diff --git a/.github/workflows/main_matrix.yml b/.github/workflows/main_matrix.yml index 9cf50130a..2440b2ed3 100644 --- a/.github/workflows/main_matrix.yml +++ b/.github/workflows/main_matrix.yml @@ -130,25 +130,27 @@ jobs: release/meshtasticd_linux_amd64 release/device-*.sh release/device-*.bat - retention-days: 30 - name: Docker login + if: ${{ github.event_name == 'workflow_dispatch' }} uses: docker/login-action@v2 with: username: meshtastic password: ${{ secrets.DOCKER_TOKEN }} - name: Docker setup + if: ${{ github.event_name == 'workflow_dispatch' }} uses: docker/setup-buildx-action@v2 - name: Docker build and push + if: ${{ github.event_name == 'workflow_dispatch' }} uses: docker/build-push-action@v3 with: context: . file: ./Dockerfile push: true - tags: meshtastic/device:simulator - + tags: meshtastic/device-simulator:latest + after-checks: runs-on: ubuntu-latest needs: [check] diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 000000000..6ae867e8b --- /dev/null +++ b/.semgrepignore @@ -0,0 +1 @@ +.github/workflows/main_matrix.yml diff --git a/Dockerfile b/Dockerfile index 0ce4e3326..8e3cd2154 100644 --- a/Dockerfile +++ b/Dockerfile 
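Review bot: The build-and-push step now publishes only the mutable `meshtastic/device-simulator:latest` tag, so an image pushed by a manual `workflow_dispatch` run cannot be traced back to, or pinned to, the commit that produced it. Add an immutable tag alongside it, e.g. `tags: |` followed by `meshtastic/device-simulator:latest` and `meshtastic/device-simulator:${{ github.sha }}`, so consumers can pin and a bad push can be identified and rolled back. The three new `if:` guards restrict login and push to manually dispatched runs, which means the registry credential is never used on push or pull-request events; whether that is the intended release flow is not visible here. The `docker/*` actions stay pinned by major tag rather than commit SHA, which this commit leaves as is.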
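Review bot: The new `.semgrepignore` excludes the whole `main_matrix.yml` workflow from Semgrep, which is the file that handles `secrets.DOCKER_TOKEN` and the registry push, so any future finding in it (an unpinned action, a secret written to a log step) is silenced together with whatever finding motivated this entry. A narrower suppression keeps the rest of the workflow scanned: an inline `# nosemgrep: <rule-id>` on the offending line, or an ignore entry scoped to that rule. The motivating finding is not visible in this diff, so the scope concern is inferred from the file's contents.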
@@ -1,15 +1,41 @@
 FROM debian:bullseye-slim AS builder
-RUN apt-get update
-RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get -y install wget python3 g++ zip python3-venv git vim
-RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -O get-platformio.py; chmod +x get-platformio.py
-RUN python3 get-platformio.py
-RUN git clone https://github.com/meshtastic/firmware --recurse-submodules
-RUN cd firmware
-RUN chmod +x ./firmware/bin/build-native.sh
-RUN . ~/.platformio/penv/bin/activate; cd firmware; sh ./bin/build-native.sh
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ=Etc/UTC
+
+# http://bugs.python.org/issue19846
+# > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
+ENV LANG C.UTF-8
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Install build deps
+USER root
+RUN apt-get update && \
+ apt-get -y install wget python3 g++ zip python3-venv git vim ca-certificates
+
+# create a non-priveleged user & group
+RUN groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
+
+USER mesh
+RUN wget https://raw.githubusercontent.com/platformio/platformio-core-installer/master/get-platformio.py -qO /tmp/get-platformio.py && \
+ chmod +x /tmp/get-platformio.py && \
+ python3 /tmp/get-platformio.py && \
+ git clone https://github.com/meshtastic/firmware --recurse-submodules /tmp/firmware && \
+ cd /tmp/firmware && \
+ chmod +x /tmp/firmware/bin/build-native.sh && \
+ source ~/.platformio/penv/bin/activate && \
+ ./bin/build-native.sh
 FROM frolvlad/alpine-glibc
-WORKDIR /root/
-COPY --from=builder /firmware/release/meshtasticd_linux_amd64 ./
-RUN apk --update add --no-cache g++
-CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'"
\ No newline at end of file
+
+RUN apk --update add --no-cache g++ shadow && \
+ groupadd -g 1000 mesh && useradd -ml -u 1000 -g 1000 mesh
+
+COPY --from=builder /tmp/firmware/release/meshtasticd_linux_amd64 /home/mesh/
+
+USER mesh
+WORKDIR /home/mesh +CMD sh -cx "./meshtasticd_linux_amd64 --hwid '$RANDOM'" + +HEALTHCHECK NONE diff --git a/README.md b/README.md index 6432803e4..5bae2f345 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This repository contains the device firmware for the Meshtastic project. -**[Building Instructions](https://meshtastic.org/docs/developers/Firmware/build)** +**[Building Instructions](https://meshtastic.org/docs/development/firmware/build)** **[Flashing Instructions](https://meshtastic.org/docs/getting-started/flashing-firmware/)** ## Stats
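Review bot: The builder stage's new `RUN` fetches `get-platformio.py` from the `master` branch of the installer repository and executes it, and clones the firmware at whatever HEAD is at build time, with no checksum and no commit pin, so the image content depends on two mutable upstream sources and cannot be reproduced or audited later. Pin the installer to a tag or commit and verify it before running it, e.g. `wget https://raw.githubusercontent.com/platformio/platformio-core-installer/<pinned-commit>/get-platformio.py -qO /tmp/get-platformio.py && echo '<sha256-of-installer>  /tmp/get-platformio.py' | sha256sum -c -` (placeholders to be filled from a checked download); and since the workflow builds with `context: .` from this same repository, `COPY --chown=mesh:mesh . /tmp/firmware` in place of the `git clone` would tie the image to the commit under CI. Two smaller points on the new lines: `ENV LANG C.UTF-8` uses the deprecated space-separated form (`ENV LANG=C.UTF-8`), and the runtime `CMD` keeps shell form, so `meshtasticd_linux_amd64` is not PID 1 and does not receive `SIGTERM` from `docker stop`; `CMD ["sh", "-c", "exec ./meshtasticd_linux_amd64 --hwid \"$RANDOM\""]` keeps the `$RANDOM` expansion while exec'ing the binary.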