chore: build and publish container image to ghcr.io (#263)

* chore: build and publish container image to ghcr.io

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>

* chore: add provenance and trigger on tag

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>

---------

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>

Author: ruromero

.github/workflows/push-to-registry.yml

@@ -0,0 +1,95 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
+name: Push to registry
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/*'
+    tags:
+      - '*'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Install node 18
+        uses: actions/setup-node@v6
+        with:
+          node-version: 18
+          cache: npm
+
+      - name: Install project modules
+        run: npm ci
+
+      - name: Compile project
+        run: npm run compile
+
+      - name: Get package version
+        id: package-version
+        run: |
+          # Use git tag if available (for tag-triggered builds), otherwise use package.json
+          if [ -n "${{ github.ref_type }}" ] && [ "${{ github.ref_type }}" = "tag" ]; then
+            # Remove 'v' prefix if present (e.g., v1.0.0 -> 1.0.0)
+            VERSION="${{ github.ref_name }}"
+            VERSION="${VERSION#v}"
+          else
+            VERSION=$(node -p "require('./package.json').version")
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Package version: $VERSION"
+
+      - name: Get image metadata
+        id: image-meta
+        run: |
+          echo "revision=${{ github.sha }}" >> $GITHUB_OUTPUT
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ steps.package-version.outputs.version }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker-image/Dockerfiles/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            IMAGE_VERSION=${{ steps.package-version.outputs.version }}
+            IMAGE_REVISION=${{ steps.image-meta.outputs.revision }}
+            IMAGE_CREATED=${{ steps.image-meta.outputs.created }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true

docker-image/Dockerfiles/Dockerfile

@@ -4,8 +4,6 @@ FROM registry.access.redhat.com/ubi9/nodejs-20 AS builder
 # use privilaged user
 USER root
 
-ARG TRUSTIFY_DA_JAVASCRIPT_API_VERSION='0.2.4-ea.12'
-
 # install Java
 RUN curl -kL https://download.oracle.com/java/21/archive/jdk-21.0.1_linux-x64_bin.tar.gz -o /tmp/java-package.tar.gz \
     && tar xvzf /tmp/java-package.tar.gz -C /usr/
@@ -19,20 +17,27 @@ RUN curl -kL https://go.dev/dl/go1.21.5.linux-amd64.tar.gz -o /tmp/golang-packag
     && tar xvzf /tmp/golang-package.tar.gz -C /usr/
 
 # install jq JSON formating tool
-RUN curl -kL https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 -o /usr/bin/jq
+RUN curl -kL https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-linux64 -o /usr/bin/jq
 
-# install Exhort javascript API
-RUN npm install --global @trustify-da/trustify-da-javascript-client@${TRUSTIFY_DA_JAVASCRIPT_API_VERSION}
+# Copy RHDA script (before changing WORKDIR)
+COPY docker-image/scripts/rhda.sh /rhda.sh
 
-# add RHDA script
-COPY scripts/rhda.sh /rhda.sh
+# Copy project files and install Exhort javascript API locally
+WORKDIR /app
+COPY package.json package-lock.json ./
+COPY dist ./dist
+COPY config ./config
+RUN npm install --production \
+    && mkdir -p /app/node_modules/.bin \
+    && ln -s /app/dist/src/cli.js /app/node_modules/.bin/trustify-da-javascript-client
 
 # assign executable permissions to all installed binaries
 RUN chmod +x /usr/jdk-21.0.1/bin/java \
     && chmod +x /usr/apache-maven-3.9.6/bin/mvn \
     && chmod +x /usr/go/bin/go \
     && chmod +x /usr/bin/jq \
-    && chmod +x /opt/app-root/src/.npm-global/bin/trustify-da-javascript-client \
+    && chmod +x /app/dist/src/cli.js \
+    && chmod +x /app/node_modules/.bin/trustify-da-javascript-client \
     && chmod +x /rhda.sh
 
 # use default user
@@ -41,10 +46,23 @@ USER default
 # second stage
 FROM registry.access.redhat.com/ubi9/nodejs-20-minimal
 
+# Build arguments for metadata
+ARG IMAGE_VERSION
+ARG IMAGE_REVISION
+ARG IMAGE_CREATED
+
+# Open Container Initiative (OCI) metadata labels
 LABEL org.opencontainers.image.source=https://github.com/guacsec/trustify-da-javascript-client
+LABEL org.opencontainers.image.description="Trustify Dependency Analytics JavaScript Client - Container image for dependency analysis and vulnerability scanning supporting Maven, NPM, Golang, and Python ecosystems"
+LABEL org.opencontainers.image.licenses=Apache-2.0
+LABEL org.opencontainers.image.title="Trustify Dependency Analytics JavaScript Client"
+LABEL org.opencontainers.image.vendor="guacsec"
+LABEL org.opencontainers.image.url=https://github.com/guacsec/trustify-da-javascript-client
+LABEL org.opencontainers.image.documentation=https://github.com/guacsec/trustify-da-javascript-client#README.md
+LABEL org.opencontainers.image.version="${IMAGE_VERSION}"
+LABEL org.opencontainers.image.revision="${IMAGE_REVISION}"
+LABEL org.opencontainers.image.created="${IMAGE_CREATED}"
 
-# assign rhda source for exhort tracking purposes
-ENV RHDA_SOURCE=''
 # contains pip feeze --all data, base64 encoded
 ENV TRUSTIFY_DA_PIP_FREEZE=''
 # contains pip show data for all packages, base64 encoded
@@ -65,13 +83,13 @@ COPY --from=builder /usr/go/ /usr/go/
 ENV GOLANG_HOME=/usr/go
 
 # Update PATH
-ENV PATH=$PATH:$JAVA_HOME/bin:$MAVEN_HOME/bin:$GOLANG_HOME/bin
+ENV PATH=$PATH:$JAVA_HOME/bin:$MAVEN_HOME/bin:$GOLANG_HOME/bin:/app/node_modules/.bin
 
 # Copy jq executable from the builder stage
 COPY --from=builder /usr/bin/jq /usr/bin/jq
 
-# Copy trustify-da-javascript-client executable from the builder stage
-COPY --from=builder /opt/app-root/src/.npm-global/ /opt/app-root/src/.npm-global/
+# Copy trustify-da-javascript-client from the builder stage
+COPY --from=builder /app /app
 
 # Copy RHDA executable script from the builder stage
 COPY --from=builder /rhda.sh /rhda.sh

docker-image/README.md

@@ -1,21 +1,21 @@
-# Exhort Javascript API Docker Images
+# Trustify Dependency Analytics Javascript Client Container Images
 
-These dockerfiles provides all nessesary components to generate images for Red Hat Dependency Analytics (RHDA).
-These images can be used as base images to set up the necessary environment and dependencies for running the Red Hat Dependency Analytics.
+These dockerfiles provides all nessesary components to generate images for Trustify Dependency Analytics.
+These images can be used as base images to set up the necessary environment and dependencies for running the Trustify Dependency Analytics.
 
 ## Prerequisites
 Before getting started, ensure that you have one of the following prerequisites installed on your system:
 
 - Docker: [Installation Guide](https://docs.docker.com/get-docker/)
 - Podman: [Installation Guide](https://podman.io/docs/installation)
 
-Both Docker and Podman are container runtimes that can be used to build and run the Red Hat Dependency Analytics images. You can choose either Docker or Podman based on your preference and the compatibility with your operating system.
+Both Docker and Podman are container runtimes that can be used to build and run the Trustify Dependency Analytics images. You can choose either Docker or Podman based on your preference and the compatibility with your operating system.
 
-## Images generated for Exhort Javascript API
+## Images generated for Trustify Dependency Analytics Javascript Client
 
 Ecosystem                     | Version                                                            | IMAGE                                           | TAG               |
 ------------------------------| ------------------------------------------------------------------ | ----------------------------------------------- |-------------------|
-Maven, NPM, Golang   | mvn 3.9.6, <br>npm 10.2.4, <br>go 1.21.5, <br>python \<any\>                                                                                                  |  quay.io/ecosystem-appeng/trustify-da-javascript-client | 0.1.1-ea.26      |
+Maven, NPM, Golang   | mvn 3.9.6, <br>npm 10.2.4, <br>go 1.21.5, <br>python \<any\>                                                                                                  |  ghcr.io/guacsec/trustify-da-javascript-client | 0.2.4-ea.12      |
 
 
 ## Usage Notes

docker-image/scripts/rhda.sh

@@ -19,11 +19,11 @@ then
 
   # Print stderr message to console
   error_message=$(sed -n '/^Error:/p' error.log)
-  printf "\n[ERROR] Red Hat Dependency Analytics failed with exit code $exit_code.\n$error_message"
+  printf "\n[ERROR] Trustify Dependency Analytics failed with exit code $exit_code.\n$error_message"
   exit 1
 else
 # In case of success print report summary into console
-printf "\nRed Hat Dependency Analytics Report\n"
+printf "\nTrustify Dependency Analytics Report\n"
 printf "=%.0s" {1..50}
 printf "\n"
 printf "Dependencies\n"

integration/scenarios/maven/expected_stack_html

@@ -196,7 +196,7 @@
             <th scope="col"># Transitive</th>
             <th scope="col">Highest CVSS</th>
             <th scope="col">Highest Severity</th>
-            <th scope="col">Red Hat remediation available</th>
+            <th scope="col">Remediation available</th>
         </tr>
         </thead>
         <tbody>
@@ -563,7 +563,7 @@
                 </button>
             </div>
             <div class="modal-body">
-                Click either VEX or SBOM to download the corresponding file type. You can also click the package name to view more information in Red Hat's Maven repository.
+                Click either VEX or SBOM to download the corresponding file type. You can also click the package name to view more information in Trusted Content's Maven repository.
             </div>
             <div class="modal-footer" style="justify-content: space-around">
                 <span id="vex"><a href="" target="_blank">VEX</a></span>