From 126a4ab3092b6a003d6fadea38f6b098830eff6f Mon Sep 17 00:00:00 2001 From: Lukas Spirig Date: Wed, 20 Nov 2024 13:37:00 +0100 Subject: [PATCH] build: create slim variants of container images (#3218) We want to test slim(med) images, for improved security and container image size. See https://github.com/slimtoolkit/slim for details. --- .../continuous-integration-secure.yml | 23 ++++++++++++ .github/workflows/continuous-integration.yml | 11 ++++++ .github/workflows/release-please.yml | 35 +++++++++++++++++++ 3 files changed, 69 insertions(+) diff --git a/.github/workflows/continuous-integration-secure.yml b/.github/workflows/continuous-integration-secure.yml index 8a8501511a..0a5546f96d 100644 --- a/.github/workflows/continuous-integration-secure.yml +++ b/.github/workflows/continuous-integration-secure.yml @@ -69,6 +69,17 @@ jobs: docker push $IMAGE_REPO_PREVIEW:pr$PR_NUMBER env: DOCKER_BUILDKIT: 1 + - name: Build slim image + uses: kitabisa/docker-slim-action@v1 + with: + target: '${{ env.IMAGE_REPO_PREVIEW }}:pr${{ env.PR_NUMBER }}' + tag: '${{ env.IMAGE_REPO_PREVIEW }}:pr${{ env.PR_NUMBER }}-slim' + env: + DSLIM_PRESERVE_PATH: /usr/share/nginx/html + - name: Push slim image + run: | + docker push $IMAGE_REPO_PREVIEW:pr$PR_NUMBER-slim + docker image list - name: "Add 'preview-available' label" # This label is used for filtering deployments in ArgoCD 
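Review bot: `uses: kitabisa/docker-slim-action@v1` references a third-party action by a mutable tag, so whoever controls that tag can change the code that runs in this job right before the `docker push` step. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: kitabisa/docker-slim-action@<full-commit-sha> # v1` (placeholder; take the SHA from the release you reviewed). The same line appears in the second hunk of this file and in the hunks for continuous-integration.yml and release-please.yml. The job definition starts outside the hunk, so which registry credentials and token permissions are in scope for the action is not visible here.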
@@ -181,6 +192,18 @@ jobs: docker push $IMAGE_REPO_VISUAL_REGRESSION:pr$PR_NUMBER env: DOCKER_BUILDKIT: 1 + - name: Build slim image + uses: kitabisa/docker-slim-action@v1 + with: + target: '${{ env.IMAGE_REPO_VISUAL_REGRESSION }}:pr${{ env.PR_NUMBER }}' + tag: '${{ env.IMAGE_REPO_VISUAL_REGRESSION }}:pr${{ env.PR_NUMBER }}-slim' + env: + DSLIM_PRESERVE_PATH: /usr/share/nginx/html + - name: Push slim image + run: | + docker push $IMAGE_REPO_VISUAL_REGRESSION:pr{{ env.PR_NUMBER }}-slim + docker image list + - name: Apply labels if: steps.screenshot-check.outputs.result == 'changed' || steps.screenshot-check.outputs.result == 'empty' run: | diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 9a914d9a37..9202cc187f 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -159,3 +159,14 @@ jobs: docker push $IMAGE_REPO_VISUAL_REGRESSION:baseline env: DOCKER_BUILDKIT: 1 + - name: Build slim image + uses: kitabisa/docker-slim-action@v1 + with: + target: '${{ env.IMAGE_REPO_VISUAL_REGRESSION }}:baseline' + tag: '${{ env.IMAGE_REPO_VISUAL_REGRESSION }}:baseline-slim' + env: + DSLIM_PRESERVE_PATH: /usr/share/nginx/html + - name: Push slim image + run: | + docker push $IMAGE_REPO_VISUAL_REGRESSION:baseline-slim + docker image list diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index d59a6bb33e..26b6c0c9e1 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
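Review bot: The push command in the added `Push slim image` step for the visual-regression image uses `pr{{ env.PR_NUMBER }}-slim`, which is missing the `$` of an Actions expression, so the braces reach the shell literally and the reference will not match the `pr${{ env.PR_NUMBER }}-slim` tag built in the step above. Use the shell variable as the first hunk does: `docker push $IMAGE_REPO_VISUAL_REGRESSION:pr$PR_NUMBER-slim`. As written the step presumably fails, or at least never publishes the slim image for the PR.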
@@ -94,12 +94,47 @@ jobs: env: DOCKER_BUILDKIT: 1 VERSION: ${{ steps.release.outputs.version }} + - name: Build slim image with version + if: ${{ steps.release.outputs.release_created }} + uses: kitabisa/docker-slim-action@v1 + with: + target: '${{ env.IMAGE_REPO_STORYBOOK }}:${{ steps.release.outputs.version }}' + tag: '${{ env.IMAGE_REPO_STORYBOOK }}:${{ steps.release.outputs.version }}-slim' + env: + DSLIM_PRESERVE_PATH: /usr/share/nginx/html + - name: Build slim image with latest + if: ${{ steps.release.outputs.release_created }} + uses: kitabisa/docker-slim-action@v1 + with: + target: '${{ env.IMAGE_REPO_STORYBOOK }}:latest' + tag: '${{ env.IMAGE_REPO_STORYBOOK }}:latest-slim' + env: + DSLIM_PRESERVE_PATH: /usr/share/nginx/html + - name: Push slim image + if: ${{ steps.release.outputs.release_created }} + run: | + docker push $IMAGE_REPO_STORYBOOK:$VERSION-slim + docker push $IMAGE_REPO_STORYBOOK:latest-slim + docker image list + env: + VERSION: ${{ steps.release.outputs.version }} - name: 'Container: Build and publish dev image' run: | docker build --tag $IMAGE_REPO_STORYBOOK:dev . docker push $IMAGE_REPO_STORYBOOK:dev env: DOCKER_BUILDKIT: 1 + - name: Build slim image with dev + uses: kitabisa/docker-slim-action@v1 + with: + target: '${{ env.IMAGE_REPO_STORYBOOK }}:dev' + tag: '${{ env.IMAGE_REPO_STORYBOOK }}:dev-slim' + env: + DSLIM_PRESERVE_PATH: /usr/share/nginx/html + - name: Push slim image + run: | + docker push $IMAGE_REPO_STORYBOOK:dev-slim + docker image list - name: Cherry-pick CHANGELOG.md into ${{ github.event.repository.default_branch }} if: ${{ steps.release.outputs.release_created && github.ref_name != 'main' }}
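Review bot: `Build slim image with version` and `Build slim image with latest` run the minifier twice, so `$VERSION-slim` and `latest-slim` are separately generated images and need not share a digest, even if `:latest` and `:$VERSION` are the same image (the step that tags them is outside the hunk, so that is assumed). Building once and retagging in the push step, `docker tag $IMAGE_REPO_STORYBOOK:$VERSION-slim $IMAGE_REPO_STORYBOOK:latest-slim`, would give consumers of either tag the same traceable artifact. Nothing between the slim build and `docker push` checks that the minified image still serves the site; a short smoke test (start the container, request the index page) before the push would catch files the minifier dropped beyond `DSLIM_PRESERVE_PATH`.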