project-copacetic / copa-action

:octocat: GitHub Action for Copacetic: Directly patch container image vulnerabilities
https://project-copacetic.github.io/copacetic/website/
MIT License

feat: Support for buildx #37

Closed ashnamehrotra closed 8 months ago

ashnamehrotra commented 8 months ago

Adds support and documentation for private and local image patching.

default buildx test run, buildkit container test run, custom socket test run

Fixes #32 #16

sozercan commented 8 months ago

@ashnamehrotra looks like build e2e failed with a timeout: https://github.com/project-copacetic/copa-action/actions/runs/7878674392/job/21497411542?pr=37 Do we need to increase the timeout?

ashnamehrotra commented 8 months ago

> @ashnamehrotra looks like build e2e failed with a timeout: https://github.com/project-copacetic/copa-action/actions/runs/7878674392/job/21497411542?pr=37 Do we need to increase the timeout?

Looking into this, I tested with a 20min timeout and it's still failing, so there might be something else wrong. I also re-ran a test that was originally passing, which is failing now.

sozercan commented 8 months ago

Just FYI, if you are passing timeout in the action, I don't think this'll be available in the action yet (in non-test) since we didn't cut a release.

ashnamehrotra commented 8 months ago

> Just FYI, if you are passing timeout in the action, I don't think this'll be available in the action yet (in non-test) since we didn't cut a release.

The timeout flag should be available in copa-action in the v1.1.0 release. Also, it looks like the timeout error was specific to the nginx image in the build test. I created an issue here: https://github.com/project-copacetic/copacetic/issues/504 and changed the test to use the OPA image for now.

The final issue to resolve is for the custom-socket approach: trivy is unable to find the patched image in the bats test since it was created in a different context, even when switched to the new context.