
Conversation

@abhishekagrawal-atlan
Contributor

Changelog

  • to be added

Additional context (e.g. screenshots, logs, links)

  • to be added

Checklist

  • Additional tests added
  • All CI checks passed
  • Relevant documentation updated

@github-actions

github-actions bot commented Nov 13, 2025

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines | Covered | Coverage | Threshold | Status
391 | 384 | 98% | 0% | 🟢

New Files

No new covered files...

Modified Files

No covered modified files...

updated for commit: 7702c0b by action🐍

@github-actions

github-actions bot commented Nov 13, 2025

📦 Trivy Vulnerability Scan Results

Schema Version | Created At | Artifact | Type
2 | 2026-01-06T11:59:50.5173711Z | . | filesystem

Report Summary

Target | Type | Vulnerabilities
. | filesystem | ✅ None found

Scan Result Details

✅ No vulnerabilities found during the scan for ..

@github-actions

github-actions bot commented Nov 13, 2025

📦 Trivy Secret Scan Results

Schema Version | Created At | Artifact | Type
2 | 2026-01-06T12:00:04.925444235Z | . | filesystem

Report Summary

Target | Type | Secrets
. | filesystem | ✅ None found

Scan Result Details

✅ No secrets found during the scan for ..

Comment on lines 17 to 120
runs-on: ubuntu-latest
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.app }}
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
timeout-minutes: 20
strategy:
  matrix:
    app:
      - quickstart/ai_giphy
      - quickstart/giphy
      - quickstart/hello_world
      - quickstart/polyglot
      - connectors/mysql
      - connectors/anaplan
      - templates/generic

steps:
  # Checkout current repo (your app)
  - uses: actions/[email protected]
    with:
      fetch-depth: 0
      token: ${{ secrets.ORG_PAT_GITHUB }}

  # Checkout the private atlanhq/.github repo to a folder
  - name: Checkout private action repo
    uses: actions/checkout@v4
    with:
      repository: atlanhq/.github
      token: ${{ secrets.ORG_PAT_GITHUB }}
      path: private_github

  - name: Get branch name
    run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
    id: get_branch

  - run: echo "REPOSITORY_NAME=`echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}' | sed -e "s/:refs//"`" >> $GITHUB_ENV
    shell: bash

  - name: Get version tag
    run: echo "version=$(echo `git ls-remote https://${{ secrets.ORG_PAT_GITHUB }}@github.com/atlanhq/${REPOSITORY_NAME}.git ${{ steps.get_branch.outputs.branch }} | awk '{ print $1}' | cut -c1-7`)abcd" >> $GITHUB_OUTPUT
    id: get_version

  - name: Lowercase branch name
    run: echo "lowercase_branch=$(echo '${{ steps.get_branch.outputs.branch }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
    id: get_lowercase_branch

  - name: Normalize app name for image tags
    run: echo "app_name=$(echo '${{ matrix.app }}' | tr '/' '-')" >> $GITHUB_OUTPUT
    id: get_app_name

  - name: Set up Buildx
    id: buildx
    uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2

  - name: Login to GitHub Registry
    uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
    with:
      registry: ghcr.io
      username: $GITHUB_ACTOR
      password: ${{ secrets.ORG_PAT_GITHUB }}

  - name: Build and push docker image to GHCR
    id: ghcr_docker_build
    uses: ./private_github/.github/actions/secure-build-push-apps
    with:
      branch: ${{ github.ref_name }}
      snyk-token: ${{ secrets.SNYK_TOKEN_BU_APPS }}
      context: ./${{ matrix.app }}
      file: ./${{ matrix.app }}/Dockerfile
      push: true
      platforms: linux/amd64,linux/arm64
      tags: |
        ghcr.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}-${{ steps.get_lowercase_branch.outputs.lowercase_branch }}:latest
        ghcr.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}-${{ steps.get_lowercase_branch.outputs.lowercase_branch }}:${{ steps.get_version.outputs.version }}
      build-args: |
        ACCESS_TOKEN_USR=$GITHUB_ACTOR
        ACCESS_TOKEN_PWD=${{ secrets.ORG_PAT_GITHUB }}
    env:
      DOCKER_CLIENT_TIMEOUT: 600
      COMPOSE_HTTP_TIMEOUT: 600

  # Login to Docker Hub
  - name: Login to Docker Hub
    uses: docker/login-action@v3
    with:
      username: atlanhq
      password: ${{ secrets.DOCKER_HUB_PAT_RW }}

  - name: Build and push docker image to Docker Hub
    id: docker_build
    uses: ./private_github/.github/actions/secure-build-push-apps
    with:
      branch: ${{ github.ref_name }}
      snyk-token: ${{ secrets.SNYK_TOKEN_BU_APPS }}
      context: ./${{ matrix.app }}
      file: ./${{ matrix.app }}/Dockerfile
      push: true
      platforms: linux/amd64,linux/arm64
      tags: |
        registry-1.docker.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}:${{ steps.get_branch.outputs.branch }}-${{ steps.get_version.outputs.version }}
        registry-1.docker.io/atlanhq/${{ github.event.repository.name }}-${{ steps.get_app_name.outputs.app_name }}:${{ steps.get_branch.outputs.branch }}-latest
    env:
      DOCKER_CLIENT_TIMEOUT: 300
      COMPOSE_HTTP_TIMEOUT: 300

Check warning: Code scanning / CodeQL

Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
- lack of permissions on the token to upload the image.

#42 exporting to image
#42 pushing layers 0.8s done
#42 ERROR: failed to push registry-1.docker.io/atlanhq/atlan-sample-apps-utilities-workflows_observability:dockerfile-b8daba8abcd: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fatlan-sample-apps-utilities-workflows_observability%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
------
 > exporting to image:
------
ERROR: failed to build: failed to solve: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fatlan-sample-apps-utilities-workflows_observability%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
Reference
Check build summary support
Error: buildx failed with: ERROR: failed to build: failed to solve: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Aatlanhq%2Fatlan-sample-apps-utilities-workflows_observability%3Apull%2Cpush&service=registry.docker.io: 401 Unauthorized: access token has insufficient scopes
@abhishekagrawal-atlan abhishekagrawal-atlan marked this pull request as ready for review December 15, 2025 13:39
Copilot AI review requested due to automatic review settings December 15, 2025 13:39

Copilot AI left a comment


Pull request overview

This PR adds Dockerfiles for multiple applications and establishes comprehensive CI/CD workflows including security scanning with Snyk and Trivy. The changes standardize containerization across quickstart examples, connectors, and utilities while introducing automated security checks.

  • Adds standardized Dockerfiles across 9 applications using Chainguard base images with Dapr integration
  • Implements GitHub Actions workflows for pre-commit checks, container scanning (Snyk/Trivy), and automated image builds
  • Removes uv.lock from .gitignore for the polyglot quickstart

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 35 comments.

File Description
utilities/workflows_observability/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
utilities/freshness_monitor/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
utilities/asset_descriptor_reminder/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
templates/generic/Dockerfile Refactored to use application-sdk-chainguard-image base and Dapr 1.16.2
quickstart/polyglot/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
quickstart/polyglot/.gitignore Removed uv.lock exclusion to track dependency locks
quickstart/hello_world/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
quickstart/giphy/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
quickstart/ai_giphy/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
connectors/mysql/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
connectors/anaplan/Dockerfile New Dockerfile with Python, uv, and Dapr 1.16.x setup
.github/workflows/verify-snyk-status.yaml Workflow to verify Snyk PR check status
.github/workflows/trivy-container.yaml Reusable workflow for Trivy container scanning
.github/workflows/snyk-container-scan.yaml Workflow for Snyk container scanning with Slack notifications
.github/workflows/schedule.yaml Scheduled workflow for stale PR cleanup and Trivy scans
.github/workflows/docstring-coverage.yaml Workflow to check docstring coverage on PRs
.github/workflows/commits.yaml Workflow to validate conventional commit format
.github/workflows/checks.yaml Pre-commit checks workflow with app discovery
.github/workflows/build-image.yaml Multi-app Docker image build and push workflow
.github/actions/secure_build_push_apps/action.yaml Composite action for building, scanning, and pushing Docker images with Snyk/Trivy
Comments suppressed due to low confidence (10)

utilities/workflows_observability/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

quickstart/polyglot/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

connectors/anaplan/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

utilities/asset_descriptor_reminder/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

templates/generic/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.2

quickstart/hello_world/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

quickstart/ai_giphy/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

connectors/mysql/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

utilities/freshness_monitor/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

quickstart/giphy/Dockerfile:36

  • Security concern: Downloading and executing a script directly from the internet without verification. Consider pinning the script to a specific commit hash or adding checksum verification to prevent potential supply chain attacks.
RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/master/install/install.sh | DAPR_INSTALL_DIR="/usr/local/bin" /bin/bash -s 1.16.3

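Every "Security concern" in the Copilot review above points at the same line shape: a `curl ... | /bin/bash` of `install/install.sh` taken from the `master` branch of dapr/cli, so each image build executes whatever that branch serves at build time. The helper below, added here as an example and not code from this PR or from the Dapr project, shows the fetch-verify-execute pattern the review suggests: download the script to a file, compare its SHA-256 with a digest pinned next to the URL, and run it only on a match. The commit-pinned URL form, the `DAPR_INSTALL_SHA256` build argument and the digest placeholder in the Dockerfile comment are assumptions, and the walk-through at the end verifies a constructed local script rather than a real Dapr release.

```shell
#!/bin/sh
# Added example (not part of the PR): guard a piped installer with a pinned SHA-256.
#
# In a Dockerfile the flagged RUN line would become something like this
# (commit hash, ARG name and digest are assumed placeholders, not real values):
#
#   ARG DAPR_INSTALL_SHA256=<digest of the reviewed install.sh>
#   RUN curl -fsSL https://raw.githubusercontent.com/dapr/cli/<commit>/install/install.sh -o /tmp/install.sh \
#    && echo "${DAPR_INSTALL_SHA256}  /tmp/install.sh" | sha256sum -c - \
#    && DAPR_INSTALL_DIR=/usr/local/bin /bin/bash /tmp/install.sh 1.16.3 \
#    && rm -f /tmp/install.sh
#
# The functions below implement the same check in portable shell so it can be
# exercised outside a container build.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Uses coreutils sha256sum and falls back to shasum on BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED
# (compared case-insensitively), 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# run_verified_script FILE EXPECTED [ARGS...]: execute FILE with ARGS only if
# its digest matches EXPECTED; on mismatch print a diagnostic and return 1
# without running anything.
run_verified_script() {
  file="$1"; expected="$2"; shift 2
  if ! verify_sha256 "$file" "$expected"; then
    echo "refusing to run $file: SHA-256 mismatch" >&2
    return 1
  fi
  /bin/sh "$file" "$@"
}

# fetch_and_run URL EXPECTED [ARGS...]: the network-facing form. Download to a
# temp file, verify, run, and clean up. URL should pin a commit rather than a
# branch so the pinned digest stays meaningful. (Not exercised offline.)
fetch_and_run() {
  url="$1"; expected="$2"; shift 2
  tmp=$(mktemp)
  curl -fsSL "$url" -o "$tmp"
  if run_verified_script "$tmp" "$expected" "$@"; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return $rc
}

# demo_constructed_installer: offline walk-through on a constructed script.
# Records the digest of a known-good copy (standing in for the value you would
# pin in the Dockerfile), runs it through the guard, then appends a line to
# simulate upstream tampering and confirms the guard refuses to run it.
# Returns 0 only if both outcomes were as expected.
demo_constructed_installer() {
  dir=$(mktemp -d)
  script="$dir/install.sh"
  printf '#!/bin/sh\necho "would install dapr $1"\n' > "$script"   # constructed stand-in
  pinned=$(sha256_of "$script")
  run_verified_script "$script" "$pinned" 1.16.3 >/dev/null || { rm -rf "$dir"; return 1; }
  printf 'echo "extra payload"\n' >> "$script"                      # simulated tampering
  if run_verified_script "$script" "$pinned" 1.16.3 2>/dev/null; then
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  return 0
}
```

Two caveats apply. Record the digest from a copy of the script you have actually read; the check proves only that the build downloaded what you reviewed, not that what you reviewed is safe. And the Dapr install script itself fetches the CLI release archive from GitHub, so pinning the script covers the first hop only; downloading the release archive directly and pinning its digest removes the script from the trust chain altogether.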

vishnub-atlan previously approved these changes Dec 16, 2025


5 participants