
[ADD] Secrets
az-adhoc committed Jan 13, 2025
1 parent 68985e6 commit 4c2bf16
Showing 2 changed files with 43 additions and 28 deletions.
37 changes: 20 additions & 17 deletions .github/workflows/build.yaml
Expand Up @@ -3,11 +3,12 @@ name: build
on:
workflow_dispatch:
inputs:
# TODO: skip geoIP check
odoo_target:
description: "Odoo Version"
required: true
type: choice
options:
options:
- "18.0"
default: "18.0"
odoo_build_force:
Expand Down Expand Up @@ -44,7 +45,7 @@ jobs:
steps:
- name: Check if GeoIP has any update
id: get-last-modified
run: |
run: |
MAXMIND_UPDATE=$(curl -I -sL -u ${MAXMIND_LICENSE_USR}:${MAXMIND_LICENSE_KEY} 'https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz' | grep -i 'Last-Modified')
MAXMIND_UPDATE=${MAXMIND_UPDATE#*: }
MAXMIND_UPDATE=$(date -d "$MAXMIND_UPDATE" +"%Y%m%d%H%M%S")
Expand Down Expand Up @@ -92,18 +93,20 @@ jobs:
cache-to: type=gha,mode=max
context: .
push: true
build-args: |
MAXMIND_LICENSE_USER=${{ secrets.MAXMIND_LICENSE_USR }}
secrets: |
MAXMIND_LICENSE_USR=${{ secrets.MAXMIND_LICENSE_USR }}
MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }}
MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
ODOO_VERSION=${{ env.ODOO_TARGET }}
ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}.${{ env.ODOO_BUILD }}
# SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
# SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
# GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
build-args: |
SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
ODOO_VERSION=${{ env.ODOO_TARGET }}
ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}.${{ env.ODOO_BUILD }}
ODOO_BY_ADHOC_BUILD=${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}.${{ env.ODOO_BY_ADHOC_BUILD }}
# Force to recreate this layer (this is no longer needed due the ODOO_BY_ADHOC_BUILD)
# no-cache-filters: aggregate-source
target: dev
tags: |
docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next.${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}.dev
Expand All @@ -117,22 +120,22 @@ jobs:
cache-to: type=gha,mode=max
context: .
push: true
build-args: |
MAXMIND_LICENSE_USER=${{ secrets.MAXMIND_LICENSE_USR }}
secrets: |
MAXMIND_LICENSE_USR=${{ secrets.MAXMIND_LICENSE_USR }}
MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }}
MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
ODOO_VERSION=${{ env.ODOO_TARGET }}
ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}
# SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
# SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
# GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
build-args: |
SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
ODOO_VERSION=${{ env.ODOO_TARGET }}
ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}.${{ env.ODOO_BUILD }}
ODOO_BY_ADHOC_BUILD=${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}.${{ env.ODOO_BY_ADHOC_BUILD }}
target: prod
tags: |
docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next.${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}
docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next.${{ steps.get-odoo-adhoc-build.outputs.date }}
docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next
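Review bot: SAAS_PROVIDER_URL, SAAS_PROVIDER_TOKEN and GITHUB_BOT_TOKEN are still passed under `build-args:` in both the dev and prod build steps, while only the MaxMind pair was moved to `secrets:`. Build-arg values are recorded in the history of the stage that declares them, and with `cache-to: type=gha,mode=max` the intermediate stages are exported to the Actions cache, so the tokens end up in the cache and in `docker history` of the `aggregate-source` stage instead of living only in the build process. The Dockerfile already carries the matching `--mount=type=secret,id=SAAS_PROVIDER_TOKEN,...` lines (commented out), so the workflow side can be switched now: move `SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}` and `GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}` under `secrets:` in both steps and leave only MAXMIND_UPDATE, ODOO_VERSION, ODOO_BUILD and ODOO_BY_ADHOC_BUILD under `build-args:`. The enclosing job steps begin outside the hunk.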
34 changes: 23 additions & 11 deletions Dockerfile
@@ -1,17 +1,16 @@
# GeoIP db from MaxMind (need to be refreshed TODO: refresh ¿on update/daily?)
# GeoIP db from MaxMind
FROM debian:12-slim AS geo-ip
ARG MAXMIND_LICENSE_KEY=default \
MAXMIND_LICENSE_USR=1011117 \
MAXMIND_UPDATE=default
RUN mkdir -p /GeoIP \
ARG MAXMIND_UPDATE=default
RUN --mount=type=secret,id=MAXMIND_LICENSE_KEY,env=MAXMIND_LICENSE_KEY \
--mount=type=secret,id=MAXMIND_LICENSE_USR,env=MAXMIND_LICENSE_USR \
mkdir -p /GeoIP \
&& cd /GeoIP \
&& apt-get -qq update \
&& apt-get install -yqq --no-install-recommends curl ca-certificates \
&& curl -L -u ${MAXMIND_LICENSE_USR}:${MAXMIND_LICENSE_KEY} "https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz" -o /GeoIP/GeoLite2-City.tar.gz \
&& tar -xzf /GeoIP/GeoLite2-City.tar.gz -C /GeoIP \
&& find /GeoIP/GeoLite2-City_* | grep "GeoLite2-City.mmdb" | xargs -I{} mv {} /GeoIP \
&& rm /GeoIP/GeoLite2-City.tar.gz \
&& chown -R $ODOO_USER:$ODOO_USER /GeoIP \
&& apt-get purge -yqq curl ca-certificates \
&& rm -Rf /var/lib/apt/lists/* /tmp/*

Expand Down Expand Up @@ -180,9 +179,7 @@ USER odoo
## ---------------------------------------------------------------- SO

FROM os-base AS os-base-updated
ARG ODOO_BY_ADHOC_MINOR_VERSION="" \
ODOO_BY_ADHOC_BUILD=0
ENV ODOO_BY_ADHOC_MINOR_VERSION="$ODOO_BY_ADHOC_MINOR_VERSION"
ARG ODOO_BY_ADHOC_BUILD=0
USER root
RUN export NEEDRESTART_MODE=a \
&& export DEBIAN_FRONTEND=noninteractive \
Expand All @@ -198,10 +195,17 @@ RUN export NEEDRESTART_MODE=a \
USER $ODOO_USER

FROM os-base-updated AS aggregate-source
ARG DOCKER_IMAGE="adhoc/odoo-adhoc"
# TODO: Change this when gitagrregate on entry point is disabled
ARG SAAS_PROVIDER_TOKEN=default \

Check warning on line 200 in Dockerfile

View workflow job for this annotation

GitHub Actions / Build

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "SAAS_PROVIDER_TOKEN") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 200 in Dockerfile

View workflow job for this annotation

GitHub Actions / Build

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "GITHUB_BOT_TOKEN") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

SAAS_PROVIDER_URL="" \
DOCKER_IMAGE="adhoc/odoo-adhoc" \
GITHUB_BOT_TOKEN=""
ENV SAAS_PROVIDER_TOKEN=$SAAS_PROVIDER_TOKEN \

Check warning on line 203 in Dockerfile

View workflow job for this annotation

GitHub Actions / Build

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "SAAS_PROVIDER_TOKEN") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

Check warning on line 203 in Dockerfile

View workflow job for this annotation

GitHub Actions / Build

Sensitive data should not be used in the ARG or ENV commands

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "GITHUB_BOT_TOKEN") More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/

SAAS_PROVIDER_URL=$SAAS_PROVIDER_URL \
GITHUB_BOT_TOKEN=$GITHUB_BOT_TOKEN
# --mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN \
# --mount=type=secret,id=SAAS_PROVIDER_URL,env=SAAS_PROVIDER_URL \
# --mount=type=secret,id=GITHUB_BOT_TOKEN,env=GITHUB_BOT_TOKEN \
RUN git config --global init.defaultBranch main \
&& git config --global pull.rebase true \
&& git config --global user.name "John Doe" \
Expand All @@ -227,6 +231,10 @@ RUN find $SOURCES \( -path $SOURCES/openupgradelib -o -path $SOURCES/upgrade-uti
FROM os-base-updated AS prod
COPY --from=aggregate-source-without-git --chown=$ODOO_USER:$ODOO_USER $SOURCES $SOURCES
COPY --from=aggregate-source --chown=$ODOO_USER:$ODOO_USER $RESOURCES/saas-odoo_project_repos.yml $RESOURCES/saas-odoo_project_version_repos.yml $RESOURCES
# TODO: Change this when gitagrregate on entry point is disabled
# --mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN \
# --mount=type=secret,id=SAAS_PROVIDER_URL,env=SAAS_PROVIDER_URL \
# --mount=type=secret,id=GITHUB_BOT_TOKEN,env=GITHUB_BOT_TOKEN \
RUN pip install --user --no-cache-dir -e $SOURCES/odoo \
&& autoaggregate_pip --config "$RESOURCES/saas-odoo_project_repos.yml" --output "$SOURCES/repositories" \
&& autoaggregate_pip --config "$RESOURCES/saas-odoo_project_version_repos.yml" --output "$SOURCES/repositories" \
Expand All @@ -236,6 +244,10 @@ FROM os-base-updated AS dev
COPY --from=aggregate-source --chown=$ODOO_USER:$ODOO_USER $SOURCES $SOURCES
COPY --from=aggregate-source --chown=$ODOO_USER:$ODOO_USER $RESOURCES/saas-odoo_project_repos.yml $RESOURCES/saas-odoo_project_version_repos.yml $RESOURCES
USER root

# --mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN \
# --mount=type=secret,id=SAAS_PROVIDER_URL,env=SAAS_PROVIDER_URL \
# --mount=type=secret,id=GITHUB_BOT_TOKEN,env=GITHUB_BOT_TOKEN \
RUN --mount=type=bind,src=requirements/tools/dev/dev.packages,dst=/home/odoo/tools.dev.dev.packages \
--mount=type=bind,src=requirements/tools/test/test.packages,dst=/home/odoo/tools.test.test.packages \
--mount=type=bind,src=requirements/tools/test/requirements.txt,dst=/home/odoo/tools.test.requirements.txt \
Expand All @@ -251,5 +263,5 @@ RUN --mount=type=bind,src=requirements/tools/dev/dev.packages,dst=/home/odoo/too
&& su - $ODOO_USER -c "autoaggregate_pip --config \"$RESOURCES/saas-odoo_project_repos.yml\" --output \"$SOURCES/repositories\"" \
&& su - $ODOO_USER -c "autoaggregate_pip --config \"$RESOURCES/saas-odoo_project_version_repos.yml\" --output \"$SOURCES/repositories\"" \
&& rm $RESOURCES/saas-odoo_project_repos.yml $RESOURCES/saas-odoo_project_version_repos.yml \
&& chsh -s /bin/false $ODOO_USER
&& chsh -s /bin/false $ODOO_USER
USER $ODOO_USER
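Review bot: In the `aggregate-source` stage, `ARG SAAS_PROVIDER_TOKEN=default ... GITHUB_BOT_TOKEN=""` followed by `ENV SAAS_PROVIDER_TOKEN=$SAAS_PROVIDER_TOKEN ... GITHUB_BOT_TOKEN=$GITHUB_BOT_TOKEN` writes both tokens into that stage's image config and build history, which is what the SecretsUsedInArgOrEnv checks on lines 200 and 203 report. The `prod` and `dev` stages only `COPY --from=aggregate-source`, so the values do not appear to reach the published image's environment, but they remain in the intermediate layers that the workflow exports to the build cache. The geo-ip stage at the top of the file already shows the intended pattern, and the `--mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN` lines are present but commented out above the `RUN git config` step; enabling them on that RUN (and on any other RUN in the stage that reads these variables) and deleting the ARG/ENV pair closes the gap without waiting for the entrypoint change the TODO mentions, since a token the entrypoint needs at run time is a run-time injection question rather than a reason to keep it in the image. Note that the `env=` option of `--mount=type=secret` needs a Dockerfile frontend that supports it (1.10 or later) and the file has no `# syntax=docker/dockerfile:1` directive on line 1; adding one pins the frontend for both the existing MaxMind mounts and these. The RUN that would carry the mounts continues outside the hunk.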
