Authenticate to GitHub API during docker build to avoid reaching limits

oxsecurity · Feb 11, 2023 · 9f44b9e · 9f44b9e
1 parent 7ec38ab
commit 9f44b9e
Show file tree

Hide file tree

Showing 45 changed files with 89 additions and 69 deletions.
diff --git a/.automation/build.py b/.automation/build.py
@@ -306,15 +306,26 @@ def build_dockerfile(
                     docker_copy += [dockerfile_item]
                     docker_other += ["# Managed with " + dockerfile_item]
                 # Already used item
-                elif dockerfile_item in all_dockerfile_items:
+                elif (
+                    dockerfile_item in all_dockerfile_items
+                    or dockerfile_item.replace(
+                        "RUN ", "RUN --mount=type=secret,id=GITHUB_TOKEN "
+                    )
+                    in all_dockerfile_items
+                ):
                     dockerfile_item = (
                         "# Next line commented because already managed by another linter\n"
                         "# " + "\n# ".join(dockerfile_item.splitlines())
                     )
                     docker_other += [dockerfile_item]
                 # RUN (standalone with GITHUB_TOKEN)
-                elif dockerfile_item.startswith("RUN") and "GITHUB_TOKEN" in dockerfile_item:
-                    dockerfile_item_cmd = dockerfile_item.replace("RUN ", "RUN --mount=type=secret,id=GITHUB_TOKEN ")
+                elif (
+                    dockerfile_item.startswith("RUN")
+                    and "GITHUB_TOKEN" in dockerfile_item
+                ):
+                    dockerfile_item_cmd = dockerfile_item.replace(
+                        "RUN ", "RUN --mount=type=secret,id=GITHUB_TOKEN "
+                    )
                     docker_other += [dockerfile_item_cmd]
                     is_docker_other_run = False
                 # RUN (start)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,10 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 
 - Core
   - Upgrade base docker image from python:3.10.4-alpine3.16 to python:3.11.1-alpine3.17
+
+- CI
   - Use docker/build-push-action to build docker images and akhilerm/tag-push-action to release by retagging and pushing beta images instead of rebuilding them
+  - Authenticate to GitHub API during docker build to avoid reaching limits
 
 - Linter versions upgrades
   - [golangci-lint](https://golangci-lint.run/) from 1.51.0 to **1.51.1** on 2023-02-06

diff --git a/Dockerfile b/Dockerfile
@@ -299,9 +299,9 @@ COPY --from=kics /app/bin/assets /opt/kics/assets/
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
 #OTHER__START
-RUN rc-update add docker boot && rc-service docker start || true \
+RUN rc-update add docker boot && rc-service docker start || true
 # ARM installation
-    && mkdir -p ${PWSH_DIRECTORY} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
     && curl --retry 5 --retry-delay 5 -s \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
@@ -311,10 +311,11 @@ RUN rc-update add docker boot && rc-service docker start || true \
         | cut -d '"' -f 4 \
         | xargs -n 1 wget -O - \
         | tar -xzC ${PWSH_DIRECTORY} \
-    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh \
+    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh
+
 
 # CSHARP installation
-    && wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
+RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
     && chmod +x dotnet-install.sh \
     && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
 
@@ -341,7 +342,7 @@ RUN wget --tries=5 -q -O phive.phar https://phar.io/releases/phive.phar \
 ENV PATH="/root/.composer/vendor/bin:$PATH"
 
 # POWERSHELL installation
-RUN mkdir -p ${PWSH_DIRECTORY} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
     && curl --retry 5 --retry-delay 5 -s \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
@@ -352,14 +353,15 @@ RUN mkdir -p ${PWSH_DIRECTORY} \
         | xargs -n 1 wget -O - \
         | tar -xzC ${PWSH_DIRECTORY} \
     && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh \
-    && chmod +x /usr/bin/pwsh \
+    && chmod +x /usr/bin/pwsh
+
 
 # SALESFORCE installation
 # Next line commented because already managed by another linter
 # ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk
 # Next line commented because already managed by another linter
 # ENV PATH="$JAVA_HOME/bin:${PATH}"
-    && echo y|sfdx plugins:install sfdx-hardis \
+RUN echo y|sfdx plugins:install sfdx-hardis \
     && npm cache clean --force || true \
     && rm -rf /root/.npm/_cacache \
 
@@ -436,21 +438,22 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
     && golangci-lint --version \
 
 # revive installation
-    && go install github.com/mgechev/revive@latest && go clean --cache \
+    && go install github.com/mgechev/revive@latest && go clean --cache
 
 # checkstyle installation
-    && CHECKSTYLE_LATEST=$(curl -s \
+RUN --mount=type=secret,id=GITHUB_TOKEN CHECKSTYLE_LATEST=$(curl -s \
     -H "Accept: application/vnd.github+json" \
     -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
     https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
         | grep browser_download_url \
         | grep ".jar" \
         | cut -d '"' -f 4) \
     && curl --retry 5 --retry-delay 5 -sSL $CHECKSTYLE_LATEST \
-        --output /usr/bin/checkstyle \
+        --output /usr/bin/checkstyle
+
 
 # pmd installation
-    && wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
+RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
     unzip pmd-bin-${PMD_VERSION}.zip && \
     rm pmd-bin-${PMD_VERSION}.zip && \
     mv pmd-bin-${PMD_VERSION} /usr/bin/pmd && \

diff --git a/flavors/ci_light/Dockerfile b/flavors/ci_light/Dockerfile
@@ -19,8 +19,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/cupcake/Dockerfile b/flavors/cupcake/Dockerfile
@@ -25,8 +25,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -315,21 +315,22 @@ RUN go install github.com/rhysd/actionlint/cmd/actionlint@latest && go clean --c
     && golangci-lint --version \
 
