From 0da30813da9903ba40e03842fe8d2eb613e95f22 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Tue, 30 Jan 2024 12:24:45 +0000 Subject: [PATCH 01/16] Add new steps to publish a containerized CyberChef to GHCR --- .github/workflows/pull_requests.yml | 4 +++ .github/workflows/releases.yml | 47 ++++++++++++++++++++++++++++- Containerfile | 3 ++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 Containerfile diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index b485edad..42027c93 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -38,3 +38,7 @@ jobs: run: | sudo apt-get install xvfb xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui + image: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index b1be78f9..8fbac9f3 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -6,6 +6,12 @@ on: tags: - 'v*' +env: + REGISTRY: ghcr.io + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_NAME: ${{ github.repository }} + jobs: main: runs-on: ubuntu-latest @@ -16,10 +22,14 @@ jobs: uses: actions/setup-node@v3 with: node-version: '18.x' + - name: Install qemu dependency + run: | + sudo apt-get update + sudo apt-get install -y qemu-user-static - name: Install run: | - npm install + npm ci npm run setheapsize - name: Lint 
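Review bot: `REGISTRY_PASSWORD: ${{ github.token }}` in the workflow-level `env:` block of `releases.yml` exports the job token as an environment variable to every step of the workflow, including the npm install and test steps that run third-party package scripts. Only the registry push needs it, so this entry can be dropped and the token passed on that step alone: `password: ${{ github.token }}`. `REGISTRY_USER` can be handled the same way with `username: ${{ github.actor }}`.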
@@ -40,6 +50,31 @@ jobs: sudo apt-get install xvfb xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui + - name: Image Metadata + if: success() + id: image-metadata + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=semver,pattern={{major}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{version}} + + - name: Production Image Build + if: success() + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: ${{ steps.image-metadata.outputs.tags }} + labels: ${{ steps.image-metadata.outputs.labels }} + containerfiles: ./Containerfile + platforms: linux/arm64, linux/amd64 + oci: true + extra-args: | + --ulimit nofile=4096:4096 + - name: Upload Release Assets if: success() id: upload-release-assets @@ -57,3 +92,13 @@ jobs: uses: JS-DevTools/npm-publish@v1 with: token: ${{ secrets.NPM_TOKEN }} + + - name: Publish to GHCR + if: success() + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.REGISTRY }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} diff --git a/Containerfile b/Containerfile new file mode 100644 index 00000000..7727754d --- /dev/null +++ b/Containerfile @@ -0,0 +1,3 @@ +FROM ghcr.io/static-web-server/static-web-server:2.25-alpine + +COPY ./build/prod /public From 3b265322e09286cad8b593bccef4ebb1c1a7a67a Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Tue, 30 Jan 2024 15:18:45 +0000 Subject: [PATCH 02/16] Build container on PR (but don't publish) to verify Containerfile syntax --- .github/workflows/pull_requests.yml | 14 ++++++++++++++ .github/workflows/releases.yml | 2 -- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 42027c93..654669d1 100644 
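Review bot: `docker/metadata-action@v4` and `redhat-actions/buildah-build@v2` are referenced by major-version tags, which their publishers can move; the same applies to `redhat-actions/push-to-registry@v2` in the next hunk of this file. This job handles `secrets.NPM_TOKEN` and the registry credentials, so pinning each action to a full commit SHA with the version kept as a comment, e.g. `uses: docker/metadata-action@<full-commit-sha> # v4`, means a retagged release cannot change what runs here. The job's steps continue outside the hunk, and the other `uses:` lines there are presumably worth the same treatment.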
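Review bot: The `FROM` line names the base image by tag only, and a tag can be re-pushed with different contents, so two release builds of the same commit are not guaranteed to produce the same image. Appending the digest keeps the tag readable and fixes the content: `FROM ghcr.io/static-web-server/static-web-server:2.25-alpine@sha256:<digest>`. The later patches in this series that introduce `node:18-alpine` and `nginx:1.25-alpine3.18` have the same gap.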
--- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -5,6 +5,10 @@ on: pull_request: types: [synchronize, opened, reopened] +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + jobs: main: runs-on: ubuntu-latest @@ -33,6 +37,16 @@ jobs: if: success() run: npx grunt prod + - name: Production Image Build + if: success() + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + containerfiles: ./Containerfile + platforms: linux/arm64, linux/amd64 + oci: true + - name: UI Tests if: success() run: | diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index 8fbac9f3..c5c4cf2e 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -72,8 +72,6 @@ jobs: containerfiles: ./Containerfile platforms: linux/arm64, linux/amd64 oci: true - extra-args: | - --ulimit nofile=4096:4096 - name: Upload Release Assets if: success() From 40a4872f70f0da19557642a2d43069535114375f Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Tue, 6 Feb 2024 10:26:33 +0000 Subject: [PATCH 03/16] Generate prod build inside container --- .github/workflows/pull_requests.yml | 6 +----- .github/workflows/releases.yml | 4 ++++ Containerfile | 8 +++++++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 654669d1..16fbb6de 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -44,7 +44,7 @@ jobs: with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} containerfiles: ./Containerfile - platforms: linux/arm64, linux/amd64 + platforms: linux/amd64 oci: true - name: UI Tests @@ -52,7 +52,3 @@ jobs: run: | sudo apt-get install xvfb xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui - image: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index c5c4cf2e..c016e24c 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -72,6 +72,10 @@ jobs: containerfiles: ./Containerfile platforms: linux/arm64, linux/amd64 oci: true + # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. + extra-args: | + --ulimit nofile=10000 + - name: Upload Release Assets if: success() diff --git a/Containerfile b/Containerfile index 7727754d..125ef18c 100644 --- a/Containerfile +++ b/Containerfile @@ -1,3 +1,9 @@ +FROM node:18-alpine AS build + +COPY . . +RUN npm ci +RUN npm run build + FROM ghcr.io/static-web-server/static-web-server:2.25-alpine -COPY ./build/prod /public +COPY --from=build ./build/prod /public From 7588e50f9fe2dc94efd8fd074c15177c53e607e2 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Tue, 6 Feb 2024 10:28:02 +0000 Subject: [PATCH 04/16] Remove unecessary QEMU install step --- .github/workflows/releases.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index c016e24c..f00e44f6 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -22,10 +22,6 @@ jobs: uses: actions/setup-node@v3 with: node-version: '18.x' - - name: Install qemu dependency - run: | - sudo apt-get update - sudo apt-get install -y qemu-user-static - name: Install run: | From dbdcb460e542ce57199dd550e76f51d7d50ecb83 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Tue, 6 Feb 2024 10:29:20 +0000 Subject: [PATCH 05/16] Remove unecessary `if: success()` from Github release workflow --- .github/workflows/releases.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index f00e44f6..f3895f8c 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml 
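Review bot: The build stage sets no `WORKDIR`, so `COPY . .` unpacks the repository into the root of the `node:18-alpine` filesystem and `npm ci` runs there as root. Adding `WORKDIR /app` before the copy and changing the last line to `COPY --from=build /app/build/prod /public` keeps the source tree from mixing with system directories. No ignore file is visible at this commit, so the copy presumably also takes in `.git` and any local `node_modules`. The image content now comes from `npm run build` inside the container rather than from the runner build that the workflow's UI tests exercise, which deserves a comment in the file if it is intended.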
@@ -37,17 +37,14 @@ jobs: npm run testnodeconsumer - name: Production Build - if: success() run: npx grunt prod - name: UI Tests - if: success() run: | sudo apt-get install xvfb xvfb-run --server-args="-screen 0 1200x800x24" npx grunt testui - name: Image Metadata - if: success() id: image-metadata uses: docker/metadata-action@v4 with: @@ -58,7 +55,6 @@ jobs: type=semver,pattern={{version}} - name: Production Image Build - if: success() id: build-image uses: redhat-actions/buildah-build@v2 with: @@ -74,7 +70,6 @@ jobs: - name: Upload Release Assets - if: success() id: upload-release-assets uses: svenstaro/upload-release-action@v2 with: @@ -86,13 +81,11 @@ jobs: body: "See the [CHANGELOG](https://github.com/gchq/CyberChef/blob/master/CHANGELOG.md) and [commit messages](https://github.com/gchq/CyberChef/commits/master) for details." - name: Publish to NPM - if: success() uses: JS-DevTools/npm-publish@v1 with: token: ${{ secrets.NPM_TOKEN }} - name: Publish to GHCR - if: success() uses: redhat-actions/push-to-registry@v2 with: image: ${{ steps.build-image.outputs.image }} From a0729304d1441accc032232c37406d7db79f9c75 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Thu, 8 Feb 2024 10:15:29 +0000 Subject: [PATCH 06/16] Add packages write permission --- .github/workflows/releases.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index f3895f8c..76a426be 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -15,6 +15,8 @@ env: jobs: main: runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: actions/checkout@v3 From 4b95ab2477bc3fbc79969266c8e686db55b4d699 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Thu, 8 Feb 2024 10:28:14 +0000 Subject: [PATCH 07/16] Increase nofile limit to 10,000 when building container on PR workflow too --- .github/workflows/pull_requests.yml | 3 +++ 1 file changed, 3 insertions(+) 
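Review bot: Declaring `permissions:` on the job with only `packages: write` sets every scope not listed to `none`, so `contents` is dropped for the whole `main` job. The `Upload Release Assets` step, whose inputs are outside this hunk, would fail if it authenticates with the workflow token; in that case `contents: write` needs to be listed here too. The write scope is also held by every step of the job, including the npm install and the test runs, so moving the image build and `Publish to GHCR` into their own job that declares `packages: write` would confine it to the steps that need it.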
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 16fbb6de..f6a9683c 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -46,6 +46,9 @@ jobs: containerfiles: ./Containerfile platforms: linux/amd64 oci: true + # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. + extra-args: | + --ulimit nofile=10000 - name: UI Tests if: success() From 2b85336c71695c2d1aa15ed46bcd23419c018427 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Thu, 8 Feb 2024 19:32:56 +0000 Subject: [PATCH 08/16] Remove ARM64 Container build from release workflow --- .github/workflows/releases.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index 76a426be..89e4efc5 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -64,7 +64,7 @@ jobs: tags: ${{ steps.image-metadata.outputs.tags }} labels: ${{ steps.image-metadata.outputs.labels }} containerfiles: ./Containerfile - platforms: linux/arm64, linux/amd64 + platforms: linux/amd64 oci: true # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. extra-args: | From 1a2207a045f069032d1e6317de8d6ab3c8892dcf Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Sun, 11 Feb 2024 13:29:18 +0000 Subject: [PATCH 09/16] Swtich to nginx for container --- Containerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Containerfile b/Containerfile index 125ef18c..be4c8bad 100644 --- a/Containerfile +++ b/Containerfile @@ -4,6 +4,6 @@ COPY . . RUN npm ci RUN npm run build -FROM ghcr.io/static-web-server/static-web-server:2.25-alpine +FROM nginx:1.25-alpine3.18 AS cyberchef -COPY --from=build ./build/prod /public +COPY --from=build ./build/prod /usr/share/nginx/html/ From d700d1d459751c0c1d28092396c3691393e9d7fa Mon Sep 17 00:00:00 2001 
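Review bot: The final stage has no `USER` instruction, and the stock `nginx` image starts its master process as root so that it can bind port 80. For a container that only serves static files, an unprivileged variant such as `nginxinc/nginx-unprivileged` (which listens on 8080) would remove that. The port that people map when running the image would have to change with it.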
From: Ashleigh Carr Date: Sun, 11 Feb 2024 13:30:15 +0000 Subject: [PATCH 10/16] Switch to using Dockerfile --- Containerfile => Dockerfile | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Containerfile => Dockerfile (100%) diff --git a/Containerfile b/Dockerfile similarity index 100% rename from Containerfile rename to Dockerfile From 314b925ec916057799f30a229446f6600d816a0f Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Sun, 11 Feb 2024 13:31:03 +0000 Subject: [PATCH 11/16] Add a comment to the README about using Docker --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 24f56e77..2f951d66 100755 --- a/README.md +++ b/README.md @@ -20,6 +20,22 @@ Cryptographic operations in CyberChef should not be relied upon to provide secur [A live demo can be found here][1] - have fun! +## Containers + +If you would like to try out CyberChef locally you can either build it yourself: + +```bash +docker build --tag cyberchef --ulimit nofile=10000 . +docker run -it -p 8080:80 cyberchef +``` + +Or you can use our image directly: + +```bash +docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest +``` + +This image is built and published through our [GitHub Workflows](.github/workflows/docker.yml) ## How it works From abd90240975e33aeee12ad6242046a3bf6b787eb Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Sun, 11 Feb 2024 13:32:26 +0000 Subject: [PATCH 12/16] Add a .dockerignore file --- .dockerignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 00000000..dd87e2d7 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,2 @@ +node_modules +build From c5e880628a1b769105b4586aa3ef1be221b05fd4 Mon Sep 17 00:00:00 2001 
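Review bot: The ignore list leaves `.git` and `.github` in the build context, so the `COPY . .` in the Dockerfile's build stage still copies the repository history into a layer. That layer is not part of the final nginx stage, but it can persist in a shared build cache and it enlarges every context upload. Provided the build does not read from them, adding `.git` and `.github` as two further lines closes that.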
From: Ashleigh Carr Date: Sun, 11 Feb 2024 13:38:43 +0000 Subject: [PATCH 13/16] Fix CI using Containerfile --- .github/workflows/pull_requests.yml | 2 +- .github/workflows/releases.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index f6a9683c..5d2b7e40 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -43,7 +43,7 @@ jobs: uses: redhat-actions/buildah-build@v2 with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - containerfiles: ./Containerfile + containerfiles: ./Dockerfile platforms: linux/amd64 oci: true # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index 89e4efc5..c5433742 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -63,7 +63,7 @@ jobs: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: ${{ steps.image-metadata.outputs.tags }} labels: ${{ steps.image-metadata.outputs.labels }} - containerfiles: ./Containerfile + containerfiles: ./Dockerfile platforms: linux/amd64 oci: true # Webpack seems to use a lot of open files, increase the max open file limit to accomodate. From 3f89a94df2a438245d4881ec5c581d1532517a62 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Mon, 12 Feb 2024 09:49:44 +0000 Subject: [PATCH 14/16] Remove `image` property from Container build & push actions --- .github/workflows/pull_requests.yml | 5 ----- .github/workflows/releases.yml | 2 -- 2 files changed, 7 deletions(-) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 5d2b7e40..af1c6422 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml 
@@ -5,10 +5,6 @@ on: pull_request: types: [synchronize, opened, reopened] -env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} - jobs: main: runs-on: ubuntu-latest @@ -42,7 +38,6 @@ jobs: id: build-image uses: redhat-actions/buildah-build@v2 with: - image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} containerfiles: ./Dockerfile platforms: linux/amd64 oci: true diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml index c5433742..421cb5cd 100644 --- a/.github/workflows/releases.yml +++ b/.github/workflows/releases.yml @@ -60,7 +60,6 @@ jobs: id: build-image uses: redhat-actions/buildah-build@v2 with: - image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: ${{ steps.image-metadata.outputs.tags }} labels: ${{ steps.image-metadata.outputs.labels }} containerfiles: ./Dockerfile @@ -90,7 +89,6 @@ jobs: - name: Publish to GHCR uses: redhat-actions/push-to-registry@v2 with: - image: ${{ steps.build-image.outputs.image }} tags: ${{ steps.build-image.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} From 7582abfa277f00478fa3b235e6f442d1a7b52096 Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Mon, 12 Feb 2024 10:41:45 +0000 Subject: [PATCH 15/16] Fix PR workflow, Buildah requires atleast an image name if no tags specified --- .github/workflows/pull_requests.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index af1c6422..daa59490 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -38,6 +38,8 @@ jobs: id: build-image uses: redhat-actions/buildah-build@v2 with: + # Not being uploaded to any registry, use a simple name to allow Buildah to build correctly. + image: cyberchef containerfiles: ./Dockerfile platforms: linux/amd64 oci: true From 62dfa8f9dddbb76ffa620a972bf13d04095494b9 Mon Sep 17 00:00:00 2001 
From: Ashleigh Carr Date: Mon, 12 Feb 2024 10:45:20 +0000 Subject: [PATCH 16/16] Point to the correct workflow in the README for Container releases. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2f951d66..5549bda2 100755 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ Or you can use our image directly: docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest ``` -This image is built and published through our [GitHub Workflows](.github/workflows/docker.yml) +This image is built and published through our [GitHub Workflows](.github/workflows/releases.yml) ## How it works