-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 6726c10
Showing
12 changed files
with
765 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,231 @@ | ||
name: main | ||
|
||
on: | ||
schedule: | ||
# update the pointers once a week | ||
# https://crontab.guru/once-a-week | ||
- cron: "0 0 * * 0" | ||
push: | ||
branches: main | ||
|
||
jobs: | ||
docker: | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
repository: | ||
- 'ghcr.io' | ||
# - 'docker.io' | ||
python: | ||
- '3.12' | ||
# - '3.11' | ||
# - '3.10' | ||
# - '3.9' | ||
# - '3.8' | ||
alpine: | ||
- '3.20' | ||
os: | ||
- 'ubuntu-latest' | ||
|
||
runs-on: ${{ matrix.os }} | ||
permissions: | ||
packages: write | ||
|
||
steps: | ||
- | ||
name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- | ||
name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
- | ||
name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
- | ||
id: image_env | ||
run: | | ||
. ./env.sh \ | ||
'${{ matrix.alpine }}' \ | ||
'${{ matrix.python }}' \ | ||
'${{ github.repository_owner }}' \ | ||
'${{ matrix.repository }}' | ||
docker pull "${SOURCE_IMAGE}" | ||
echo ALPINE_VERSION="${ALPINE_VERSION}" >> "$GITHUB_OUTPUT" | ||
echo PYTHON_VERSION="${PYTHON_VERSION}" >> "$GITHUB_OUTPUT" | ||
echo SOURCE_IMAGE="${SOURCE_IMAGE}" >> "$GITHUB_OUTPUT" | ||
echo IMAGE_TAG="${IMAGE_TAG}" >> "$GITHUB_OUTPUT" | ||
echo REPOSITORY="${REPOSITORY}" >> "$GITHUB_OUTPUT" | ||
echo BASE_IMAGE_DIGEST="$(digest_of "$SOURCE_IMAGE")" >> "$GITHUB_OUTPUT" | ||
echo 'IMAGE_DESCRIPTION=${{ github.event.repository.description }}. See ${{ github.server_url }}/${{ github.repository }} for more info.' >> "$GITHUB_OUTPUT" | ||
- | ||
name: Buildroot | ||
uses: docker/build-push-action@v6 | ||
with: | ||
platforms: | | ||
linux/amd64 | ||
linux/arm64 | ||
context: "." | ||
file: Dockerfile.alpine | ||
target: buildroot | ||
cache-from: | | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | ||
type=registry,ref=${{ steps.image_env.outputs.SOURCE_IMAGE }}@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
build-args: | | ||
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | ||
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | ||
BUILD_ROOT=/d | ||
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot" | ||
- | ||
name: distroless | ||
uses: docker/build-push-action@v6 | ||
with: | ||
platforms: | | ||
linux/amd64 | ||
linux/arm64 | ||
context: "." | ||
file: Dockerfile.alpine | ||
# target: distroless-python | ||
cache-from: | | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | ||
type=registry,ref=${{ steps.image_env.outputs.SOURCE_IMAGE }}@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
build-args: | | ||
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | ||
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | ||
BUILD_ROOT=/d | ||
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}" | ||
- | ||
name: distroless-tests | ||
uses: docker/build-push-action@v6 | ||
with: | ||
context: "examples/simple-flask" | ||
platforms: linux/amd64 | ||
load: true | ||
cache-from: | | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | ||
type=registry,ref=${{ steps.image_env.outputs.SOURCE_IMAGE }}@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
build-args: | | ||
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | ||
