VulnerableApp icon indicating copy to clipboard operation
VulnerableApp copied to clipboard

Published 20 hours ago verified publisher icon SasanLabs

Currently docker images are not versioned which can be an issue going further

Open preetkaran20 opened this issue 2 years ago • 7 comments

Is your feature request related to a problem? Please describe. Docker images for VulnerableApp have just 2 versions latest and unreleased. It should be latest (whcih is unreleased) and specific tags for released versions.

For more information about the existing images: https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

How do we create images ? we have a Github action for creating and pushing docker images: https://github.com/SasanLabs/VulnerableApp/blob/master/.github/workflows/docker.yml, we use a tool called jib for this

preetkaran20 avatar Feb 22 '22 06:02 preetkaran20

Hello,

I would like to take on this issue.

I was looking into GitHub Workflow, actions, jib, the current docker.yml, docker hub and had a few questions.

  1. To make sure I understand the issue, the Docker 'unreleased' tag is on the most recently pushed image (that has not been released).
  2. Then, did you want the Docker 'latest' tag on the most recently pushed image (it can be either released or unreleased)? Or should it always be tagged to a released version?
  3. I was also looking into gitversion to automate the semantic versioning. There is a GitHub action available for that or would you rather have developers create tags that the workflow can use.
  4. Currently the workflow is triggered when a push to main occurs. What do you think of having this triggered instead, when a pull request is approved?

Thank you

merry-degaga avatar Mar 25 '22 19:03 merry-degaga

@merry-degaga sorry, I missed your message. Are you working on this task ?

preetkaran20 avatar Jul 31 '22 03:07 preetkaran20

Hello,

I would like to take on this issue.

I was looking into GitHub Workflow, actions, jib, the current docker.yml, docker hub and had a few questions.

  1. To make sure I understand the issue, the Docker 'unreleased' tag is on the most recently pushed image (that has not been released).

Yes, unreleased is the not yet release docker image.

  1. Then, did you want the Docker 'latest' tag on the most recently pushed image (it can be either released or unreleased)? Or should it always be tagged to a released version?

I think latest should be released tag.

  1. I was also looking into gitversion to automate the semantic versioning. There is a GitHub action available for that or would you rather have developers create tags that the workflow can use.

How would github action know, we want to release a newer version ?

  1. Currently the workflow is triggered when a push to main occurs. What do you think of having this triggered instead, when a pull request is approved?

I think we should always triggered on merge on the main branch. For PR docker's, we are not getting any requirement till now.

Thank you

preetkaran20 avatar Jul 31 '22 03:07 preetkaran20

@merry-degaga sorry, I missed your message. Are you working on this task ?

Yes, I can work on this, thank you

merry-degaga avatar Aug 01 '22 18:08 merry-degaga

  1. I was also looking into gitversion to automate the semantic versioning. There is a GitHub action available for that or would you rather have developers create tags that the workflow can use.

How would github action know, we want to release a newer version ?

The github action gitversion uses the github action checkout@v2 with a fetch-depth: 0 to grab all tags. Using the commit message from a merge request, a contributer can enter in either +semver:major | minor | patch. Patch is the default incremented value if +semver: is not included in the commit message. I included another github action that will update the tag as well in GitHub, that is the softprops/action-gh-release@v1 action.

merry-degaga avatar Aug 03 '22 21:08 merry-degaga

So far the functionalities I am able to set up is: On a push event to main, given a contributer includes +semver:major | minor , this will update both the Github tag and build and push docker image with the version tag, and latest tag. On a push event to main, given a contributer does not include +semver:major | minor, this will automatically increment the semantic version's patch value and update both the Github tag and build and push docker image with the version tag and latest tag.

Does this meet your expectations? If so, I will put in a pull request. Thank you.

merry-degaga avatar Aug 03 '22 22:08 merry-degaga

@merry-degaga sounds good. Please raise the PR and we can do modifications there if required.

thanks, Karan

preetkaran20 avatar Aug 04 '22 11:08 preetkaran20