build(docker): Switch to non-root runner [DEV-1737] (cheqd#50)

* build(docker): Switch to non-root runner
* Update docker-compose.yml

* Squashed commit of the following:

commit e28d62e
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Oct 12 23:25:48 2022 +0100

    chore(deps): Bump google.golang.org/grpc from 1.49.0 to 1.50.0 (cheqd#52)

    Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.49.0 to 1.50.0.
    - [Release notes](https://github.com/grpc/grpc-go/releases)
    - [Commits](grpc/grpc-go@v1.49.0...v1.50.0)

    ---
    updated-dependencies:
    - dependency-name: google.golang.org/grpc
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

commit d2bc574
Author: Ankur Banerjee <[email protected]>
Date:   Tue Oct 4 15:02:56 2022 +0100

    ci: Add production tag for Docker image

commit c4c6f77
Author: filipdjokic <[email protected]>
Date:   Tue Oct 4 12:15:15 2022 +0200

    ci: Automate DID-resolver deployments [DEV-1263] (cheqd#51)

    * Push images to DOCR and automate deployments for both environments
    * Fix super linter issues
    * Fix typos
    * Updated production deploy text
    * Update triggers
    * ci: change staging deployment logic [DEV-1263]
    * ci: fix buildx issues
    * ci: fix tag issues
    * Drop tags named after branches
    * Change build-push action
    * Update image name in tests folder
    * Rename to deploy
    * Update dispatch guard
    * Remove release guard
    * Add docker metadata to avoid tag errors
    * Fix superlinter errors
    * Switch to relative paths to fix permissions errors
    * Set build tags
    * Add deploy staging
    * Check push to both GCHR and DOCR
    * Remove GHCR from build stage
    * Remove GHCR from deploy
    * Update URL with protocol scheme
    * Update README.md

    Co-authored-by: Ankur Banerjee <[email protected]>

* Change ref protection for release
* Turn off verbose link checking
* Split test workflow out
* Update dispatch for new image
* Fix workflow titles
* Save build and staging images separately
* Change Docker image in test workflow

.github/workflows/build.yml

@@ -7,20 +7,6 @@ defaults:
 
 jobs:
 
-  unit-tests:
-    name: "Unit Tests"
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version-file: ./go.mod
-
-      - name: Run Golang unit tests
-        run: go test -v ./...
-
   build-docker:
     name: "Build Docker image"
     runs-on: ubuntu-latest
@@ -57,28 +43,22 @@ jobs:
           platforms: linux/amd64
           load: true
           tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Set up Docker container for test
-        run: docker-compose -f tests/docker/docker-compose.yml --env-file tests/docker/docker-compose.env up -d --no-build
-
-      - name: Setup Python environment
-        working-directory: ./tests/pytest
-        run: |
-          set -euo pipefail
-          pip3 install -r requirements.txt >> /dev/null
-          sudo chmod -R 775 /home/runner/
-
-      - name: Run tests
-        working-directory: ./tests/pytest
+      - name: Save Docker images
         run: |
-          set -euo pipefail
-          pytest -v -rP ./*.py
-
-      - name: Save staging Docker image
-        run: docker save registry.digitalocean.com/${{ env.IMAGE_NAME }} > did-resolver-staging.tar
+          docker save ${{ env.IMAGE_NAME }} > /tmp/did-resolver-build.tar
+          docker save registry.digitalocean.com/${{ env.IMAGE_NAME }} > /tmp/did-resolver-staging.tar
 
       - name: Upload build image as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: did-resolver-build
+          path: /tmp/did-resolver-build.tar
+
+      - name: Upload staging image as an artifact
         uses: actions/upload-artifact@v3
         with:
           name: did-resolver-staging
-          path: did-resolver-staging.tar
+          path: /tmp/did-resolver-staging.tar

.github/workflows/deploy.yml

@@ -10,7 +10,6 @@ jobs:
   deploy-staging:
     name: "Staging Deploy"
     runs-on: ubuntu-latest
-    continue-on-error: true
     env: 
       IMAGE_NAME: ${{ github.repository }}
     environment: 

.github/workflows/dispatch.yml

@@ -12,11 +12,17 @@ jobs:
     uses: ./.github/workflows/lint.yml
 
   call-build:
-    name: "Build & Test"
+    name: "Build"
     needs: call-lint
     uses: ./.github/workflows/build.yml
     secrets: inherit
 
+  call-test:
+    name: "Test"
+    needs: call-build
+    uses: ./.github/workflows/test.yml
+    secrets: inherit
+
   call-deploy:
     name: "Deploy"
     needs: call-build
@@ -25,7 +31,7 @@ jobs:
 
   call-release:
     name: "Release"
-    needs: call-build
-    if: ${{ ( github.ref_name == 'main' ) }}
+    needs: call-test
+    if: ${{ github.ref_protected == true }}
     uses: ./.github/workflows/release.yml
     secrets: inherit

