Merge pull request #136 from eScienceLab/135-add-release-triggered-github-actions-workflow-to-build-docker-image-with-baked-in-profiles

douglowe · web-flow · commit 7697b5e44cb7 · 2026-03-13T12:29:30.000+02:00
Added dockerfile and workflow to build Docker image with baked-in five-safes profile
diff --git a/.github/workflows/build-with-profiles.yml b/.github/workflows/build-with-profiles.yml
@@ -0,0 +1,52 @@
+name: Create and publish a Docker image (with profiles)
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}-fivesafes-profile
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile.fivesafes-profile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/Dockerfile.fivesafes-profile b/Dockerfile.fivesafes-profile
@@ -0,0 +1,39 @@
+FROM python:3.11-slim
+
+ARG FIVE_SAFES_PROFILE_VERSION=five-safes-0.7.4-beta
+ARG PROFILES_ARCHIVE_URL=https://github.com/eScienceLab/rocrate-validator/archive/refs/tags/${FIVE_SAFES_PROFILE_VERSION}.tar.gz
+ARG PY_VER=3.11
+
+# Install required system packages, including git
+RUN apt-get update && apt-get install -y git wget && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --upgrade pip
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY cratey.py LICENSE /app/
+COPY app /app/app
+RUN <<EOF_WRF
+wget -O /tmp/rocrate-validator-profiles.tar.gz "$PROFILES_ARCHIVE_URL"
+tar -xzf /tmp/rocrate-validator-profiles.tar.gz \
+    -C /usr/local/lib/python${PY_VER}/site-packages/rocrate_validator/profiles/ \
+    --strip-components=3 \
+    "rocrate-validator-${FIVE_SAFES_PROFILE_VERSION}/rocrate_validator/profiles/five-safes-crate"
+rm /tmp/rocrate-validator-profiles.tar.gz
+EOF_WRF
+
+RUN useradd -ms /bin/bash flaskuser
+RUN chown -R flaskuser:flaskuser /app
+
+ENV FIVE_SAFES_PROFILE_VERSION=${FIVE_SAFES_PROFILE_VERSION}
+
+USER flaskuser
+
+EXPOSE 5000
+
+CMD ["flask", "run", "--host=0.0.0.0"]
+
+LABEL org.opencontainers.image.source="https://github.com/eScienceLab/Cratey-Validator"
+LABEL org.cratey.five-safes-profile-version="${FIVE_SAFES_PROFILE_VERSION}"
