Build and push rootless docker container (#8572)

PR checklist: - [ ] Purpose of the code is [evident to future readers](https://semgrep.dev/docs/contributing/contributing-code/#explaining-code) - [ ] Tests included or PR comment includes a reproducible test plan - [ ] Documentation is up-to-date - [ ] A changelog entry was [added to changelog.d](https://semgrep.dev/docs/contributing/contributing-code/#adding-a-changelog-entry) for any user-facing change - [ ] Change has no security implications (otherwise, ping security team) If you're unsure about any of this, please see: - [Contribution guidelines](https://semgrep.dev/docs/contributing/contributing-code)! - [One of the more specific guides located here](https://semgrep.dev/docs/contributing/contributing/)
semgrep · Aug 30, 2023 · ff099a3 · ff099a3
1 parent 4057f65
commit ff099a3
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 0 deletions.
diff --git a/.github/workflows/build-test-docker.yaml b/.github/workflows/build-test-docker.yaml
@@ -5,6 +5,10 @@ name: build-test-docker
 on:
   workflow_dispatch:
     inputs:
+      docker-flavor:
+        required: true
+        type: string
+        description: A multi-line string in the format accepted by docker metadata tag action for the flavor of the image
       docker-tags:
         required: true
         type: string
@@ -23,13 +27,21 @@ on:
         type: string
         description: Dockerfile to build
         default: Dockerfile
+      target:
+        required: true
+        type: string
+        description: Dockerfile target to build
       enable-tests:
         required: true
         type: boolean
         description: Whether or not to run validation on the built image
 
   workflow_call:
     inputs:
+      docker-flavor:
+        required: true
+        type: string
+        description: A multi-line string in the format accepted by docker metadata tag action for the flavor of the image
       docker-tags:
         required: true
         type: string
@@ -46,6 +58,10 @@ on:
         required: true
         type: string
         description: Dockerfile to build
+      target:
+        required: true
+        type: string
+        description: Dockerfile target to build
       enable-tests:
         required: true
         type: boolean
@@ -71,6 +87,7 @@ jobs:
         uses: docker/metadata-action@v4
         with:
           images: ${{ inputs.repository-name }}
+          flavor: ${{ inputs.docker-flavor }}
           tags: ${{ inputs.docker-tags }}
       - uses: depot/setup-action@v1
       - name: Build image
@@ -83,6 +100,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           file: ${{ inputs.file }}
+          target: ${{ inputs.target }}
           buildx-fallback: true
       - name: Load image
         if: ${{ inputs.enable-tests }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -92,14 +92,33 @@ jobs:
     secrets: inherit
     needs: [inputs]
     with:
+      docker-flavor: |
+        latest=auto
       docker-tags: |
         type=semver,pattern={{version}}
         type=semver,pattern={{major}}.{{minor}}
       repository-name: ${{ github.repository }}
       artifact-name: image-release
       file: Dockerfile
+      target: semgrep-cli
       enable-tests: true
 
+  build-test-docker-nonroot:
+    uses: ./.github/workflows/build-test-docker.yaml
+    secrets: inherit
+    with:
+      docker-flavor: |
+        latest=auto
+        suffix=-nonroot
+      docker-tags: |
+        type=semver,pattern={{version}}
+        type=semver,pattern={{major}}.{{minor}}
+      repository-name: ${{ github.repository }}
+      artifact-name: image-release-nonroot
+      file: Dockerfile
+      target: nonroot
+      enable-tests: false
+
   build-test-osx-x86:
     uses: ./.github/workflows/build-test-osx-x86.yaml
     secrets: inherit
@@ -128,6 +147,7 @@ jobs:
     needs:
       [
         build-test-docker,
+        build-test-docker-nonroot,
         build-test-manylinux-x86,
         build-test-manylinux-aarch64,
         build-test-osx-x86,
@@ -146,6 +166,15 @@ jobs:
       repository-name: ${{ github.repository }}
       dry-run: ${{ needs.inputs.outputs.dry-run == 'true' }}
 
+  push-docker-nonroot:
+    needs: [wait-for-build-test, inputs]
+    uses: ./.github/workflows/push-docker.yaml
+    secrets: inherit
+    with:
+      artifact-name: image-release-nonroot
+      repository-name: ${{ github.repository }}
+      dry-run: ${{ needs.inputs.outputs.dry-run == 'true' }}
+
   upload-wheels:
     name: Upload Wheels to PyPI
     runs-on: ubuntu-latest

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -305,6 +305,8 @@ jobs:
     uses: ./.github/workflows/build-test-docker.yaml
     secrets: inherit
     with:
+      docker-flavor: |
+        latest=auto
       docker-tags: |
         type=semver,pattern={{version}}
         type=semver,pattern={{major}}.{{minor}}
@@ -315,6 +317,7 @@ jobs:
       artifact-name: image-test
       repository-name: ${{ github.repository }}
       file: Dockerfile
+      target: semgrep-cli
       enable-tests: true
 
   push-docker:
@@ -327,6 +330,36 @@ jobs:
       repository-name: ${{ github.repository }}
       dry-run: false
 
+  build-test-docker-nonroot:
+    uses: ./.github/workflows/build-test-docker.yaml
+    secrets: inherit
+    with:
+      docker-flavor: |
+        latest=auto
+        suffix=-nonroot
+      docker-tags: |
+        type=semver,pattern={{version}}
+        type=semver,pattern={{major}}.{{minor}}
+        type=ref,event=pr
+        type=ref,event=branch
+        type=sha,event=branch
+        type=edge
+      artifact-name: image-test-nonroot
+      repository-name: ${{ github.repository }}
+      file: Dockerfile
+      target: nonroot
+      enable-tests: false
+
+  push-docker-nonroot:
+    needs: [build-test-docker-nonroot]
+    uses: ./.github/workflows/push-docker.yaml
+    if: github.ref == 'refs/heads/develop' || (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository))
+    secrets: inherit
+    with:
+      artifact-name: image-test-nonroot
+      repository-name: ${{ github.repository }}
+      dry-run: false
+
   test-semgrep-pro:
     needs: [build-test-docker, push-docker]
     uses: ./.github/workflows/test-semgrep-pro.yaml

diff --git a/Dockerfile b/Dockerfile
@@ -218,6 +218,7 @@ RUN adduser -D -u 1000 -h /home/semgrep semgrep \
 
 # Disabling defaulting to the user semgrep for now
 # We can set it by default once we fix the circle ci workflows
+# See nonroot build stage below.
 #USER semgrep
 
 # Workaround for rootless containers as git operations may fail due to dubious
@@ -232,3 +233,10 @@ RUN printf "[safe]\n	directory = /src"  > ~semgrep/.gitconfig && \
 # to interactively explore the docker image.
 CMD ["semgrep", "--help"]
 LABEL maintainer="support@semgrep.com"
+
+# Additional build stage that sets a non-root user.
+# Can't make this the default in semgrep-cli stage because of permissions errors
+# on the mounted volume when using instructions for running semgrep with docker:
+# `docker run -v "${PWD}:/src" -i returntocorp/semgrep semgrep`
+FROM semgrep-cli AS nonroot
+USER semgrep