fix: security build issue (#198)

leovct · web-flow · commit 1bc7aaaddb12 · 2024-02-05T17:49:20.000+01:00
* ci: trigger security build job in PRs

* chore: clean up

* fix: sonarqube warnings

* fix: issue with copying parts of the source code

* chore: nit
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -2,9 +2,7 @@ name: "Build Pipeline (Docker)"
 
 on:
   push:
-    branches:
-      - jesse/pipeline-deploy
-      - main
+    branches: [main]
 
 env:
   IMAGE_NAME: "${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ secrets.DOCKER_REPOSITORY }}/polygon-cli"
@@ -55,9 +53,9 @@ jobs:
       #   run: |-
       #     export CLOUDSDK_CORE_DISABLE_PROMPTS=1
       #     gcloud components install beta --quiet
-          
+
       #     DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)')
-          
+
       #     gcloud beta container binauthz attestations sign-and-create \
       #         --artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \
       #         --attestor="${{ env.ATTESTOR }}" \
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -2,9 +2,7 @@ name: "Build Pipeline (Debian)"
 
 on:
   push:
-    branches:
-      - jesse/pipeline-deploy
-      - main
+    branches: [main]
 
 jobs:
   build-pipeline-apt:
diff --git a/.github/workflows/security-build.yml b/.github/workflows/security-build.yml
@@ -1,10 +1,10 @@
 name: Security Build
 
 on:
+  pull_request:
+  merge_group:
   push:
-    branches:
-      - main
-  workflow_dispatch: {}
+    branches: [main]
 
 jobs:
   sonarqube:
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,31 @@
-FROM golang:1.21 as builder
-WORKDIR /go/src/app
+FROM golang:1.21 AS builder
+WORKDIR /workspace
 COPY go.mod go.sum ./
 RUN go mod download
-COPY . .
-RUN CGO_ENABLED=0 make build
 
-FROM scratch
+COPY abi/ abi/
+COPY bindings/ bindings/
+COPY cmd/ cmd/
+COPY dashboard/ dashboard/
+COPY gethkeystore/ gethkeystore/
+COPY hdwallet/ hdwallet/
+COPY metrics/ metrics/
+COPY p2p/ p2p/
+COPY proto/ proto/
+COPY rpctypes/ rpctypes/
+COPY util/ util/
+COPY main.go ./
+RUN CGO_ENABLED=0 go build -o polycli main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=builder /go/src/app/out/polycli /usr/bin/polycli
+COPY --from=builder /workspace/polycli /usr/bin/polycli
+USER 65532:65532
 ENTRYPOINT ["polycli"]
-CMD ["--help"]
+CMD ["--help"]
+
+# How to test this image?
+# https://github.com/maticnetwork/polygon-cli/pull/189#discussion_r1464486344