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | ||
BUILD_ROOT=/d | ||
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-example1-amd64" | ||
|
||
- | ||
run: | | ||
id=$(docker run --platform=linux/amd64 -p8080:8080 --rm -d ${{ steps.image_env.outputs.IMAGE_TAG }}-example1-amd64) | ||
while ! nc -z localhost 8080; do | ||
sleep 0.1 # wait for 1/10 of the second before check again | ||
done | ||
curl --fail-with-body 'http://localhost:8080' | ||
echo "${{ matr}}" | ||
docker stop $id | ||
- | ||
name: Login to GitHub Container Registry | ||
if: ${{ matrix.repository == 'ghcr.io' }} | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: 'ghcr.io' | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- | ||
name: Login to DockerHub | ||
if: ${{ matrix.repository == 'docker.io' }} | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: 'docker.io' | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- | ||
name: Upload Buildroot | ||
uses: docker/build-push-action@v6 | ||
with: | ||
push: true | ||
platforms: | | ||
linux/amd64 | ||
linux/arm64 | ||
context: "." | ||
file: Dockerfile.alpine | ||
target: buildroot | ||
cache-from: | | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | ||
type=registry,ref=${{ steps.image_env.outputs.SOURCE_IMAGE }}@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
build-args: | | ||
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | ||
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | ||
BUILD_ROOT=/d | ||
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot" | ||
- | ||
name: Upload | ||
uses: docker/build-push-action@v6 | ||
env: | ||
SOURCE_DATE_EPOCH: 0 | ||
with: | ||
push: true | ||
context: "." | ||
platforms: | | ||
linux/amd64 | ||
linux/arm64 | ||
file: Dockerfile.alpine | ||
cache-from: | | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | ||
type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | ||
type=registry,ref=${{ steps.image_env.outputs.SOURCE_IMAGE }}@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
build-args: | | ||
ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | ||
SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | ||
BUILD_ROOT=/d | ||
tags: "${{ steps.image_env.outputs.IMAGE_TAG }}" | ||
labels: ${{steps.image_env.outputs.IMAGE_LABELS}} | ||
sbom: true | ||
annotations: | | ||
index,manifest:org.opencontainers.image.authors=distroless-python image developers <[email protected]> | ||
index,manifest:org.opencontainers.image.source=https://github.com/autumnjolitz/distroless-python | ||
index,manifest:org.opencontainers.image.title=distroless-python${{ steps.image_env.outputs.PYTHON_VERSION }}-alpine${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
index,manifest:org.opencontainers.image.description=${{ steps.image_env.outputs.IMAGE_DESCRIPTION }} | ||
index,manifest:org.opencontainers.image.base.digest=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | ||
index,manifest:org.opencontainers.image.base.name=${{ steps.image_env.outputs.SOURCE_IMAGE }} | ||
index,manifest:distroless.python-version=${{ steps.image_env.outputs.PYTHON_VERSION }} | ||
index,manifest:distroless.alpine-version=${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
index,manifest:distroless.base-image=alpine${{ steps.image_env.outputs.ALPINE_VERSION }} | ||
update-dockerhub-desc: | ||
needs: [docker] | ||
