ci: add docker build pipeline

Signed-off-by: rare-magma <[email protected]>
rare-magma · Aug 4, 2024 · bc002d5 · bc002d5
1 parent a249638
commit bc002d5
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 7 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,9 @@
+.github/
+*.conf
+*.png
+*.json
+*.service
+*.timer
+*.yml
+Makefile
+*.md
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,46 @@
+name: Create and publish a container image
+
+on:
+  push:
+    branches: main
+  schedule:
+    - cron: "2 02 4 * *"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
@@ -2,6 +2,7 @@ FROM docker.io/library/alpine:latest
 ENV RUNNING_IN_DOCKER=true
 ENTRYPOINT ["/bin/bash"]
 CMD ["/app/cloudflare_exporter.sh"]
+COPY cloudflare_exporter.sh /app/cloudflare_exporter.sh
 RUN addgroup -g 10001 user \
     && adduser -H -D -u 10000 -G user user
 RUN apk add --quiet --no-cache bash coreutils curl jq

diff --git a/README.md b/README.md
@@ -49,8 +49,8 @@ Bash script that uploads the Cloudflare Analytics API data to influxdb on an hou
 1. Run it.
 
    ```bash
-   docker run --rm --init --tty --interactive --volume $(pwd):/app localhost/cloudflare-exporter
-   ```
+    docker run --rm --init --tty --interactive --read-only --cap-drop ALL --security-opt no-new-privileges:true --cpus 2 -m 64m --pids-limit 16 --volume ./cloudflare_exporter.conf:/app/cloudflare_exporter.conf:ro --volume ./cloudflare_zone_list.json:/app/cloudflare_zone_list.json:ro ghcr.io/rare-magma/cloudflare-exporter:latest
+    ```
 
 ### With the Makefile
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,18 @@
 version: "3"
 services:
   scheduler:
-    image: ghcr.io/reddec/compose-scheduler:1.0.1
+    image: ghcr.io/reddec/compose-scheduler:1.1.0
+    read_only: true
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: "2"
+          memory: 250m
+          pids: 1024
     privileged: true
     restart: unless-stopped
     volumes:
@@ -10,10 +21,19 @@ services:
   cloudflare-exporter:
     image: cloudflare-exporter:latest
     init: true
-    build:
-      context: .
-      dockerfile: ./Dockerfile
+    read_only: true
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
+    deploy:
+      resources:
+        limits:
+          cpus: "2"
+          memory: 64m
+          pids: 16
     volumes:
-      - ./:/app:z
+      - ./cloudflare_exporter.conf:/app/cloudflare_exporter.conf:ro
+      - ./cloudflare_zone_list.json:/app/cloudflare_zone_list.json:ro
     labels:
       net.reddec.scheduler.cron: "5 * * * *"