Merge pull request #10 from agenixframework/feature/add-docker-compose-artifact-generation

Enhance GitHub workflow: Add docker-compose artifact generation, SBOM…

Author: asuruceanu

.github/workflows/publish-nuget-and-containers.yml

@@ -309,6 +309,28 @@ jobs:
           cache-from: type=gha,scope=dashboard
           cache-to: type=gha,scope=dashboard,mode=max
 
+      - name: Generate docker-compose artifact
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "Preparing docker-compose artifact from published images..."
+          mkdir -p ./artifacts/compose
+          export GHCR_OWNER="${{ github.repository_owner }}"
+          export GHCR_REPO="${{ github.event.repository.name }}"
+          export IMAGE_TAG="${{ needs.build.outputs.version }}"
+          docker compose version || true
+          docker compose -f docker-compose.yml -f docker-compose.images.yml config > ./artifacts/compose/docker-compose-${{ needs.build.outputs.version }}.yml
+          cp ./artifacts/compose/docker-compose-${{ needs.build.outputs.version }}.yml ./artifacts/compose/docker-compose.yml
+          echo "Resolved compose generated at ./artifacts/compose/docker-compose-${{ needs.build.outputs.version }}.yml (and copied as docker-compose.yml)"
+          head -n 50 ./artifacts/compose/docker-compose-${{ needs.build.outputs.version }}.yml || true
+
+      - name: Upload docker-compose artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-compose-${{ needs.build.outputs.version }}
+          path: ./artifacts/compose/
+          retention-days: 30
+
   scan-and-sbom:
     runs-on: ubuntu-latest
     needs: [publish-containers, build]
@@ -386,15 +408,15 @@ jobs:
       - name: Upload Trivy SARIF to code scanning
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: trivy-${{ matrix.component }}.sarif
-          category: trivy-${{ matrix.component }}
+          sarif_file: "trivy-${{ matrix.component }}.sarif"
+          category: "trivy-${{ matrix.component }}"
 
       - name: Upload Trivy SARIF as artifact
         uses: actions/upload-artifact@v4
         with:
-          name: trivy-sarif-${{ matrix.component }}
-          path: trivy-${{ matrix.component }}.sarif
-          retention-days: 14
+          name: "trivy-sarif-${{ matrix.component }}"
+          path: "trivy-${{ matrix.component }}.sarif"
+          retention-days: "14"
 
       - name: Generate SBOM (CycloneDX)
         uses: anchore/sbom-action@v0
@@ -404,6 +426,68 @@ jobs:
           upload-artifact: true
           artifact-name: sbom-${{ matrix.component }}
 
+      - name: Trivy SBOM (CycloneDX JSON)
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ steps.vars.outputs.image }}
+          format: 'cyclonedx'
+          output: trivy-sbom-${{ matrix.component }}.cdx.json
+          exit-code: '0'
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Render Trivy SBOM summary (markdown)
+        id: sbom-summary
+        shell: bash
+        run: |
+          FILE="trivy-sbom-${{ matrix.component }}.cdx.json"
+          OUT="sbom-summary-${{ matrix.component }}.md"
+
+          echo "# SBOM Summary - ${{ matrix.component }}" > "$OUT"
+          echo "" >> "$OUT"
+          echo "- Image: ${{ steps.vars.outputs.image }}" >> "$OUT"
+          echo "- Components: $(jq -r '(.components // []) | length' "$FILE" 2>/dev/null || echo 0)" >> "$OUT"
+
+          echo "" >> "$OUT"
+          echo "## Counts by type" >> "$OUT"
+          echo "" >> "$OUT"
+          echo "| Type | Count |" >> "$OUT"
+          echo "|------|-------|" >> "$OUT"
+          jq -r '(.components // []) | sort_by(.type // "unknown") | group_by(.type) | map({k:(.[0].type // "unknown"), c:length}) | .[] | "| \(.k) | \(.c) |"' "$FILE" 2>/dev/null >> "$OUT" || true
+
+          echo "" >> "$OUT"
+          echo "## Sample components (first 20)" >> "$OUT"
+          echo "" >> "$OUT"
+          echo "| Name | Version | Type | License |" >> "$OUT"
+          echo "|------|---------|------|---------|" >> "$OUT"
+          jq -r '(.components // []) | sort_by(.name) | .[0:20] | .[] | "| \(.name // "-") | \(.version // "-") | \(.type // "-") | \(((.licenses[0].license.id // .licenses[0].license.name) // "-")) |"' "$FILE" 2>/dev/null >> "$OUT" || true
+
+          {
+            echo "## SBOM Summary - ${{ matrix.component }}";
+            echo "";
+            cat "$OUT";
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          echo "summary-file=$OUT" >> $GITHUB_OUTPUT
+
+      - name: Upload SBOM summary and JSON
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sbom-${{ matrix.component }}
+          path: |
+            trivy-sbom-${{ matrix.component }}.cdx.json
+            sbom-summary-${{ matrix.component }}.md
+          retention-days: 14
+
+      - name: Comment SBOM summary on PR
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body-file: ${{ steps.sbom-summary.outputs.summary-file }}
+          edit-mode: replace
+
   # Notification Job
   notify:
     runs-on: ubuntu-latest

README.md

@@ -243,3 +243,32 @@ PR checklist: include relevant documentation updates when changing endpoints, da
 [1]: .assets/logos/agenix-logo-large.png "Agenix"
 
