[Feature] minimal hub container image #145
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Could argue we should update docs to say that we provide a production based image for hub
26abc55 to 228dc4c
Code Review
This pull request introduces a ko configuration for building the scion container image and adds a ko-build-local target to the Makefile. The review feedback recommends pinning the base image in .ko.yaml to a specific version or SHA256 digest to ensure build reproducibility and security. Additionally, it is suggested to use the existing web target as a dependency in the Makefile to avoid duplicating the web frontend build logic.
| @@ -0,0 +1,16 @@ | |||
| # ko configuration for building the scion hub/broker container image. | |||
| # See: https://ko.build/configuration/ | |||
| defaultBaseImage: cgr.dev/chainguard/static:latest | |||
Using the :latest tag for the base image can lead to non-reproducible builds and potential supply chain security risks, as the underlying image can change without notice. It is recommended to pin the base image to a specific version or, even better, a SHA256 digest to ensure consistency across builds.
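
A check that could enforce the pinning recommendation in the comment above, as an added example that is not part of this pull request or the project. The function names, the import path and the digest in the sample are constructed, and the parser assumes one `key: value` entry per line in the ko config.

```shell
#!/bin/sh
# Added example: fail a build when a ko base image is not pinned by digest.

# Succeeds only if the reference ends in @sha256:<64 hex characters>.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print every base image in a ko config: defaultBaseImage plus the values
# under baseImageOverrides. Assumes one "key: value" entry per line.
base_images() {
    awk '
        /^defaultBaseImage:/   { in_map = 0; sub(/^[^:]*:[ \t]*/, ""); print; next }
        /^baseImageOverrides:/ { in_map = 1; next }
        /^[^ \t#]/             { in_map = 0 }
        in_map && /^[ \t]+[^#]/ { sub(/^[^:]*:[ \t]+/, ""); print }
    ' "$1" | sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# Report each unpinned reference; return 1 if any was found.
check_ko_config() {
    rc=0
    for ref in $(base_images "$1"); do
        if ! is_digest_pinned "$ref"; then
            echo "unpinned base image: $ref"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config; the import path and digest are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
defaultBaseImage: cgr.dev/chainguard/static:latest
baseImageOverrides:
  example.com/hypothetical/cmd/tool: cgr.dev/chainguard/static@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
check_ko_config "$sample" || echo "pin the references listed above"
rm -f "$sample"
```

A reference that keeps its tag next to the digest (`static:latest@sha256:...`) passes the check, since the digest is what the registry resolves.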
| ko-build-local: | ||
| @echo "Building web frontend for container..." | ||
| @cd web && npm install && npm run build |
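Review bot: `npm install` in the `ko-build-local` recipe may resolve dependency versions that differ from the committed lockfile, so the frontend assets embedded in the container image can vary between builds. If `web/` commits a `package-lock.json`, use `npm ci` here instead: it installs exactly what the lockfile records and fails when the lockfile and `package.json` disagree, which is the behaviour you want for an image build.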
3f27c10 to 4e8cc11
Add ko configuration and a GitHub Actions workflow to build, publish, and sign a multi-arch (amd64/arm64) hub container image on every tag push. The image uses a distroless base (cgr.dev/chainguard/static) and embeds the web frontend assets.
The image is published as `ghcr.io/<owner>/scion:<tag>` and tagged with both the version tag and `latest`.
Closes GoogleCloudPlatform#133 (container image portion)
Signed-off-by: Edvin Norling <edvin.norling@kognic.com>
4e8cc11 to 7f778ae
Add ko configuration and a GitHub Actions workflow to build, publish, and sign a multi-arch (amd64/arm64) hub container image on every tag push. The image uses a distroless base (cgr.dev/chainguard/static) and embeds the web frontend assets.
The image is published as `ghcr.io/<owner>/scion:<tag>` and tagged with both the version tag and `latest`.
Closes #133 (container image portion)
Fixes #<issue_number_goes_here>