runs-on: "ubuntu-latest" | ||
steps: | ||
- | ||
name: Checkout | ||
uses: actions/checkout@v4 | ||
- | ||
name: Convert README.rst to markdown | ||
uses: docker://pandoc/core:2.9 | ||
with: | ||
args: >- | ||
-s | ||
--wrap=none | ||
-t gfm | ||
-o README.md | ||
README.rst | ||
- name: Update repo description | ||
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0 | ||
with: | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
short-description: ${{ github.event.repository.description }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
*.egg-info/ | ||
.idea/* | ||
*.idx | ||
*.sublime-* | ||
*.pyc | ||
dist/ | ||
.cache/ | ||
*.dat | ||
.DS_Store | ||
python/ | ||
.pytest_cache/ | ||
build/* | ||
.pytype/* | ||
instruct/about.py | ||
python*/ | ||
.coverage |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
repos: | ||
- | ||
repo: https://github.com/pre-commit/pre-commit-hooks | ||
rev: v4.5.0 | ||
hooks: | ||
- | ||
id: check-ast | ||
- | ||
id: check-case-conflict | ||
- | ||
id: check-executables-have-shebangs | ||
- | ||
id: check-merge-conflict | ||
- | ||
id: check-yaml | ||
- | ||
id: end-of-file-fixer | ||
- | ||
id: check-shebang-scripts-are-executable | ||
- | ||
id: detect-private-key | ||
- | ||
id: trailing-whitespace | ||
args: | ||
- '--markdown-linebreak-ext=rst' | ||
- | ||
repo: https://github.com/python/black | ||
rev: '23.11.0' | ||
hooks: | ||
- | ||
id: black | ||
language_version: python3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
#syntax=docker/dockerfile:1 | ||
|
||
ARG ALPINE_VERSION=3.20 | ||
ARG PYTHON_VERSION=3.12 | ||
ARG SOURCE_IMAGE=docker.io/python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} | ||
ARG BASE_IMAGE_DIGEST | ||
|
||
FROM --platform=$BUILDPLATFORM $SOURCE_IMAGE@${BASE_IMAGE_DIGEST} AS buildroot | ||
ARG PYTHON_VERSION=3.12 | ||
|
||
ARG BUILD_ROOT='/dest' | ||
ARG CACHE_ROOT='/cache' | ||
ENV BUILD_ROOT=$BUILD_ROOT \ | ||
CACHE_ROOT=$CACHE_ROOT \ | ||
PYTHON_VERSION=$PYTHON_VERSION \ | ||
_sys_apk_add="/usr/bin/env apk add --no-cache" \ | ||
_apk_add="/usr/bin/env apk add --root $BUILD_ROOT --no-cache" \ | ||
_apk_del="/usr/bin/env apk del --root $BUILD_ROOT --purge" \ | ||
_sh="chroot $BUILD_ROOT sh" \ | ||
_ln="chroot $BUILD_ROOT ln" \ | ||
_chroot="chroot $BUILD_ROOT" | ||
|
||
RUN set -eu ; \ | ||
python -m pip install -U pip setuptools ; \ | ||
# Add to buildroot: | ||
$_sys_apk_add \ | ||
# dash is used as a /bin/sh replacement | ||
dash \ | ||
# TLS certs | ||
ca-certificates \ | ||
# zip is used to take all the bytecode compiled standard | ||
# library and create a pythonXY.zip file that will | ||
# be imported from. This makes the stdlib immutable. | ||
zip \ | ||
; \ | ||
# remove all ``__pycache__`` directories | ||
find /usr/local/lib/python$PYTHON_VERSION -type d -name '__pycache__' -print0 | xargs -0 rm -rf ; \ | ||
# compile all py to an adjacent pyc and remove the original, leaving only the bytecode | ||
python -m compileall -b /usr/local/lib/python$PYTHON_VERSION ; \ | ||
find -type f -name '*.py' -exec sh -c "[ -f \"{}c\" ] && echo 'Removing \"{}\"' && rm -f \"{}\"" \; ;\ | ||
# make the new root: | ||
mkdir -p \ | ||
$CACHE_ROOT/ \ | ||
$BUILD_ROOT/etc \ | ||
$BUILD_ROOT/bin \ | ||
$BUILD_ROOT/usr/local/lib/python$PYTHON_VERSION/site-packages \ | ||
$BUILD_ROOT/usr/local/bin \ | ||
