Publish scancode-toolkit Docker image to ghcr.io

[robertlagrant]

Short Description

Prepackage the software as a Docker image, hosted here on ghcr.io.

Select Category

• [x] Packaging

Describe the Update

Build and upload the Docker image to ghcr.io

How This Feature will help you/your organization

It'll be much simpler to pull in without going through the build process.

Possible Solution/Implementation Details

Perform the automation triggered in Github Actions upon release.

Can you help with this Feature

3027

[pombredanne]

@robertlagrant Thanks... this sounds like a good idea ... one question though: is this a free service? Based on https://github.com/features/packages#pricing there seems to be a price tag attached not only to publishing but also to the mere pulling of images which is something we cannot control?

[robertlagrant]

@pombredanne that page design is very misleading! The prices on the right are for private repos. On the left, public repos, it's unlimited.

[elrayle]

I'd love to see an official image for the latest release as well. From the pricing page, this shows that public repos can put up images for free...

GitHub Packages Documentation

I have time to help work on this, if you like.

[hakandilek]

Any update/progress on this? I'd also love to help if someone can guide to the right direction.

[pombredanne]

The work to do should be to ensure that we are not the proverbial cobbler's son and that we have a basic handle of the license and origin of the packages that go in the base image and collecting the source code. This would mean scanning this is ScanCode.io (with scancode... how circular! )

The second thing would be to have a Ci/CD job that builds, runs smoke tests and publishes the image on each release, and ideally would also collect the source packages for the image (and stuff them in an image or layer to have them published handy)

The third thing would be to do run the job daily to get an updated image with the latest security fixes.

[pombredanne]

@RomainPelletant let's use this instead of https://github.com/nexB/scancode-toolkit/issues/3776

[RomainPelletant]

The main actions to publish docker image in the right way, based on that post (@pombredanne please correct me if I am wrong) are:

• [ ] Create the docker image based on Dockerfile provided in scancode (based on slim-buster : Debian) : already done by @robertlagrant
• [ ] Keep that image as an artifact, and run scancode by following this tutorial This run shall be done in a docker image, with scancode installed (with the latest version? the last release?)
• [ ] Generate attribution by following this tutorial. Keep generated attribution as artifact.
• [ ] Build the docker image still based on Dockerfile provided in scancode, but add a step to download packages using apt-get source
• [ ] Keep that last image as an artifact, and run some smoke tests (do you see a minimum test scope?)
• [ ] If tests succeed, published the image (with packages sources) : tag will depends on the trigger => next chapter

Two kind of images:

• Release / tag images : do all the job on new release creation
• Latest tag: do all the job daily based on main branch