Bundle CyberChef into a container and publish to GCHR #1699
Fixed some merge conflicts from another PR that updated

Thanks!
Just one minor change!

When building this container locally, I notice it comes with a lot of context. Could we add a

This is relevant as well for this issue: #1582

@SebastianThorn A fair point. I'm inclined to merge this PR in even if it does require internet to compile, then accept other PRs to improve the process? A single PR doesn't necessarily need to be perfect, and I'm happy that a future improvement to allow offline building wouldn't impact existing users of this feature.

As you've referenced my closed PR, I thought I would drop a comment and say this will be a great addition. Feel free to copy anything from my PR into this branch, e.g. dockerignore. I think for me as a user the main thing that is missing is an update to the README that demonstrates how to build with docker/podman and how an end-user might deploy this. tyvm
README.md (outdated)
docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest | ||
``` | ||
|
||
This image is built and published through our [GitHub Workflows](.github/workflows/docker.yml) |
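Review bot: the workflow link on the last line points at `.github/workflows/docker.yml`, but the workflow this PR describes adding to build and publish the image is `release.yml`; the README should link the file that actually exists in this branch, otherwise the link is dead from the first release. On the `docker run` line, it is also worth stating next to `-p 8080:80` that the container serves plain HTTP on port 80 and that anything in front of it (TLS, access control) is the operator's responsibility, since the stated reason for an official image is handling sensitive input.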
Need to update the workflow file reference ;)
Oops, good catch!
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
tags: | | ||
type=semver,pattern={{major}} |
Any reason for the omission of:
type=raw,value=latest
It's added automatically when using a type=semver pattern! See https://github.com/docker/metadata-action?tab=readme-ov-file#latest-tag

The switch to Nginx is good.
@@ -33,6 +33,20 @@ jobs: | |||
if: success() | |||
run: npx grunt prod | |||
|
|||
- name: Production Image Build | |||
if: success() |
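Review bot: `if: success()` on the new Production Image Build step (and on the `npx grunt prod` step just above it) is redundant; a step is already skipped when any earlier step in the job has failed, so the explicit condition adds nothing and only reads as if something non-default were intended. Drop it, or if the image build should be gated on one particular step rather than on the whole job so far, write that condition explicitly.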
Is this still required?
I'm going to merge this as is, because this conversation already has over three dozen comments. Happy to accept other PRs for improvements! 👍 Thanks so much for this @AshCorr. I love how you saw the other 7 PRs and decided to make an 8th 😛, persistence is the key!

@AshCorr Seems to be erroring on permissions, see: https://github.com/gchq/CyberChef/actions/runs/7879757258/job/21500616862

Odd, I didn't touch that action that's erroring. I wonder if something wonky has happened where defining an explicit By the looks of it you should be able to add an explicit

Ah yes, that does appear to be the case as per https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token

My apologies for missing that! I believe I commented out this action on my fork as I couldn't get it working; I assumed it was due to it being run on a fork, not due to lack of permissions.

No worries, super not clear. Removing all permissions and just using the defaults appears to have worked well! Package now available here! https://github.com/gchq/CyberChef/pkgs/container/cyberchef

Looks to be working! Thanks!
Bundle CyberChef into a container and publish to GCHR
Yet another attempt at bundling CyberChef into a container! There have been various attempts made before this one but they all seem to have been abandoned:

But as the famous saying goes "8th time's the charm" and maybe this PR will be the one that finally does it.

This PR adds:

- a `Containerfile` which uses `simple-web-server`, a lightweight HTTP server built in Rust for serving static files, to serve CyberChef.
- a `release.yml` workflow which uses `docker-metadata-action` to generate the tags applied to the image from the release version (`1`, `1.0`, `1.0.0` and `latest`) and `buildah` to build an OCI compliant container image. It builds both an ARM64 image and an AMD64 image.
- a `pull-requests.yml` workflow to verify that the Containerfile builds correctly

and a couple of flyby fixes that can be dropped if needs be:

- `ubuntu-latest` runner. It looks like another user has also attempted this in Update chromedriver to v119 so that it is compatible with the chrome … #1656
- `npm ci` instead of `npm install`. `npm ci` respects the `package-lock.json` file whereas `npm install` will try and bump dependencies, which is not ideal in a CI workflow as it adds uncertainty into which dependencies are being used in your production bundle.

Related to #1280
Why?

There are various unofficial images of CyberChef floating around. Although I'm sure most of them are probably fine, for a tool such as CyberChef where I'm inputting potentially sensitive data I'd rather not take any chances.
Testing

I've published a version built on my own fork to `ghcr.io/ashcorr/cyberchef:latest` which may be used for testing:

```
podman run -p 8080:80 -it ghcr.io/ashcorr/cyberchef:latest
```

or

```
docker run -p 8080:80 -it ghcr.io/ashcorr/cyberchef:latest
```
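The tag set the description lists (`1`, `1.0`, `1.0.0` and `latest`) and the review question about where `latest` comes from are easier to reason about with the derivation written out. The block below is an added example, not code from CyberChef or from docker/metadata-action; it reimplements the semver tag cascade in plain Node.js so the one edge case a release pipeline must get right is visible: a pre-release tag such as `v10.6.0-rc.1` yields only its own full version and never `10`, `10.6` or `latest`, so a release candidate cannot replace the image people pull by default. The function names, the sample refs and the `ghcr.io/gchq/cyberchef` image path used for illustration are assumptions.

```javascript
// Added example (not code from CyberChef or docker/metadata-action): derive the
// image tags a release should carry from the git ref that triggered the build.
// The patterns mirror those described for the release workflow, {{major}},
// {{major}}.{{minor}} and {{version}}, plus the implicit "latest" tag.
// Pre-release refs get exactly one tag and no "latest".
// Function names and the registry/image strings below are illustrative assumptions.

const SEMVER_RE =
  /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Parse "v10.5.2", "10.6.0-rc.1" or "v1.0.0+build.7". Returns null for refs that
// are not semver (branch names, commit SHAs), which should get no release tags.
function parseSemver(ref) {
  const m = SEMVER_RE.exec(ref);
  if (m === null) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] === undefined ? null : m[4], // "+build" metadata is dropped
  };
}

// Tags for one ref: stable releases get the full cascade plus "latest",
// pre-releases get only their own version string.
function imageTags(ref) {
  const v = parseSemver(ref);
  if (v === null) return [];
  const base = `${v.major}.${v.minor}.${v.patch}`;
  if (v.prerelease !== null) return [`${base}-${v.prerelease}`];
  return [String(v.major), `${v.major}.${v.minor}`, base, "latest"];
}

// Fully qualified references to push, e.g. ghcr.io/gchq/cyberchef:10.5.2.
function imageRefs(registry, image, ref) {
  return imageTags(ref).map((t) => `${registry}/${image}:${t}`);
}

// Constructed sample input: refs a release workflow might be triggered by.
const sampleRefs = ["v10.5.2", "v10.6.0-rc.1", "main"];
for (const ref of sampleRefs) {
  console.log(ref, "->", imageRefs("ghcr.io", "gchq/cyberchef", ref));
}
```

This is the same rule docker/metadata-action applies for `type=semver` entries with its default `latest=auto` flavor, which is why no separate `type=raw,value=latest` line is needed. Note that `latest` and the `1` / `1.0` tags are mutable by design; anyone who wants the "official image" guarantee this PR is motivated by should pin the digest reported by the registry rather than a tag.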