feat: pin container image digest in compose (#5)

miracum · Jul 4, 2022 · 02f966c · 02f966c
1 parent 9766900
commit 02f966c
Show file tree

Hide file tree

Showing 6 changed files with 260 additions and 12 deletions.
diff --git a/docker-compose/docker-compose.probe.yaml b/docker-compose/docker-compose.probe.yaml
@@ -1,6 +1,6 @@
 services:
   health-probes:
-    image: docker.io/curlimages/curl:7.83.1
+    image: docker.io/curlimages/curl:7.84.0@sha256:5a2a25d96aa941ea2fc47acc50122f7c3d007399a075df61a82d6d2c3a567a2b
     ipc: private
     security_opt:
       - "no-new-privileges:true"

diff --git a/docker-compose/docker-compose.staging.yaml b/docker-compose/docker-compose.staging.yaml
@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: traefik:v2.8.0
+    image: docker.io/library/traefik:v2.8.0@sha256:e2ba68ab66797f6a89b49e389d9d77bfd7118bd07f17daa2042c03861d8d2ace
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -22,7 +22,7 @@ services:
           memory: 128m
 
   omopdb:
-    image: ghcr.io/miracum/recruit/omop-cdm-test-db:v4.0.0
+    image: ghcr.io/miracum/recruit/omop-cdm-test-db:v4.0.0@sha256:00be4b12281795318fc5674e6007fd59500c86f443147132546a2b46a4d40f64
     restart: unless-stopped
     ipc: private
     security_opt:
@@ -35,7 +35,7 @@ services:
           memory: 2048m
 
   ohdsi-webapi:
-    image: docker.io/ohdsi/webapi:2.11.1
+    image: docker.io/ohdsi/webapi:2.11.1@sha256:9bcb5003e6504669b53c94f3e0b4aa6ad9b5c78741f772ca402579632ce64fb3
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -76,7 +76,7 @@ services:
       - "traefik.http.routers.ohdsi-webapi.entrypoints=web"
 
   ohdsi-atlas:
-    image: docker.io/ohdsi/atlas:2.11.1
+    image: docker.io/ohdsi/atlas:2.11.1@sha256:36df31ecd1c92f2f2d66535ff759e7626545179696a3f291f35dc75c14017564
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -99,7 +99,7 @@ services:
       - "traefik.http.routers.ohdsi-atlas.entrypoints=web"
 
   fhir:
-    image: docker.io/hapiproject/hapi:v6.0.1
+    image: docker.io/hapiproject/hapi:v6.0.1@sha256:63c98d8be3dadc77b47dca3115490f22bf99512f363f779f7bbcb42f569aeac3
     restart: unless-stopped
     cap_drop:
       - ALL
@@ -136,7 +136,7 @@ services:
       - "traefik.http.routers.fhir.entrypoints=web"
 
   fhir-db:
-    image: docker.io/library/postgres:14.4
+    image: docker.io/library/postgres:14.4@sha256:4ba3b78788bb284687376b9c1e0565b245375ddee0fe14cef25e315b6bd88b1a
     restart: unless-stopped
     deploy:
       resources:
@@ -151,7 +151,7 @@ services:
       POSTGRES_DB: fhir
 
   maildev:
-    image: docker.io/maildev/maildev:2.0.5
+    image: docker.io/maildev/maildev:2.0.5@sha256:082ec5ee92266c6e17493998ff1bf1c3eb70604b159fbeeaa435ee777f5cc953
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -173,7 +173,7 @@ services:
       - "traefik.http.routers.maildev.entrypoints=web"
 
   keycloak:
-    image: quay.io/keycloak/keycloak:15.1.1
+    image: quay.io/keycloak/keycloak:15.1.1@sha256:abade9a9cf985b454b30a9119183e62a0018ec546c8fc4fbd8572457afb4a666
     restart: unless-stopped
     cap_drop:
       - ALL

