From 43a10fc4379eefb437fd030bcde8f3254234d852 Mon Sep 17 00:00:00 2001
From: EttoreM
Date: Sun, 8 Mar 2026 11:44:28 +0000
Subject: [PATCH 1/4] Added dockerfile and workflow to build Docker image with baked-in profiles when releasing new version of Cratey-Validator
---
 .github/workflows/build-with-profiles.yml | 52 +++++++++++++++++++++++
 Dockerfile.profiles | 27 ++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 .github/workflows/build-with-profiles.yml
 create mode 100644 Dockerfile.profiles
diff --git a/.github/workflows/build-with-profiles.yml b/.github/workflows/build-with-profiles.yml
new file mode 100644
index 0000000..16af3e7
--- /dev/null
+++ b/.github/workflows/build-with-profiles.yml
@@ -0,0 +1,52 @@
+name: Create and publish a Docker image (with profiles)
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}-profiles
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./Dockerfile.profiles
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
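Review bot: Every `uses:` step in this new workflow pins its action to a mutable major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v6`, `actions/attest-build-provenance@v2`) while the job holds `packages: write`, `attestations: write` and `id-token: write`. A tag that is later re-pointed would run with those permissions and could push or attest an image nobody reviewed, so pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The checkout step can also set `persist-credentials: false` under `with:`, since none of the later steps shown here needs git to reuse the token.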
diff --git a/Dockerfile.profiles b/Dockerfile.profiles
new file mode 100644
index 0000000..6a8a505
--- /dev/null
+++ b/Dockerfile.profiles
@@ -0,0 +1,27 @@
+FROM python:3.11-slim
+
+# Install required system packages, including git
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --upgrade pip
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY cratey.py LICENSE /app/
+COPY app /app/app
+COPY tests/data/rocrate_validator_profiles /app/profiles
+
+RUN useradd -ms /bin/bash flaskuser
+RUN chown -R flaskuser:flaskuser /app
+
+ENV PROFILES_PATH=/app/profiles
+
+USER flaskuser
+
+EXPOSE 5000
+
+CMD ["flask", "run", "--host=0.0.0.0"]
+
+LABEL org.opencontainers.image.source="https://github.com/eScienceLab/Cratey-Validator"
From 20a830fc87542d3f8a6eb74d6f282f92d564e85d Mon Sep 17 00:00:00 2001
From: EttoreM
Date: Thu, 12 Mar 2026 08:23:44 +0000
Subject: [PATCH 2/4] This fix adds the curated five-safes profile to the Docker image. Profile version is accessible through a label () or as an environment variable from inside the Docker image ().
---
 .github/workflows/build-with-profiles.yml | 4 +--
 Dockerfile.fivesafes-profile | 40 +++++++++++++++++++++++
 Dockerfile.profiles | 27 ---------------
 3 files changed, 42 insertions(+), 29 deletions(-)
 create mode 100644 Dockerfile.fivesafes-profile
 delete mode 100644 Dockerfile.profiles
diff --git a/.github/workflows/build-with-profiles.yml b/.github/workflows/build-with-profiles.yml
index 16af3e7..ba77faf 100644
--- a/.github/workflows/build-with-profiles.yml
+++ b/.github/workflows/build-with-profiles.yml
@@ -7,7 +7,7 @@ on:
 env:
 REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}-profiles
+ IMAGE_NAME: ${{ github.repository }}-fivesafes-profile
 jobs:
 build-and-push-image:
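Review bot: The `CMD ["flask", "run", "--host=0.0.0.0"]` line at the end of the new Dockerfile.profiles starts Flask's built-in development server on all interfaces, in an image the workflow publishes on release. That server is intended for local development rather than for serving untrusted traffic; if a WSGI server is listed in requirements.txt (not visible here), launch the app through it instead, for example `CMD ["gunicorn", "--bind", "0.0.0.0:5000", "cratey:app"]`, where the module and app names are a guess from `COPY cratey.py`. In the same hunk, `apt-get install -y git` should add `--no-install-recommends` to keep the package set small, and `FROM python:3.11-slim` can be pinned as `python:3.11-slim@sha256:<digest>` so a release build always starts from the same base.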
@@ -39,7 +39,7 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 context: .
- file: ./Dockerfile.profiles
+ file: ./Dockerfile.fivesafes-profile
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile.fivesafes-profile b/Dockerfile.fivesafes-profile
new file mode 100644
index 0000000..82b9597
--- /dev/null
+++ b/Dockerfile.fivesafes-profile
@@ -0,0 +1,40 @@
+FROM python:3.11-slim
+
+ARG FIVE_SAFES_PROFILE_VERSION=five-safes-0.7.3-beta
+ARG PROFILES_ARCHIVE_URL=https://github.com/eScienceLab/rocrate-validator/archive/refs/tags/${FIVE_SAFES_PROFILE_VERSION}.tar.gz
+
+# Install required system packages, including git
+RUN apt-get update && apt-get install -y git wget && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --upgrade pip
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY cratey.py LICENSE /app/
+COPY app /app/app
+RUN < Date: Fri, 13 Mar 2026 07:59:10 +0000
Subject: [PATCH 3/4] The five-safes profile is now baked into the default directory. Also, now the five-safes profile imported contains the fix of the log import.
---
 Dockerfile.fivesafes-profile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.fivesafes-profile b/Dockerfile.fivesafes-profile
index 82b9597..5946e21 100644
--- a/Dockerfile.fivesafes-profile
+++ b/Dockerfile.fivesafes-profile
@@ -1,7 +1,8 @@
 FROM python:3.11-slim
-ARG FIVE_SAFES_PROFILE_VERSION=five-safes-0.7.3-beta
+ARG FIVE_SAFES_PROFILE_VERSION=five-safes-0.7.4-beta
 ARG PROFILES_ARCHIVE_URL=https://github.com/eScienceLab/rocrate-validator/archive/refs/tags/${FIVE_SAFES_PROFILE_VERSION}.tar.gz
+ARG PY_VER=3.11
 # Install required system packages, including git
 RUN apt-get update && apt-get install -y git wget && rm -rf /var/lib/apt/lists/*
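Review bot: In the `@@ -1,7 +1,8 @@` hunk of Dockerfile.fivesafes-profile, `PROFILES_ARCHIVE_URL` resolves to a GitHub tag archive, and the bump to `five-safes-0.7.4-beta` changes what gets baked into the published image without any digest appearing in the visible lines. The RUN step that fetches the archive is not visible here, so this may already be covered; if it is not, add `ARG PROFILES_ARCHIVE_SHA256=<sha256-of-archive>` next to the version and check the download with `sha256sum -c` before extracting, so that a moved tag fails the build instead of silently changing the image. The new `ARG PY_VER=3.11` also repeats the version hard-coded in `FROM python:3.11-slim`; declaring it before `FROM`, using `FROM python:${PY_VER}-slim`, and redeclaring `ARG PY_VER` inside the stage would keep the two from drifting apart.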
@@ -18,7 +19,7 @@ RUN < Date: Fri, 13 Mar 2026 08:41:05 +0000
Subject: [PATCH 4/4] Removed stale lines from Dockerfile.fivesafes-profile.
---
 Dockerfile.fivesafes-profile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/Dockerfile.fivesafes-profile b/Dockerfile.fivesafes-profile
index 5946e21..df234b9 100644
--- a/Dockerfile.fivesafes-profile
+++ b/Dockerfile.fivesafes-profile
@@ -16,7 +16,6 @@ RUN pip install --no-cache-dir -r requirements.txt
 COPY cratey.py LICENSE /app/
 COPY app /app/app
 RUN <