Tweak build process, fix CVEs, add Makefile (PR #5)

.github/workflows/docker-publish.yml

@@ -7,7 +7,8 @@ on:
   pull_request:
 
 env:
-  azul_docker_pycharm_version: 4  # increment this to update the OS packages
+  azul_docker_pycharm_version: 5  # increment this to update the OS packages
+  PYCHARM_VERSION: 2023.2.3
 
 jobs:
   build:
@@ -18,31 +19,30 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log into registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        if: >
+          github.event_name != 'pull_request'
+          && vars.DOCKERHUB_USERNAME
+        uses: docker/login-action@v3
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-      - name: Get the current branch name
-        run: echo "::set-output name=branch::${GITHUB_REF#refs/heads/}"
-        id: vars
-
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           build-args: |
             azul_docker_pycharm_version=${{ env.azul_docker_pycharm_version }}
+            PYCHARM_VERSION=${{ env.PYCHARM_VERSION }}
           context: .
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ vars.DOCKERHUB_REPOSITORY }}:${{ steps.vars.outputs.branch }}-${{ env.azul_docker_pycharm_version }}
+          tags: ${{ vars.DOCKERHUB_REPOSITORY }}:${{ env.PYCHARM_VERSION }}-${{ env.azul_docker_pycharm_version }}

Dockerfile

@@ -1,43 +1,51 @@
-FROM --platform=${TARGETPLATFORM} debian:bullseye-20230502
+FROM --platform=${TARGETPLATFORM} debian:bullseye-20231030
 
 ARG TARGETARCH
 
-LABEL maintainer "Viktor Adam <[email protected]>"
-LABEL maintainer "Azul Group <[email protected]>"
+LABEL maintainer="Azul Group <[email protected]>"
 
 ARG azul_docker_pycharm_version
 
 RUN \
   apt-get update \
   && apt-get upgrade -y \
   && apt-get install --no-install-recommends -y \
-    python3 python3-dev python3-setuptools python3-pip \
-    gcc git openssh-client less curl \
+    python3 python3-dev \
+    gcc git openssh-client less curl ca-certificates \
     libxtst-dev libxext-dev libxrender-dev libfreetype6-dev \
     libfontconfig1 libgtk2.0-0 libxslt1.1 libxxf86vm1 \
-  && rm -rf /var/lib/apt/lists/* \
-  && useradd -ms /bin/bash developer
-
-ARG PYCHARM_VERSION=2022.3.3
-ARG PYCHARM_BUILD=2022.3.3
-
-ARG pycharm_local_dir=.PyCharmCE${PYCHARM_VERSION}
+  && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /opt/pycharm
 
 SHELL ["/bin/bash", "-c"]
 
+ARG PYCHARM_VERSION
+
 RUN set -o pipefail \
   && export pycharm_arch=$(python3 -c "print(dict(amd64='',arm64='-aarch64')['${TARGETARCH}'])") \
-  && export pycharm_source="https://download.jetbrains.com/python/pycharm-community-${PYCHARM_BUILD}${pycharm_arch}.tar.gz" \
+  && export pycharm_source="https://download.jetbrains.com/python/pycharm-community-${PYCHARM_VERSION}${pycharm_arch}.tar.gz" \
   && echo "Downloading ${pycharm_source}" \
   && curl -fsSL "${pycharm_source}" -o installer.tgz \
   && tar --strip-components=1 -xzf installer.tgz \
   && rm installer.tgz
 
+# CVE-2021-23383 CVE-2021-23369 CVE-2019-19919 GHSA-q42p-pg8m-cqh6
+# GHSA-q2c6-c6pm-g3gh GHSA-g9r4-xpmj-mj65 GHSA-2cf5-4w76-r9qv CVE-2019-20920
+# GHSA-h6ch-v84p-w6p9⁠ CVE-2020-7712⁠
+RUN rm -rf /opt/pycharm/plugins/textmate
+
+# CVE-2023-24539 CVE-2023-24540 CVE-2023-29400 CVE-2023-29403 CVE-2023-39325
+# CVE-2023-44487 CVE-2021-21353⁠
+RUN rm /opt/pycharm/bin/repair
+
+RUN useradd -ms /bin/bash developer
+
 USER developer
 ENV HOME /home/developer
 
+ARG pycharm_local_dir=.PyCharmCE${PYCHARM_VERSION}
+
 RUN mkdir /home/developer/.PyCharm \
   && ln -sf /home/developer/.PyCharm "/home/developer/$pycharm_local_dir"
 

Makefile

@@ -0,0 +1,24 @@
+SHELL=/bin/bash
+registry_port=5000
+
+all:
+
+start_registry:
+	 docker run \
+ 		--rm \
+ 		--detach \
+ 		--publish $(registry_port):5000 \
+ 		--name registry registry:2.7
+
+check_registry:
+	@curl --fail http://localhost:$(registry_port)/ \
+		|| { echo "Run 'make start_registry' first" ; false ; }
+
+images: check_registry
+	DOCKER_HOST=$$(docker context inspect --format '{{.Endpoints.docker.Host}}') \
+	act \
+		--var DOCKERHUB_REPOSITORY="localhost:$(registry_port)/docker.io/ucscgi/azul-pycharm" \
+		push
+
+stop_registry:
+	 docker stop registry

README.md

@@ -24,3 +24,22 @@ Project folders need to be mounted like `-v ~/Project:/home/developer/Project`.
 The actual name can be anything - I used something random to be able to start multiple instances if needed.
 
 To use `pip`, either use the terminal in PyCharm or install from the terminal from inside the container like `docker exec -it pycharm-running bash` then install using **pip**.
+
+### Azul Notes
+
+Changes can be tested locally. You would need `make`, `curl`, Docker Desktop and 
+[act](https://github.com/nektos/act). For example:
+
+```
+brew install act
+act # the first invocation is to interactively configure `act`
+make start_registry
+make images
+# scroll up in terminal output, note image name
+# |   "image.name": "localhost:5000/docker.io/ucscgi/azul-pycharm:2023.2.3-5"
+docker pull localhost:5000/docker.io/ucscgi/azul-pycharm:2023.2.3-5
+# You could now examine the image for vulnerabilities in Docker Desktop and/or
+# test the image in Azul:
+cd ../azul; azul_docker_pycharm_version=2023.2.3-5 azul_docker_registry=localhost:5000/ make format
+make stop_registry
+```