: registry.astrogd.cloud + build_args: --provenance=true --sbom=true + username: + from_secret: astrogd_registry_username + password: + from_secret: astrogd_registry_key + repo: registry.astrogd.cloud/pnpm + tags: + - lts-alpine + - lts + dockerfile: lts/Dockerfile - name: build-latest image: plugins/docker settings: + purge: false + build_args: --provenance=true --sbom=true username: from_secret: registry_username password: @@ -67,9 +123,25 @@ steps: - latest-alpine - latest dockerfile: latest/Dockerfile + - name: build-latest-astrogd + image: plugins/docker + depends_on: + - build-latest + settings: + registry: registry.astrogd.cloud + build_args: --provenance=true --sbom=true + username: + from_secret: astrogd_registry_username + password: + from_secret: astrogd_registry_key + repo: registry.astrogd.cloud/pnpm + tags: + - latest-alpine + - latest + dockerfile: latest/Dockerfile --- kind: signature -hmac: e751fb83a80f0db2389261287d1d9abd39dbfb0a3abf0984b8c03e92235872d3 +hmac: 4273bd6d4fadc37a81c8efee1273325e1ee914798eb00baf73790d4a100eed62 ... diff --git a/latest/Dockerfile b/latest/Dockerfile index 039e06d..40748f7 100644 --- a/latest/Dockerfile +++ b/latest/Dockerfile @@ -1,5 +1,6 @@ FROM node:alpine as BASE ENV PNPM_HOME="./.pnpm" \ PATH="$PNPM_HOME:$PATH" -RUN npm i -g pnpm@latest &&\ - apk add --no-cache openssl \ No newline at end of file +RUN wget -qO- https://get.pnpm.io/install.sh | ENV="$HOME/.shrc" SHELL="$(which sh)" sh - &&\ + apk add --no-cache openssl +USER node \ No newline at end of file diff --git a/lts/Dockerfile b/lts/Dockerfile index e713b2d..70049a3 100644 --- a/lts/Dockerfile 
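Review bot: The new `RUN wget -qO- https://get.pnpm.io/install.sh | ... sh -` line in latest/Dockerfile runs an unpinned, unverified remote script as root, and since the image's `/bin/sh` has no pipefail a failed or truncated download hands `sh -` empty input and the build succeeds without pnpm; the replaced `npm i -g pnpm@latest` at least went through the registry's integrity checks, so this step weakens the supply chain rather than hardening it. Download the script to a file, check it against a recorded sha256 and pin the release through the installer's `PNPM_VERSION` variable as below; alternatively `corepack enable && corepack prepare pnpm@<version> --activate`, which the node base image already ships, avoids the remote script entirely. Also, the installer runs as root with `HOME=/root` before the new `USER node` while `PNPM_HOME` is the relative `./.pnpm`, so it is not obvious from the hunk that the `node` user can resolve `pnpm` at all — a trailing `RUN pnpm --version` after `USER node` makes the build fail early if it cannot. The same applies to the lts/Dockerfile hunk.
```dockerfile
RUN wget -qO /tmp/pnpm-install.sh https://get.pnpm.io/install.sh \
    && echo "<SHA256_OF_PINNED_INSTALL_SH>  /tmp/pnpm-install.sh" | sha256sum -c - \
    && ENV="$HOME/.shrc" SHELL="$(which sh)" PNPM_VERSION="<PINNED_PNPM_VERSION>" sh /tmp/pnpm-install.sh \
    && rm /tmp/pnpm-install.sh \
    && apk add --no-cache openssl
USER node
RUN pnpm --version
```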
+++ b/lts/Dockerfile
@@ -1,5 +1,6 @@
 FROM node:lts-alpine as BASE
 ENV PNPM_HOME="./.pnpm" \
 PATH="$PNPM_HOME:$PATH"
-RUN npm i -g pnpm@latest &&\
- apk add --no-cache openssl
\ No newline at end of file
+RUN wget -qO- https://get.pnpm.io/install.sh | ENV="$HOME/.shrc" SHELL="$(which sh)" sh - &&\
+ apk add --no-cache openssl
+USER node
\ No newline at end of file