ci: add security scanning and SBOM to release pipeline

- ci.yml: add security job (gitleaks, cargo-audit, cargo-deny, trivy fs) - release.yml: restructure into build-binary + build-docker matrix + release - build binary once on self-hosted, reuse across all Docker builds - trivy image scan per matrix variant, results to GitHub Security tab - SBOM generation in SPDX and CycloneDX formats attached to release - deny.toml: cargo-deny policy (allowed licenses, banned openssl, crates.io only) - Dockerfile: remove Rust build stage, use pre-built binary - Dockerfile.astra, Dockerfile.redos: FROM scratch for Russian certified OS support
2026-04-12 06:50:31 +00:00 · 2026-02-23 11:37:27 +00:00
parent 037204a3eb
commit 6ad710ff32
6 changed files with 197 additions and 141 deletions
--- a/55
+++ b/55
@@ -1,58 +1,11 @@
 # syntax=docker/dockerfile:1.4
-
-# Build stage
-FROM rust:1.83-alpine AS builder
-
-RUN apk add --no-cache musl-dev curl
-
-WORKDIR /app
-
-# Copy manifests
-COPY Cargo.toml Cargo.lock ./
-COPY nora-registry/Cargo.toml nora-registry/
-COPY nora-storage/Cargo.toml nora-storage/
-COPY nora-cli/Cargo.toml nora-cli/
-
-# Create dummy sources for dependency caching
-RUN mkdir -p nora-registry/src nora-storage/src nora-cli/src && \
-    echo "fn main() {}" > nora-registry/src/main.rs && \
-    echo "fn main() {}" > nora-storage/src/main.rs && \
-    echo "fn main() {}" > nora-cli/src/main.rs
-
-# Build dependencies only (with cache)
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
-    --mount=type=cache,target=/app/target \
-    cargo build --release --package nora-registry && \
-    rm -rf nora-registry/src nora-storage/src nora-cli/src
-
-# Copy real sources
-COPY nora-registry/src nora-registry/src
-COPY nora-storage/src nora-storage/src
-COPY nora-cli/src nora-cli/src
-
-# Build release binary (with cache)
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
-    --mount=type=cache,target=/app/target \
-    touch nora-registry/src/main.rs && \
-    cargo build --release --package nora-registry && \
-    cp /app/target/release/nora /usr/local/bin/nora
-
-# Runtime stage
+# Binary is pre-built by CI (cargo build --release) and passed via context
 FROM alpine:3.20

-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates && mkdir -p /data

-WORKDIR /app
+COPY nora /usr/local/bin/nora

-# Copy binary
-COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora
-
-# Create data directory
-RUN mkdir -p /data
-
-# Default environment
 ENV RUST_LOG=info
 ENV NORA_HOST=0.0.0.0
 ENV NORA_PORT=4000
@@ -64,5 +17,5 @@ EXPOSE 4000

 VOLUME ["/data"]

-ENTRYPOINT ["nora"]
+ENTRYPOINT ["/usr/local/bin/nora"]
 CMD ["serve"]