From c915b61bafcfc9b20ea00dede96a883da318f990 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
Date: Fri, 1 Aug 2025 15:59:23 +0200
Subject: [PATCH] [BRE-915] Update and harden container images (#412)

* Update base image for get-checksum to gcr.io/distroless/python3-debian12:nonroot
* Update base image in version-bump to gcr.io/distroless/python3-debian12:nonroot
* Remove unnecessary pip install commands from Dockerfile
* Refactor Dockerfile to use python:3-slim base image and streamline package installation
* Refactor Dockerfile to improve build process and update main.py to use xml.etree.ElementTree
* Add step to fix file permissions in test-version-bump workflow
* Remove file permission fix step from test-version-bump workflow and update Dockerfile to use non-root base image
* Update crowdin
---
 crowdin/Dockerfile | 2 +-
 get-checksum/Dockerfile | 7 ++-----
 version-bump/Dockerfile | 16 ++++++++--------
 version-bump/main.py | 4 ++--
 4 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/crowdin/Dockerfile b/crowdin/Dockerfile
index 80e60cd1..01a02942 100644
--- a/crowdin/Dockerfile
+++ b/crowdin/Dockerfile
@@ -1,4 +1,4 @@
-FROM crowdin/cli:3.19.4
+FROM crowdin/cli:4.9.0
 
 RUN apk --no-cache add curl git jq gnupg;
 
diff --git a/get-checksum/Dockerfile b/get-checksum/Dockerfile
index 7b5beda5..0c3e21fb 100644
--- a/get-checksum/Dockerfile
+++ b/get-checksum/Dockerfile
@@ -1,12 +1,9 @@
-FROM python:3-slim
+FROM gcr.io/distroless/python3-debian12:nonroot
 
 ADD . /app
 
 WORKDIR /app
 
-RUN pip3 install lxml --target=/app
-RUN pip3 install pyyaml --target=/app
-
-ENV PYTHONPATH /app
+ENV PYTHONPATH=/app
 
 ENTRYPOINT [ "python", "/app/main.py" ]
\ No newline at end of file
diff --git a/version-bump/Dockerfile b/version-bump/Dockerfile
index 39094e0a..37522c4d 100644
--- a/version-bump/Dockerfile
+++ b/version-bump/Dockerfile
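Review bot: In get-checksum/Dockerfile the new base `gcr.io/distroless/python3-debian12:nonroot` is referenced by a mutable tag, so a later rebuild can pick up a different image without any change in this repository; for a hardening commit, pin it by digest, e.g. `FROM gcr.io/distroless/python3-debian12:nonroot@sha256:<digest-placeholder>`. The same applies to both `FROM` lines in version-bump/Dockerfile. This hunk also removes the `lxml` and `pyyaml` installs while get-checksum/main.py is not touched by the commit, so confirm that script imports neither, otherwise the container fails at start-up. `ADD . /app` would be better as `COPY . /app`, which has no archive-extraction or URL behaviour.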
@@ -1,13 +1,13 @@
-FROM python:3-slim
-
-ADD . /app
+FROM python:3-slim AS builder
 
 WORKDIR /app
+RUN pip3 install --no-cache-dir pyyaml --target=.
+ADD ./main.py .
 
-RUN pip3 install lxml --target=/app
-RUN pip3 install pyyaml --target=/app
+FROM gcr.io/distroless/python3-debian12
 
-ENV PYTHONPATH /app
+WORKDIR /app
+COPY --from=builder /app /app
+ENV PYTHONPATH=/app
 
-CMD ["/app/main.py"]
-ENTRYPOINT [ "python", "-u" ]
+ENTRYPOINT ["/usr/bin/python3", "-u", "/app/main.py"]
diff --git a/version-bump/main.py b/version-bump/main.py
index e3406327..bf65e0bc 100644
--- a/version-bump/main.py
+++ b/version-bump/main.py
@@ -2,7 +2,7 @@ import os
 import json
 import plistlib
 import re
-import lxml.etree as ET
+import xml.etree.ElementTree as ET
 import yaml
 
 
@@ -58,7 +58,7 @@ def update_xml(version, file_path):
 f.write(data_new)
 
 # Microsoft .NET project files
- elif myroot.attrib.has_key("Sdk") and "Microsoft.NET.Sdk" in myroot.attrib["Sdk"]:
+ elif "Sdk" in myroot.attrib and "Microsoft.NET.Sdk" in myroot.attrib["Sdk"]:
 version_property = [x for x in myroot[0] if x.tag == "Version"][-1]
 version_property.text = version
 mytree.write(file_path)
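Review bot: In version-bump/Dockerfile the final stage is `FROM gcr.io/distroless/python3-debian12` without the `:nonroot` tag, so the entrypoint runs as root, although the commit description says the Dockerfile now uses a non-root base image and get-checksum does use `:nonroot`. If root is deliberate (presumably because the action writes into the runner-mounted workspace; the description mentions a permissions fix that was added and then removed), say so in a comment above that `FROM`, e.g. `# root on purpose: writes version files into the mounted workspace`; otherwise switch to `:nonroot`. The builder stage uses the floating `python:3-slim`, whose interpreter version may differ from the one in the distroless image, so a compiled extension installed by `pip3 install --target=.` may not load at runtime; pinning the builder to the runtime's minor version removes that risk.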
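Review bot: In version-bump/main.py, swapping `lxml.etree` for `xml.etree.ElementTree` changes what `mytree.write(file_path)` in the .NET branch emits: the standard-library parser discards XML comments by default, so bumping a project file would probably strip its comments, which lxml kept. The parse call is outside this hunk (`update_xml` starts above it), but if it is a plain `ET.parse(file_path)`, passing `parser=ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))` keeps them. The `"Sdk" in myroot.attrib` rewrite itself is right, since the standard-library `attrib` is a plain dict. A test that round-trips a project file containing a comment would pin this.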