ci: remove dev container (#239)

.github/dependabot.yml

@@ -18,13 +18,6 @@ updates:
     commit-message:
       prefix: "chore"
 
-  - package-ecosystem: "docker"
-    directory: "/.devcontainer"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "chore"
-
   - package-ecosystem: "npm"
     directory: "/website"
     schedule:

.github/workflows/build.yml

@@ -3,7 +3,7 @@
 # Licensed under the MIT License.
 # ------------------------------------------------------------
 
-name: Build in DevContainer
+name: Build
 on:
   push:
     branches:
@@ -28,13 +28,33 @@ on:
   workflow_dispatch:
 
 env:
-  DEVCON_NAME: ghcr.io/project-copacetic/copacetic/devcontainer
-  DEVCON_VERSION: latest
+  TRIVY_VERSION: 0.44.0
+  BUILDKIT_VERSION: 0.12.0
 
 jobs:
+  unit-test:
+    name: Unit Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions: read-all
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.3.1
+        with:
+          egress-policy: audit
+      - name: Check out code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Unit test
+        shell: bash
+        env:
+          CODECOV_OPTS: "-coverprofile=coverage.txt -covermode=atomic"
+        run: make test
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
   build:
-    name: Build and unit test
+    name: Build
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 5
     permissions:
       packages: write
       contents: read
@@ -46,36 +66,21 @@ jobs:
         uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.3.1
         with:
           egress-policy: audit
-
       - name: Check out code
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build copa in dev container
-        uses: devcontainers/ci@57eaf0c9b518a76872bc429cdceefd65a912309b # v0.3.1900000329
-        with:
-          imageName: ${{ env.DEVCON_NAME }}
-          imageTag: ${{ env.DEVCON_VERSION }}
-          env: |
-            CODECOV_OPTS=-coverprofile=coverage.txt -covermode=atomic
-          runCmd: |
-            set -e
-            make build
-            make test
-            make archive
-      - name: Upload built tool
+      - name: Build copa
+        shell: bash
+        run: |
+          make build
+          make archive
+      - name: Upload copa to build artifacts
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: copa_edge_linux_amd64.tar.gz
           path: dist/linux_amd64/release/copa_edge_linux_amd64.tar.gz
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
       - name: Load test cases for patch testing
         id: load-tests
+        shell: bash
         run: |
           json="$(cat .github/workflows/test-images.json)"
           json="${json//[$'\n'$'\r']/''}"
@@ -87,24 +92,31 @@ jobs:
     needs: build
     name: Test patch ${{ matrix.image }}:${{ matrix.tag }}
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions: read-all
     strategy:
+      fail-fast: false
       matrix:
         include: ${{ fromJson(needs.build.outputs.include) }}
     steps:
-      - name: Check out dev container definition
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Download the patch tool
+      - name: Download copa from build artifacts
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: copa_edge_linux_amd64.tar.gz
-      - name: Extract patch tool
-        run: tar xzf copa_edge_linux_amd64.tar.gz
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract copa
+        shell: bash
+        run: |
+          tar xzf copa_edge_linux_amd64.tar.gz
+          ./copa --version
+      - name: Install required tools
+        shell: bash
+        run: |
+          curl -sfL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb -o trivy.deb \
+            && sudo dpkg -i trivy.deb \
+            && rm trivy.deb
+          curl -sfL https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-amd64.tar.gz -o buildkit.tar.gz \
+            && sudo tar -zxvf buildkit.tar.gz -C /usr/local/ \
+            && rm buildkit.tar.gz
       - name: Create Trivy ignore policy
         shell: bash
         run: |
@@ -125,24 +137,19 @@ jobs:
             input.VulnerabilityID == ignore_vulnerability_ids[_]
           }
           EOF
-      - name: Run functional test in dev container
-        uses: devcontainers/ci@57eaf0c9b518a76872bc429cdceefd65a912309b # v0.3.1900000329
-        with:
-          cacheFrom: ${{ env.DEVCON_NAME }}
-          push: never
-          env: |
-            BUILDKIT_PORT=30321
-            BUILDKIT_VERSION=0.12.0
-          runCmd: |
-            set -e
-            echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description }}"
-            echo "[INFO]: Scanning image with trivy ..."
-            trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" --exit-on-eol 1 --ignore-policy trivy_ignore.rego
-            echo "[INFO]: Start buildkitd in the background ..."
-            docker run --detach --rm --privileged -p 0.0.0.0:$BUILDKIT_PORT:$BUILDKIT_PORT/tcp --name buildkitd --entrypoint buildkitd "moby/buildkit:v$BUILDKIT_VERSION" --addr tcp://0.0.0.0:$BUILDKIT_PORT
-            docker stats buildkitd --no-stream
-            sudo lsof -nP -iTCP -sTCP:LISTEN
-            echo "[INFO]: Run copa on target ..."
-            ./copa patch -i "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" -r scan.json -t "${{ matrix.tag }}-patched" -a tcp://0.0.0.0:$BUILDKIT_PORT --timeout 20m
-            echo "[INFO]: Rescanning patched image with same vuln DB ..."
-            trivy image --vuln-type os --ignore-unfixed --skip-db-update --scanners vuln "${{ matrix.image }}:${{ matrix.tag }}-patched" --exit-code 1 --exit-on-eol 1 --ignore-policy trivy_ignore.rego
+      - name: Run functional test
+        shell: bash
+        run: |
+          echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description }}"
+
+          echo "[INFO]: Scanning image with trivy ..."
+          trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" --exit-on-eol 1 --ignore-policy trivy_ignore.rego
+
+          echo "[INFO]: Start buildkitd in the background ..."
+          docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888/tcp --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888
+
+          echo "[INFO]: Run copa on target ..."
+          ./copa patch -i "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" -r scan.json -t "${{ matrix.tag }}-patched" -a tcp://127.0.0.1:8888 --timeout 10m
+
+          echo "[INFO]: Rescanning patched image with same vuln DB ..."
+          trivy image --vuln-type os --ignore-unfixed --skip-db-update --scanners vuln "${{ matrix.image }}:${{ matrix.tag }}-patched" --exit-code 1 --exit-on-eol 1 --ignore-policy trivy_ignore.rego

