Merge pull request #1 from aphp/dev

Init with documentation and source images

Author: kzgrzendek

.github/workflows/ci-redcap-fastcgi-client.yaml

@@ -0,0 +1,95 @@
+name: build
+
+on:
+  push:
+    branches:
+      - "dev"
+    tags:
+      - "v*.*.*"
+
+jobs:
+  lint-redcap-fastcgi-client:
+    name: lint-redcap-fastcgi-client
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Lint Dockerfile with Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ./fastcgi-client/Dockerfile
+          override-info: DL3008,DL3018,DL3041,SC2046
+          failure-threshold: warning
+
+  scan-redcap-fastcgi-client:
+    name: scan-redcap-fastcgi-client
+    needs: lint-redcap-fastcgi-client
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build container from Dockerfile
+        run: docker build -t ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }} ./fastcgi-client
+      - name: Run Dockle
+        uses: erzz/dockle-action@v1.4.0
+        with:
+          image: ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}
+          report-format: json
+          failure-threshold: fatal
+          exit-code: 1
+      - name: Scan container for vulnerabilities with Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'ghcr.io/aphp/redcap-fastcgi-client:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: 'vuln,secret,license'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+
+  push-redcap-fastcgi-client:
+    name: push-redcap-fastcgi-client
+    needs: scan-redcap-fastcgi-client
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ghcr.io/aphp/redcap-fastcgi-client            
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha  
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+          
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: "{{defaultContext}}:fastcgi-client"
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/ci-redcap-httpd-shibd.yaml

@@ -0,0 +1,94 @@
+name: build
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+
+jobs:
+  lint-redcap-httpd-shibd:
+    name: lint-redcap-httpd-shibd
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Lint Dockerfile with Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ./httpd-shibd/Dockerfile
+          override-info: DL3008,DL3018,DL3041,SC2046
+          failure-threshold: warning
+
+  scan-redcap-httpd-shibd:
+    name: scan-redcap-httpd-shibd
+    needs: lint-redcap-httpd-shibd
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build container from Dockerfile
+        run: docker build -t ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }} ./httpd-shibd
+      - name: Run Dockle
+        uses: erzz/dockle-action@v1.4.0
+        with:
+          image: ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}
+          report-format: json
+          failure-threshold: fatal
+          exit-code: 1
+      - name: Scan container for vulnerabilities with Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'ghcr.io/aphp/redcap-httpd-shibd:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: 'vuln,secret,license'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+
+  push-redcap-httpd-shibd:
+    name: push-redcap-httpd-shibd
+    needs: scan-redcap-httpd-shibd
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ghcr.io/aphp/redcap-httpd-shibd           
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha  
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+          
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: "{{defaultContext}}:httpd-shibd"
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/ci-redcap-php-fpm.yaml

@@ -0,0 +1,94 @@
+name: build
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+
+jobs:
+  lint-redcap-php-fpm:
+    name: lint-redcap-php-fpm
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Lint Dockerfile with Hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ./php-fpm/Dockerfile
+          override-info: DL3008,DL3018,DL3041,SC2046
+          failure-threshold: warning
+
+  scan-redcap-php-fpm:
+    name: scan-redcap-php-fpm
+    needs: lint-redcap-php-fpm
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build container from Dockerfile
+        run: docker build -t ghcr.io/aphp/redcap-php-fpm:${{ github.sha }} ./php-fpm
+      - name: Run Dockle
+        uses: erzz/dockle-action@v1.4.0
+        with:
+          image: ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}
+          report-format: json
+          failure-threshold: fatal
+          exit-code: 1
+      - name: Scan container for vulnerabilities with Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'ghcr.io/aphp/redcap-php-fpm:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: 'vuln,secret,license'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+
+  push-redcap-php-fpm:
+    name: push-redcap-php-fpm
+    needs: scan-redcap-php-fpm
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ghcr.io/aphp/redcap-php-fpm           
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha  
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+          
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: "{{defaultContext}}:php-fpm"
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

