Split image into an interactive and a CI variant

elopez · elopez · commit 226f151b84eb · 2024-12-16T23:17:00.000+01:00
Closes #42
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
         with:
           install: true
 
-      - name: Set Docker metadata
+      - name: Set Docker metadata (interactive variant)
         id: metadata
         uses: docker/metadata-action@v5
         with:
@@ -45,6 +45,19 @@ jobs:
             type=ref,event=branch,prefix=testing-
             type=edge
 
+      - name: Set Docker metadata (CI variant)
+        id: metadata-ci
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}/ci
+          tags: |
+            type=schedule
+            type=schedule,pattern=nightly-{{date 'YYYYMMDD'}}
+            type=ref,event=tag
+            type=ref,event=branch,prefix=testing-
+            type=edge
+
       - name: GitHub Container Registry Login
         uses: docker/login-action@v3
         with:
@@ -59,7 +72,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
 
-      - name: Docker Build and Push
+      - name: Docker Build and Push (interactive variant)
         uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64,linux/arm64/v8
@@ -71,3 +84,16 @@ jobs:
           labels: ${{ steps.metadata.outputs.labels }}
           cache-from: ${{ (github.event_name != 'schedule' && 'type=gha') || '' }}
           cache-to: type=gha,mode=max
+
+      - name: Docker Build and Push (CI variant)
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64
+          target: toolbox-ci
+          file: Dockerfile
+          pull: true
+          push: true
+          tags: ${{ steps.metadata-ci.outputs.tags }}
+          labels: ${{ steps.metadata-ci.outputs.labels }}
+          cache-from: ${{ (github.event_name != 'schedule' && 'type=gha') || '' }}
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -23,9 +23,9 @@ RUN chmod 755 /usr/local/bin/echidna
 
 
 ###
-### ETH Security Toolbox
+### ETH Security Toolbox - base
 ###
-FROM ubuntu:jammy AS toolbox
+FROM ubuntu:jammy AS toolbox-base
 
 # Add common tools
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
@@ -66,6 +66,14 @@ COPY --chown=root:root --from=echidna /usr/local/bin/echidna /usr/local/bin/echi
 COPY --chown=root:root --from=medusa /usr/local/bin/medusa /usr/local/bin/medusa
 RUN medusa completion bash > /etc/bash_completion.d/medusa
 
+CMD ["/bin/bash"]
+
+
+###
+### ETH Security Toolbox - interactive variant
+###
+FROM toolbox-base AS toolbox
+
 # Add a user with passwordless sudo
 RUN useradd -m ethsec && \
     usermod -aG sudo ethsec && \
@@ -114,4 +122,37 @@ RUN git clone --depth 1 https://github.com/crytic/building-secure-contracts.git
 COPY --link --chown=root:root motd /etc/motd
 RUN echo '\ncat /etc/motd\n' >> ~/.bashrc
 
-CMD ["/bin/bash"]
+
+###
+### ETH Security Toolbox - CI variant
+### Differences:
+###   * Runs as root
+###   * No Foundry autocompletions
+###   * No pyevmasm
+###   * No preinstalled solc binaries
+###   * No BSC copy
+###
+FROM toolbox-base AS toolbox-ci
+
+ENV HOME="/root"
+ENV PATH="${PATH}:${HOME}/.local/bin:${HOME}/.vyper/bin:${HOME}/.foundry/bin"
+
+# Install vyper compiler
+RUN python3 -m venv ${HOME}/.vyper && \
+    ${HOME}/.vyper/bin/pip3 install --no-cache-dir vyper && \
+    echo '\nexport PATH=${PATH}:${HOME}/.vyper/bin' >> ~/.bashrc
+
+# Install foundry
+RUN curl -fsSL https://raw.githubusercontent.com/foundry-rs/foundry/27cabbd6c905b1273a5ed3ba7c10acce90833d76/foundryup/install -o install && \
+    if [ ! "e4456a15d43054b537b329f6ca6d00962242050d24de4c59657a44bc17ad8a0c  install" = "$(sha256sum install)" ]; then \
+        echo "Foundry installer does not match expected checksum! exiting"; \
+        exit 1; \
+    fi && \
+    cat install | SHELL=/bin/bash bash && rm install && \
+    foundryup
+
+# Install python tools
+RUN pip3 install --no-cache-dir --user \
+    solc-select \
+    crytic-compile \
+    slither-analyzer
diff --git a/README.md b/README.md
@@ -91,6 +91,21 @@ $ node --version
 v14.21.3
 ```
 
+## Usage in CI
+
+A variant of the image is published on GitHub Container Registry as
+[`ghcr.io/trailofbits/eth-security-toolbox/ci`](https://github.com/trailofbits/eth-security-toolbox/pkgs/container/eth-security-toolbox%2Fci).
+This variant is meant to be slightly lighter, and better suited for its use in
+CI contexts such as [GitHub workflow jobs](https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container).
+
+The main differences are:
+ * The container does not have a dedicated non-root user. All tools are
+   installed under the root user.
+ * Most autocompletions are not installed.
+ * No solc binaries are preinstalled. You may continue to use `solc-select` to
+   install any binaries you may need.
+ * pyevmasm and the building secure contracts repository are not included.
+
 ## Getting Help
 
 Feel free to stop by our [Slack channel](https://slack.empirehacking.nyc/) for
