Bytter til distroless image og endrer til docker-build-push for å generere sbom ved bygging (#613)

* bytter til distroless image
* bytter til docker-build-push for å generere sbom

Author: mortenbyhring

.github/workflows/master.yml

@@ -12,11 +12,12 @@ env:
 
 jobs:
   # Label of the container job
-  build:
+  build_and_deploy:
     # You must use a Linux environment when using service containers or container jobs
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      contents: read
+      id-token: write
     # Service containers to run with `container-job`
     services:
       # Label used to access the service container
@@ -56,26 +57,18 @@ jobs:
         env:
           ORG_GRADLE_PROJECT_githubUser: x-access-token
           ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to GitHub Packages Docker Registry
-        uses: docker/login-action@v3
+
+      - name: Push docker image to GAR
+        uses: nais/docker-build-push@v0
+        id: docker-build-push
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and publish Docker image
-        run: |
-          docker build --tag ${IMAGE} .
-          docker push ${IMAGE}
+          team: helsearbeidsgiver
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
 
-  deploy:
-    name: Deploy to DEV
-    needs: build
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: nais/deploy/actions/deploy@v2
+      - name: Deploy to DEV
+        uses: nais/deploy/actions/deploy@v2
         env:
           CLUSTER: dev-gcp
           RESOURCE: deploy/dev.yml
+          VAR: image=${{ steps.docker-build-push.outputs.image }}

.github/workflows/prod.yml

@@ -9,11 +9,12 @@ env:
 
 jobs:
   # Label of the container job
-  build:
+  build_and_deploy_to_prod:
     # You must use a Linux environment when using service containers or container jobs
     runs-on: ubuntu-latest
     permissions:
-      packages: write
+      contents: read
+      id-token: write
     # Service containers to run with `container-job`
     services:
       # Label used to access the service container
@@ -53,26 +54,17 @@ jobs:
         env:
           ORG_GRADLE_PROJECT_githubUser: x-access-token
           ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }}
-      - name: Login to GitHub Packages Docker Registry
-        uses: docker/login-action@v3
+      - name: Push docker image to GAR
+        uses: nais/docker-build-push@v0
+        id: docker-build-push
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and publish Docker image
-        run: |
-          docker build --tag ${IMAGE} .
-          docker push ${IMAGE}
+          team: helsearbeidsgiver
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
 
-  deploy:
-    name: Deploy to PROD-GCP
-    needs: build
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: nais/deploy/actions/deploy@v2
+      - name: Deploy to PROD-GCP
+        uses: nais/deploy/actions/deploy@v2
         env:
           CLUSTER: prod-gcp
           RESOURCE: deploy/prod.yml
+          VAR: image=${{ steps.docker-build-push.outputs.image }}

Dockerfile

@@ -1,5 +1,6 @@
-FROM ghcr.io/navikt/baseimages/temurin:21
+FROM gcr.io/distroless/java21
 COPY build/libs/*.jar ./
-
-ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom \
-               -Dspring.profiles.active=remote"
+ENV JAVA_OPTS='-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp'
+ENV LANG='nb_NO.UTF-8' LANGUAGE='nb_NO:nb' LC_ALL='nb:NO.UTF-8' TZ="Europe/Oslo"
+ENTRYPOINT ["java", "-jar", "/app.jar"]
+EXPOSE 8080