diff --git a/docker-compose/docker-compose.yaml b/docker-compose/docker-compose.yaml
@@ -1,6 +1,6 @@
 services:
   list:
-    image: ghcr.io/miracum/recruit/list:v2.15.4
+    image: ghcr.io/miracum/recruit/list:v2.15.4@sha256:c63f67666869b1cba9d5b7f958f0ef3c4797499407c2d0e0684ecfa976bb90f0
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -29,7 +29,7 @@ services:
       - ${NOTIFY_RULES_CONFIG_PATH:?}:/etc/rules.yaml:ro
 
   query:
-    image: ghcr.io/miracum/recruit/query:v3.16.2
+    image: ghcr.io/miracum/recruit/query:v3.16.2@sha256:121f13d9df05791024b5e4659570bbe0a2a9fbcfc2cf066d29325d240b4b4dcd
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -65,7 +65,7 @@ services:
       QUERY_COHORTSIZETHRESHOLD: ${QUERY_COHORTSIZETHRESHOLD:-100}
 
   notify:
-    image: ghcr.io/miracum/recruit/notify:v3.2.4
+    image: ghcr.io/miracum/recruit/notify:v3.2.4@sha256:0a3a2fffec7bca9a41ce1c762a2180bfa03bd64bae3f741515ead4fc48156050
     restart: unless-stopped
     ipc: none
     security_opt:

