✨ Upgrades (#69)

jacobwoffenden · web-flow · commit 1e62d8940820 · 2025-06-03T12:01:08.000+01:00
Signed-off-by: Jacob Woffenden &lt;jacob.woffenden@justice.gov.uk&gt;
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -1,9 +1,9 @@
 {
   "features": {
     "ghcr.io/devcontainers/features/docker-in-docker:2": {
-      "version": "2.12.0",
-      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:5f3e2005aad161ce3ff7700b2603f11935348c039f9166960efd050d69cd3014",
-      "integrity": "sha256:5f3e2005aad161ce3ff7700b2603f11935348c039f9166960efd050d69cd3014"
+      "version": "2.12.2",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:842d2ed40827dc91b95ef727771e170b0e52272404f00dba063cee94eafac4bb",
+      "integrity": "sha256:842d2ed40827dc91b95ef727771e170b0e52272404f00dba063cee94eafac4bb"
     },
     "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:1": {
       "version": "1.0.0",
diff --git a/.github/workflows/container-release.yml b/.github/workflows/container-release.yml
@@ -0,0 +1,20 @@
+---
+name: 🔖 Container Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions: {}
+
+jobs:
+  container-release:
+    name: Container Release
+    permissions:
+      actions: read
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-container-release.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
@@ -0,0 +1,16 @@
+---
+name: 🩻 Container Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  container-scan:
+    name: Container Scan
+    permissions:
+      contents: read
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-container-scan.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
diff --git a/.github/workflows/container-test.yml b/.github/workflows/container-test.yml
@@ -0,0 +1,16 @@
+---
+name: 🧪 Container Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  container-test:
+    name: Container Test
+    permissions:
+      contents: read
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-container-test.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -5,27 +5,12 @@ on:
   pull_request:
     branches:
       - main
-    types:
-      - edited
-      - opened
-      - reopened
-      - synchronize
 
 permissions: {}
 
 jobs:
   dependency-review:
     name: Dependency Review
-    runs-on: ubuntu-latest
     permissions:
       contents: read
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Dependency Review
-        id: dependency_review
-        uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
-        with:
-          fail-on-severity: critical
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-dependency-review.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
diff --git a/.github/workflows/scheduled-container-scan.yml b/.github/workflows/scheduled-container-scan.yml
@@ -0,0 +1,18 @@
+---
+name: ⏰ Scheduled Container Scan
+
+on:
+  schedule:
+    - cron: "0 9 * * 1-5" # Every weekday at 9AM UTC
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  scheduled-container-scan:
+    name: Scheduled Container Scan
+    permissions:
+      contents: read
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-scheduled-container-scan.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
+    secrets:
+      cve-scan-slack-webhook-url: ${{ secrets.ANALYTICAL_PLATFORM_CVE_SCAN_SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -1,35 +1,23 @@
 ---
-name: 🦝 Super-Linter
+name: 🦝 Super Linter
 
 on:
   pull_request:
     branches:
       - main
-    types:
-      - edited
-      - opened
-      - reopened
-      - synchronize
 
 permissions: {}
 
 jobs:
   super-linter:
-    name: Super-Linter
-    runs-on: ubuntu-latest
+    name: Super Linter
     permissions:
       contents: read
+      packages: read
       statuses: write
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Super-Linter
-        id: super_linter
-        uses: super-linter/super-linter/slim@4e8a7c2bf106c4c766c816b35ec612638dc9b6b2 # v7.3.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VALIDATE_LUA: false
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-super-linter.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
+    with:
+      super-linter-variables: |
+        {
+          "VALIDATE_LUA": "false"
+        }
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,18 @@
+---
+name: 🌈 Zizmor
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Zizmor
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: ministryofjustice/analytical-platform-github-actions/.github/workflows/reusable-zizmor.yml@8382cff2a4582e7ac6906fb4d4213b40108e2ea5 # v2.8.0
diff --git a/.trivyignore b/.trivyignore
@@ -1,18 +1 @@
-# I am skipping these CVEs because while they are fixed in APK, I do not want to run `apk update && apk upgrade` as the image won't be reproducible
-# We currently consume docker.io/openresty/openresty:1.25.3.2-alpine-fat but intend to refactor and switch to Ubuntu LTS for two reasons
-#  1. We can fully control the base image, so nonroot and package version
-#  2. OpenResty publish an APT distrobution we can use
-CVE-2024-5171
-CVE-2024-6197
-CVE-2024-8176
-CVE-2024-45490
-CVE-2024-45491
-CVE-2024-45492
-CVE-2024-55549
-CVE-2024-56171
-CVE-2025-0840
-CVE-2025-24855
-CVE-2025-24928
-CVE-2025-27113
-CVE-2024-56406
-CVE-2025-31115
+# As of 03/06/2025 there are no vulnerabilities to skip in docker.io/openresty/openresty:1.27.1.2-1-alpine-fat
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,22 @@
 #checkov:skip=CKV_DOCKER_3: Current implementation uses off-the-shelf image from OpenResty which doesn't offer a nonroot variant
 
-# docker.io/openresty/openresty:1.25.3.2-3-alpine-fat
-FROM docker.io/openresty/openresty:1.25.3.2-3-alpine-fat@sha256:fd7320b66849fd5c576c8213710fa19a1fcb3a2d153ef24b84de37287b12b60a
+# docker.io/openresty/openresty:1.27.1.2-1-alpine-fat
+FROM docker.io/openresty/openresty:1.27.1.2-1-alpine-fat@sha256:a82c4d8bceb80cffd0bb427959f959c8a733bcbeedcfd3d3a7d82268c4518339
 
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" \
       org.opencontainers.image.title="Cloud Development Environment NGINX Proxy" \
       org.opencontainers.image.description="Cloud Development Environment NGINX proxy image for Analytical Platform" \
       org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-cloud-development-environment-nginx-proxy"
 
+ENV MOONROCK_MIRROR_COMMIT="daab2726276e3282dc347b89a42a5107c3500567" \
+    LUA_RESTY_OPENIDC_VERSION="1.8.0"
+
+# The installation of lua-resty-openidc is pinned to a specific commit of the moonrocks-mirror repository due to this issue https://github.com/luarocks/luarocks/issues/1797
+# See specific comment https://github.com/luarocks/luarocks/issues/1797#issuecomment-2930518193 for the fix below
+# At the time of next patch, test without `--only-server "https://raw.githubusercontent.com/rocks-moonscript-org/moonrocks-mirror/${MOONROCK_MIRROR_COMMIT}"` and see if it works
 RUN <<EOF
-luarocks install lua-resty-openidc 1.8.0
+luarocks install --only-server "https://raw.githubusercontent.com/rocks-moonscript-org/moonrocks-mirror/${MOONROCK_MIRROR_COMMIT}" lua-resty-openidc "${LUA_RESTY_OPENIDC_VERSION}"
 EOF
 
 COPY src/etc/nginx /etc/nginx
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 Crown Copyright (Ministry of Justice)
+Copyright (c) 2025 Crown Copyright (Ministry of Justice)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
diff --git a/test/container-structure-test.yml b/test/container-structure-test.yml
