build: include semgrep in final docker image (#1079)

art1f1c3R · web-flow · commit 979b05bc6d45 · 2025-05-15T15:54:23.000+10:00
add support for Semgrep in the final macaron docker build using multistage docker builds.

Signed-off-by: Carl Flottmann &lt;carl.flottmann@oracle.com&gt;
diff --git a/.github/workflows/_build_docker.yaml b/.github/workflows/_build_docker.yaml
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This is a reuseable workflow to build and test the Docker image. Note that this workflow does not
@@ -53,6 +53,10 @@ jobs:
         echo "Hash of package should be $ARTIFACT_HASH."
         echo "$ARTIFACT_HASH" | base64 --decode | sha256sum --strict --check --status || exit 1
 
+    # Login so the docker build has access to the internal dependencies image
+    - name: Log in to GitHub Container Registry
+      run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
+
     # Build the Docker image without pushing it.
     - name: Build the Docker image
       env:
diff --git a/.github/workflows/build_semgrep_wheel.yaml b/.github/workflows/build_semgrep_wheel.yaml
@@ -1,6 +1,9 @@
 # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
+# This is a manually-triggered workflow to build the minimal macaron dependencies image that stores the built-from-source
+# Semgrep wheel file. Note that this workflow DOES push the built image.
+
 name: Build Semgrep Wheel Artifact
 
 on: workflow_dispatch
@@ -48,6 +51,6 @@ jobs:
         cd wheels
         WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')
         echo "FROM scratch
-        COPY ${WHEEL} /semgrep_wheel.whl" >> Dockerfile.semgrep
+        COPY ${WHEEL} /" >> Dockerfile.semgrep
         docker build -t ghcr.io/oracle/macaron-deps:latest -f Dockerfile.semgrep .
         docker push ghcr.io/oracle/macaron-deps:latest
diff --git a/docker/Dockerfile.final b/docker/Dockerfile.final
@@ -1,15 +1,18 @@
 # Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
-# This Dockerfile is for building the final production image. It's based on ghcr.io/oracle/macaron-base.
-# For the build, two files will be copied into the image:
+# This Dockerfile is for building the final production image. It's based on ghcr.io/oracle/macaron-base and ghcr.io/oracle/maracon-deps.
+# For the build, three files will be copied into the image:
 #   - Macaron wheel file (its path must be provided to the build argument WHEEL_PATH)
+#   - Macaron dependency files, copied from the macaron-deps image.
 #   - user.sh for the entrypoint of the final image.
 # For example, using Docker, we could build the image using:
 #   docker build --build-arg WHEEL_PATH=<path_to_wheel> -t ghcr.io/oracle/macaron -f docker/Dockerfile.final ./
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
 
+FROM ghcr.io/oracle/macaron-deps:latest@sha256:99526baf6596c4c3f24e4caa2b59afaf7f7c26d633ad3113ca24ba43dfad3f0f as deps_stage
+
 FROM ghcr.io/oracle/macaron-base:latest@sha256:79b3b8b03cb9b6a124c6450f4baa58f96f83ee9e37f572c88a97597b35c7bc51
 
 ENV HOME="/home/macaron"
@@ -34,11 +37,17 @@ ARG WHEEL_PATH
 # the warning of not having correct ownership of /home/macaron is not raised.
 USER macaron:macaron
 COPY --chown=macaron:macaron $WHEEL_PATH $HOME/dist/
+# Currently, the only dependency stored in the minimal image is the wheel for Semgrep, which we copy here. Since the
+# Macaron project dependencies lists Semgrep as a python dependency, we uninstall it first before using our wheel here
+# to install a trusted built-from-source version.
+COPY --chown=macaron:macaron --from=deps_stage /semgrep-*manylinux*.whl $HOME/dist/
 RUN : \
     && python3 -m venv $HOME/.venv \
     && . .venv/bin/activate \
     && pip install --no-compile --no-cache-dir --upgrade pip setuptools \
     && find $HOME/dist -depth \( -type f \( -name "macaron-*.whl" \) \) -exec pip install --no-compile --no-cache-dir '{}' \; \
+    && pip uninstall semgrep \
+    && find $HOME/dist -depth \( -type f \( -name "semgrep-*.whl" \) \) -exec pip install --no-compile --no-cache-dir '{}' \; \
     && rm -rf $HOME/dist \
     && deactivate
 