 # revive installation
-    && go install github.com/mgechev/revive@latest && go clean --cache \
+    && go install github.com/mgechev/revive@latest && go clean --cache
 
 # checkstyle installation
-    && CHECKSTYLE_LATEST=$(curl -s \
+RUN --mount=type=secret,id=GITHUB_TOKEN CHECKSTYLE_LATEST=$(curl -s \
     -H "Accept: application/vnd.github+json" \
     -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
     https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
         | grep browser_download_url \
         | grep ".jar" \
         | cut -d '"' -f 4) \
     && curl --retry 5 --retry-delay 5 -sSL $CHECKSTYLE_LATEST \
-        --output /usr/bin/checkstyle \
+        --output /usr/bin/checkstyle
+
 
 # pmd installation
-    && wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
+RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
     unzip pmd-bin-${PMD_VERSION}.zip && \
     rm pmd-bin-${PMD_VERSION}.zip && \
     mv pmd-bin-${PMD_VERSION} /usr/bin/pmd && \

diff --git a/flavors/documentation/Dockerfile b/flavors/documentation/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/dotnet/Dockerfile b/flavors/dotnet/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -223,7 +223,7 @@ COPY --from=gitleaks /usr/bin/gitleaks /usr/bin/
 #############################################################################################
 #OTHER__START
 # ARM installation
-RUN mkdir -p ${PWSH_DIRECTORY} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
     && curl --retry 5 --retry-delay 5 -s \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
@@ -233,17 +233,18 @@ RUN mkdir -p ${PWSH_DIRECTORY} \
         | cut -d '"' -f 4 \
         | xargs -n 1 wget -O - \
         | tar -xzC ${PWSH_DIRECTORY} \
-    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh \
+    && ln -sf ${PWSH_DIRECTORY}/pwsh /usr/bin/pwsh
+
 
 # CSHARP installation
-    && wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
+RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
     && chmod +x dotnet-install.sh \
     && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
 
 ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
 
 # POWERSHELL installation
-RUN mkdir -p ${PWSH_DIRECTORY} \
+RUN --mount=type=secret,id=GITHUB_TOKEN mkdir -p ${PWSH_DIRECTORY} \
     && curl --retry 5 --retry-delay 5 -s \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \

diff --git a/flavors/go/Dockerfile b/flavors/go/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/java/Dockerfile b/flavors/java/Dockerfile
@@ -22,8 +22,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -236,21 +236,22 @@ RUN go install github.com/rhysd/actionlint/cmd/actionlint@latest && go clean --c
 # Managed with COPY --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checker
 
 # dotenv-linter installation
-    && wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/master/install.sh | sh -s \
+    && wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/master/install.sh | sh -s
 
 # checkstyle installation
-    && CHECKSTYLE_LATEST=$(curl -s \
+RUN --mount=type=secret,id=GITHUB_TOKEN CHECKSTYLE_LATEST=$(curl -s \
     -H "Accept: application/vnd.github+json" \
     -H "Authorization: Bearer $(cat /run/secrets/GITHUB_TOKEN)" \
     https://api.github.com/repos/checkstyle/checkstyle/releases/latest \
         | grep browser_download_url \
         | grep ".jar" \
         | cut -d '"' -f 4) \
     && curl --retry 5 --retry-delay 5 -sSL $CHECKSTYLE_LATEST \
-        --output /usr/bin/checkstyle \
+        --output /usr/bin/checkstyle
+
 
 # pmd installation
-    && wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
+RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-bin-${PMD_VERSION}.zip && \
     unzip pmd-bin-${PMD_VERSION}.zip && \
     rm pmd-bin-${PMD_VERSION}.zip && \
     mv pmd-bin-${PMD_VERSION} /usr/bin/pmd && \

diff --git a/flavors/javascript/Dockerfile b/flavors/javascript/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/php/Dockerfile b/flavors/php/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/python/Dockerfile b/flavors/python/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/ruby/Dockerfile b/flavors/ruby/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/rust/Dockerfile b/flavors/rust/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/salesforce/Dockerfile b/flavors/salesforce/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/security/Dockerfile b/flavors/security/Dockerfile
@@ -22,8 +22,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/swift/Dockerfile b/flavors/swift/Dockerfile
@@ -21,8 +21,8 @@ FROM zricethezav/gitleaks:v8.15.3 as gitleaks
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/flavors/terraform/Dockerfile b/flavors/terraform/Dockerfile
@@ -25,8 +25,8 @@ FROM checkmarx/kics:alpine as kics
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/linters/ansible_ansible_lint/Dockerfile b/linters/ansible_ansible_lint/Dockerfile
@@ -16,8 +16,8 @@
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/linters/bash_shellcheck/Dockerfile b/linters/bash_shellcheck/Dockerfile
@@ -16,8 +16,8 @@
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/linters/cloudformation_cfn_lint/Dockerfile b/linters/cloudformation_cfn_lint/Dockerfile
@@ -16,8 +16,8 @@
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##

diff --git a/linters/dockerfile_hadolint/Dockerfile b/linters/dockerfile_hadolint/Dockerfile
@@ -16,8 +16,8 @@ FROM hadolint/hadolint:v2.12.0-alpine as hadolint
 ##################
 # Get base image #
 ##################
-# 3.10.5 is not usable until https://github.com/jruere/multiprocessing-logging/issues/56 is fixed
 FROM python:3.11.1-alpine3.17
+ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##