diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml index c09e13ff..590e90cf 100644 --- a/.github/workflows/push-docker.yml +++ b/.github/workflows/push-docker.yml @@ -108,22 +108,29 @@ jobs: env: DIGEST: ${{ steps.build-push-regular.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | # Always sign images regardless of branch echo "$TAGS" | tr ',' '\n' | while read -r tag; do - cosign sign --yes "${tag}@${DIGEST}" + cosign sign --yes \ + --key env://COSIGN_PRIVATE_KEY \ + "${tag}@${DIGEST}" done - + # For alpha builds specifically, we want to ensure they're marked as development builds if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then echo "Signing alpha build with development attestation" echo "$TAGS" | tr ',' '\n' | while read -r tag; do if [[ $tag == *":alpha" ]]; then - cosign attest --predicate <(echo '{"type":"development"}') --yes "${tag}@${DIGEST}" + cosign attest --key env://COSIGN_PRIVATE_KEY \ + --predicate <(echo '{"type":"development"}') \ + --yes "${tag}@${DIGEST}" fi done fi + - name: Generate tags ultra-lite id: meta2 uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1 @@ -144,7 +151,7 @@ jobs: if: github.ref != 'refs/heads/main' with: context: . - file: ./Dockerfile-ultra-lite + file: ./Dockerfile.ultra-lite push: true cache-from: type=gha cache-to: type=gha,mode=max @@ -160,9 +167,11 @@ jobs: env: DIGEST: ${{ steps.build-push-lite.outputs.digest }} TAGS: ${{ steps.meta2.outputs.tags }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | echo "$TAGS" | tr ',' '\n' | while read -r tag; do - cosign sign --yes "${tag}@${DIGEST}" + cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}" done - name: Generate tags fat 
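Review bot: The regular-image signing step (hunk at -108) passes `--key env://COSIGN_PRIVATE_KEY` to `cosign sign` and `cosign attest` without first checking that the secret is set. GitHub Actions expands a missing secret to an empty string, so a missing or unavailable secret would presumably only surface as a key-loading error from cosign inside the loop. A guard as the first line of the `run:` script makes that failure explicit: `: "${COSIGN_PRIVATE_KEY:?COSIGN_PRIVATE_KEY secret is not set}"`. The same applies to the ultra-lite and fat signing steps (hunks at -160 and -202). Because signing now depends on a long-lived key, a comment such as `# Key-based signing: verify with the published cosign public key (see <location of cosign.pub>)` would tell consumers what to verify against; the step itself begins above the hunk.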
@@ -186,7 +195,7 @@ jobs: with: builder: ${{ steps.buildx.outputs.name }} context: . - file: ./Dockerfile-fat + file: ./Dockerfile.fat push: true cache-from: type=gha cache-to: type=gha,mode=max @@ -202,7 +211,9 @@ jobs: env: DIGEST: ${{ steps.build-push-fat.outputs.digest }} TAGS: ${{ steps.meta3.outputs.tags }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} run: | echo "$TAGS" | tr ',' '\n' | while read -r tag; do - cosign sign --yes "${tag}@${DIGEST}" + cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${tag}@${DIGEST}" done diff --git a/DeveloperGuide.md b/DeveloperGuide.md index d9668279..ac0004ff 100644 --- a/DeveloperGuide.md +++ b/DeveloperGuide.md @@ -86,8 +86,8 @@ Stirling-PDF/ │ └── SPDF/ ├── build.gradle # Gradle build configuration ├── Dockerfile # Main Dockerfile -├── Dockerfile-ultra-lite # Dockerfile for ultra-lite version -├── Dockerfile-fat # Dockerfile for fat version +├── Dockerfile.ultra-lite # Dockerfile for ultra-lite version +├── Dockerfile.fat # Dockerfile for fat version ├── docker-compose.yml # Docker Compose configuration └── test.sh # Test script to deploy all docker versions and run cuke tests ``` 
@@ -179,14 +179,14 @@ Stirling-PDF uses different Docker images for various configurations. The build For the ultra-lite version: ```bash - docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-ultra-lite -f ./Dockerfile-ultra-lite . + docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-ultra-lite -f ./Dockerfile.ultra-lite . ``` For the fat version (with security enabled): ```bash export DOCKER_ENABLE_SECURITY=true - docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-fat -f ./Dockerfile-fat . + docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-fat -f ./Dockerfile.fat . ``` Note: The `--no-cache` and `--pull` flags ensure that the build process uses the latest base images and doesn't use cached layers, which is useful for testing and ensuring reproducible builds. however to improve build times these can often be removed depending on your usecase diff --git a/Dockerfile b/Dockerfile index 63953434..900f4a40 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Main stage -FROM alpine:3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45 +FROM alpine:3.20.3 # Copy necessary files COPY scripts /scripts @@ -70,8 +70,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et # User permissions addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \ chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto /configs /customFiles /pipeline && \ - chown stirlingpdfuser:stirlingpdfgroup /app.jar && \ - tesseract --list-langs + chown stirlingpdfuser:stirlingpdfgroup /app.jar EXPOSE 8080/tcp diff --git a/Dockerfile-fat b/Dockerfile.fat similarity index 70% rename from Dockerfile-fat rename to Dockerfile.fat index 2d9cc944..1ee20176 100644 --- a/Dockerfile-fat +++ b/Dockerfile.fat 
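Review bot: `FROM alpine:3.20.3` in the first Dockerfile hunk drops the `@sha256:` digest that the replaced line carried. The base image is then resolved through a mutable tag, so a rebuild can pull different content with no change in the repository. Keep the digest when changing the version, e.g. `FROM alpine:3.20.3@sha256:<digest-of-alpine-3.20.3>` (placeholder; take the value from the registry). The main stage of Dockerfile.fat gets the same unpinned line, while the hunk header for Dockerfile.ultra-lite still shows `alpine:3.21.0@sha256:…`, so the three images would no longer share a base. If the move back to 3.20.3 is deliberate, a comment above the `FROM` line stating the reason would help the next reviewer.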
@@ -1,5 +1,5 @@ # Build the application -FROM gradle:8.12-jdk17 AS build +FROM gradle:8.11-jdk17 AS build # Set the working directory WORKDIR /app @@ -12,7 +12,7 @@ RUN DOCKER_ENABLE_SECURITY=true \ ./gradlew clean build # Main stage -FROM alpine:3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45 +FROM alpine:3.20.3 # Copy necessary files COPY scripts /scripts @@ -22,18 +22,6 @@ COPY --from=build /app/build/libs/*.jar app.jar ARG VERSION_TAG -LABEL org.opencontainers.image.title="Stirling-PDF" -LABEL org.opencontainers.image.description="A powerful locally hosted web-based PDF manipulation tool supporting 50+ operations including merging, splitting, conversion, OCR, watermarking, and more." -LABEL org.opencontainers.image.source="https://github.com/Stirling-Tools/Stirling-PDF" -LABEL org.opencontainers.image.licenses="MIT" -LABEL org.opencontainers.image.vendor="Stirling-Tools" -LABEL org.opencontainers.image.url="https://www.stirlingpdf.com" -LABEL org.opencontainers.image.documentation="https://docs.stirlingpdf.com" -LABEL maintainer="Stirling-Tools" -LABEL org.opencontainers.image.authors="Stirling-Tools" -LABEL org.opencontainers.image.version="${VERSION_TAG}" -LABEL org.opencontainers.image.keywords="PDF, manipulation, merge, split, convert, OCR, watermark" - # Set Environment Variables ENV DOCKER_ENABLE_SECURITY=false \ VERSION_TAG=$VERSION_TAG \ @@ -85,8 +73,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et # User permissions addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \ chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto /configs /customFiles /pipeline && \ - chown stirlingpdfuser:stirlingpdfgroup /app.jar && \ - tesseract --list-langs + chown stirlingpdfuser:stirlingpdfgroup /app.jar EXPOSE 8080/tcp 
diff --git a/Dockerfile-ultra-lite b/Dockerfile.ultra-lite similarity index 68% rename from Dockerfile-ultra-lite rename to Dockerfile.ultra-lite index 1d87253d..4953f338 100644 --- a/Dockerfile-ultra-lite +++ b/Dockerfile.ultra-lite @@ -3,18 +3,6 @@ FROM alpine:3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f8 ARG VERSION_TAG -LABEL org.opencontainers.image.title="Stirling-PDF" -LABEL org.opencontainers.image.description="A powerful locally hosted web-based PDF manipulation tool supporting 50+ operations including merging, splitting, conversion, OCR, watermarking, and more." -LABEL org.opencontainers.image.source="https://github.com/Stirling-Tools/Stirling-PDF" -LABEL org.opencontainers.image.licenses="MIT" -LABEL org.opencontainers.image.vendor="Stirling-Tools" -LABEL org.opencontainers.image.url="https://www.stirlingpdf.com" -LABEL org.opencontainers.image.documentation="https://docs.stirlingpdf.com" -LABEL maintainer="Stirling-Tools" -LABEL org.opencontainers.image.authors="Stirling-Tools" -LABEL org.opencontainers.image.version="${VERSION_TAG}" -LABEL org.opencontainers.image.keywords="PDF, manipulation, merge, split, convert, OCR, watermark" - # Set Environment Variables ENV DOCKER_ENABLE_SECURITY=false \ HOME=/home/stirlingpdfuser \ diff --git a/src/main/java/stirling/software/SPDF/config/security/CustomLogoutSuccessHandler.java b/src/main/java/stirling/software/SPDF/config/security/CustomLogoutSuccessHandler.java index 8d5aa76d..2d022864 100644 --- a/src/main/java/stirling/software/SPDF/config/security/CustomLogoutSuccessHandler.java +++ b/src/main/java/stirling/software/SPDF/config/security/CustomLogoutSuccessHandler.java 
@@ -219,9 +219,9 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler { // "https://accounts.google.com/Logout?continue=https://appengine.google.com/_ah/logout?continue=" // + response.encodeRedirectURL(redirect_url); log.info("Google does not have a specific logout URL"); - // log.info("Redirecting to Google logout URL: " + googleLogoutUrl); - // response.sendRedirect(googleLogoutUrl); - // break; + // log.info("Redirecting to Google logout URL: " + googleLogoutUrl); + // response.sendRedirect(googleLogoutUrl); + // break; default: String defaultRedirectUrl = request.getContextPath() + "/login?" + param; log.info("Redirecting to default logout URL: " + defaultRedirectUrl); diff --git a/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java b/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java index b4629020..3e478af2 100644 --- a/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java +++ b/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java @@ -167,8 +167,8 @@ public class AccountWebController { case "invalid_destination": erroroauth = "login.invalid_destination"; break; - // Valid InResponseTo was not available from the validation context, unable to - // evaluate + // Valid InResponseTo was not available from the validation context, unable to + // evaluate case "invalid_in_response_to": erroroauth = "login.invalid_in_response_to"; break; diff --git a/test.sh b/test.sh index 2ad25905..d789c6be 100644 --- a/test.sh +++ b/test.sh 
@@ -74,7 +74,7 @@ main() { # Building Docker images # docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest -f ./Dockerfile . - # docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-ultra-lite -f ./Dockerfile-ultra-lite . + # docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-ultra-lite -f ./Dockerfile.ultra-lite . # Test each configuration #run_tests "Stirling-PDF-Ultra-Lite" "./exampleYmlFiles/docker-compose-latest-ultra-lite.yml" @@ -94,8 +94,8 @@ main() { # Building Docker images with security enabled # docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest -f ./Dockerfile . - # docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-ultra-lite -f ./Dockerfile-ultra-lite . - docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-fat -f ./Dockerfile-fat . + # docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-ultra-lite -f ./Dockerfile.ultra-lite . + docker build --no-cache --pull --build-arg VERSION_TAG=alpha -t stirlingtools/stirling-pdf:latest-fat -f ./Dockerfile.fat . # Test each configuration with security diff --git a/test2.sh b/test2.sh index 61db7993..b33d2df8 100644 --- a/test2.sh +++ b/test2.sh @@ -65,7 +65,7 @@ build_and_test() { dockerfile_name="./Dockerfile" ;; ultra-lite) - dockerfile_name="./Dockerfile-ultra-lite" + dockerfile_name="./Dockerfile.ultra-lite" ;; esac