feat: add psql image (#943)

* feat: add psql image

* chore(:robot:): dhall update

* test

* add bash

Co-authored-by: Social Groovy Bot <45039513+SocialGroovyBot@users.noreply.github.com>

.github/workflows/psql.branches.workflow.yaml

@@ -0,0 +1,116 @@
+concurrency:
+  cancel-in-progress: true
+  group: "psql-${{ github.ref }}"
+jobs:
+  build:
+    name: Build
+    needs:
+      - Lint
+    outputs:
+      digest: "${{ steps.docker_push.outputs.digest }}"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - id: docker_meta
+        uses: "crazy-max/ghaction-docker-meta@f6efe56d565add159ad605568120f5b22712a870"
+        with:
+          images: ghcr.io/socialgouv/docker/psql
+          labels: |
+            org.opencontainers.image.title=psql
+            org.opencontainers.image.documentation=https://github.com/SocialGouv/docker/tree/${{ github.sha }}/psql
+          tags: |
+            type=sha
+            type=raw,value=sha-${{ github.sha }}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - id: docker_buildx
+        name: Set up Docker Buildx
+        uses: "docker/setup-buildx-action@abe5d8f79a1606a2d3e218847032f3f2b1726ab0"
+        with: {}
+      - if: "${{ github.event_name != 'pull_request' }}"
+        name: Login to ghcr.io/socialgouv Registry
+        uses: "docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9"
+        with:
+          password: "${{ secrets.GHCR_REGISTRY_TOKEN }}"
+          registry: ghcr.io
+          username: "${{ secrets.SOCIALGROOVYBOT_NAME }}"
+      - id: docker_push
+        name: Push
+        uses: "docker/build-push-action@1bc1040caef9e604eb543693ba89b5bf4fc80935"
+        with:
+          builder: "${{ steps.docker_buildx.outputs.name }}"
+          cache-from: type=gha
+          cache-to: "type=gha,mode=max"
+          context: "./psql"
+          labels: "${{ steps.docker_meta.outputs.labels }}"
+          push: 'true'
+          tags: "${{ steps.docker_meta.outputs.tags }}"
+      - name: Image digest
+        run: |
+          echo "${{ steps.docker_push.outputs.digest }}"
+  container_test:
+    name: Container Test
+    needs:
+      - Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - name: Container structure test
+        uses: "docker://gcr.io/gcp-runtimes/container-structure-test:v1.10.0@sha256:78c0abfdc3696ec9fb35840d62342cf28f65d890d56beceb2113638d59f2cce8"
+        with:
+          args: "test   --config psql/tests/container-structure-test.yml -v debug --image ghcr.io/socialgouv/docker/psql@${{ needs.Build.outputs.digest }} --pull"
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - uses: "docker://ghcr.io/hadolint/hadolint:2.4.0@sha256:ed22c9de9b884383094edb8930696a256c4450335945c68153d8fc8fbb27bf03"
+        with:
+          args: hadolint ./psql/Dockerfile
+  security_scan:
+    name: Vulnerability Scanner
+    needs:
+      - Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - run: "docker pull ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+      - name: Run Trivy vulnerability scanner
+        uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
+        with:
+          image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+      - name: Export Trivy Results as sarif
+        uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
+        with:
+          format: template
+          image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+          output: trivy-results.sarif
+          template: "@/contrib/sarif.tpl"
+      - name: Change hardcoded Dockerfile path
+        run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"psql\\/Dockerfile\"/' trivy-results.sarif"
+      - uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
+        with:
+          sarif_file: trivy-results.sarif
+  version_test:
+    container: "docker://ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+    name: Test Version
+    needs:
+      - Build
+    runs-on: ubuntu-latest
+    steps:
+      - run: psql --version
+name: "psql (branch)"
+on:
+  push:
+    branches-ignore:
+      - master
+      - next
+      - next-major
+      - beta
+      - alpha
+      - "+([0-9])?(.{+([0-9]),x}).x"
+    paths:
+      - "psql/**"
+      - ".github/workflows/psql.branches.workflow.yaml"

