From df715d4fdcaf00ad0ffae52691d16b59cf79a4de Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 9 Jan 2024 20:55:35 -0500
Subject: [PATCH 1/5] Add Security Insights, Security, and Dependency files
Signed-off-by: John Kjell
---
DEPENDENCY.md | 42 ++++++++++++++++++++++
SECURITY-INSIGHTS.yml | 81 +++++++++++++++++++++++++++++++++++++++++++
SECURITY.md | 34 ++++++++++++++++++
3 files changed, 157 insertions(+)
create mode 100644 DEPENDENCY.md
create mode 100644 SECURITY-INSIGHTS.yml
create mode 100644 SECURITY.md
diff --git a/DEPENDENCY.md b/DEPENDENCY.md
new file mode 100644
index 00000000..015a05f0
--- /dev/null
+++ b/DEPENDENCY.md
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Archivista maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Archivista maintainers and all third-party packages used in the Archivista project.
+
+## Policy
+
+Archivista maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Archivista.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Archivista codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Archivista, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Archivista?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Archivista codebase.
+5. Update the Archivista documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Archivista maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Archivista project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 00000000..f93f2e6d
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,81 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+ schema-version: 1.0.0
+ expiration-date: '2024-08-31T10:10:09.000Z'
+ last-updated: '2023-12-20'
+ last-reviewed: '2023-12-20'
+ commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
+ project-url: https://github.com/in-toto/archivista
+ project-release: 'v0.2.0'
+ changelog: https://github.com/in-toto/archivista/releases/tag/v0.2.0
+ license: https://github.com/in-toto/archivista/blob/main/LICENSE
+
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/orgs/in-toto/projects/4/views/3
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/in-toto/archivista/MAINTAINERS.md
+ release-cycle: https://github.com/in-toto/archivista/releases
+
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ contributing-policy: https://github.com/in-toto/archivista/blob/main/CONTRIBUTING.md
+ code-of-conduct: https://github.com/in-toto/archivista/blob/main/CODE_OF_CONDUCT.md
+
+documentation:
+ - https://in-toto.io
+
+distribution-points:
+ - https://github.com/in-toto/archivista/releases
+
+security-testing:
+- tool-type: sca
+ tool-name: Dependabot
+ tool-version: 2
+ tool-url: https://github.com/dependabot
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: false
+
+security-contacts:
+- type: email
+ value: security@testifysec.com
+ primary: true
+
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ email-contact: security@testifysec.com
+ security-policy: https://github.com/in-toto/archivista/SECURITY.md
+
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/in-toto/archivista/go.mod
+ sbom:
+ - sbom-file: https://foo.bar/sbom
+ sbom-format: CycloneDX
+ sbom-url: https://foo.bar
+ dependencies-lifecycle:
+ policy-url: https://github.com/in-toto/archivista/SECURITY.md
+ comment: |
+ All dependencies are subject to the Archivista Security Policy.
+ env-dependencies-policy:
+ policy-url: https://github.com/in-toto/archivista/DEPENDENCY.md
+ comment: |
+ All dependencies are subject to the Archivista Dependency Policy.
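Review bot: The `sbom` stanza points at placeholder locations (`sbom-file: https://foo.bar/sbom`, `sbom-url: https://foo.bar`), so anyone consuming this file is told an SBOM is published at an address that does not serve one; either point `sbom-file` at the artifact actually attached to the release or drop the `sbom` block until one exists. The in-repo links (`MAINTAINERS.md`, `SECURITY.md`, `go.mod`, `DEPENDENCY.md`) omit the `/blob/main/` segment that `contributing-policy`, `code-of-conduct` and `license` use, so they may not resolve the way the other links do; worth checking each after merge. The copyright header names "The Witness Contributors" while the fossa.yml header added later in this series says "The Archivista Contributors"; the two should agree.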
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..6aaf873a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Security Bulletins
+
+See current security bullentins on GitHub: https://github.com/in-toto/archivista/security/advisories
+
+For information regarding the security of this project please join:
+
+* in-toto-archivista on CNCF Slack
+
+## Reporting a Vulnerability
+
+Please use the below process to report a vulnerability to the project:
+
+Web Form:
+
+1. Please visit https://github.com/in-toto/archivista/security/advisories/new
+ * You will receive a confirmation email upon submission
+1. You may be contacted by a maintainer to further discuss the reported item
+ within 3 days. Please bear with us as we seek to understand the breadth
+ and scope of the reported problem, recreate it, and confirm if there is an
+ vulnerability present.
+
+This project follows a 30 day disclosure timeline.
+
+## Supported Versions
+
+Information regarding supported versions of this project can be found on
+in the below table:
+
+| Version | Supported |
+| --- | --- |
+| Latest | :white_check_mark: |
+| <= Latest - 2 | :x: |
From 9bda230e39ae2bfcf36011e543fe0e6588c76bb7 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 9 Jan 2024 21:22:35 -0500
Subject: [PATCH 2/5] Pin dependencies, update permissions in workflows, and
add license scanning
Signed-off-by: John Kjell
---
.github/workflows/db-migrations.yml | 4 +--
.github/workflows/fossa.yml | 28 +++++++++++++++++++
.github/workflows/pipeline.yml | 12 ++++++--
.github/workflows/update-pre-commit-hooks.yml | 4 ++-
.github/workflows/verify-licence.yml | 2 +-
.github/workflows/witness.yml | 6 ++++
Dockerfile | 4 +--
Dockerfile-dev | 4 +--
8 files changed, 54 insertions(+), 10 deletions(-)
create mode 100644 .github/workflows/fossa.yml
diff --git a/.github/workflows/db-migrations.yml b/.github/workflows/db-migrations.yml
index c8fad422..080840ad 100644
--- a/.github/workflows/db-migrations.yml
+++ b/.github/workflows/db-migrations.yml
@@ -36,11 +36,11 @@ jobs:
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
- go-version: '1.19.x'
+ go-version: '1.21.x'
- name: Check DB Migrations
run: |
- curl -sSf https://atlasgo.sh | sh
+ go get ariga.io/atlas/cmd/atlas@v0.17.0
before=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
make db-migrations
after=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
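Review bot: `go get ariga.io/atlas/cmd/atlas@v0.17.0` does not build or install a binary with the Go 1.21 toolchain selected two lines above, so `atlas` is not on PATH when `make db-migrations` runs; inside the checked-out module it only adds a requirement to go.mod, and in the Dockerfile and Dockerfile-dev hunks of this patch (where /src is empty at that point) it fails outright because no go.mod is present. The form that installs a pinned binary is `go install ariga.io/atlas/cmd/atlas@v0.17.0`, and it writes to `$GOPATH/bin`, so the Dockerfile's later `COPY --from=build /usr/local/bin/atlas /bin/atlas` also needs `GOBIN=/usr/local/bin` on that line or a matching source path. The `make db-migrations` target itself is outside the hunk, so the exact failure mode there is inferred.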
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 00000000..cdd0f88b
--- /dev/null
+++ b/.github/workflows/fossa.yml
@@ -0,0 +1,28 @@
+name: "Fossa Scan"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ fossa-scan:
+ env:
+ FOSSA_API_KEY: ${{ secrets.fossaApiKey }}
+ runs-on: ubuntu-latest
+ steps:
+ - if: ${{ env.FOSSA_API_KEY != '' }}
+ name: "Checkout Code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - if: ${{ env.FOSSA_API_KEY != '' }}
+ name: "Run FOSSA Scan"
+ uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+ with:
+ api-key: ${{ env.FOSSA_API_KEY }}
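Review bot: The new job holds `FOSSA_API_KEY` in job-level `env` but, unlike witness.yml in this same series, does not start with the pinned `step-security/harden-runner` step, so the scan runs with unrestricted egress while the key is in the environment. Adding the same step as first in `steps` (`uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1` with `egress-policy: audit`) keeps the two workflows consistent and records where the key is sent. The `if: ${{ env.FOSSA_API_KEY != '' }}` guards are a good touch for fork PRs, where the secret is empty.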
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index ce1d8d63..cb507260 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -13,7 +13,6 @@
# limitations under the License.
permissions:
- id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: pipeline
on:
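Review bot: Dropping the workflow-level `id-token: write` leaves any job without its own `permissions:` block unable to request an OIDC token; the three jobs that call witness.yml get a job-level grant in the later hunks, but the job containing the GoReleaser and `testifysec/witness-run-action` steps (hunk `@@ -79,7 +87,7 @@`) shows no corresponding block in this diff. If that step signs via Sigstore it needs `permissions: id-token: write` at job level as well; that job's header is outside the hunk, so confirm before merging.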
@@ -26,6 +25,9 @@ on:
jobs:
fmt:
uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: static-analysis
@@ -34,6 +36,9 @@ jobs:
static_analysis:
uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: static-analysis
@@ -43,6 +48,9 @@ jobs:
tests:
needs: [fmt, static_analysis]
uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: "tests"
@@ -79,7 +87,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download GoReleaser
- run: go install github.com/goreleaser/goreleaser@latest
+ run: go install github.com/goreleaser/goreleaser@v1.23.0
- name: Run GoReleaser
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
diff --git a/.github/workflows/update-pre-commit-hooks.yml b/.github/workflows/update-pre-commit-hooks.yml
index 4ea8361b..4f879646 100644
--- a/.github/workflows/update-pre-commit-hooks.yml
+++ b/.github/workflows/update-pre-commit-hooks.yml
@@ -22,6 +22,8 @@ on:
schedule:
# Run at 8:00 AM every day
- cron: "0 8 * * *"
+permissions:
+ contents: read
jobs:
update-pre-commit-hooks:
runs-on: ubuntu-latest
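Review bot: The new workflow-level `contents: read` also caps the `update-pre-commit-hooks` job, whose steps after `pre-commit autoupdate` are outside this diff; if that job commits the updated config or opens a PR with `GITHUB_TOKEN`, it now needs job-level `contents: write` (and `pull-requests: write`) or it will fail at push time, whereas if it uses a separate token the read-only default is the right choice. A one-line comment on the `permissions:` block stating which of the two applies would stop the next reader from having to trace the job to find out. The `pip install pre-commit==3.6.0` pin in the second hunk is an improvement; `--require-hashes` would close the remaining gap but is optional.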
@@ -32,7 +34,7 @@ jobs:
python-version: "3.11"
- name: Install prerequisites
run: |
- pip install pre-commit
+ pip install pre-commit==3.6.0
- name: Update pre-commit hooks
run: |
pre-commit autoupdate
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
index bf1bdf09..bf4c97c3 100644
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@@ -36,7 +36,7 @@ jobs:
with:
go-version: '1.19.x'
- name: Install addlicense
- run: go install github.com/google/addlicense@latest
+ run: go install github.com/google/addlicense@v1.1.1
- name: Check license headers
run: |
set -e
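Review bot: `addlicense` is now pinned, but the step still runs on `go-version: '1.19.x'` (context line above) while db-migrations.yml moves to 1.21.x in this same commit and the Dockerfiles build with 1.21.5; Go 1.19 no longer receives fixes, so the toolchain that compiles the pinned tool is the unmaintained one. Changing the line to `go-version: '1.21.x'` keeps the workflows consistent. The rest of the job is outside the hunk.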
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index b880b2ec..47d1a640 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -28,9 +28,15 @@ on:
required: true
type: string
+permissions:
+ contents: read
+
jobs:
witness:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
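Review bot: The job-level `id-token: write` carries no explanation, while the identical grant in pipeline.yml is annotated `# This is required for requesting the JWT`; since a job-level `permissions:` block replaces rather than merges with the workflow-level one, a comment also explains why `contents: read` is repeated. Suggest `contents: read  # job-level permissions replace the workflow-level set, so checkout access must be re-granted` and `id-token: write  # This is required for requesting the JWT`. Callers of this reusable workflow must still grant `id-token: write` themselves, which pipeline.yml does in this series.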
diff --git a/Dockerfile b/Dockerfile
index 91cdf391..93b575c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,13 +15,13 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN curl -sSf https://atlasgo.sh | sh
+RUN go get ariga.io/atlas/cmd/atlas@v0.17.0
ENV GOMODCACHE /root/.cache/gocache
RUN --mount=target=. --mount=target=/root/.cache,type=cache \
CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
file /out/archivista | grep "statically linked"
-FROM alpine
+FROM alpine:3.19.0@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd
COPY --from=build /out/archivista /bin/archivista
COPY --from=build /usr/local/bin/atlas /bin/atlas
ADD entrypoint.sh /bin/entrypoint.sh
diff --git a/Dockerfile-dev b/Dockerfile-dev
index bff839eb..8492f018 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -15,7 +15,7 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN curl -sSf https://atlasgo.sh | sh
+RUN go get ariga.io/atlas/cmd/atlas@v0.17.0
ENV GOMODCACHE /root/.cache/gocache
-RUN go install github.com/githubnemo/CompileDaemon@latest
+RUN go install github.com/githubnemo/CompileDaemon@v1.4.0
ENTRYPOINT ["sh", "entrypoint-dev.sh"]
From 9370fb446548a7f0fa9accfb20b11795f73d25bd Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 9 Jan 2024 21:56:14 -0500
Subject: [PATCH 3/5] Add badges to README, add license header to fossa scan workflow, update
atlas install
Signed-off-by: John Kjell
---
.github/workflows/db-migrations.yml | 2 +-
.github/workflows/fossa.yml | 14 ++++++++++++++
Dockerfile | 2 +-
Dockerfile-dev | 2 +-
README.md | 4 ++++
5 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/db-migrations.yml b/.github/workflows/db-migrations.yml
index 080840ad..efdc1dd3 100644
--- a/.github/workflows/db-migrations.yml
+++ b/.github/workflows/db-migrations.yml
@@ -40,7 +40,7 @@ jobs:
- name: Check DB Migrations
run: |
- go get ariga.io/atlas/cmd/atlas@v0.17.0
+ go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
before=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
make db-migrations
after=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
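Review bot: `go install` places the binary in `$GOPATH/bin` (`/go/bin` in the golang image, `$HOME/go/bin` on the runner), but the Dockerfile in this patch still copies `/usr/local/bin/atlas` (line visible in the patch 2 hunk), so the image build fails unless `GOBIN` is set; the same applies to the Dockerfile-dev hunk. The pseudo-version `v0.12.2-0.20230806193313-117e03f96e45` is also a downgrade from the `v0.17.0` pinned in the previous patch to an untagged commit, with no reason recorded in the subject or a comment; `# pinned to an untagged commit because <reason>` on the line above would keep the next dependency bump from silently undoing it.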
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
index cdd0f88b..d08c52c1 100644
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -1,3 +1,17 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
name: "Fossa Scan"
on:
diff --git a/Dockerfile b/Dockerfile
index 93b575c5..d0fd86e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,7 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN go get ariga.io/atlas/cmd/atlas@v0.17.0
+RUN go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
ENV GOMODCACHE /root/.cache/gocache
RUN --mount=target=. --mount=target=/root/.cache,type=cache \
CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
diff --git a/Dockerfile-dev b/Dockerfile-dev
index 8492f018..b5666ca0 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -15,7 +15,7 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN go get ariga.io/atlas/cmd/atlas@v0.17.0
+RUN go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
ENV GOMODCACHE /root/.cache/gocache
RUN go install github.com/githubnemo/CompileDaemon@v1.4.0
ENTRYPOINT ["sh", "entrypoint-dev.sh"]
diff --git a/README.md b/README.md
index 783b1b92..012711a7 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,10 @@
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8280/badge)](https://www.bestpractices.dev/projects/8280)
+[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/archivista/badge)](https://api.securityscorecards.dev/projects/github.com/in-toto/archivista)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Farchivista.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Farchivista?ref=badge_shield&issueType=license)
+
# Archivista
Archivista is a graph and storage service for [in-toto](https://in-toto.io) attestations. Archivista enables the discovery
From 9230f80a076e6749a6b17d5c4c5166c7b2567ac1 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 9 Jan 2024 22:17:18 -0500
Subject: [PATCH 4/5] Update install directory of atlas
Signed-off-by: John Kjell
---
.github/workflows/db-migrations.yml | 2 +-
Dockerfile | 2 +-
Dockerfile-dev | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/db-migrations.yml b/.github/workflows/db-migrations.yml
index efdc1dd3..70e3ba99 100644
--- a/.github/workflows/db-migrations.yml
+++ b/.github/workflows/db-migrations.yml
@@ -40,7 +40,7 @@ jobs:
- name: Check DB Migrations
run: |
- go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
+ GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
before=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
make db-migrations
after=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
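Review bot: `GOBIN=/usr/local/bin` makes the workflow's `go install` write into a system directory as the unprivileged runner user, and whether that succeeds depends on the runner image's ownership of that path; the portable form is to install to a user-owned directory and add it to PATH, e.g. `GOBIN="$HOME/go/bin" go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45` followed by `echo "$HOME/go/bin" >> "$GITHUB_PATH"`. In the two Dockerfile hunks the build stage runs as root, so the same change is fine there and makes the later `COPY --from=build /usr/local/bin/atlas` consistent.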
diff --git a/Dockerfile b/Dockerfile
index d0fd86e4..a2f21a17 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,7 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
+RUN GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
ENV GOMODCACHE /root/.cache/gocache
RUN --mount=target=. --mount=target=/root/.cache,type=cache \
CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
diff --git a/Dockerfile-dev b/Dockerfile-dev
index b5666ca0..3736a80b 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -15,7 +15,7 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
+RUN GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
ENV GOMODCACHE /root/.cache/gocache
RUN go install github.com/githubnemo/CompileDaemon@v1.4.0
ENTRYPOINT ["sh", "entrypoint-dev.sh"]
From 17bb0728216d6a47598b35469576e81e8364744a Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Wed, 10 Jan 2024 08:14:12 -0500
Subject: [PATCH 5/5] Revert atlas install
Signed-off-by: John Kjell
---
.github/workflows/db-migrations.yml | 2 +-
Dockerfile | 4 ++--
Dockerfile-dev | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/db-migrations.yml b/.github/workflows/db-migrations.yml
index 70e3ba99..561cc170 100644
--- a/.github/workflows/db-migrations.yml
+++ b/.github/workflows/db-migrations.yml
@@ -40,7 +40,7 @@ jobs:
- name: Check DB Migrations
run: |
- GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
+ curl -sSf https://atlasgo.sh | sh
before=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
make db-migrations
after=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
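Review bot: Reverting to `curl -sSf https://atlasgo.sh | sh` reintroduces an unpinned, unverified remote script executed in CI and, in the two Dockerfile hunks of this patch, inside the build stage, which undoes the pinning goal stated in the subject of PATCH 2/5: the installed atlas version now floats with whatever the script serves, so migration checks can change behaviour with no diff in the repository. If the `go install` route was abandoned for the PATH/GOBIN problems seen in the earlier patches, keeping `GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@<pinned version>` in the Dockerfiles (which run as root) and installing to `$HOME/go/bin` plus `$GITHUB_PATH` in the workflow avoids both problems; failing that, download a fixed release artifact, verify its SHA-256 against a value checked into the repo, and record the chosen version in a comment next to the install line.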
diff --git a/Dockerfile b/Dockerfile
index a2f21a17..12aa684f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,13 +15,13 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
+RUN curl -sSf https://atlasgo.sh | sh
ENV GOMODCACHE /root/.cache/gocache
RUN --mount=target=. --mount=target=/root/.cache,type=cache \
CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
file /out/archivista | grep "statically linked"
-FROM alpine:3.19.0@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd
+FROM alpine:3.19.0@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
COPY --from=build /out/archivista /bin/archivista
COPY --from=build /usr/local/bin/atlas /bin/atlas
ADD entrypoint.sh /bin/entrypoint.sh
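Review bot: The `alpine:3.19.0` digest changes from `13b7e62e…` to `51b67269…` in a commit whose subject is only "Revert atlas install", so the reason for the new pin is not recorded; if one digest is the multi-arch manifest list and the other a single-architecture manifest, the swap changes which platforms the image can be built for. Add the reason to the commit message or as a comment on the `FROM` line, e.g. `# <why this digest was chosen: manifest list vs. platform manifest>`, so the next digest bump does not undo it by accident.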
diff --git a/Dockerfile-dev b/Dockerfile-dev
index 3736a80b..16bc30e1 100644
--- a/Dockerfile-dev
+++ b/Dockerfile-dev
@@ -15,7 +15,7 @@
FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
WORKDIR /src
RUN apk update && apk add --no-cache file git curl
-RUN GOBIN=/usr/local/bin go install ariga.io/atlas/cmd/atlas@v0.12.2-0.20230806193313-117e03f96e45
+RUN curl -sSf https://atlasgo.sh | sh
ENV GOMODCACHE /root/.cache/gocache
RUN go install github.com/githubnemo/CompileDaemon@v1.4.0
ENTRYPOINT ["sh", "entrypoint-dev.sh"]