feat: scratch docker image (#15)

* feat: scratch docker image

This moves to a scratch based docker image to reduce image size and
attack surface further.

The new image uses pyinstaller and staticx to compile the python app to
a binary and staticly link it. This binary is copied into a scratch
container and set to run as a non root user

* ci: update docker ci jobs

* ci: remove docker build

we test this with the integration test

Author: andrewthetechie

.github/workflows/release.yml

@@ -52,8 +52,7 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          # we're only using this docker image in gha, so only build a linux/amd64
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#registry-cache
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -82,8 +81,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.THIS_PAT }}
         with:
-          tag_name:  ${{ inputs.version }}
-          release_name:  ${{ inputs.version }}
-          body:  ${{ inputs.releaseNotes }}
+          tag_name: ${{ inputs.version }}
+          release_name: ${{ inputs.version }}
+          body: ${{ inputs.releaseNotes }}
           draft: false
           prerelease: ${{ inputs.prerelease }}

Docker/Dockerfile

@@ -1,47 +1,30 @@
-FROM python:3.11-slim AS python-base
-ADD Docker/builder/rootfs /
-ADD repo_manager /app/repo_manager
-ADD main.py /app/main.py
+FROM python:3.11-slim AS builder
 WORKDIR /app
 
-# We are installing a dependency here directly into our app source dir
-RUN pip install --upgrade pip && \
-    pip install --no-warn-script-location --upgrade virtualenv && \
-    pip install --target=/app -r /requirements.txt
+# install build requirements
+RUN apt-get update && apt-get install -y binutils patchelf upx build-essential scons
+RUN pip install --no-warn-script-location --upgrade virtualenv pip pyinstaller staticx
 
+# copy the app
+COPY Docker/builder/rootfs/requirements.txt ./
+COPY repo_manager ./repo_manager
+COPY main.py ./
 
-# use distroless/cc as the base for our final image
-# lots of python depends on glibc
-FROM gcr.io/distroless/cc-debian11
+## build the app
+# install requirements
+RUN pip install -r requirements.txt
+# pyinstaller package the app
+RUN python -OO -m PyInstaller -F main.py --name repo-manager --hidden-import _cffi_backend
+# static link the repo-manager binary
+RUN cd ./dist && \
+    staticx repo-manager repo-manager-static
+# will be copied over to the scratch container, pyinstaller needs a /tmp to exist
+RUN mkdir /app/tmp
 
-# Copy python from the python-builder
-# this carries more risk than installing it fully, but makes the image a lot smaller
-COPY --from=python-base /usr/local/lib/ /usr/local/lib/
-COPY --from=python-base /usr/local/bin/python /usr/local/bin/python
-COPY --from=python-base /etc/ld.so.cache /etc/ld.so.cache
 
-# Add some common compiled libraries
-# If seeing ImportErrors, check if in the python-base already and copy as below
-# required by lots of packages - e.g. six, numpy, wsgi
-# *-linux-gnu makes this builder work with either linux/arm64 or linux/amd64
-COPY --from=python-base /lib/*-linux-gnu/libz.so.1 /lib/libs/
-COPY --from=python-base /usr/lib/*-linux-gnu/libffi* /lib/libs/
-COPY --from=python-base /lib/*-linux-gnu/libexpat* /lib/libs/
+FROM scratch
 
-# Copy over the app
-COPY --from=python-base /app /app
+ENTRYPOINT ["/repo-manager"]
 
-
-# Add /lib/libs to our path
-ENV LD_LIBRARY_PATH="/lib/libs:${LD_LIBRARY_PATH}" \
-# Add the app path to our path
-    PATH="/app/bin:${PATH}" \
-# Add the app path to your python path
-    PYTHONPATH="/app:${PYTHONPATH}" \
-# standardise on locale, don't generate .pyc, enable tracebacks on seg faults
-    LANG=C.UTF-8 \
-    LC_ALL=C.UTF-8 \
-    PYTHONDONTWRITEBYTECODE=1 \
-    PYTHONFAULTHANDLER=1
-
-CMD ["python", "/app/main.py"]
+COPY --from=builder /app/dist/repo-manager-static /repo-manager
+COPY --from=builder /app/tmp /tmp

Makefile

@@ -21,7 +21,7 @@ setup-pre-commit:
 	pre-commit install
 
 build: ## build a docker image locally
-	docker build --platform linux/amd64 -t gha-repo-manager -f Docker/Dockerfile .
+	docker build -t gha-repo-manager -f Docker/Dockerfile .
 
 generate-inputs: ## Generate a dict of inputs from actions.yml into repo_manager/utils/__init__.py
 	./.github/scripts/replace_inputs.sh