fix: switch to alpine base image and upgrade pip

Replace python:3.12-slim (Debian) with python:3.12-alpine to reduce image size and eliminate 68 Debian-inherited CVEs. Upgrade pip to resolve CVE-2025-8869. Build deps installed temporarily for native extensions (cryptography) and removed after pip install. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix: bake source into container image for production builds
2026-02-24 12:54:16 +01:00 · 2026-02-23 22:54:42 +01:00 · 2026-02-22 08:45:52 +01:00 · 2026-02-22 08:26:30 +01:00 · 2026-02-22 08:24:47 +01:00 · 2026-02-22 08:20:20 +01:00
4 changed files with 99 additions and 8 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,83 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  lint:
+    runs-on: linux
+    container:
+      image: python:3.12-alpine
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache -q git
+          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
+            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+      - name: Install ruff
+        run: pip install --no-cache-dir -q ruff
+      - name: Lint
+        run: ruff check src/ tests/
+
+  test:
+    runs-on: linux
+    needs: [lint]
+    container:
+      image: python:3.12-alpine
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache -q git
+          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
+            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+      - name: Install deps
+        run: |
+          pip install --no-cache-dir -q -r requirements.txt
+          pip install --no-cache-dir -q pytest pytest-asyncio
+      - name: Test
+        run: PYTHONPATH=src pytest tests/ -v
+
+  secrets:
+    runs-on: linux
+    container:
+      image: alpine:latest
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache -q git curl
+          git clone --branch "${GITHUB_REF_NAME}" \
+            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+      - name: Install gitleaks
+        run: |
+          ARCH=$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+          VER=$(curl -sI https://github.com/gitleaks/gitleaks/releases/latest | grep -i location | grep -oE 'v[0-9.]+' | tr -d v)
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_${ARCH}.tar.gz" \
+            | tar xz -C /usr/local/bin/ gitleaks
+      - name: Scan for secrets
+        run: gitleaks detect --source . -v
+
+  build:
+    runs-on: linux
+    needs: [test, secrets]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    container:
+      image: docker:latest
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache -q git
+          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
+            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+      - name: Login to Harbor
+        run: echo "$HARBOR_PASS" | docker login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
+        env:
+          HARBOR_USER: ${{ secrets.HARBOR_USER }}
+          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
+      - name: Build and push
+        run: |
+          TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
+          LATEST="harbor.mymx.me/library/bouncer:latest"
+          docker build --push -t "$TAG" -t "$LATEST" -f Containerfile .
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,3 @@
+[allowlist]
+description = "Test fixture false positives"
+paths = ["tests/test_captcha\\.py"]
--- a/16
+++ b/16
@@ -1,19 +1,19 @@
-FROM python:3.12-slim
+FROM python:3.12-alpine

 WORKDIR /app

-RUN pip install --no-cache-dir \
-    "python-socks[asyncio]>=2.4" \
-    "aiosqlite>=0.19" \
-    "aiohttp>=3.9" \
-    "aiohttp-socks>=0.8" \
-    "cryptography>=41.0"
+COPY requirements.txt .
+RUN apk add --no-cache --virtual .build gcc musl-dev libffi-dev openssl-dev && \
+    pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt && \
+    apk del .build
+
+COPY src/ /app/src/

 ENV PYTHONUNBUFFERED=1
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONPATH=/app/src