.github/workflows/psql.main.workflow.yaml

@@ -0,0 +1,115 @@
+concurrency:
+  cancel-in-progress: true
+  group: "psql-${{ github.ref }}"
+jobs:
+  build:
+    name: Build
+    needs:
+      - Lint
+    outputs:
+      digest: "${{ steps.docker_push.outputs.digest }}"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - id: docker_meta
+        uses: "crazy-max/ghaction-docker-meta@f6efe56d565add159ad605568120f5b22712a870"
+        with:
+          images: ghcr.io/socialgouv/docker/psql
+          labels: |
+            org.opencontainers.image.title=psql
+            org.opencontainers.image.documentation=https://github.com/SocialGouv/docker/tree/${{ github.sha }}/psql
+          tags: |
+            type=sha
+            type=raw,value=sha-${{ github.sha }}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - id: docker_buildx
+        name: Set up Docker Buildx
+        uses: "docker/setup-buildx-action@abe5d8f79a1606a2d3e218847032f3f2b1726ab0"
+        with: {}
+      - if: "${{ github.event_name != 'pull_request' }}"
+        name: Login to ghcr.io/socialgouv Registry
+        uses: "docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9"
+        with:
+          password: "${{ secrets.GHCR_REGISTRY_TOKEN }}"
+          registry: ghcr.io
+          username: "${{ secrets.SOCIALGROOVYBOT_NAME }}"
+      - id: docker_push
+        name: Push
+        uses: "docker/build-push-action@1bc1040caef9e604eb543693ba89b5bf4fc80935"
+        with:
+          builder: "${{ steps.docker_buildx.outputs.name }}"
+          cache-from: type=gha
+          cache-to: "type=gha,mode=max"
+          context: "./psql"
+          labels: "${{ steps.docker_meta.outputs.labels }}"
+          push: 'true'
+          tags: "${{ steps.docker_meta.outputs.tags }}"
+      - name: Image digest
+        run: |
+          echo "${{ steps.docker_push.outputs.digest }}"
+  container_test:
+    name: Container Test
+    needs:
+      - Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - name: Container structure test
+        uses: "docker://gcr.io/gcp-runtimes/container-structure-test:v1.10.0@sha256:78c0abfdc3696ec9fb35840d62342cf28f65d890d56beceb2113638d59f2cce8"
+        with:
+          args: "test   --config psql/tests/container-structure-test.yml -v debug --image ghcr.io/socialgouv/docker/psql@${{ needs.Build.outputs.digest }} --pull"
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - uses: "docker://ghcr.io/hadolint/hadolint:2.4.0@sha256:ed22c9de9b884383094edb8930696a256c4450335945c68153d8fc8fbb27bf03"
+        with:
+          args: hadolint ./psql/Dockerfile
+  security_scan:
+    name: Vulnerability Scanner
+    needs:
+      - Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - run: "docker pull ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+      - name: Run Trivy vulnerability scanner
+        uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
+        with:
+          image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+      - name: Export Trivy Results as sarif
+        uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
+        with:
+          format: template
+          image-ref: "ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+          output: trivy-results.sarif
+          template: "@/contrib/sarif.tpl"
+      - name: Change hardcoded Dockerfile path
+        run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"psql\\/Dockerfile\"/' trivy-results.sarif"
+      - uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
+        with:
+          sarif_file: trivy-results.sarif
+  version_test:
+    container: "docker://ghcr.io/socialgouv/docker/psql:sha-${{ github.sha }}"
+    name: Test Version
+    needs:
+      - Build
+    runs-on: ubuntu-latest
+    steps:
+      - run: psql --version
+name: "psql (main)"
+on:
+  push:
+    branches:
+      - master
+      - next
+      - next-major
+      - beta
+      - alpha
+      - "+([0-9])?(.{+([0-9]),x}).x"
+    tags:
+      - "v*"

CONTRIBUTING.md

@@ -65,7 +65,7 @@ $ docker run --rm -i ghcr.io/hadolint/hadolint < ./<image>/Dockerfile
 $ docker run --rm -i ghcr.io/hadolint/hadolint < ./helm/Dockerfile
 ```
 
-## Generate GitLab Workflow
+## Generate GitHub Workflow
 
 ### Lint Dockerfiles
 

README.md

@@ -36,6 +36,7 @@ $ docker pull ghcr.io/socialgouv/docker/<image>
 | **dhall**             | `docker pull ghcr.io/socialgouv/docker/dhall:6.69.1`             | [![README](https://img.shields.io/badge/README--green.svg)](./dhall/README.md)             |
 | **nginx**             | `docker pull ghcr.io/socialgouv/docker/nginx:6.69.1`             | [![README](https://img.shields.io/badge/README--green.svg)](./nginx/README.md)             |
 | **nginx4spa**         | `docker pull ghcr.io/socialgouv/docker/nginx4spa:6.69.1`         | [![README](https://img.shields.io/badge/README--green.svg)](./nginx4spa/README.md)         |
+| **psql**              | `docker pull ghcr.io/socialgouv/docker/psql:6.69.1`              | [![README](https://img.shields.io/badge/README--green.svg)](./psql/README.md)              |
 | **wait-for-http**     | `docker pull ghcr.io/socialgouv/docker/wait-for-http:6.69.1`     | [![README](https://img.shields.io/badge/README--green.svg)](./wait-for-http/README.md)     |
 | **wait-for-postgres** | `docker pull ghcr.io/socialgouv/docker/wait-for-postgres:6.69.1` | [![README](https://img.shields.io/badge/README--green.svg)](./wait-for-postgres/README.md) |
 

psql/.env

@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=socialgouv_docker_psql

psql/.github/AssemblyLine.dhall

@@ -0,0 +1,22 @@
+let AssemblyLine =
+      ../../.github/dhall/workflows/AssemblyLine.dhall
+        sha256:2bab6cac12fe90f5a724f023c87129b3354a0103826aebb8013353bd3a7785a9
+
+let InceptionJob =
+      ../../.github/dhall/jobs/Inception.dhall
+        sha256:037f4c6e58bcec39375d74afb5ded6db30caa1e372b399bf7f30da1d6c1cdc4f
+
+let GithubActions =
+      https://raw.githubusercontent.com/SocialGouv/.github/9fe59f60d6a941dd76df40d67b3428fdf85865aa/dhall/github-actions/package.dhall
+        sha256:61e7d862f54e9514379feaadbc80a85b7bd870dad5e31e2e83d8b3dd9eda8e1b
+
+let name = "psql"
+
+let version_test =
+      InceptionJob
+        { package = name }
+        { name = "Test Version"
+        , steps = [ GithubActions.Step::{ run = Some "psql --version" } ]
+        }
+
+in  AssemblyLine.Worklflow { name, jobs = toMap { version_test } }

psql/.github/branches.workflow.dhall

@@ -0,0 +1,8 @@
+let On =
+      ../../.github/dhall/workflows/On.dhall
+        sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9
+
+in  ./AssemblyLine.dhall
+      sha256:91d7d10f27ce446fabf02d690abc68e90c3da668c129280043cc58628c92da43
+  with on = On.match On.Event.FeatureBranches "psql"
+  with name = "psql (branch)"

psql/.github/main.workflow.dhall

@@ -0,0 +1,8 @@
+let On =
+      ../../.github/dhall/workflows/On.dhall
+        sha256:d1cce9f45a9ccada3c6152cc684d23678d27bb58410c642b7396c13c3f7f99c9
+
+in  ./AssemblyLine.dhall
+      sha256:91d7d10f27ce446fabf02d690abc68e90c3da668c129280043cc58628c92da43
+  with on = On.match On.Event.ReleasesBranches "psql"
+  with name = "psql (main)"

psql/Dockerfile

@@ -0,0 +1,5 @@
+FROM alpine:3.14
+
+RUN apk --no-cache add bash=5.1.4-r0 postgresql-client=13.5-r0 jq=1.6-r1
+
+ENTRYPOINT []

psql/Makefile

@@ -0,0 +1,19 @@
+#
+
+DOCKER_COMPOSE = docker-compose
+BATS_BIN = $$(yarn bin)/bats
+
+all: test build lint
+
+lint:
+	$(DOCKER_COMPOSE) run --rm lint
+
+build: lint
+	$(DOCKER_COMPOSE) build
+
+test: build test_structure
+
+test_structure:
+	$(DOCKER_COMPOSE) run --rm test
+
+

psql/README.md

@@ -0,0 +1,3 @@
+# psql
+
+Image with `psql` and `jq`

psql/docker-compose.yml

@@ -0,0 +1,31 @@
+services:
+  alpine:
+    build:
+      context: .
+    deploy:
+      replicas: 0
+  #
+
+  lint:
+    image: ghcr.io/hadolint/hadolint:v2.8.0-alpine
+    entrypoint: hadolint
+    command: Dockerfile
+    volumes:
+      - .:/home/socialgouv
+    working_dir: /home/socialgouv
+
+  #
+
+  test:
+    image: gcr.io/gcp-runtimes/container-structure-test:v1.11.0
+    depends_on:
+      - alpine
+    command: >
+      test
+      --config tests/container-structure-test.yml
+      --image ${COMPOSE_PROJECT_NAME}_alpine
+      -v debug
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - .:/home/socialgouv
+    working_dir: /home/socialgouv

psql/tests/container-structure-test.yml

@@ -0,0 +1,11 @@
+schemaVersion: "2.0.0"
+
+commandTests:
+  - name: "psql version"
+    command: "psql"
+    args: ["--version"]
+    expectedOutput: ["psql \\(PostgreSQL\\) \\d+\\.\\d+"]
+  - name: "jq version"
+    command: "jq"
+    args: ["--version"]
+    expectedOutput: ["jq-master-v.*"]