CONTRIBUTING.md

@@ -19,10 +19,7 @@ When opening an issue, please select the most appropriate template for what you'
 
 ### Getting Started
 
-Follow the instructions to either:
-
-* [Setup your dev environment to build copa](./docs/tutorials/dev-setup.md).
-* [Use the copa development container](./.devcontainer/README.md) in [Visual Studio Code](https://code.visualstudio.com/).
+Follow the instructions to [setup your dev environment to build copa](./docs/tutorials/dev-setup.md).
 
 For an overview of the project components, refer to the [copa design](./docs/vulnerability-driven-patching.md) document.
 

README.md

@@ -1,6 +1,5 @@
 # Project Copacetic: Directly patch container image vulnerabilities
 
-[![Build in DevContainer](https://github.com/project-copacetic/copacetic/actions/workflows/build.yml/badge.svg)](https://github.com/project-copacetic/copacetic/actions/workflows/build.yml)
 [![codecov](https://codecov.io/gh/project-copacetic/copacetic/branch/main/graph/badge.svg?token=PBC8EPNHRL)](https://codecov.io/gh/project-copacetic/copacetic)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/project-copacetic/copacetic/badge)](https://api.securityscorecards.dev/projects/github.com/project-copacetic/copacetic)
 [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)

docs/tutorials/dev-setup.md

@@ -1,6 +1,6 @@
 # Setup and build copa
 
-The following instructions are for **Ubuntu 22.04** with the dependency versions supported as part of the [dev container](../../.devcontainer/README.md) environment we use for builds and tests. For other distributions and OS, refer to the appropriate installation instructions for each of the components instead.
+The following instructions are for **Ubuntu 22.04** environment we use for builds and tests. For other distributions and OS, refer to the appropriate installation instructions for each of the components instead.
 
 1. Install [Go v1.19](https://go.dev/doc/install) or newer.
 

docs/tutorials/patch.md

@@ -4,7 +4,7 @@ This sample illustrates how to [patch containers using vulnerability reports](..
 
 ## Prerequisites
 
-* An Ubuntu 22.04 VM configured through the [setup instructions](./dev-setup.md) or a VSCode [devcontainer](../../.devcontainer/README.md) environment. This includes:
+* An Ubuntu 22.04 VM configured through the [setup instructions](./dev-setup.md). This includes:
   * `copa` tool [built & pathed](./dev-setup.md).
   * [buildkit](https://github.com/moby/buildkit/#quick-start) daemon installed & pathed.
   * [docker](https://docs.docker.com/desktop/linux/install/#generic-installation-steps) daemon running and CLI installed & pathed.

pkg/buildkit/buildkit.go

@@ -128,7 +128,7 @@ func InitializeBuildkitConfig(ctx context.Context, buildkitAddr, image string, m
 		return nil, err
 	}
 
-	config.Client, err = client.New(ctx, buildkitAddr, client.WithFailFast())
+	config.Client, err = client.New(ctx, buildkitAddr)
 	if err != nil {
 		return nil, err
 	}

website/docs/contributing.md

@@ -40,14 +40,6 @@ For an overview of the project components, refer to the [copa design](./design.m
 2. [Visual Studio Code](https://code.visualstudio.com/)
 3. [Visual Studio Code Remote - Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)
 
-#### Using the dev container
-
-1. After you have cloned this repo locally, open the repo folder in VSCode. VSCode will detect the presence of this `.devcontainer` subfolder and will prompt you to reopen the project in a container.
-
-   Alternatively, you can open the command palette and use the `Remote-Containers: Reopen in Container` command.
-
-2. Once the container is loaded, open an [integrated terminal](https://code.visualstudio.com/docs/editor/integrated-terminal) in VSCode and you can start running the demo instructions.
-
 > **⚠ If running via Docker Desktop for Windows**
 >
 > Note that the [mounted workspace files appear owned by `root`](https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user) in the dev container, which will cause `git` commands to fail with a `fatal: detected dubious ownership in a repository` error due to [safe.directory](https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory) checks. This can be addressed by changing the mapped ownership of the workspace files in the dev container to the `vscode` user:

website/docs/quick-start.md

@@ -6,7 +6,7 @@ This sample illustrates how to patch containers using vulnerability reports with
 
 ## Prerequisites
 
-* An Ubuntu 22.04 VM configured through the [setup instructions](./installation.md) or a VSCode [devcontainer](./contributing.md/#visual-studio-code-development-container) environment. This includes:
+* An Ubuntu 22.04 VM configured through the [setup instructions](./installation.md). This includes:
   * `copa` tool [built & pathed](./installation.md).
   * [buildkit](https://github.com/moby/buildkit/#quick-start) daemon installed & pathed.
   * [docker](https://docs.docker.com/desktop/linux/install/#generic-installation-steps) daemon running and CLI installed & pathed.