[SYSE-363 release-5.3] May template application

[alephnull]

User description

• Do not maintain release-4-lts anymore
• Build faster
• Distroless based images
• upgrade tests have incorrect conditional

---

PR Type

enhancement, tests

---

Description

• Updated GitHub Actions workflow to improve CI/CD pipeline by adjusting metadata step IDs and modifying Docker commands.
• Added a new job for building distroless Docker images, enhancing the deployment options for tyk-gateway.
• Introduced a new Dockerfile specifically for creating distroless images, following best practices for secure and minimalistic containers.

---

Changes walkthrough 📝

Relevant files

Enhancement

release.yml Enhancements and Fixes in GitHub Actions Workflow                .github/workflows/release.yml Updated Docker metadata step IDs and output tags to use 'ci_metadata' instead of 'metadata'. Changed the Docker run command to skip signing instead of snapshot signing. Updated the container version used in the test-controller-api job from v1.7 to v1.8. Added handling for a new output 'api_cache_db' in test-controller-api and included it in the Docker compose setup. Introduced a new job 'distroless' to build distroless images of the tyk-gateway. +66/-8    Dockerfile.distroless New Distroless Dockerfile for Tyk Gateway                                ci/Dockerfile.distroless Created a new Dockerfile for building distroless images of tyk-gateway. Uses multi-stage builds starting from 'debian:bookworm-slim' and moving to 'gcr.io/distroless/base-debian12:nonroot'. Copies installed gateway from the Debian stage to the distroless stage. +20/-0

---

💡 PR-Agent usage:
Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

[github-actions]

API Changes

no api changes detected

[github-actions]

PR Description updated to latest commit (170944a)

[github-actions]

PR Review 🔍

⏱️ Estimated effort to review [1-5]	4, due to the complexity and breadth of changes across multiple files and configurations, including GitHub Actions workflows and Dockerfiles. The reviewer needs to understand CI/CD pipelines, Docker, and possibly the specifics of the application being deployed.
🧪 Relevant tests	No
⚡ Possible issues	Possible Bug: The docker compose commands in the release.yml file now include a new file ${{ matrix.cache_db }}.yml which is expected to be present. If this file is not properly set up or missing, it could cause the Docker compose process to fail.
🔒 Security concerns	No

Code feedback:

---

relevant file	.github/workflows/release.yml
suggestion	Consider adding error handling or checks to ensure that the ${{ matrix.cache_db }}.yml file exists before attempting to use it in docker compose commands. This can prevent runtime errors during the CI/CD process. [important]
relevant line	docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml -f ${{ matrix.cache_db }}.yml --env-file versions.env --profile master-datacenter up --quiet-pull -d

---

relevant file	.github/workflows/release.yml
suggestion	Ensure that the Docker login actions for DockerHub and Cloudsmith are securely handled, especially in public repositories, to prevent unauthorized access. Using GitHub secrets is recommended, but additional security audits could be beneficial. [important]
relevant line	uses: docker/login-action@v3

---

relevant file	ci/Dockerfile.distroless
suggestion	Optimize the Dockerfile by cleaning up unnecessary packages and files after installation to reduce the image size. This can be done by adding apt-get clean and removing the /var/lib/apt/lists/* after package installation. [medium]
relevant line	RUN dpkg -i /tyk-gateway*${TARGETARCH}.deb && rm /*.deb

---

relevant file	ci/Dockerfile.distroless
suggestion	To enhance security, consider using a more specific base image that only includes the necessary dependencies for tyk-gateway, or further minimize the current base image. [medium]
relevant line	FROM debian:bookworm-slim as DEB

---

[github-actions]

PR Code Suggestions ✨

Category	Suggestion	Score
Possible bug	Correct the syntax error in the goreleaser command The goreleaser command in the workflow might fail due to a misplaced quote and a typo in the flag --skip=sign. It should be --skip-sign for the correct syntax. .github/workflows/release.yml [86] -goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build.sh +goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip-sign' || '' }} | tee /tmp/build.sh Suggestion importance[1-10]: 10 Why: The suggestion correctly identifies and fixes a critical syntax error in the goreleaser command, which is essential for the correct operation of the deployment pipeline.	10
	Remove the extraneous quote from the docker compose command The docker compose command includes an extra quote at the end of the command which might cause a syntax error when executing the pipeline. .github/workflows/release.yml [319] +docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml -f ${{ matrix.cache_db }}.yml --env-file versions.env --profile all logs | sort > ${{ github.workspace }}/docker-compose.log - Suggestion importance[1-10]: 10 Why: The suggestion accurately points out and corrects an extraneous quote in the docker compose command, which could potentially cause a syntax error during execution.	10
Best practice	Ensure the cache_db configuration file exists before using it in docker compose commands The docker compose commands for setting up environments do not check if the cache_db configuration file exists before attempting to use it, which could cause the command to fail. .github/workflows/release.yml [258] -docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml -f ${{ matrix.cache_db }}.yml --env-file versions.env --profile master-datacenter up --quiet-pull -d +if [ -f ${{ matrix.cache_db }}.yml ]; then + docker compose -p auto -f pro-ha.yml -f deps_pro-ha.yml -f ${{ matrix.db }}.yml -f ${{ matrix.cache_db }}.yml --env-file versions.env --profile master-datacenter up --quiet-pull -d +else + echo "Cache DB configuration file missing." +fi Suggestion importance[1-10]: 8 Why: This suggestion improves the reliability of the deployment process by ensuring that necessary configuration files are present before attempting to use them, which is a best practice in deployment scripts.	8
Enhancement	Add a conditional check to ensure cache_db is populated before use The new cache_db output is added to the workflow but there's no validation to ensure it's populated correctly before it's used, which could lead to runtime errors if it's empty or incorrect. .github/workflows/release.yml [171] cache_db: ${{ steps.params.outputs.api_cache_db }} +if: ${{ steps.params.outputs.api_cache_db != '' }} Suggestion importance[1-10]: 7 Why: Adding a conditional check is a good enhancement for robustness, ensuring that the cache_db is populated before it's used, thus preventing potential runtime errors.	7

[github-actions]

💥 CI tests failed 🙈

git-state

all ok

Please look at the run or in the Checks tab.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud