Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add musl images #10

Merged
merged 17 commits into from
Nov 19, 2024
Merged

Add musl images #10

merged 17 commits into from
Nov 19, 2024

Conversation

lloeki
Copy link
Member

@lloeki lloeki commented Nov 14, 2024

  • musl is "slim" compilerless
  • gcc and clang add build elements with respective compilers to the above

Also:

  • adds convenience Docker rake tasks
  • fixes the glibc Ruby 3.4 FROM

Test with:

# build everything
bundle exec rake docker:build[**:*]

# build only musl
bundle exec rake docker:build[engines/*:*-musl*]

# build only ruby 3.4
bundle exec rake docker:build[engines/ruby:3.4]

# test e.g ruby 3.3
bundle exec rake docker:cmd[engines/ruby:3.3-musl]
bundle exec rake docker:shell[engines/ruby:3.3-musl]
bundle exec rake docker:run[engines/ruby:3.3-musl]

Base automatically changed from lloeki/use-nix-flake to main November 14, 2024 10:01
@lloeki lloeki force-pushed the lloeki/add-musl-images branch from fdb85b5 to 06fc075 Compare November 14, 2024 11:31
echo "TAG=${{ matrix.version }}-${{ matrix.libc }}" >> $GITHUB_OUTPUT
echo "DOCKERFILE=src/engines/${{ matrix.engine }}/${{ matrix.version }}/Dockerfile.${{ matrix.libc }}" >> $GITHUB_OUTPUT
- name: Checkout
uses: actions/checkout@v4

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

@lloeki lloeki force-pushed the lloeki/add-musl-images branch 6 times, most recently from a1ad5a2 to a204140 Compare November 14, 2024 13:30
Copy link
Contributor

@sarahchen6 sarahchen6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@lloeki lloeki force-pushed the lloeki/add-musl-images branch from a204140 to 46007e8 Compare November 14, 2024 14:30
@lloeki lloeki requested a review from a team as a code owner November 14, 2024 14:30
@lloeki lloeki force-pushed the lloeki/add-musl-images branch 2 times, most recently from 3f1feb9 to 031627d Compare November 14, 2024 14:45
@lloeki lloeki force-pushed the lloeki/add-musl-images branch from 031627d to 799df17 Compare November 14, 2024 14:48
@lloeki lloeki force-pushed the lloeki/add-musl-images branch from 34dcb64 to 19fa5f7 Compare November 14, 2024 16:24
docker-container does not see local images and always fetches from
remote
@lloeki lloeki force-pushed the lloeki/add-musl-images branch from 1f8b5b0 to 2f7b4b9 Compare November 15, 2024 08:32
steps:
- name: Set up Docker
uses: crazy-max/ghaction-setup-docker@v3

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

@lloeki lloeki merged commit fd24f1b into main Nov 19, 2024
31 checks passed
@lloeki lloeki deleted the lloeki/add-musl-images branch November 19, 2024 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants