From aabb14093f04fda988de3f4322cc3e9722237e05 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 8 Sep 2024 23:04:10 -0700 Subject: [PATCH] Reorganize repository --- .github/workflows/build-slim.yml | 12 ++++++------ .github/workflows/build-unprivileged-slim.yml | 16 ++++++++-------- .github/workflows/build-unprivileged.yml | 16 ++++++++-------- .github/workflows/build.yml | 8 ++++---- mainline-slim/Dockerfile | 10 ++++++++++ mainline-unprivileged-slim/Dockerfile | 14 ++++++++++++++ mainline-unprivileged/Dockerfile | 10 ++++++++++ Dockerfile => mainline/Dockerfile | 0 8 files changed, 60 insertions(+), 26 deletions(-) create mode 100644 mainline-slim/Dockerfile create mode 100644 mainline-unprivileged-slim/Dockerfile create mode 100644 mainline-unprivileged/Dockerfile rename Dockerfile => mainline/Dockerfile (100%) diff --git a/.github/workflows/build-slim.yml b/.github/workflows/build-slim.yml index e8b0bab..e652d48 100644 --- a/.github/workflows/build-slim.yml +++ b/.github/workflows/build-slim.yml @@ -5,9 +5,9 @@ on: push: branches: - slim - # Ignore Markdown files - paths-ignore: - - '**.md' + paths: + - '.github/workflows/build-slim.yml' + - 'mainline-slim/**' schedule: # Build the image daily - cron: '15 0 * * *' @@ -57,7 +57,7 @@ jobs: id: build-and-push uses: docker/build-push-action@v6 with: - context: . + context: mainline-slim platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} @@ -85,7 +85,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: trivy-results.sarif - category: trivy + category: trivy-slim grype: name: Scan current image with Grype @@ -106,4 +106,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} - category: grype + category: grype-slim \ No newline at end of file diff --git a/.github/workflows/build-unprivileged-slim.yml b/.github/workflows/build-unprivileged-slim.yml index 3fb8e39..bb9bf5b 100644 
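Review bot: In the first hunk of build-slim.yml the push trigger still lists only the `slim` branch while the new `paths` filter watches `mainline-slim/**`; the two unprivileged workflows in this same patch switch their branch to `main` when they get the equivalent `paths` filter. If the reorganization moves every variant onto `main` (the rename of `Dockerfile` to `mainline/Dockerfile` and the new per-variant directories suggest it does), a push to `main` touching `mainline-slim/**` never builds the slim image and only the daily `cron` run keeps it current. Suggested change in the `branches` list: `- main`. The enclosing `on:` mapping continues outside the hunk.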
--- a/.github/workflows/build-unprivileged-slim.yml +++ b/.github/workflows/build-unprivileged-slim.yml @@ -4,10 +4,10 @@ on: workflow_dispatch: push: branches: - - unprivileged-slim - # Ignore Markdown files - paths-ignore: - - '**.md' + - main + paths: + - '.github/workflows/build-unprivileged-slim.yml' + - 'mainline-unprivileged-slim/**' schedule: # Build the image daily - cron: '15 0 * * *' @@ -57,7 +57,7 @@ jobs: id: build-and-push uses: docker/build-push-action@v6 with: - context: . + context: mainline-unprivileged-slim platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} @@ -85,7 +85,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: trivy-results.sarif - category: trivy + category: trivy-unprivileged-slim grype: name: Scan current image with Grype @@ -97,7 +97,7 @@ jobs: steps: - name: Run Grype vulnerability scanner uses: anchore/scan-action@v4 - id: grype + id: grype-unprivileged-slim with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} fail-build: false @@ -106,4 +106,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} - category: grype + category: grype-unprivileged-slim diff --git a/.github/workflows/build-unprivileged.yml b/.github/workflows/build-unprivileged.yml index bf1570f..4d8734f 100644 --- a/.github/workflows/build-unprivileged.yml +++ b/.github/workflows/build-unprivileged.yml @@ -4,10 +4,10 @@ on: workflow_dispatch: push: branches: - - unprivileged - # Ignore Markdown files - paths-ignore: - - '**.md' + - main + paths: + - '.github/workflows/build-unprivileged.yml' + - 'mainline-unprivileged/**' schedule: # Build the image daily - cron: '15 0 * * *' 
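Review bot: Renaming the scanner step to `id: grype-unprivileged-slim` breaks the SARIF upload in the following hunk, which still reads `sarif_file: ${{ steps.grype.outputs.sarif }}`; with no step called `grype` in the job that expression evaluates to an empty string, so the upload step has no file to read. The step id is local to its workflow and does not need to be unique across files (unlike the `category` values that are also renamed here), so either keep `id: grype` or update the reference to `sarif_file: ${{ steps.grype-unprivileged-slim.outputs.sarif }}`. The same rename without a matching reference update appears in build-unprivileged.yml (`id: grype-unprivileged`).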
@@ -57,7 +57,7 @@ jobs: id: build-and-push uses: docker/build-push-action@v6 with: - context: . + context: mainline-unprivileged platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} @@ -85,7 +85,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: trivy-results.sarif - category: trivy + category: trivy-unprivileged grype: name: Scan current image with Grype @@ -97,7 +97,7 @@ jobs: steps: - name: Run Grype vulnerability scanner uses: anchore/scan-action@v4 - id: grype + id: grype-unprivileged with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} fail-build: false @@ -106,4 +106,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.grype.outputs.sarif }} - category: grype + category: grype-unprivileged diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 75cc995..09a3d0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,9 +5,9 @@ on: push: branches: - main - # Ignore Markdown files - paths-ignore: - - '**.md' + paths: + - '.github/workflows/build.yml' + - 'mainline/**' schedule: # Build the image daily - cron: '15 0 * * *' @@ -57,7 +57,7 @@ jobs: id: build-and-push uses: docker/build-push-action@v6 with: - context: . + context: mainline platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} diff --git a/mainline-slim/Dockerfile b/mainline-slim/Dockerfile new file mode 100644 index 0000000..10907f6 --- /dev/null +++ b/mainline-slim/Dockerfile @@ -0,0 +1,10 @@ +FROM nginx:mainline-alpine-slim + +LABEL maintainer="Thien Tran contact@tommytran.io" + +RUN apk -U upgrade \ + && apk add libstdc++ \ + && rm -rf /var/cache/apk/* + +COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest /install /usr/local/lib/ +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" \ No newline at end of file 
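Review bot: In the new mainline-slim/Dockerfile, `COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest` pulls a floating tag into an image that the workflows rebuild daily on the `cron` schedule and then force-loads the result into every process through `LD_PRELOAD`; nothing in the build verifies what was fetched, so a changed or compromised `latest` tag lands in the published image on the next scheduled run without any diff in this repository. Pin the stage to an immutable reference, e.g. `COPY --from=ghcr.io/polarix-containers/hardened_malloc@sha256:<DIGEST-PLACEHOLDER> /install /usr/local/lib/`, and bump the digest deliberately. The two new Dockerfiles under mainline-unprivileged-slim/ and mainline-unprivileged/ carry the same unpinned reference. The file also ends without a trailing newline.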
diff --git a/mainline-unprivileged-slim/Dockerfile b/mainline-unprivileged-slim/Dockerfile
new file mode 100644
index 0000000..5f84ff8
--- /dev/null
+++ b/mainline-unprivileged-slim/Dockerfile
@@ -0,0 +1,14 @@
+FROM ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim
+
+LABEL maintainer="Thien Tran contact@tommytran.io"
+
+USER root
+
+RUN apk -U upgrade \
+ && apk add libstdc++ \
+ && rm -rf /var/cache/apk/*
+
+COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest /install /usr/local/lib/
+ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
+
+USER $UID
\ No newline at end of file
diff --git a/mainline-unprivileged/Dockerfile b/mainline-unprivileged/Dockerfile
new file mode 100644
index 0000000..01b27ae
--- /dev/null
+++ b/mainline-unprivileged/Dockerfile
@@ -0,0 +1,10 @@
+FROM nginx:mainline-alpine
+
+LABEL maintainer="Thien Tran contact@tommytran.io"
+
+RUN apk -U upgrade \
+ && apk add libstdc++ \
+ && rm -rf /var/cache/apk/*
+
+COPY --from=ghcr.io/polarix-containers/hardened_malloc:latest /install /usr/local/lib/
+ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
\ No newline at end of file
diff --git a/Dockerfile b/mainline/Dockerfile
similarity index 100%
rename from Dockerfile
rename to mainline/Dockerfile
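Review bot: mainline-unprivileged/Dockerfile builds `FROM nginx:mainline-alpine`, the upstream image that runs as root, and has no `USER` instruction at all, whereas its slim sibling in this same patch starts from `ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine-slim`, switches to `USER root` for the package install and drops back with `USER $UID`. Apart from the base tag the file is identical to mainline-slim/Dockerfile, so the image that build-unprivileged.yml publishes under an "unprivileged" name is the privileged variant, and consumers choosing it for reduced privileges get nginx running as root. Unless this is intentional it should mirror the slim file: `FROM ghcr.io/nginxinc/nginx-unprivileged:mainline-alpine`, `USER root` before the `RUN`, and `USER $UID` after the `ENV` line.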