diff --git a/fhir-ig/_gencontinuous.bat b/fhir-ig/_gencontinuous.bat
@@ -0,0 +1,2 @@
+@ECHO OFF
+CALL ./_genonce.bat -watch
diff --git a/fhir-ig/_genonce.bat b/fhir-ig/_genonce.bat
@@ -0,0 +1,27 @@
+@ECHO OFF
+SET publisher_jar=publisher.jar
+SET input_cache_path=%CD%\input-cache
+
+ECHO Checking internet connection...
+PING tx.fhir.org -4 -n 1 -w 1000 | FINDSTR TTL && GOTO isonline
+ECHO We're offline...
+SET txoption=-tx n/a
+GOTO igpublish
+
+:isonline
+ECHO We're online
+SET txoption=
+
+:igpublish
+
+SET JAVA_TOOL_OPTIONS=-Dfile.encoding=UTF-8
+
+IF EXIST "%input_cache_path%\%publisher_jar%" (
+	JAVA -jar "%input_cache_path%\%publisher_jar%" -ig . %txoption% %*
+) ELSE If exist "..\%publisher_jar%" (
+	JAVA -jar "..\%publisher_jar%" -ig . %txoption% %*
+) ELSE (
+	ECHO IG Publisher NOT FOUND in input-cache or parent folder.  Please run _updatePublisher.  Aborting...
+)
+
+PAUSE
diff --git a/fhir-ig/_updatePublisher.bat b/fhir-ig/_updatePublisher.bat
@@ -0,0 +1,219 @@
+@ECHO OFF
+
+SETLOCAL
+
+SET dlurl=https://github.com/HL7/fhir-ig-publisher/releases/latest/download/publisher.jar
+SET publisher_jar=publisher.jar
+SET input_cache_path=%CD%\input-cache\
+SET skipPrompts=false
+
+SET scriptdlroot=https://raw.githubusercontent.com/HL7/ig-publisher-scripts/main
+SET update_bat_url=%scriptdlroot%/_updatePublisher.bat
+SET gen_bat_url=%scriptdlroot%/_genonce.bat
+SET gencont_bat_url=%scriptdlroot%/_gencontinuous.bat
+SET gencont_sh_url=%scriptdlroot%/_gencontinuous.sh
+SET gen_sh_url=%scriptdlroot%/_genonce.sh
+SET update_sh_url=%scriptdlroot%/_updatePublisher.sh
+
+IF "%~1"=="/f" SET skipPrompts=y
+
+
+ECHO.
+ECHO Checking internet connection...
+PING tx.fhir.org -4 -n 1 -w 1000 | FINDSTR TTL && GOTO isonline
+ECHO We're offline, nothing to do...
+GOTO end
+
+:isonline
+ECHO We're online
+
+
+:processflags
+SET ARG=%1
+IF DEFINED ARG (
+	IF "%ARG%"=="-f" SET FORCE=true
+	IF "%ARG%"=="--force" SET FORCE=true
+	SHIFT
+	GOTO processflags
+)
+
+FOR %%x IN ("%CD%") DO SET upper_path=%%~dpx
+
+ECHO.
+IF NOT EXIST "%input_cache_path%%publisher_jar%" (
+	IF NOT EXIST "%upper_path%%publisher_jar%" (
+		SET jarlocation="%input_cache_path%%publisher_jar%"
+		SET jarlocationname=Input Cache
+		ECHO IG Publisher is not yet in input-cache or parent folder.
+		REM we don't use jarlocation below because it will be empty because we're in a bracketed if statement
+		GOTO create
+	) ELSE (
+		ECHO IG Publisher FOUND in parent folder
+		SET jarlocation="%upper_path%%publisher_jar%"
+		SET jarlocationname=Parent folder
+		GOTO upgrade
+	)
+) ELSE (
+	ECHO IG Publisher FOUND in input-cache
+	SET jarlocation="%input_cache_path%%publisher_jar%"
+	SET jarlocationname=Input Cache
+	GOTO upgrade
+)
+
+:create
+IF DEFINED FORCE (
+	MKDIR "%input_cache_path%" 2> NUL
+	GOTO download
+)
+
+IF "%skipPrompts%"=="y" (
+	SET create=Y
+) ELSE (
+	SET /p create="Ok? (Y/N) "
+)
+IF /I "%create%"=="Y" (
+	ECHO Will place publisher jar here: %input_cache_path%%publisher_jar%
+	MKDIR "%input_cache_path%" 2> NUL
+	GOTO download
+)
+GOTO done
+
+:upgrade
+IF "%skipPrompts%"=="y" (
+	SET overwrite=Y
+) ELSE (
+	SET /p overwrite="Overwrite %jarlocation%? (Y/N) "
+)
+
+IF /I "%overwrite%"=="Y" (
+	GOTO download
+)
+GOTO done
+
+:download
+ECHO Downloading most recent publisher to %jarlocationname% - it's ~100 MB, so this may take a bit
+
+FOR /f "tokens=4-5 delims=. " %%i IN ('ver') DO SET VERSION=%%i.%%j
+IF "%version%" == "10.0" GOTO win10
+IF "%version%" == "6.3" GOTO win8.1
+IF "%version%" == "6.2" GOTO win8
+IF "%version%" == "6.1" GOTO win7
+IF "%version%" == "6.0" GOTO vista
+
+ECHO Unrecognized version: %version%
+GOTO done
+
+:win10
+CALL POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%dlurl%\",\"%jarlocation%\") } else { Invoke-WebRequest -Uri "%dlurl%" -Outfile "%jarlocation%" }
