mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
Teffen Ellis
9543b3c9f6
* core: add .npmrc baseline to block dependency lifecycle scripts Set ignore-scripts=true at the repo root, plus engine-strict, save-exact, audit, and prefer-offline. This neutralizes the dominant npm supply-chain attack vector — postinstall scripts in transitive dependencies — at the cost of requiring an explicit rebuild for the handful of packages that legitimately need install scripts (esbuild, chromedriver, tree-sitter, tree-sitter-json). The next commit wires that rebuild into the Makefile. Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com> * core: route node installs through make to retire website preinstall hook Make docs-install depend on a new root-node-install so the root deps are guaranteed before the website install runs, removing the need for the website/preinstall lifecycle script. Rebuild the small audited list of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json) after the web install so ignore-scripts=true remains the only path that needs maintenance. web/README documents the new workflow. Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com> * Clean up install scripts. * Track .npmrc in CODEOWNERS * Fix formatter config. Reformat. * Fix mounted references. * Flesh out node scripts. * Bump engines. * Prep containers. * Update makefile. * Flesh out github actions. * Clean up docs container. * lint. Bump. Lint. Bump NPM version. * Add limits. * collapse the composite's three setup-node calls to one cache restore * Add SHA. * Bump NPM range. * Run formatter. * Bump NPM. * Remove extra install. * Fix website deps. * Use local prettier. Fix drift in CI. * ci: build frontend in CI with node_env production Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Install docusaurus config. * Fix linter warning, order. * Add linter commands. * Add timeout. * Remove pre install check. --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
103 lines
3.6 KiB
YAML
103 lines
3.6 KiB
YAML
---
|
|
# Re-usable workflow for a single-architecture build
|
|
name: Reusable - Single-arch Container build
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
image_name:
|
|
required: true
|
|
type: string
|
|
image_arch:
|
|
required: true
|
|
type: string
|
|
runs-on:
|
|
required: true
|
|
type: string
|
|
registry_dockerhub:
|
|
default: false
|
|
type: boolean
|
|
registry_ghcr:
|
|
default: false
|
|
type: boolean
|
|
release:
|
|
default: false
|
|
type: boolean
|
|
outputs:
|
|
image-digest:
|
|
value: ${{ jobs.build.outputs.image-digest }}
|
|
|
|
jobs:
|
|
build:
|
|
name: Build ${{ inputs.image_arch }}
|
|
runs-on: ${{ inputs.runs-on }}
|
|
outputs:
|
|
image-digest: ${{ steps.push.outputs.digest }}
|
|
permissions:
|
|
# Needed to upload container images to ghcr.io
|
|
packages: write
|
|
# Needed for attestation
|
|
id-token: write
|
|
attestations: write
|
|
# Needed for checkout
|
|
contents: read
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
|
|
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
|
|
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
- name: prepare variables
|
|
uses: ./.github/actions/docker-push-variables
|
|
id: ev
|
|
env:
|
|
DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
|
|
with:
|
|
image-name: ${{ inputs.image_name }}
|
|
image-arch: ${{ inputs.image_arch }}
|
|
release: ${{ inputs.release }}
|
|
- name: Login to Docker Hub
|
|
if: ${{ inputs.registry_dockerhub }}
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_CORP_USERNAME }}
|
|
password: ${{ secrets.DOCKER_CORP_PASSWORD }}
|
|
- name: Login to GitHub Container Registry
|
|
if: ${{ inputs.registry_ghcr }}
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- uses: ./.github/actions/setup-node
|
|
with:
|
|
working-directory: web
|
|
dependencies: "monorepo"
|
|
- uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
|
|
with:
|
|
go-version-file: "go.mod"
|
|
- name: Generate API Clients
|
|
run: |
|
|
make gen-client-ts
|
|
- name: Build Docker Image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
id: push
|
|
with:
|
|
context: .
|
|
file: lifecycle/container/Dockerfile
|
|
push: ${{ steps.ev.outputs.shouldPush == 'true' }}
|
|
secrets: |
|
|
GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
|
|
GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
|
|
build-args: |
|
|
${{ steps.ev.outputs.imageBuildArgs }}
|
|
tags: ${{ steps.ev.outputs.imageTags }}
|
|
platforms: linux/${{ inputs.image_arch }}
|
|
cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
|
|
cache-to: ${{ steps.ev.outputs.cacheTo }}
|
|
- uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
|
|
id: attest
|
|
if: ${{ steps.ev.outputs.shouldPush == 'true' }}
|
|
with:
|
|
subject-name: ${{ steps.ev.outputs.attestImageNames }}
|
|
subject-digest: ${{ steps.push.outputs.digest }}
|
|
push-to-registry: true
|