Merge pull request #5 from sir-gon/feature/docker

Docker image building

Author: sir-gon

.github/workflows/docker-image.yml

@@ -0,0 +1,214 @@
+---
+
+name: Docker Image CI
+
+on: # yamllint disable-line rule:truthy
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  workflow_dispatch:
+
+env:
+  IMAGE_NAME: algorithm-exercises-rust
+  ARTIFACT_NAME: algorithm-exercises-rust_${{ github.sha }}
+
+jobs:
+
+  build:
+    name: "Build Docker images"
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: "LINT: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: lint
+          outputs: |
+            type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_lint.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:lint
+      - name: "LINT: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_lint
+          path: /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
+
+      - name: "TEST: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: testing
+          outputs: |
+            type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_test.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:test
+      - name: "TEST: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_test
+          path: /tmp/${{ env.ARTIFACT_NAME }}_test.tar
+
+      - name: "PRODUCTION: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: production
+          outputs: |
+            type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+      - name: "PRODUCTION: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_prod
+          path: /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+
+  lint:
+    name: "Run in docker: LINT"
+    runs-on: ubuntu-24.04
+    needs: build
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_lint
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
+          docker image ls -a
+
+      - name: Run lint
+        run: >
+          docker
+          compose --profile lint
+          run --rm ${{ env.IMAGE_NAME }}-lint
+          make lint
+
+  test:
+    name: "Run in docker: TEST"
+    runs-on: ubuntu-24.04
+    needs: build
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_test
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_test.tar
+          docker image ls -a
+
+      - name: Run test
+        run: >
+          docker
+          compose --profile test
+          run --rm ${{ env.IMAGE_NAME }}-test
+          make test
+
+  # yamllint disable rule:line-length
+  # security:
+  #   name: "Snyk Container"
+  #   runs-on: ubuntu-24.04
+  #   needs: build
+  #   permissions:
+  #     actions: read
+  #     contents: read
+  #     security-events: write
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+  #     - name: Download artifact
+  #       uses: actions/download-artifact@v4
+  #       with:
+  #         name: ${{ env.ARTIFACT_NAME }}_prod
+  #         path: /tmp/
+
+  #     - name: Load image
+  #       run: |
+  #         docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+  #         docker image ls -a
+
+  #     - name: Run Snyk to check Docker image for vulnerabilities
+  #       # Snyk can be used to break the build when it detects vulnerabilities.
+  #       # In this case we want to upload the issues to GitHub Code Scanning
+  #       continue-on-error: true
+  #       uses: snyk/actions/docker@master
+  #       env:
+  #         # yamllint disable rule:line-length
+  #         # In order to use the Snyk Action you will need to have a Snyk API token.
+  #         # See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
+  #         # or you can sign up for free at https://snyk.io/login
+  #         # yamllint enable rule:line-length
+  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+  #       with:
+  #         image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+  #         args: --file=Dockerfile
+  #     # yamllint disable rule:line-length
+  #     # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
+  #     - name: Replace security-severity undefined for license-related findings
+  #       run: |
+  #         sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+  #         sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+  #     # yamllint enable rule:line-length
+  #     - name: Upload result to GitHub Code Scanning
+  #       uses: github/codeql-action/upload-sarif@v3
+  #       with:
+  #         sarif_file: 'snyk.sarif'
+  # yamllint enable rule:line-length
+
+  scan:
+    name: "Trivy"
+    runs-on: ubuntu-24.04
+    needs: build
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_prod
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
+          docker image ls -a
+
+      - name: Run Trivy vulnerability scanner (cli report)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'table'
+        env:
+          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
+
+      - name: Run Trivy vulnerability scanner (sarif report)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+        env:
+          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

Cargo.toml

@@ -3,4 +3,8 @@ name = "algorithm-exercises-rust"
 version = "0.1.0"
 edition = "2024"
 
+[lib]
+name = "exercises"
+crate-type = ["rlib", "cdylib"]
+
 [dependencies]

Dockerfile

@@ -0,0 +1,119 @@
+ARG BASE_IMAGE_VERSION=rust:1.89.0-alpine3.20
+FROM ${BASE_IMAGE_VERSION} AS init
+
+ENV WORKDIR=/app
+WORKDIR ${WORKDIR}
+
+RUN apk add --update --no-cache make
+
+# cargo-chef to cache dependencies https://crates.io/crates/cargo-chef
+
+###############################################################################
+
+FROM init AS builder
+
+RUN apk add --no-cache musl-dev
+RUN cargo install cargo-chef
+
+# sources
+COPY ./src ${WORKDIR}/src
+COPY ./Cargo.lock ${WORKDIR}/Cargo.lock
+COPY ./Cargo.toml ${WORKDIR}/Cargo.toml
+COPY ./Makefile ${WORKDIR}/
+
+# dependencies
+RUN make dependencies
+
+# build
+RUN ls -alhR && \
+  make build/debug && \
+  make build/release && \
+  ls -alhR
+
+CMD ["make", "build"]
+
+###############################################################################
+
+FROM builder AS development
+
+# CMD []
+
+CMD ["make", "build"]
+
+###############################################################################
+
+FROM builder AS lint
+
+RUN rustup component add clippy
+RUN \
+  apk add --update --no-cache nodejs npm yamllint && \
+  npm install -g --ignore-scripts markdownlint-cli && \
+  rm -rf /var/lib/apt/lists/*
+
+# Code source
+COPY ./src ${WORKDIR}/src
+COPY ./Cargo.lock ${WORKDIR}/Cargo.lock
+COPY ./Cargo.toml ${WORKDIR}/Cargo.toml
+COPY ./recipe.json ${WORKDIR}/recipe.json
+COPY ./Makefile ${WORKDIR}/
+
+# markdownlint conf
+COPY ./.markdownlint.yaml ${WORKDIR}/
+
+# yamllint conf
+COPY ./.yamllint ${WORKDIR}/
+COPY ./.yamlignore ${WORKDIR}/
+COPY ./.gitignore ${WORKDIR}/
+
+RUN cargo chef cook --release --recipe-path recipe.json
+
+CMD ["make", "lint"]
+
+###############################################################################
+
+FROM development AS testing
+
+ENV WORKDIR=/app
+WORKDIR ${WORKDIR}
+
+RUN mkdir -p ${WORKDIR}/target
+COPY --from=builder ${WORKDIR}/target/debug ${WORKDIR}/target
+
+CMD ["make", "test"]
+
+###############################################################################
+
+FROM alpine:3.20 AS production
+
+ENV LOG_LEVEL=INFO
+ENV BRUTEFORCE=false
+ENV WORKDIR=/app
+WORKDIR ${WORKDIR}
+
+RUN apk add --update --no-cache make
+
+COPY ./Makefile ${WORKDIR}/
+COPY --from=builder ${WORKDIR}/target/release/lib*.rlib ${WORKDIR}/
+# COPY --from=builder ${WORKDIR}/target/release/lib*.dylib ${WORKDIR}/
+
+# create a non-root user to run our application
+ENV USER=app
+ENV GROUPNAME=$USER
+ENV UID=12345
+ENV GID=23456
+
+RUN addgroup \
+    --gid "$GID" \
+    "$GROUPNAME" \
+&&  adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "$(pwd)" \
+    --ingroup "$GROUPNAME" \
+    --no-create-home \
+    --uid "$UID" \
+    $USER
+
+RUN ls -alhR
+
+CMD ["make", "run"]