CONTRIBUTING.md

@@ -0,0 +1,21 @@
+
+## How to contribute to the `aphp/redcap-containers` project
+
+#### **Did you find a bug?**
+
+* **Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/aphp/redcap-containers/issues).
+
+* If you're unable to find an open issue addressing the problem, [open a new one](https://github.com/aphp/redcap-containers/issues/new). Be sure to include a **title and clear description**, as much relevant information as possible, and a **code sample** or an **executable test case** demonstrating the expected behavior that is not occurring.
+
+#### **Did you write a patch that fixes a bug?**
+
+* Open a new GitHub pull request with the patch.
+
+* Ensure the PR description clearly describes the problem and solution. Include the relevant issue number if applicable.
+
+#### **Do you intend to add a new feature or change an existing one?**
+
+* Suggest your change in a dedicated issue.
+
+* Do not submit a PR on GitHub until you have collected positive feedback about the change.
+

LICENSE

@@ -199,3 +199,5 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+[2023 - 2024] [REDCap Helm Chart] © Assistance Publique – Hôpitaux de Paris. 

NOTICE

@@ -0,0 +1,14 @@
+This software contains the following dependencies developped by Broadcom :
+
+- Docker Images
+  - alpinelinux : https://github.com/alpinelinux/docker-alpine
+  - rockylinux : https://github.com/rocky-linux/sig-cloud-instance-images
+  - docker/php: https://github.com/docker-library/php
+
+Those dependecies are present as source f the images presents in this repository. 
+Indidual licence statements are presents in the following links : 
+  - alpinelinux : https://github.com/alpinelinux/docker-alpine/blob/master/LICENSE
+  - rockylinux : https://rockylinux.org/fr-FR/legal/licensing
+  - docker/php: https://github.com/docker-library/php/blob/master/LICENSE
+
+The build process of the images present in this repository includes a licence check - reports can be found in the Github Actions.

README.md

@@ -1 +1,36 @@
-# redcap-containers
+# APHP - REDCap Helm Chart containers
+
+## Presentation
+
+This repository is hosting the container images that are needed to run the REDCap Helm Chart provided by the Greater Paris University Hospitals.
+
+Those images are as follow : 
+- `httpd-shibd` : A custom container made to host an instance of Apache HTTPd and Shibboleth.
+   - [see the `httpd-shibd` folder](./httpd-shibd/)
+- `fastcgi-client` : A simple FastCGI client.
+   - [see the `fastcgi-client` folder](./fastcgi-client/)
+- `php-fpm` : A PHP 8.2 FPM server that contains all dependencies and configurations needed by REDCap.
+   - [see the `php-fpm` folder](./php-fpm/)
+
+Each subfolder contains its own README file.
+
+All those containers are `rootless`, and **none of them is containing, or distributing REDCap binairies**. 
+If you wish to use REDCap and are not sure where to start, you may visit the dedicated [REDCap Community Site](https://projectredcap.org/resources/community/).
+
+## Continous Integration / Continous Delivery
+
+This project uses 3 Github Workflows (presents under the .github/workflows directory), which will, for each image :
+- Lint the Dockerfile using `Hadolint`
+- Scan the container images using `Dockle`
+- Runs critical vulnerability, secrets and license checks on the container image using `Trivy`
+- Pushes the container images to this project's GHCR for it to be retrieved as a container image.
+
+## How can I contribute?
+
+You're welcome to read the [contribution guidelines](./CONTRIBUTING.md).
+
+## How is this project licensed?
+
+The informations about the licensing and the dependencies of this project can be found under : 
+- The [project's license file](./LICENSE)
+- The [legal notice](./NOTICE)

fastcgi-client/Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3
+
+LABEL maintainer=APHP
+
+RUN apk update &&\
+    apk add --no-cache fcgi
+
+RUN adduser -S cgi
+
+USER cgi
+
+ENTRYPOINT ["cgi-fcgi"]