(docker)resolve Dockerfile issue & fix CVEs (#100)

Remaining CVEs that need fixing: | Lib | CVE | Current version | Fixed version | Indirect | | -------- | ------------------------------------------------------------------------ | --------------- | ------------- | -------- | | CometBFT | [GHSA-p7mv-53f2-4cwj](GHSA-p7mv-53f2-4cwj) | 0.38.11 | 0.38.15 | | | CometBFT | [GHSA-g5xx-c4hv-9ccc](GHSA-g5xx-c4hv-9ccc) | 0.38.11 | 0.38.12 | |
babylonlabs-io · Nov 21, 2024 · 35d0a53 · 35d0a53
1 parent 6205af5
commit 35d0a53
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 10 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -25,7 +25,13 @@ jobs:
 
   docker_pipeline:
     needs: ["lint_test"]
-    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.7.0
+    uses: babylonlabs-io/.github/.github/workflows/reusable_docker_pipeline.yml@v0.10.2
     secrets: inherit
     with:
-      publish: true
+      publish: true
+      docker_scan: true
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ## Unreleased
 
+* [#100](https://github.com/babylonlabs-io/vigilante/pull/100) bump docker workflow to 0.10.2,
+fix some dockerfile issue
+
 ## v0.16.1
 
 ### Improvements

diff --git a/Dockerfile b/Dockerfile
@@ -9,10 +9,10 @@ ARG VERSION
 
 # Use muslc for static libs
 ARG BUILD_TAGS="muslc"
-
+# hadolint ignore=DL3018
 RUN apk add --no-cache --update openssh git make build-base linux-headers libc-dev \
                                 pkgconfig zeromq-dev musl-dev alpine-sdk libsodium-dev \
-                                libzmq-static libsodium-static gcc
+                                libzmq-static libsodium-static gcc && rm -rf /var/cache/apk/*
 
 # Build
 WORKDIR /go/src/github.com/babylonlabs-io/vigilante
@@ -27,23 +27,25 @@ RUN if [ -n "${VERSION}" ]; then \
     fi
 
 # Cosmwasm - Download correct libwasmvm version
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 RUN WASMVM_VERSION=$(go list -m github.com/CosmWasm/wasmvm/v2 | cut -d ' ' -f 2) && \
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
-        -O /lib/libwasmvm_muslc.$(uname -m).a && \
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/libwasmvm_muslc.$(uname -m).a \
+        -O /lib/libwasmvm_muslc."$(uname -m)".a && \
     # verify checksum
-    wget https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
-    sha256sum /lib/libwasmvm_muslc.$(uname -m).a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc.$(uname -m) | cut -d ' ' -f 1)
+    wget -q https://github.com/CosmWasm/wasmvm/releases/download/$WASMVM_VERSION/checksums.txt -O /tmp/checksums.txt && \
+    sha256sum /lib/libwasmvm_muslc."$(uname -m)".a | grep $(cat /tmp/checksums.txt | grep libwasmvm_muslc."$(uname -m)" | cut -d ' ' -f 1)
 
 RUN CGO_LDFLAGS="$CGO_LDFLAGS -lstdc++ -lm -lsodium" \
     CGO_ENABLED=1 \
     BUILD_TAGS=$BUILD_TAGS \
     LINK_STATICALLY=true \
     make build
 
-FROM alpine:3.16 AS run
+FROM alpine:3.20 AS run
 # Create a user
 RUN addgroup --gid 1138 -S vigilante && adduser --uid 1138 -S vigilante -G vigilante
-RUN apk add bash curl jq
+# hadolint ignore=DL3018
+RUN apk --no-cache add bash curl jq && rm -rf /var/cache/apk/*
 
 # Label should match your github repo
 LABEL org.opencontainers.image.source="https://github.com/babylonlabs-io/vigilante:${VERSION}"