 [2]: .assets/icons/icon-64.png "Agenix"
+
+
+Run with published images (GHCR)
+--------------------------------
+If you don't want to build locally, you can run the stack against images published to GitHub Container Registry.
+
+Prereqs
+- If images are private: docker login ghcr.io
+
+Environment variables (can also be placed in a .env file at repo root)
+- GHCR_OWNER = your GitHub org or username (required)
+- GHCR_REPO  = agenix-playwright-grid (defaults to this repo name if not set)
+- IMAGE_TAG  = latest, or a specific version produced by CI (e.g., 1.2.3)
+
+Start the stack using the images override file
+
+    export GHCR_OWNER=<your-gh-username-or-org>
+    # optional overrides
+    export IMAGE_TAG=latest
+    # export GHCR_REPO=agenix-playwright-grid
+
+    docker compose -f docker-compose.yml -f docker-compose.images.yml pull
+    docker compose -f docker-compose.yml -f docker-compose.images.yml up -d
+
+Notes
+- The override file disables local builds and points hub/worker/dashboard to ghcr.io/${GHCR_OWNER}/${GHCR_REPO}-<service>:${IMAGE_TAG}.
+- Available services: -hub, -worker, -dashboard. Redis/Prometheus/Grafana already use public images.
+- CI pushes multi-arch images (linux/amd64, linux/arm64) and tags both ${IMAGE_TAG} (e.g., 1.2.3) and latest.
+- To scale workers, either duplicate worker sections/ports in docker-compose.yml or use: docker compose up -d --scale worker1=2 (when using a generalized worker service). In this repo workers are declared as worker1/2/3; adjust POOL_CONFIG and ports accordingly.

docker-compose.images.yml

@@ -0,0 +1,41 @@
+version: "3.8"
+
+# Override file to run the stack using published images on GHCR instead of local builds.
+# Usage:
+#   export GHCR_OWNER=<your-gh-org-or-username>
+#   # optional overrides
+#   export GHCR_REPO=agenix-playwright-grid   # defaults to repo name
+#   export IMAGE_TAG=latest                   # or a specific version like v1.2.3
+#   docker compose -f docker-compose.yml -f docker-compose.images.yml up -d
+#
+# Notes:
+# - This file nullifies `build:` on services that normally build locally and replaces them with `image:`.
+# - pull_policy: always ensures the latest tag is pulled when using :latest or mutable tags.
+# - Required env: GHCR_OWNER. You can also set via .env file in the project root.
+
+services:
+  hub:
+    # Remove local build and use published image
+    build: null
+    image: ghcr.io/${GHCR_OWNER:?GHCR_OWNER not set}/${GHCR_REPO:-agenix-playwright-grid}-hub:${IMAGE_TAG:-latest}
+    pull_policy: always
+
+  worker1:
+    build: null
+    image: ghcr.io/${GHCR_OWNER:?GHCR_OWNER not set}/${GHCR_REPO:-agenix-playwright-grid}-worker:${IMAGE_TAG:-latest}
+    pull_policy: always
+
+  worker2:
+    build: null
+    image: ghcr.io/${GHCR_OWNER:?GHCR_OWNER not set}/${GHCR_REPO:-agenix-playwright-grid}-worker:${IMAGE_TAG:-latest}
+    pull_policy: always
+
+  worker3:
+    build: null
+    image: ghcr.io/${GHCR_OWNER:?GHCR_OWNER not set}/${GHCR_REPO:-agenix-playwright-grid}-worker:${IMAGE_TAG:-latest}
+    pull_policy: always
+
+  dashboard:
+    build: null
+    image: ghcr.io/${GHCR_OWNER:?GHCR_OWNER not set}/${GHCR_REPO:-agenix-playwright-grid}-dashboard:${IMAGE_TAG:-latest}
+    pull_policy: always

docs/tasks.md

@@ -45,10 +45,10 @@ The following is an ordered, actionable checklist covering architectural and cod
 39. [ ] Provide Helm chart/Kubernetes manifests with sensible defaults, probes, and resource limits.
 40. [ ] Harden Docker images: run as non-root user, drop capabilities, read-only filesystem with writable temp for Playwright.
 41. [ ] Slim Docker images further: prune caches (npm, dotnet), multi-stage for Node assets, consolidate OS packages, consider distroless base.
-42. [ ] Add multi-arch builds (linux/amd64, linux/arm64) for Hub/Worker via buildx.
+42. [X] Add multi-arch builds (linux/amd64, linux/arm64) for Hub/Worker via buildx.
 43. [X] Add image vulnerability scanning (Trivy/GHCR) and SBOM generation during CI.
-44. [ ] Introduce GitHub Actions CI: build, unit tests, integration tests (with Testcontainers), publish artifacts, and optional Docker image publish.
-45. [ ] Add workflow caching for dotnet restore, npm playwright installs, and docker layers to speed up CI.
+44. [X] Introduce GitHub Actions CI: build, unit tests, integration tests (with Testcontainers), publish artifacts, and optional Docker image publish.
+45. [X] Add workflow caching for dotnet restore, npm playwright installs, and docker layers to speed up CI.
 46. [ ] Expand unit tests for label matching, options parsing (POOL_CONFIG), and secret handling edge cases.
 47. [ ] Add integration tests for: secret mismatch (401), capacity exhaustion (503), borrow queue timeout, and node eviction scenarios.
 48. [ ] Add flaky-test mitigations: deterministic time helpers, extended health timeouts via env, and richer test diagnostics.