diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
deleted file mode 100644
index 6c7471a38..000000000
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels: ""
-assignees: ""
----
-
-### Describe the bug
-
-A clear and concise description of what the bug is.
-
-### To reproduce
-
-Steps to reproduce the behavior:
-
-1. Deploy the NGINX Docker image using ...
-2. View output/logs/configuration on ...
-3. See error
-
-### Expected behavior
-
-A clear and concise description of what you expected to happen.
-
-### Your environment
-
-- Version/release of Docker and method of installation (e.g. Docker Desktop / Docker Server)
-- Version/tag of the NGINX Docker image (e.g. `nginx:alpine`)
-- Target deployment platform (e.g. OpenShift / Kubernetes / Docker Compose / etc...)
-
-### Additional context
-
-Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
deleted file mode 100644
index e2242abbe..000000000
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels: ""
-assignees: ""
----
-
-### Is your feature request related to a problem? Please describe
-
-A clear and concise description of what the problem is. Ex. I'm always frustrated when ...
-
-### Describe the solution you'd like
-
-A clear and concise description of what you want to happen.
-
-### Describe alternatives you've considered
-
-A clear and concise description of any alternative solutions or features you've considered.
-
-### Additional context
-
-Add any other context or screenshots about the feature request here.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
deleted file mode 100644
index e869fe513..000000000
--- a/.github/pull_request_template.md
+++ /dev/null
@@ -1,12 +0,0 @@
-### Proposed changes
-
-Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) here in this description (not in the title of the PR).
-
-### Checklist
-
-Before creating a PR, run through this checklist and mark each as complete:
-- [ ] I have read the [`CONTRIBUTING`](https://github.com/nginxinc/docker-nginx/blob/master/CONTRIBUTING.md) document
-- [ ] I have run `./update.sh` and ensured all entrypoint/Dockerfile template changes have been applied to the relevant image entrypoint scripts & Dockerfiles
-- [ ] If applicable, I have added tests that prove my fix is effective or that my feature works
-- [ ] If applicable, I have checked that any relevant tests pass after adding my changes
-- [ ] I have updated any relevant documentation
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 30eccf55b..000000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: GitHub CI
-
-on:
- pull_request:
- push:
- schedule:
- - cron: 0 10 * * Mon
-
-defaults:
- run:
- shell: 'bash -Eeuo pipefail -x {0}'
-
-jobs:
-
- generate-jobs:
- name: Generate Jobs
- runs-on: ubuntu-latest
- outputs:
- strategy: ${{ steps.generate-jobs.outputs.strategy }}
- steps:
- - uses: actions/checkout@v3
- - uses: docker-library/bashbrew@v0.1.8
- - id: generate-jobs
- name: Generate Jobs
- run: |
- strategy="$(GITHUB_REPOSITORY=nginx "$BASHBREW_SCRIPTS/github-actions/generate.sh")"
- strategy="$(GITHUB_REPOSITORY=nginx "$BASHBREW_SCRIPTS/github-actions/munge-i386.sh" -c <<<"$strategy")"
- echo "strategy=$strategy" >> "$GITHUB_OUTPUT"
- jq . <<<"$strategy" # sanity check / debugging aid
-
- test:
- needs: generate-jobs
- strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
- name: ${{ matrix.name }}
- runs-on: ${{ matrix.os }}
- steps:
- - uses: actions/checkout@v3
- - name: Prepare Environment
- run: ${{ matrix.runs.prepare }}
- - name: Pull Dependencies
- run: ${{ matrix.runs.pull }}
- - name: Build ${{ matrix.name }}
- run: ${{ matrix.runs.build }}
- - name: History ${{ matrix.name }}
- run: ${{ matrix.runs.history }}
- - name: Test ${{ matrix.name }}
- run: ${{ matrix.runs.test }}
- - name: '"docker images"'
- run: ${{ matrix.runs.images }}
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 000000000..e6fbece78
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,102 @@
+name: Build Nginx Slim on Alpine
+
+on:
+ push:
+ branches: [ "master" ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Debug Variable Values
+ run: |
+ echo "IMAGE_TAG=${{ secrets.IMAGE_TAG }}"
+ echo "REPOSITORY=${{ secrets.ECR_REPOSITORY }}"
+ echo "REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com"
+
+ - name: Build and Push Docker Image
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ IMAGE_TAG: "1.26.2_3.20.2"
+ ECR_REPOSITORY: "mdaca/base-images/ironbank-alpine-nginx"
+ run: |
+ # Configure AWS credentials
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Log in to ECR
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
+
+ # Build Docker image
+ docker build -f stable/alpine-slim/Dockerfile -t $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG .
+
+ # Push Docker image to ECR
+ docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+
+ security:
+ runs-on: ubuntu-latest
+ needs: build
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+
+ - name: Download Docker Image from ECR
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ # Set ENV for AW Cred
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set default.region $AWS_REGION
+
+ # Get token from ECR and Docker login
+ aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
+
+ # Download docker image for scanning purposes
+ docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+ docker images
+ - name: Install Trivy
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
+ - name: Scan Docker Image with Trivy
+ env:
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ trivy image --exit-code 1 --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+
+ - name: Install Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
+
+ - name: Generate SBOM with Syft
+ env:
+ AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ IMAGE_TAG: 1.26.2_3.20.2
+ ECR_REPOSITORY: mdaca/base-images/ironbank-alpine-nginx
+ run: |
+ syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
+ syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > alpine-nginx-sbom.tf
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v4
+ with:
+ name: sbom
+ path: alpine-nginx-sbom.tf
diff --git a/stable/alpine-slim/Dockerfile b/stable/alpine-slim/Dockerfile
index d1d3d8a65..081d2a365 100644
--- a/stable/alpine-slim/Dockerfile
+++ b/stable/alpine-slim/Dockerfile
@@ -3,7 +3,11 @@
 #
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
-FROM alpine:3.20
+
+ARG BASE_REGISTRY=201959883603.dkr.ecr.us-east-2.amazonaws.com
+ARG BASE_IMAGE=mdaca/base-images/ironbank-alpine
+ARG BASE_TAG=3.20.2
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 
 LABEL maintainer="NGINX Docker Maintainers "
 
@@ -107,17 +111,21 @@ RUN set -x \
 && ln -sf /dev/stdout /var/log/nginx/access.log \
 && ln -sf /dev/stderr /var/log/nginx/error.log \
 # create a docker-entrypoint.d directory
- && mkdir /docker-entrypoint.d
+ && mkdir /docker-entrypoint.d \
+ && chown -R nginx:nginx /var/cache/nginx /etc/nginx /usr/share/nginx /run /var/log/nginx || true
+
+COPY --chown=nginx:nginx stable/alpine-slim/docker-entrypoint.sh /
+COPY --chown=nginx:nginx stable/alpine-slim/10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
+COPY --chown=nginx:nginx stable/alpine-slim/15-local-resolvers.envsh /docker-entrypoint.d
+COPY --chown=nginx:nginx stable/alpine-slim/20-envsubst-on-templates.sh /docker-entrypoint.d
+COPY --chown=nginx:nginx stable/alpine-slim/30-tune-worker-processes.sh /docker-entrypoint.d
+
+USER nginx
 
-COPY docker-entrypoint.sh /
-COPY 10-listen-on-ipv6-by-default.sh /docker-entrypoint.d
-COPY 15-local-resolvers.envsh /docker-entrypoint.d
-COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
-COPY 30-tune-worker-processes.sh /docker-entrypoint.d
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 80
-
+EXPOSE 8080
 STOPSIGNAL SIGQUIT
 
 CMD ["nginx", "-g", "daemon off;"]
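Review bot: The Trivy gate in the `security` job runs only after `build` has already executed `docker push`, so `--exit-code 1` fails the workflow but cannot keep a HIGH/CRITICAL-vulnerable tag out of ECR; scan the locally built tag in `build` before the `docker push` line, or push from a job that `needs: security`. Both jobs also persist long-lived static keys on the runner via `aws configure set`, and the workflow declares no `permissions:` block — prefer short-lived credentials from `aws-actions/configure-aws-credentials` with `permissions: { id-token: write, contents: read }` at the top of the file. The `Debug Variable Values` step echoes `${{ secrets.IMAGE_TAG }}` and `${{ secrets.ECR_REPOSITORY }}` into the job log although the build step below hard-codes both values, and it expands `$AWS_ACCOUNT_ID` without an `env:` on that step, so the registry line prints an empty account id; drop the step rather than rely on log masking. The Trivy and Syft installers are fetched from each project's `main` branch and piped to `sudo sh`, and `actions/checkout` is `@v4` in one job and `@v3` in the other — pin every action and installer to a released version (or commit SHA) so the scanner is not itself an unpinned supply-chain input. Finally, `syft … > alpine-nginx-sbom.tf` captures the default human-readable table under a Terraform-style extension; use `-o spdx-json` (or `-o cyclonedx-json`) with a matching filename so the uploaded artifact is a consumable SBOM.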
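Review bot: `FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}` resolves a mutable tag in a private ECR registry whose account id is committed as the `BASE_REGISTRY` default, so a retagged base silently changes every rebuild; pin the base by digest (`FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}@sha256:<digest-placeholder>`) and supply the registry from the workflow with `--build-arg BASE_REGISTRY=…` instead of a hard-coded default. The retained header still reads `PLEASE DO NOT EDIT IT DIRECTLY`; if this file is still produced by the repository's update script, this edit belongs in the template or the next regeneration will revert it.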
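Review bot: `&& chown -R nginx:nginx … || true` swallows a failed ownership change, so the image still builds with `USER nginx` and only fails at runtime when the entrypoint writes under `/etc/nginx` or nginx opens `/var/cache/nginx`; drop `|| true` and list only the paths the non-root process must write. Giving the runtime user ownership of all of `/etc/nginx` and `/usr/share/nginx` also lets a compromised worker rewrite its own configuration and served content — the usual unprivileged layout keeps those root-owned and grants nginx only `/etc/nginx/conf.d` (for the envsubst output), `/var/cache/nginx`, `/var/log/nginx` and the pid/run directory. `EXPOSE 8080` is added next to the retained `EXPOSE 80`, but nothing in this hunk changes the listen port, and as non-root nginx cannot bind 80 on platforms that keep the privileged-port sysctl (Kubernetes by default) — confirm the config listens on 8080 and drop `EXPOSE 80` if so. The `COPY --chown` sources are now `stable/alpine-slim/…`, which ties the build to a repository-root context (matching the workflow's `-f stable/alpine-slim/Dockerfile .`) and breaks a `docker build stable/alpine-slim` invocation; a comment above the first COPY should say so. The RUN instruction this hunk edits starts before the hunk.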