
Commit b72e690

authored
Merge pull request #1274 from CodeForAfrica/fix_docker_build_security
Fix docker build security
2 parents c137687 + faebb6d commit b72e690

38 files changed

+421
-339
lines changed

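--- a/.github/workflows/build-docker-image.yml
+++ b/.github/workflows/build-docker-image.yml
@@ -56,13 +56,14 @@ jobs:
 with:
 build-args: |
 ${{ inputs.build_args }}
-SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
-SENTRY_ORG=${{ vars.SENTRY_ORG }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
+secrets: |
+"sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
 tags: ${{ inputs.tags }}
 target: ${{ inputs.target }}
 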
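Review bot: `sentry_org` is now taken from `secrets.SENTRY_ORG`, while the removed build-arg read `vars.SENTRY_ORG`; in a reusable workflow a secret is only visible if the caller passes it (or uses `secrets: inherit`) and it is declared under `on.workflow_call.secrets`, otherwise the mounted file is empty and the failure surfaces only inside the Dockerfile's Sentry step. The `on:` block is outside the hunk, so I could not confirm the declaration exists; if it does not, add `SENTRY_ORG:` and `SENTRY_AUTH_TOKEN:` entries there with `required: true`. The free-form `${{ inputs.build_args }}` pass-through also remains, so a caller that still routes a credential through that input keeps recording it in the image config and `docker history`, which is the exposure this PR removes elsewhere; a one-line comment on the input, `# build_args are persisted in image metadata; pass credentials via secrets`, would steer callers. The consuming `RUN --mount=type=secret,id=…` lines are not on this page, so the lowercase ids could not be cross-checked.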

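--- a/.github/workflows/charterafrica-deploy-dev.yml
+++ b/.github/workflows/charterafrica-deploy-dev.yml
@@ -58,20 +58,20 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGO_URL=${{ secrets.CHARTERAFRICA_MONGO_URL }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
 NEXT_PUBLIC_SENTRY_DSN=${{ secrets.CHARTERAFRICA_SENTRY_DSN }}
-PAYLOAD_SECRET_KEY=${{ secrets.CHARTERAFRICA_PAYLOAD_SECRET_KEY }}
 SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.CHARTERAFRICA_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
 secrets: |
+"mongo_url=${{ secrets.CHARTERAFRICA_MONGO_URL }}"
+"payload_secret_key=${{ secrets.CHARTERAFRICA_PAYLOAD_SECRET_KEY }}"
 "sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CHARTERAFRICA_SENTRY_PROJECT }}"
 tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
 target: charterafrica-runner
 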
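Review bot: `NEXT_PUBLIC_SENTRY_DSN=${{ secrets.CHARTERAFRICA_SENTRY_DSN }}` stays under `build-args`, so a value the repository stores as a secret is still written into the image config and `docker history`, which is the exposure this PR removes for the other credentials in the same step. A Sentry DSN is shipped to browsers anyway, so leaving it as a build-arg is probably fine, but then storing it as a secret misstates its sensitivity; either move it to `vars` or mount it like the others. The same secret-sourced build-arg remains in charterafrica-deploy-prod and roboshield-deploy-dev (`NEXT_PUBLIC_SENTRY_DSN`) and in codeforafrica-deploy-dev, -prod and -review-app (`NEXT_PUBLIC_APP_LOGO_URL`, `NEXT_PUBLIC_APP_NAME`).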

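--- a/.github/workflows/charterafrica-deploy-prod.yml
+++ b/.github/workflows/charterafrica-deploy-prod.yml
@@ -81,22 +81,22 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGO_URL=${{ secrets.CHARTERAFRICA_MONGO_URL }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
 NEXT_PUBLIC_SENTRY_DSN=${{ secrets.CHARTERAFRICA_SENTRY_DSN }}
 NEXT_PUBLIC_SEO_DISABLED=${{ env.NEXT_PUBLIC_SEO_DISABLED }}
-PAYLOAD_SECRET_KEY=${{ secrets.CHARTERAFRICA_PAYLOAD_SECRET_KEY }}
 SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.CHARTERAFRICA_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 # TODO(xavier): Follow up if we can switch this to arm64
 platforms: linux/amd64
 push: true
 secrets: |
+"mongo_url=${{ secrets.CHARTERAFRICA_MONGO_URL }}"
+"payload_secret_key=${{ secrets.CHARTERAFRICA_PAYLOAD_SECRET_KEY }}"
 "sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CHARTERAFRICA_SENTRY_PROJECT }}"
 tags: "${{ env.IMAGE_NAME }}:${{ steps.version-check.outputs.version }}"
 target: charterafrica-runner
 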

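--- a/.github/workflows/civicsignalblog-deploy-prod.yml
+++ b/.github/workflows/civicsignalblog-deploy-prod.yml
@@ -80,19 +80,18 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGO_URL=${{ secrets.CIVICSIGNALBLOG_MONGO_URL }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
-PAYLOAD_SECRET=${{ secrets.CIVICSIGNALBLOG_PAYLOAD_SECRET }}
-SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.CIVICSIGNALBLOG_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
 secrets: |
+"mongo_url=${{ secrets.CIVICSIGNALBLOG_MONGO_URL }}"
+"payload_secret=${{ secrets.CIVICSIGNALBLOG_PAYLOAD_SECRET }}"
 "sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CIVICSIGNALBLOG_SENTRY_PROJECT }}"
 tags: "${{ env.IMAGE_NAME }}:${{ steps.version-check.outputs.version }}"
 target: civicsignalblog-runner
 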

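--- a/.github/workflows/climatemappedafrica-deploy-dev.yml
+++ b/.github/workflows/climatemappedafrica-deploy-dev.yml
@@ -59,13 +59,17 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGO_URL=${{ secrets.CLIMATEMAPPEDAFRICA_MONGO_URL }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
-PAYLOAD_SECRET=${{ secrets.CLIMATEMAPPEDAFRICA_PAYLOAD_SECRET }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
+secrets: |
+"mongo_url=${{ secrets.CLIMATEMAPPEDAFRICA_MONGO_URL }}"
+"payload_secret=${{ secrets.CLIMATEMAPPEDAFRICA_PAYLOAD_SECRET }}"
+"sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CLIMATEMAPPEDAFRICA_SENTRY_PROJECT }}"
 target: climatemappedafrica-runner
 push: true
 tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"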
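Review bot: the `secrets:` block is inserted between `platforms:` and `target:`, whereas every other workflow in this PR places it after `push:` and keeps the `with:` keys alphabetical; moving `secrets` after `push` (or reordering `target`/`push`/`tags`) would keep the ten files diffable against each other. The three Sentry ids are new in this file — the removed build-args carried only `MONGO_URL` and `PAYLOAD_SECRET` — so the build now depends on `CLIMATEMAPPEDAFRICA_SENTRY_PROJECT` and `SENTRY_AUTH_TOKEN` existing as repository secrets, and a missing one yields an empty mounted file rather than a workflow error. The same placement of `secrets:` applies to codeforafrica-deploy-review-app.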

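--- a/.github/workflows/codeforafrica-deploy-dev.yml
+++ b/.github/workflows/codeforafrica-deploy-dev.yml
@@ -60,21 +60,21 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGODB_URL=${{ secrets.CODEFORAFRICA_MONGO_URL }}/${{ env.APP_NAME }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
-PAYLOAD_SECRET=${{ secrets.CODEFORAFRICA_PAYLOAD_SECRET }}
 NEXT_PUBLIC_APP_LOGO_URL=${{ secrets.NEXT_PUBLIC_CODEFORAFRICA_APP_LOGO_URL }}
 NEXT_PUBLIC_APP_NAME=${{ secrets.NEXT_PUBLIC_CODEFORAFRICA_APP_NAME }}
 SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.CODEFORAFRICA_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
 secrets: |
+"mongodb_url=${{ secrets.CODEFORAFRICA_MONGO_URL }}/${{ env.APP_NAME }}"
+"payload_secret=${{ secrets.CODEFORAFRICA_PAYLOAD_SECRET }}"
 "sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CODEFORAFRICA_SENTRY_PROJECT }}"
 tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
 target: codeforafrica-runner
 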

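--- a/.github/workflows/codeforafrica-deploy-prod.yml
+++ b/.github/workflows/codeforafrica-deploy-prod.yml
@@ -81,21 +81,21 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGODB_URL=${{ secrets.CODEFORAFRICA_MONGODB_URL }}
 NEXT_PUBLIC_APP_LOGO_URL=${{ secrets.NEXT_PUBLIC_CODEFORAFRICA_APP_LOGO_URL }}
 NEXT_PUBLIC_APP_NAME=${{ secrets.NEXT_PUBLIC_CODEFORAFRICA_APP_NAME }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
-PAYLOAD_SECRET=${{ secrets.CODEFORAFRICA_PAYLOAD_SECRET }}
 SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.CODEFORAFRICA_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
 secrets: |
+"mongodb_url=${{ secrets.CODEFORAFRICA_MONGODB_URL }}"
+"payload_secret=${{ secrets.CODEFORAFRICA_PAYLOAD_SECRET }}"
 "sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CODEFORAFRICA_SENTRY_PROJECT }}"
 tags: "${{ env.IMAGE_NAME }}:${{ steps.version-check.outputs.version }}"
 target: codeforafrica-runner
 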

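--- a/.github/workflows/codeforafrica-deploy-review-app.yml
+++ b/.github/workflows/codeforafrica-deploy-review-app.yml
@@ -22,6 +22,7 @@ env:
 NEXT_PUBLIC_APP_URL: "https://codeforafrica-ui-pr-${{github.event.pull_request.number}}.dev.codeforafrica.org"
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 APP_NAME: codeforafrica-ui-pr-${{ github.event.pull_request.number }}
+SENTRY_ENVIRONMENT: "development"
 
 jobs:
 deploy_review_app:
@@ -58,15 +59,20 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGODB_URL=${{ secrets.CODEFORAFRICA_MONGO_URL }}/${{ env.APP_NAME }}
 NEXT_PUBLIC_APP_LOGO_URL=${{ secrets.NEXT_PUBLIC_CODEFORAFRICA_APP_LOGO_URL }}
 NEXT_PUBLIC_APP_NAME=${{ secrets.NEXT_PUBLIC_CODEFORAFRICA_APP_NAME }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
-PAYLOAD_SECRET=${{ secrets.CODEFORAFRICA_PAYLOAD_SECRET }}
+SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
+secrets: |
+"mongodb_url=${{ secrets.CODEFORAFRICA_MONGO_URL }}/${{ env.APP_NAME }}"
+"payload_secret=${{ secrets.CODEFORAFRICA_PAYLOAD_SECRET }}"
+"sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.CODEFORAFRICA_SENTRY_PROJECT }}"
 target: codeforafrica-runner
 push: true
 tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"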
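Review bot: the review-app build now mounts `sentry_auth_token`, `sentry_org` and `sentry_project`, but GitHub does not expose repository secrets to `pull_request` runs from forks, so for such PRs these mounts — and `mongodb_url`/`payload_secret` — are empty files; the trigger is outside this hunk, so confirm the workflow is limited to same-repository PRs or that the Dockerfile treats an empty secret file as "skip the Sentry upload" rather than failing the build. `APP_NAME` is derived from `github.event.pull_request.number` (`env:` hunk) and is interpolated into the `mongodb_url` secret, which is fine for a mount but means the per-PR database name is part of the secret value; that is worth a comment above the line, e.g. `# mongodb_url carries the per-PR database name; the base URL is the secret`. The added `SENTRY_ENVIRONMENT: "development"` is correctly quoted and is not sensitive.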

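--- a/.github/workflows/pesayetu-deploy-dev.yml
+++ b/.github/workflows/pesayetu-deploy-dev.yml
@@ -61,19 +61,21 @@ jobs:
 build-args: |
 WORDPRESS_URL=${{ secrets.PESAYETU_WORDPRESS_URL }}
 WORDPRESS_MULTISITE_PREFIX=${{ secrets.PESAYETU_WORDPRESS_MULTISITE_PREFIX }}
-WORDPRESS_PREVIEW_SECRET=${{ secrets.PESAYETU_WORDPRESS_PREVIEW_SECRET }}
-WORDPRESS_APPLICATION_USERNAME=${{ secrets.PESAYETU_WORDPRESS_APPLICATION_USERNAME }}
-WORDPRESS_APPLICATION_PASSWORD=${{ secrets.PESAYETU_WORDPRESS_APPLICATION_PASSWORD }}
-JWT_SECRET_KEY=${{ secrets.PESAYETU_JWT_SECRET_KEY }}
 HURUMAP_API_URL=${{ secrets.PESAYETU_HURUMAP_API_URL }}
 SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.PESAYETU_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
+secrets: |
+"jwt_secret_key=${{ secrets.PESAYETU_JWT_SECRET_KEY }}"
+"sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.PESAYETU_SENTRY_PROJECT }}"
+"wordpress_preview_secret=${{ secrets.PESAYETU_WORDPRESS_PREVIEW_SECRET }}"
+"wordpress_application_username=${{ secrets.PESAYETU_WORDPRESS_APPLICATION_USERNAME }}"
+"wordpress_application_password=${{ secrets.PESAYETU_WORDPRESS_APPLICATION_PASSWORD }}"
 tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
 target: pesayetu-runner
 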
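Review bot: `WORDPRESS_URL`, `WORDPRESS_MULTISITE_PREFIX` and `HURUMAP_API_URL` stay under `build-args` although each is read from a `secrets.PESAYETU_*` entry, so they are still recorded in the image config and `docker history` next to the now-mounted `wordpress_application_password`; a reader cannot tell whether they are credentials that were missed or plain configuration. Decide per value: if sensitive, move the line into `secrets: |` (e.g. `"wordpress_url=${{ secrets.PESAYETU_WORDPRESS_URL }}"`) and read it via a secret mount in the Dockerfile; if not, move it to `vars` so its storage matches its sensitivity. The hunk starts at `build-args:`, so the step's `uses:` and the opening of `with:` are outside it.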

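--- a/.github/workflows/roboshield-deploy-dev.yml
+++ b/.github/workflows/roboshield-deploy-dev.yml
@@ -61,20 +61,20 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 build-args: |
-MONGO_URL=${{ secrets.ROBOSHIELD_MONGO_URL }}
 NEXT_PUBLIC_APP_URL=${{ env.NEXT_PUBLIC_APP_URL }}
 NEXT_PUBLIC_SENTRY_DSN=${{ secrets.ROBOSHIELD_SENTRY_DSN }}
-PAYLOAD_SECRET=${{ secrets.ROBOSHIELD_PAYLOAD_SECRET }}
 SENTRY_ENVIRONMENT=${{ env.SENTRY_ENVIRONMENT }}
-SENTRY_ORG=${{ secrets.SENTRY_ORG }}
-SENTRY_PROJECT=${{ secrets.ROBOSHIELD_SENTRY_PROJECT }}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache-new
 context: .
 platforms: linux/arm64
 push: true
 secrets: |
+"mongo_url=${{ secrets.ROBOSHIELD_MONGO_URL }}"
+"payload_secret=${{ secrets.ROBOSHIELD_PAYLOAD_SECRET }}"
 "sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}"
+"sentry_org=${{ secrets.SENTRY_ORG }}"
+"sentry_project=${{ secrets.ROBOSHIELD_SENTRY_PROJECT }}"
 tags: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
 target: roboshield-runner
 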