.github/workflows/lint.yml

@@ -20,7 +20,6 @@ jobs:
         with:
           config-file: '.github/linters/mlc_config.json'
           use-quiet-mode: 'yes'
-          use-verbose-mode: 'yes'
 
   go-lint:
     # We can't use VALIDATE_GO from super linter because of this issue:

.github/workflows/release.yml

@@ -14,13 +14,14 @@ jobs:
   release-binary:
     name: "Release Binary"
     runs-on: ubuntu-latest
-    outputs:
-      VERSION: ${{ steps.set-version.outputs.VERSION }}
+    # outputs:
+    #   VERSION: ${{ steps.set-version.outputs.VERSION }}
 
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-go@v3
         with:
@@ -57,16 +58,17 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set version number
-        id: set-version
-        run: |
-          VERSION=$( git describe --tags ${{ github.sha }})
-          echo ::set-output name=VERSION::"$VERSION"
+      # - name: Set version number
+      #   id: set-version
+      #   run: |
+      #     VERSION=$( git describe --tags ${{ github.sha }})
+      #     echo ::set-output name=VERSION::"$VERSION"
 
   release-docker:
     name: "Release Docker image"
     needs: release-binary
     runs-on: ubuntu-latest
+    if: ${{ github.ref_name == 'main' }}
     env:
       IMAGE_NAME: ${{ github.repository }}
     environment: 
@@ -110,7 +112,7 @@ jobs:
           flavor: |
             latest=auto
           tags: |
-            type=semver,pattern={{version}},value=${{ needs.release-binary.outputs.VERSION }}
+            type=semver,pattern={{version}}
             type=raw,value=production-latest
             type=sha,format=long
           labels: |
@@ -130,6 +132,8 @@ jobs:
           load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Push image to GitHub Container Registry
         run: docker image push --all-tags ghcr.io/${{ github.repository}}

.github/workflows/test.yml

@@ -0,0 +1,56 @@
+name: "Build & Test"
+on:
+  workflow_call:
+defaults:
+  run:
+    shell: bash
+
+jobs:
+
+  unit-tests:
+    name: "Unit Tests"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version-file: ./go.mod
+
+      - name: Run Golang unit tests
+        run: go test -v ./...
+
+  integration-tests:
+    name: "Integration Tests"
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ github.repository }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Download Docker image
+        uses: actions/download-artifact@v3
+        with:
+          name: did-resolver-build
+
+      - name: Load Docker image
+        run: docker image load --input did-resolver-build.tar
+
+      - name: Set up Docker container for test
+        run: docker-compose -f tests/docker/docker-compose.yml --env-file tests/docker/docker-compose.env up -d --no-build
+
+      - name: Setup Python environment
+        working-directory: ./tests/pytest
+        run: |
+          set -euo pipefail
+          pip3 install -r requirements.txt >> /dev/null
+          sudo chmod -R 775 /home/runner/
+
+      - name: Run tests
+        working-directory: ./tests/pytest
+        run: |
+          set -euo pipefail
+          pytest -v -rP ./*.py
+

docker/Dockerfile

@@ -4,11 +4,11 @@
 
 FROM golang:1.17-alpine AS builder
 
-WORKDIR /resolver
+WORKDIR /builder
 COPY . ./
 
 # Build did-resolver binary
-RUN go mod download && go build -o cheqd-did-resolver main.go
+RUN go mod download && go build -o did-resolver main.go
 
 #####################################################################
 ###    STAGE 2: Build cheqd did-resolver container image          ###
@@ -19,14 +19,23 @@ FROM alpine:3.16 AS resolver
 # Install pre-requisites
 RUN apk update && apk add --no-cache bash ca-certificates
 
-# Set working directory & bash defaults
-WORKDIR /resolver
+# Copy did-resolver binary from Stage 1
+COPY --from=builder /builder/did-resolver /usr/local/bin/did-resolver
+
+# Set user directory and details
+ARG HOME_DIR="/resolver"
+ARG USER="resolver"
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
-# Copy compiled cheqd-did-resolver binary from Stage 1
-COPY --from=builder /resolver/cheqd-did-resolver /bin/cheqd-did-resolver
+# Add non-root user to use in the container
+RUN addgroup --system $USER \
+    && adduser $USER --system --home $HOME_DIR --shell /bin/bash
+
+# Set working directory & bash defaults
+WORKDIR $HOME_DIR
+USER $USER
 
 EXPOSE 8080
 
-ENTRYPOINT ["cheqd-did-resolver"]
+ENTRYPOINT ["did-resolver"]
 CMD ["serve"]