ci(build): align CI, Docker build and Helm deployment

jonathan-irvin · jonathan-irvin · commit 0685e6204058 · 2025-03-02T15:31:14.000-06:00
- Update GitHub Action versions for consistency
- Configure Docker build to use proper versioning tags
- Fix Helm chart to use the correct image repository
- Add security improvements to Docker and Helm deployment
- Add volume initialization logic for persistent data
diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml
@@ -13,23 +13,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           push: true
-          tags: ghcr.io/offendingcommit/bingo:latest 
+          tags: |
+            ghcr.io/offendingcommit/bingo:latest
+            ghcr.io/offendingcommit/bingo:${{ github.sha }}
+            ${{ github.event_name == 'release' && format('ghcr.io/offendingcommit/bingo:{0}', github.ref_name) || '' }}
           build-args: BUILD_ENVIRONMENT=production
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Helm
         uses: azure/setup-helm@v1
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Helm
         uses: azure/setup-helm@v1
diff --git a/Dockerfile b/Dockerfile
@@ -43,8 +43,17 @@ RUN --mount=type=cache,target=$POETRY_CACHE_DIR \
 # Copy the rest of the project
 COPY . /app
 
+# Create a non-root user and switch to it
+RUN adduser --disabled-password --gecos "" appuser && \
+    chown -R appuser:appuser /app
+USER appuser
+
 # Expose port 8080 (if required)
 EXPOSE 8080
 
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:8080/ || exit 1
+
 # Set the default command to run the application
 CMD ["python", "main.py"]
diff --git a/helm/bingo/templates/deployment.yaml b/helm/bingo/templates/deployment.yaml
@@ -27,6 +27,29 @@ spec:
       serviceAccountName: {{ include "bingo.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- if .Values.persistence.enabled }}
+      initContainers:
+        - name: init-data
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              # Initialize phrases.txt if it doesn't exist
+              if [ ! -f /data/phrases/phrases.txt ]; then
+                cp /app/phrases.txt /data/phrases/phrases.txt
+              fi
+              # Initialize static files if directory is empty
+              if [ ! -d /data/static ] || [ -z "$(ls -A /data/static)" ]; then
+                mkdir -p /data/static
+                cp -r /app/static/* /data/static/
+              fi
+          volumeMounts:
+            - name: phrases-volume
+              mountPath: /data/phrases
+            - name: static-volume
+              mountPath: /data/static
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
diff --git a/helm/bingo/values.yaml b/helm/bingo/values.yaml
@@ -1,11 +1,12 @@
 replicaCount: 1
 
 image:
-  repository: bingo
+  repository: ghcr.io/offendingcommit/bingo
   pullPolicy: IfNotPresent
   tag: "latest"
 
-imagePullSecrets: []
+imagePullSecrets:
+  - name: ghcr-pull-secret
 nameOverride: ""
 fullnameOverride: ""
 
@@ -16,9 +17,19 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
 
-securityContext: {}
+securityContext:
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 1000
+  capabilities:
+    drop:
+      - ALL
 
 service:
   type: ClusterIP
