refactor: run merger with non-root user by default

use multi-stage build given from scratch image doesn't have users Signed-off-by: Ahmed AbouZaid <[email protected]>
DevOpsHiveHQ · Sep 13, 2024 · 9ddad0e · 9ddad0e
1 parent 615c20d
commit 9ddad0e
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 22 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -11,4 +11,4 @@ The Merger plugin is tested with the following Kustomize versions (but should wo
 
 ## Reporting a Vulnerability
 
-If a vulnerability is found, please report it via [GitHub issues](https://github.com/aabouzaid/kustomize-plugin-merger/issues).
+If a vulnerability is found, please report it via [GitHub issues](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/issues).
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -19,10 +19,11 @@ jobs:
         go-version-file: go.mod
         cache: false
     - name: Run GolangCI linter
-      uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
+      uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
       with:
-        version: v1.54
         args: '--timeout=5m'
+        skip-cache: true
+        skip-save-cache: true
     - name: Run Go test coverage
       run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
     - name: Upload coverage to Codecov
@@ -41,6 +42,7 @@ jobs:
     uses: ./.github/workflows/tpl-packaging.yml
     secrets: inherit
     with:
+      goreleaser-version: 2
       goreleaser-args: "release --clean --snapshot"
       artifacts-cache: true
       artifacts-cache-key: "dist-${{ github.run_id }}"

diff --git a/.github/workflows/tpl-packaging.yml b/.github/workflows/tpl-packaging.yml
@@ -67,6 +67,15 @@ jobs:
         args: "${{ inputs.goreleaser-args }}"
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Publish Temporary Docker Image
+      run: |
+        GIT_SHORT_HASH=$(git rev-parse --short ${{ github.sha }})
+        for xarch in amd64 arm64; do
+          tmp_image_name="ttl.sh/kustomize-generator-merger-${xarch}-${GIT_SHORT_HASH}:1h"
+          echo "Tag and push image: ${tmp_image_name}"
+          docker tag ghcr.io/devopshivehq/kustomize-generator-merger:latest-${xarch} ${tmp_image_name}
+          docker push ${tmp_image_name}
+        done
     - name: Cache Artifacts
       uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
       if: ${{ inputs.artifacts-cache }}

diff --git a/.golangci.yml b/.golangci.yml
@@ -5,7 +5,7 @@ linters-settings:
   gocyclo:
     min-complexity: 15
   goimports:
-    local-prefixes: github.com/aabouzaid/kustomize-plugin-merger
+    local-prefixes: github.com/DevOpsHiveHQ/kustomize-plugin-merger
   govet:
     check-shadowing: true
   misspell:

diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,8 @@
+FROM ubuntu:latest as base
+RUN useradd -u 1001 merger
+
 FROM scratch
-ENTRYPOINT ["/kustomize-plugin-merger"]
+COPY --from=base /etc/passwd /etc/passwd
 COPY kustomize-plugin-merger /
+USER 1001
+ENTRYPOINT ["/kustomize-plugin-merger"]
diff --git a/README.md b/README.md
@@ -13,28 +13,24 @@ A Kustomize generator plugin to merge YAML files seamlessly for real-world use c
 
