Build and push rootless docker container

semgrep · Aug 30, 2023 · 59a166c · 59a166c
1 parent be9ecb4
commit 59a166c
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/.github/workflows/build-test-docker.yaml b/.github/workflows/build-test-docker.yaml
@@ -23,6 +23,10 @@ on:
         type: string
         description: Dockerfile to build
         default: Dockerfile
+      target:
+        required: true
+        type: string
+        description: Dockerfile target to build
       enable-tests:
         required: true
         type: boolean
@@ -46,6 +50,10 @@ on:
         required: true
         type: string
         description: Dockerfile to build
+      target:
+        required: true
+        type: string
+        description: Dockerfile target to build
       enable-tests:
         required: true
         type: boolean
@@ -71,6 +79,8 @@ jobs:
         uses: docker/metadata-action@v4
         with:
           images: ${{ inputs.repository-name }}
+          flavor: |
+            latest=false # pass latest tag in inputs
           tags: ${{ inputs.docker-tags }}
       - uses: depot/setup-action@v1
       - name: Build image
@@ -83,6 +93,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           file: ${{ inputs.file }}
+          target: ${{ inputs.target }}
           buildx-fallback: true
       - name: Load image
         if: ${{ inputs.enable-tests }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -95,9 +95,25 @@ jobs:
       docker-tags: |
         type=semver,pattern={{version}}
         type=semver,pattern={{major}}.{{minor}}
+        type=raw,value=latest
       repository-name: ${{ github.repository }}
       artifact-name: image-release
       file: Dockerfile
+      target: semgrep-cli
+      enable-tests: true
+
+  build-test-docker-rootless:
+    uses: ./.github/workflows/build-test-docker.yaml
+    secrets: inherit
+    with:
+      docker-tags: |
+        type=semver,pattern={{version}}
+        type=semver,pattern={{major}}.{{minor}}
+        type=raw,value=latest-rootless
+      repository-name: ${{ github.repository }}
+      artifact-name: image-release-rootless
+      file: Dockerfile
+      target: rootless
       enable-tests: true
 
   build-test-osx-x86:
@@ -128,6 +144,7 @@ jobs:
     needs:
       [
         build-test-docker,
+        build-test-docker-rootless,
         build-test-manylinux-x86,
         build-test-manylinux-aarch64,
         build-test-osx-x86,
@@ -146,6 +163,15 @@ jobs:
       repository-name: ${{ github.repository }}
       dry-run: ${{ needs.inputs.outputs.dry-run == 'true' }}
 
+  push-docker-rootless:
+    needs: [wait-for-build-test, dry-run]
+    uses: ./.github/workflows/push-docker.yaml
+    secrets: inherit
+    with:
+      artifact-name: image-release-rootless
+      repository-name: ${{ github.repository }}
+      dry-run: ${{ needs.dry-run.outputs.dry-run == 'true' }}
+
   upload-wheels:
     name: Upload Wheels to PyPI
     runs-on: ubuntu-latest

diff --git a/Dockerfile b/Dockerfile
@@ -232,3 +232,6 @@ RUN printf "[safe]\n	directory = /src"  > ~semgrep/.gitconfig && \
 # to interactively explore the docker image.
 CMD ["semgrep", "--help"]
 LABEL maintainer="support@semgrep.com"
+
+FROM semgrep-cli AS rootless
+USER semgrep