From 640d0553976a4101197d39248fc785a8e61ec8a4 Mon Sep 17 00:00:00 2001 From: Simon Hammes Date: Wed, 11 Sep 2024 17:44:39 +0200 Subject: [PATCH 1/4] Upgrade setuptools to fix vulnerabilities --- runner/Dockerfile | 4 +++- scheduler/Dockerfile | 5 ++++- starter/Dockerfile | 4 +++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/runner/Dockerfile b/runner/Dockerfile index 9a4affe..5eec0bb 100644 --- a/runner/Dockerfile +++ b/runner/Dockerfile @@ -30,7 +30,9 @@ WORKDIR /settings COPY ./requirements.txt . -RUN pip install -r requirements.txt --no-cache-dir --user +# Upgrade setuptools to fix vulnerabilities +RUN pip install --upgrade setuptools && \ + pip install -r requirements.txt --no-cache-dir --user ## Runtime image diff --git a/scheduler/Dockerfile b/scheduler/Dockerfile index a4e2241..e7fcc9a 100644 --- a/scheduler/Dockerfile +++ b/scheduler/Dockerfile @@ -36,7 +36,10 @@ COPY ["version", "/opt/scheduler/version"] COPY ["logrotate/", "/opt/scheduler/logrotate/"] RUN mkdir -p /opt/scheduler/logs RUN mkdir -p /opt/seatable/logs -RUN pip3 install -r /opt/scheduler/requirements.txt --user + +# Upgrade setuptools to fix vulnerabilities +RUN pip3 install --upgrade setuptools && \ + pip3 install -r /opt/scheduler/requirements.txt --user # Add Tini ENV TINI_VERSION v0.19.0 diff --git a/starter/Dockerfile b/starter/Dockerfile index 060e5ea..c8ceb30 100644 --- a/starter/Dockerfile +++ b/starter/Dockerfile @@ -6,8 +6,10 @@ RUN apt-get update --fix-missing && \ WORKDIR /opt/seatable-python-starter COPY ["./requirements.txt", "/opt/seatable-python-starter/"] -RUN pip install -r /opt/seatable-python-starter/requirements.txt --user --break-system-packages +# Upgrade setuptools to fix vulnerabilities +RUN pip install --upgrade setuptools && \ + pip install -r /opt/seatable-python-starter/requirements.txt --user --break-system-packages ### Runtime image FROM python:3.11-slim-bookworm AS runtime-image 
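Review bot: The new `RUN pip install --upgrade setuptools` in the runner hunk is unpinned, so the setuptools version that lands in the image is whatever the index serves at build time and the fix cannot be reproduced or audited from the Dockerfile; pin the lower bound the scanner reported as fixed and record it in the comment, e.g. `RUN pip install --no-cache-dir 'setuptools>=<fixed version>' && \`. The `--no-cache-dir` used on the requirements install on the next line is missing here, so the downloaded wheel is left in the layer. Note also that this upgrade writes to the interpreter's system site-packages while the requirements go to the `--user` site; if the `## Runtime image` stage that follows copies only the user site, the upgraded copy presumably does not reach the runtime image — worth confirming against the rest of the file, which is outside the hunk.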
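Review bot: In the starter hunk the new `pip install --upgrade setuptools` lacks the `--break-system-packages` flag that the requirements install on the following line carries; if the build-stage interpreter is externally managed (which that flag suggests, though the stage's `FROM` is outside the hunk), pip will refuse the setuptools install with an externally-managed-environment error and the build fails before the requirements step. Add the flag to the new command too: `RUN pip install --upgrade --break-system-packages setuptools && \`. As in the other two Dockerfiles the version is unpinned; a lower bound matching the fixed release would make the fix reproducible.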
From 1796c1a84562794237f5a161a7a066a8964281b9 Mon Sep 17 00:00:00 2001 From: Simon Hammes Date: Wed, 11 Sep 2024 17:49:36 +0200 Subject: [PATCH 2/4] CI: Run trivy against local images --- .github/workflows/build-image-on-push.yml | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build-image-on-push.yml b/.github/workflows/build-image-on-push.yml index 875bb36..cbddb63 100644 --- a/.github/workflows/build-image-on-push.yml +++ b/.github/workflows/build-image-on-push.yml @@ -102,14 +102,15 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build and push image + - name: Build image uses: docker/build-push-action@v5 with: context: ${{ needs.init-vars.outputs.component }} - push: true + # Load build result to `docker images` + load: true tags: | - seatable/seatable-python-${{ needs.init-vars.outputs.component }}-verify:commit-${{ steps.get_commit.outputs.short_sha }} - seatable/seatable-python-${{ needs.init-vars.outputs.component }}-verify:${{ needs.init-vars.outputs.image_tag_prefix }}${{ needs.init-vars.outputs.version }} + seatable/seatable-python-${{ needs.init-vars.outputs.component }}:commit-${{ steps.get_commit.outputs.short_sha }} + seatable/seatable-python-${{ needs.init-vars.outputs.component }}:${{ needs.init-vars.outputs.image_tag_prefix }}${{ needs.init-vars.outputs.version }} labels: | org.opencontainers.image.title=seatable/seatable-python-${{ needs.init-vars.outputs.component }} org.opencontainers.image.version=${{ needs.init-vars.outputs.image_tag_prefix }}${{ needs.init-vars.outputs.version }} 
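Review bot: The Docker Hub login (the `username`/`password` lines at the top of the hunk) still precedes the build even though the build step no longer pushes; since publishing now happens in a later step, moving the login step to just before the push keeps the registry token out of the build and scan steps, which is the least-privilege ordering this split makes possible. `load: true` also only works for a single-platform build — if this job sets `platforms:` somewhere outside the hunk, the step will fail and should be limited to one platform or switched to `outputs: type=docker`.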
@@ -123,22 +124,16 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: 'docker.io/seatable/seatable-python-${{ needs.init-vars.outputs.component }}-verify:commit-${{ steps.get_commit.outputs.short_sha }}' + image-ref: 'seatable/seatable-python-${{ needs.init-vars.outputs.component }}:commit-${{ steps.get_commit.outputs.short_sha }}' format: 'table' exit-code: '0' scanners: 'vuln,misconfig' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - env: - TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Move image to non verify repository - id: move_image + - name: Push image + id: push_image run: | - docker pull seatable/seatable-python-${{ needs.init-vars.outputs.component }}-verify:commit-${{ steps.get_commit.outputs.short_sha }} - docker tag seatable/seatable-python-${{ needs.init-vars.outputs.component }}-verify:commit-${{ steps.get_commit.outputs.short_sha }} seatable/seatable-python-${{ needs.init-vars.outputs.component }}:commit-${{ steps.get_commit.outputs.short_sha }} - docker tag seatable/seatable-python-${{ needs.init-vars.outputs.component }}:commit-${{ steps.get_commit.outputs.short_sha }} seatable/seatable-python-${{ needs.init-vars.outputs.component }}:${{ needs.init-vars.outputs.image_tag_prefix }}${{ needs.init-vars.outputs.version }} docker push seatable/seatable-python-${{ needs.init-vars.outputs.component }}:commit-${{ steps.get_commit.outputs.short_sha }} docker push seatable/seatable-python-${{ needs.init-vars.outputs.component }}:${{ needs.init-vars.outputs.image_tag_prefix }}${{ needs.init-vars.outputs.version }} From de0888c5783b7bedb41275ad8eb1b802c2e1b106 Mon Sep 17 00:00:00 2001 From: Simon Hammes Date: Wed, 11 Sep 2024 18:02:29 +0200 Subject: [PATCH 3/4] Add --user to pip commands --- runner/Dockerfile | 2 +- scheduler/Dockerfile | 2 +- starter/Dockerfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
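Review bot: The reordering does not actually gate the push on the scan: `exit-code: '0'` (the context line just below the changed `image-ref`) makes the Trivy step succeed regardless of findings, so the new `Push image` step runs even when CRITICAL/HIGH vulnerabilities are reported. If the intent is to scan before publishing, set `exit-code: '1'` so a finding fails the job and the push step is skipped; `ignore-unfixed: true` already limits that to issues with an available fix. Separately, `uses: aquasecurity/trivy-action@master` tracks a mutable branch; pinning it to a release tag or commit SHA would keep the scanner itself out of the supply-chain risk, though that line is pre-existing and not part of this change.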
diff --git a/runner/Dockerfile b/runner/Dockerfile index 5eec0bb..45be80a 100644 --- a/runner/Dockerfile +++ b/runner/Dockerfile @@ -31,7 +31,7 @@ WORKDIR /settings COPY ./requirements.txt . # Upgrade setuptools to fix vulnerabilities -RUN pip install --upgrade setuptools && \ +RUN pip install --upgrade --user setuptools && \ pip install -r requirements.txt --no-cache-dir --user diff --git a/scheduler/Dockerfile b/scheduler/Dockerfile index e7fcc9a..c5d9ef5 100644 --- a/scheduler/Dockerfile +++ b/scheduler/Dockerfile @@ -38,7 +38,7 @@ RUN mkdir -p /opt/scheduler/logs RUN mkdir -p /opt/seatable/logs # Upgrade setuptools to fix vulnerabilities -RUN pip3 install --upgrade setuptools && \ +RUN pip3 install --upgrade --user setuptools && \ pip3 install -r /opt/scheduler/requirements.txt --user # Add Tini diff --git a/starter/Dockerfile b/starter/Dockerfile index c8ceb30..23b6d55 100644 --- a/starter/Dockerfile +++ b/starter/Dockerfile @@ -8,7 +8,7 @@ WORKDIR /opt/seatable-python-starter COPY ["./requirements.txt", "/opt/seatable-python-starter/"] # Upgrade setuptools to fix vulnerabilities -RUN pip install --upgrade setuptools && \ +RUN pip install --upgrade --user setuptools && \ pip install -r /opt/seatable-python-starter/requirements.txt --user --break-system-packages ### Runtime image From c4dc2362aec5a3fd2cc66f1521abb00cd1f845b7 Mon Sep 17 00:00:00 2001 From: Simon Hammes Date: Wed, 11 Sep 2024 18:10:40 +0200 Subject: [PATCH 4/4] =?UTF-8?q?Doppelt=20h=C3=A4lt=20besser?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- runner/Dockerfile | 3 ++- scheduler/Dockerfile | 3 ++- starter/Dockerfile | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/runner/Dockerfile b/runner/Dockerfile index 45be80a..fe62057 100644 --- a/runner/Dockerfile +++ b/runner/Dockerfile 
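Review bot: Moving the upgrade to `--user` in the runner hunk leaves the system site-packages copy of setuptools in the build stage untouched, so the vulnerable version is still present there; the user-site copy shadows it on `sys.path` for the build user, but an image scanner like the Trivy step in this repository's CI reads package metadata on disk and will still report the system copy in any image that contains it. Whether that matters depends on what the runtime stage copies from this stage, which is outside the hunk. A comment stating which site the runtime image consumes, e.g. `# --user: the runtime stage copies only the user site from this stage`, would make the intent of the flag clear to the next maintainer.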
@@ -31,7 +31,8 @@ WORKDIR /settings COPY ./requirements.txt . # Upgrade setuptools to fix vulnerabilities -RUN pip install --upgrade --user setuptools && \ +RUN pip install --upgrade setuptools && \ + pip install --upgrade --user setuptools && \ pip install -r requirements.txt --no-cache-dir --user diff --git a/scheduler/Dockerfile b/scheduler/Dockerfile index c5d9ef5..4ccb293 100644 --- a/scheduler/Dockerfile +++ b/scheduler/Dockerfile @@ -38,7 +38,8 @@ RUN mkdir -p /opt/scheduler/logs RUN mkdir -p /opt/seatable/logs # Upgrade setuptools to fix vulnerabilities -RUN pip3 install --upgrade --user setuptools && \ +RUN pip3 install --upgrade setuptools && \ + pip3 install --upgrade --user setuptools && \ pip3 install -r /opt/scheduler/requirements.txt --user # Add Tini diff --git a/starter/Dockerfile b/starter/Dockerfile index 23b6d55..05abfa7 100644 --- a/starter/Dockerfile +++ b/starter/Dockerfile @@ -8,7 +8,8 @@ WORKDIR /opt/seatable-python-starter COPY ["./requirements.txt", "/opt/seatable-python-starter/"] # Upgrade setuptools to fix vulnerabilities -RUN pip install --upgrade --user setuptools && \ +RUN pip install --upgrade setuptools && \ + pip install --upgrade --user setuptools && \ pip install -r /opt/seatable-python-starter/requirements.txt --user --break-system-packages ### Runtime image
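Review bot: Upgrading setuptools twice in the runner hunk (system site, then `--user` site) without a pin gives no guarantee that both land on the same version or on a fixed release, and the comment does not say why two installs are needed; pin both to the same lower bound and explain the intent, e.g. `# Upgrade setuptools in both the system and user site: the build stage is scanned and the runtime stage copies the user site` (adjusted to what the runtime stage actually copies, which is outside the hunk). Note also that the runtime stage's base image ships its own setuptools in its system site-packages; unless the upgrade is repeated in that stage, a scan of the final image will presumably still report it. `--no-cache-dir` is applied only to the requirements install on the last line, not to the two new setuptools installs.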
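Review bot: Both new setuptools installs in the starter hunk omit the `--break-system-packages` flag that the requirements install on the following line uses; if the build-stage interpreter is externally managed (which that flag suggests), pip will refuse both installs with an externally-managed-environment error and the build fails before the requirements step. Add the flag to both lines: `RUN pip install --upgrade --break-system-packages setuptools && \` and `pip install --upgrade --user --break-system-packages setuptools && \`. The runtime stage `FROM python:3.11-slim-bookworm AS runtime-image` below still carries the base image's own setuptools unless it is upgraded there as well.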