-VOLUME /app/src
 VOLUME /data

 ENTRYPOINT ["python", "-m", "bouncer"]
--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,5 @@
+python-socks[asyncio]>=2.4
+aiosqlite>=0.19
+aiohttp>=3.9
+aiohttp-socks>=0.8
+cryptography>=41.0
Author	SHA1	Message	Date
user	2b893969d2	fix: switch to alpine base image and upgrade pip All checks were successful CI / secrets (push) Successful in 8s Details CI / lint (push) Successful in 11s Details CI / test (push) Successful in 26s Details CI / build (push) Successful in 31s Details Replace python:3.12-slim (Debian) with python:3.12-alpine to reduce image size and eliminate 68 Debian-inherited CVEs. Upgrade pip to resolve CVE-2025-8869. Build deps installed temporarily for native extensions (cryptography) and removed after pip install. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-24 12:54:16 +01:00
user	f9f38adadc	fix: bake source into container image for production builds All checks were successful CI / secrets (push) Successful in 9s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 24s Details CI / build (push) Successful in 21s Details Install deps from requirements.txt for better layer caching and COPY src/ into the image so pushed artifacts are self-contained. Remove VOLUME /app/src -- runtime config mount (/data) is sufficient. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 22:54:42 +01:00
user	f3eae9291b	fix: use docker build --push for buildx container driver All checks were successful CI / secrets (push) Successful in 9s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 26s Details CI / build (push) Successful in 17s Details Docker buildx with docker-container driver doesn't load images into the local daemon. Use --push to push directly during build. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:45:52 +01:00
user	5eb64d034e	fix: gitleaks version resolution and allowlist test fixtures Some checks failed CI / secrets (push) Successful in 9s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 26s Details CI / build (push) Failing after 28s Details Resolve gitleaks version dynamically via GitHub redirect. Add .gitleaks.toml to allowlist dummy hCaptcha sitekeys in test_captcha.py (false positives on test UUIDs). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:26:30 +01:00
user	18992c63e1	fix: resolve gitleaks version dynamically from GitHub API Some checks failed CI / secrets (push) Failing after 9s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 26s Details CI / build (push) Has been skipped Details The /releases/latest/download/ URL doesn't expand version in the filename. Query the redirect to resolve actual version first. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:24:47 +01:00
user	ed513251db	fix: run all CI jobs in containers via container directive Some checks failed CI / secrets (push) Failing after 9s Details CI / lint (push) Successful in 12s Details CI / test (push) Successful in 25s Details CI / build (push) Has been skipped Details The linux runner has no git/node on host and rootless podman lacks namespace privileges. Use container: directive for every job: alpine for secrets (gitleaks binary), docker:latest for build (docker socket mounted by runner). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:20:20 +01:00
user	f14d067779	fix: use alpine/git container for checkout on host jobs Some checks failed CI / secrets (push) Failing after 0s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 25s Details CI / build (push) Has been skipped Details The linux runner has podman but no git. Clone repos via alpine/git container for secrets and build host jobs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:15:42 +01:00
user	aae9b0f771	fix: replace all actions/checkout with git clone Some checks failed CI / secrets (push) Failing after 0s Details CI / lint (push) Successful in 11s Details CI / test (push) Successful in 26s Details CI / build (push) Has been skipped Details The linux runner (anvil) has no Node.js, so actions/checkout@v4 fails on every job. Use manual git clone consistently across all jobs — container and host alike. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:08:22 +01:00
user	e9c8290f9c	fix: run gitleaks via podman on host instead of container directive Some checks failed CI / secrets (push) Failing after 1s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 26s Details CI / build (push) Has been skipped Details The gitleaks image lacks a shell compatible with the runner's script injection. Use podman run with volume mount on the host instead, matching the proven s5p pattern. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 07:43:36 +01:00
user	875997aa45	fix: single-line git clone for gitleaks container Some checks failed CI / secrets (push) Failing after 4s Details CI / lint (push) Successful in 13s Details CI / test (push) Successful in 30s Details CI / build (push) Has been skipped Details Multiline run with backslash continuation gets corrupted inside the gitleaks container. Collapse to single line. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 07:12:11 +01:00
user	900813fc20	fix: replace actions/checkout with git clone in container jobs Some checks failed CI / secrets (push) Failing after 3s Details CI / lint (push) Successful in 12s Details CI / test (push) Successful in 26s Details CI / build (push) Has been skipped Details The alpine and gitleaks container images lack Node.js, which actions/checkout@v4 requires. Use manual git clone instead. Build job stays on host where actions/checkout works natively. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 07:07:12 +01:00
user	28f78567df	refactor: use native container directive for CI jobs Some checks failed CI / secrets (push) Failing after 4s Details CI / lint (push) Failing after 6s Details CI / test (push) Has been skipped Details CI / build (push) Has been skipped Details Replace manual podman run invocations with the runner's container: directive for lint, test, and secrets jobs. Cleaner step definitions, no volume mounts needed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 06:51:50 +01:00
user	2f7b82047d	feat: add Gitea CI pipeline with podman containers Some checks failed CI / lint (push) Failing after 2s Details CI / secrets (push) Failing after 2s Details CI / test (push) Has been skipped Details CI / build (push) Has been skipped Details Lint, test, secrets scan, and Harbor build/push jobs running on linux runner using ephemeral podman containers. Adds requirements.txt for container-based pip installs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 06:33:36 +01:00