; \ | ||
# use a symlink to hold the apk related confs | ||
ln -s /etc/apk $BUILD_ROOT/etc/apk ; \ | ||
$_apk_add --initdb ; \ | ||
$_apk_add \ | ||
alpine-baselayout-data \ | ||
alpine-release \ | ||
musl \ | ||
libffi \ | ||
# needed for update-ca-certificates to work: | ||
run-parts \ | ||
# install the runtime dependencies for python | ||
$(apk info -R .python-rundeps | grep -vE ':$') \ | ||
; \ | ||
cp -p /bin/busybox $BUILD_ROOT/bin/busybox ; \ | ||
ls -lt $BUILD_ROOT/bin/busybox ; \ | ||
chroot $BUILD_ROOT /bin/busybox ln -sf /bin/busybox /bin/ln ; \ | ||
# copy dash into the container so we can use it as the default bin/sh | ||
tar -C / -cpf - $(\ | ||
apk info -L \ | ||
dash \ | ||
ca-certificates \ | ||
| grep -vE ':$' \ | ||
) | tar -C $BUILD_ROOT -xpf - ; \ | ||
$_ln -sf /usr/bin/dash /bin/sh ; \ | ||
(\ | ||
cd /usr/local/lib && \ | ||
tar -C /usr/local/lib -cpf - python$PYTHON_VERSION/lib-dynload libpython* | tar -C $BUILD_ROOT/usr/local/lib -xpf - ; \ | ||
tar -C /usr/local/bin -cpf - python* | tar -C $BUILD_ROOT/usr/local/bin -xpf -; \ | ||
(cd python$PYTHON_VERSION && zip -9 -X $BUILD_ROOT/usr/local/lib/python$(echo $PYTHON_VERSION | tr -d '.').zip $(\ | ||
find . | grep -vE "(__pycache__|^\./(test|site-packages|lib-dynload|idlelib|lib2to3|tkinter|turtle|ensurepip|pydoc))" \ | ||
)); \ | ||
cp -p python$PYTHON_VERSION/os.pyc $BUILD_ROOT/usr/local/lib/python$PYTHON_VERSION/os.pyc ; \ | ||
touch $BUILD_ROOT/usr/local/lib/python$PYTHON_VERSION/ensurepip.py ; \ | ||
rm $BUILD_ROOT/usr/local/lib/python$PYTHON_VERSION/lib-dynload/_tkinter* ; \ | ||
) && \ | ||
$_ln -sf /usr/local/bin/python$PYTHON_VERSION /usr/local/bin/python3 && \ | ||
$_ln -sf /usr/local/bin/python$PYTHON_VERSION /usr/local/bin/python && \ | ||
tar -C "$BUILD_ROOT" -cpf - etc/apk bin/ln bin/busybox var/cache/apk usr/share/apk | tar -C "$CACHE_ROOT" -xpf - ; \ | ||
rm -rf $BUILD_ROOT/bin/ln $BUILD_ROOT/bin/busybox $BUILD_ROOT/etc/apk $BUILD_ROOT/var/cache/apk /usr/share/apk && \ | ||
# regenerate the ca-certs! | ||
chroot $BUILD_ROOT update-ca-certificates | ||
|
||
|
||
FROM scratch AS distroless-python | ||
ARG ALPINE_VERSION=3.20 | ||
ARG PYTHON_VERSION=3.12 | ||
ARG SOURCE_IMAGE=docker.io/python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} | ||
ARG BASE_IMAGE_DIGEST | ||
ARG BUILD_ROOT='/dest' | ||
ENV BUILD_ROOT=$BUILD_ROOT \ | ||
PYTHON_VERSION=$PYTHON_VERSION \ | ||
ALPINE_VERSION=$ALPINE_VERSION | ||
|
||
COPY --from=buildroot $BUILD_ROOT / | ||
LABEL \ | ||
org.opencontainers.image.authors="distroless-python image developers <[email protected]>" \ | ||
org.opencontainers.image.source="https://github.com/autumnjolitz/distroless-python" \ | ||
org.opencontainers.image.title="Distroless Python ${PYTHON_VERSION} on alpine${ALPINE_VERSION}" \ | ||
org.opencontainers.image.description="Distroless, optimized Python images distilled from the DockerHub official Python images. These images only have a python interpreter and the dash shell." \ | ||
org.opencontainers.image.base.digest="${BASE_IMAGE_DIGEST}" \ | ||
org.opencontainers.image.base.name="$SOURCE_IMAGE" \ | ||
distroless.python-version="${PYTHON_VERSION}" \ | ||
distroless.alpine-version="${ALPINE_VERSION}" \ | ||
distroless.base-image="alpine${ALPINE_VERSION}" | ||
|
||
ENTRYPOINT [ "/usr/local/bin/python" ] |
Oops, something went wrong.