 </b></p>
 
-[![CI](https://img.shields.io/github/actions/workflow/status/aabouzaid/kustomize-plugin-merger/.github%2Fworkflows%2Fgo-ci.yml?logo=github&label=CI&color=31c653)](https://github.com/aabouzaid/kustomize-plugin-merger/actions/workflows/go-ci.yml?query=branch%3Amain)
-[![CodeQL](https://img.shields.io/github/actions/workflow/status/aabouzaid/kustomize-plugin-merger/.github%2Fworkflows%2Fgo-ci.yml?logo=github&label=CodeQL&color=31c653)](https://github.com/aabouzaid/kustomize-plugin-merger/actions/workflows/sec-codeql.yml?query=branch%3Amain)
+[![CI](https://img.shields.io/github/actions/workflow/status/aabouzaid/kustomize-plugin-merger/.github%2Fworkflows%2Fgo-ci.yml?logo=github&label=CI&color=31c653)](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/actions/workflows/go-ci.yml?query=branch%3Amain)
+[![CodeQL](https://img.shields.io/github/actions/workflow/status/aabouzaid/kustomize-plugin-merger/.github%2Fworkflows%2Fgo-ci.yml?logo=github&label=CodeQL&color=31c653)](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/actions/workflows/sec-codeql.yml?query=branch%3Amain)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7815/badge)](https://www.bestpractices.dev/projects/7815)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/aabouzaid/kustomize-plugin-merger/badge)](https://securityscorecards.dev/viewer/?uri=github.com/aabouzaid/kustomize-plugin-merger)
-[![Go Report Card](https://goreportcard.com/badge/github.com/aabouzaid/kustomize-plugin-merger)](https://goreportcard.com/report/github.com/aabouzaid/kustomize-plugin-merger)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/DevOpsHiveHQ/kustomize-plugin-merger/badge)](https://securityscorecards.dev/viewer/?uri=github.com/DevOpsHiveHQ/kustomize-plugin-merger)
+[![Go Report Card](https://goreportcard.com/badge/github.com/DevOpsHiveHQ/kustomize-plugin-merger)](https://goreportcard.com/report/github.com/DevOpsHiveHQ/kustomize-plugin-merger)
 [![codecov](https://codecov.io/github/aabouzaid/kustomize-plugin-merger/graph/badge.svg?token=BUFRT7BO2I)](https://codecov.io/github/aabouzaid/kustomize-plugin-merger)
-[![GitHub Release](https://img.shields.io/github/v/release/aabouzaid/kustomize-plugin-merger?logo=github)](https://github.com/aabouzaid/kustomize-plugin-merger/releases)
-[![Docker](https://img.shields.io/badge/Docker-available-blue?logo=docker&logoColor=white)](https://github.com/aabouzaid/kustomize-plugin-merger/pkgs/container/kustomize-generator-merger)
-[![Go Reference](https://pkg.go.dev/badge/github.com/aabouzaid/kustomize-plugin-merger.svg)](https://pkg.go.dev/github.com/aabouzaid/kustomize-plugin-merger)
-[![Renovate](https://img.shields.io/badge/Renovate-enabled-blue?logo=renovatebot)](https://github.com/aabouzaid/kustomize-plugin-merger/issues/7)
-[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/aabouzaid/kustomize-plugin-merger/pulls)
+[![GitHub Release](https://img.shields.io/github/v/release/aabouzaid/kustomize-plugin-merger?logo=github)](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/releases)
+[![Docker](https://img.shields.io/badge/Docker-available-blue?logo=docker&logoColor=white)](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/pkgs/container/kustomize-generator-merger)
+[![Go Reference](https://pkg.go.dev/badge/github.com/DevOpsHiveHQ/kustomize-plugin-merger.svg)](https://pkg.go.dev/github.com/DevOpsHiveHQ/kustomize-plugin-merger)
+[![Renovate](https://img.shields.io/badge/Renovate-enabled-blue?logo=renovatebot)](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/issues/7)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/pulls)
 
 </div>
 
 - [Why](#why)
 - [Features](#features)
 - [Options](#options)
 - [Common use cases](#common-use-cases)
-  - [1. Generate multiple manifests from a single base](#1-generate-multiple-manifests-from-a-single-base)
-  - [2. Merge non-manifest files and store them into ConfigMap or Secret](#2-merge-non-manifest-files-and-store-them-into-configmap-or-secret)
-  - [3. Merge lists in manifests without schema or a unique identifier](#3-merge-lists-in-manifests-without-schema-or-a-unique-identifier)
-  - [4. Organize long manifests into smaller ones](#4-organize-long-manifests-into-smaller-ones)
 - [TO-DO](#to-do)
 - [Project status](#project-status)
 - [Contributing](#contributing)
@@ -165,8 +161,8 @@ but it will follow the SemVer convention.
 ## Contributing
 
 All feedback and contributions are welcome. If you find any issues or want to contribute,
-please feel free to [fill an issue](https://github.com/aabouzaid/kustomize-plugin-merger/issues)
-or [create a PR](https://github.com/aabouzaid/kustomize-plugin-merger/pulls).
+please feel free to [fill an issue](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/issues)
+or [create a PR](https://github.com/DevOpsHiveHQ/kustomize-plugin-merger/pulls).
 
 
 ## License

diff --git a/go.mod b/go.mod
@@ -1,4 +1,4 @@
-module github.com/aabouzaid/kustomize-plugin-merger
+module github.com/DevOpsHiveHQ/kustomize-plugin-merger
 
 go 1.22.0
 

diff --git a/main.go b/main.go
@@ -6,7 +6,7 @@ import (
 	"sigs.k8s.io/kustomize/kyaml/fn/framework"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 
-	"github.com/aabouzaid/kustomize-plugin-merger/pkg/merger"
+	"github.com/DevOpsHiveHQ/kustomize-plugin-merger/pkg/merger"
 )
 
 func main() {