+
+GOTO done
+
+:win7
+rem this may be triggering the antivirus - bitsadmin.exe is a known threat
+rem CALL bitsadmin /transfer GetPublisher /download /priority normal "%dlurl%" "%jarlocation%"
+
+rem this didn't work in win 10
+rem CALL Start-BitsTransfer /priority normal "%dlurl%" "%jarlocation%"
+
+rem this should work - untested
+call (New-Object Net.WebClient).DownloadFile('%dlurl%', '%jarlocation%')
+GOTO done
+
+:win8.1
+:win8
+:vista
+GOTO done
+
+
+
+:done
+
+
+
+
+ECHO.
+ECHO Updating scripts
+IF "%skipPrompts%"=="y" (
+	SET updateScripts=Y
+) ELSE (
+	SET /p updateScripts="Update scripts? (Y/N) "
+)
+IF /I "%updateScripts%"=="Y" (
+	GOTO scripts
+)
+GOTO end
+
+
+:scripts
+
+REM Download all batch files (and this one with a new name)
+
+SETLOCAL DisableDelayedExpansion
+
+
+
+:dl_script_1
+ECHO Updating _updatePublisher.sh
+call POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%update_sh_url%\",\"_updatePublisher.new.sh\") } else { Invoke-WebRequest -Uri "%update_sh_url%" -Outfile "_updatePublisher.new.sh" }
+if %ERRORLEVEL% == 0 goto upd_script_1
+echo "Errors encountered during download: %errorlevel%"
+goto dl_script_2
+:upd_script_1
+start copy /y "_updatePublisher.new.sh" "_updatePublisher.sh" ^&^& del "_updatePublisher.new.sh" ^&^& exit
+
+
+:dl_script_2
+ECHO Updating _genonce.bat
+call POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%gen_bat_url%\",\"_genonce.new.bat\") } else { Invoke-WebRequest -Uri "%gen_bat_url%" -Outfile "_genonce.bat" }
+if %ERRORLEVEL% == 0 goto upd_script_2
+echo "Errors encountered during download: %errorlevel%"
+goto dl_script_3
+:upd_script_2
+start copy /y "_genonce.new.bat" "_genonce.bat" ^&^& del "_genonce.new.bat" ^&^& exit
+
+:dl_script_3
+ECHO Updating _gencontinuous.bat
+call POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%gencont_bat_url%\",\"_gencontinuous.new.bat\") } else { Invoke-WebRequest -Uri "%gencont_bat_url%" -Outfile "_gencontinuous.bat" }
+if %ERRORLEVEL% == 0 goto upd_script_3
+echo "Errors encountered during download: %errorlevel%"
+goto dl_script_4
+:upd_script_3
+start copy /y "_gencontinuous.new.bat" "_gencontinuous.bat" ^&^& del "_gencontinuous.new.bat" ^&^& exit
+
+
+:dl_script_4
+ECHO Updating _genonce.sh
+call POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%gen_sh_url%\",\"_genonce.new.sh\") } else { Invoke-WebRequest -Uri "%gen_sh_url%" -Outfile "_genonce.sh" }
+if %ERRORLEVEL% == 0 goto upd_script_4
+echo "Errors encountered during download: %errorlevel%"
+goto dl_script_5
+:upd_script_4
+start copy /y "_genonce.new.sh" "_genonce.sh" ^&^& del "_genonce.new.sh" ^&^& exit
+
+:dl_script_5
+ECHO Updating _gencontinuous.sh
+call POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%gencont_sh_url%\",\"_gencontinuous.new.sh\") } else { Invoke-WebRequest -Uri "%gencont_sh_url%" -Outfile "_gencontinuous.sh" }
+if %ERRORLEVEL% == 0 goto upd_script_5
+echo "Errors encountered during download: %errorlevel%"
+goto dl_script_6
+:upd_script_5
+start copy /y "_gencontinuous.new.sh" "_gencontinuous.sh" ^&^& del "_gencontinuous.new.sh" ^&^& exit
+
+
+
+:dl_script_6
+ECHO Updating _updatePublisher.bat
+call POWERSHELL -command if ('System.Net.WebClient' -as [type]) {(new-object System.Net.WebClient).DownloadFile(\"%update_bat_url%\",\"_updatePublisher.new.bat\") } else { Invoke-WebRequest -Uri "%update_bat_url%" -Outfile "_updatePublisher.new.bat" }
+if %ERRORLEVEL% == 0 goto upd_script_6
+echo "Errors encountered during download: %errorlevel%"
+goto end
+:upd_script_6
+start copy /y "_updatePublisher.new.bat" "_updatePublisher.bat" ^&^& del "_updatePublisher.new.bat" ^&^& exit
+
+
+:end
+
+
+IF "%skipPrompts%"=="true" (
+  PAUSE
+)