From 61799ba532cf6ac58259de4cc9cc1a7fa21d2a2f Mon Sep 17 00:00:00 2001
From: Samuel Huang
Date: Sat, 5 Oct 2024 21:59:14 +1000
Subject: [PATCH] Trivy Compliant, Action full SHA, cat file warnnings
---
 .github/workflows/docker-buildx-dev.yml | 10 +++++-----
 .github/workflows/docker-buildx-latest.yml | 10 +++++-----
 server-nginx.sh | 13 ++++++-------
 3 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/docker-buildx-dev.yml b/.github/workflows/docker-buildx-dev.yml
index 9751df1..4fdac41 100644
--- a/.github/workflows/docker-buildx-dev.yml
+++ b/.github/workflows/docker-buildx-dev.yml
@@ -15,18 +15,18 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 ref: ${{ github.ref }}
 -
 name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 with:
 platforms: all
 -
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 with:
 version: latest
 -
@@ -34,13 +34,13 @@ jobs:
 run: echo ${{ steps.buildx.outputs.platforms }}
 -
 name: Login to DockerHub
- uses: docker/login-action@v1
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 -
 name: Build and push multi-arch dev
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 context: .
 file: ./Dockerfile
diff --git a/.github/workflows/docker-buildx-latest.yml b/.github/workflows/docker-buildx-latest.yml
index 06ac0af..5415b16 100644
--- a/.github/workflows/docker-buildx-latest.yml
+++ b/.github/workflows/docker-buildx-latest.yml
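Review bot: The Buildx step keeps `version: latest` under the newly pinned `docker/setup-buildx-action`, so the action code is fixed to a commit but the buildx release it resolves is still whatever is current at run time. For the pinning to cover the build toolchain as well, set the input to an explicit release, e.g. `version: <PINNED_BUILDX_VERSION>`, and bump it together with the SHAs. The same line appears in the first hunk of `.github/workflows/docker-buildx-latest.yml`. The `# vX.Y.Z` comments are annotations only; an automated updater is what keeps SHA and comment in step, and none is visible in this patch.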
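Review bot: `docker/build-push-action` jumps four major versions in this step (`@v2` to the commit annotated `v6.9.0`), and releases from v4 on attach a provenance attestation to pushed images by default, which changes the shape of the manifest published to Docker Hub. The rest of the `with:` block lies outside the hunk, so whether `provenance` is set is not visible; decide it explicitly (keep the attestation, or `provenance: false` if a consumer cannot handle the extra manifest) rather than inheriting the new default silently. The same applies to the second hunk of `.github/workflows/docker-buildx-latest.yml`.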
@@ -15,18 +15,18 @@ jobs:
 steps:
 -
 name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 with:
 ref: ${{ github.ref }}
 -
 name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 with:
 platforms: all
 -
 name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 with:
 version: latest
 -
@@ -34,13 +34,13 @@ jobs:
 run: echo ${{ steps.buildx.outputs.platforms }}
 -
 name: Login to DockerHub
- uses: docker/login-action@v1
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 -
 name: Build and push multi-arch latest
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 context: .
 file: ./Dockerfile
diff --git a/server-nginx.sh b/server-nginx.sh
index 51ed325..489beeb 100755
--- a/server-nginx.sh
+++ b/server-nginx.sh
@@ -180,13 +180,12 @@ do
 ESC_CERTFILE=$(printf '%s\n' "${fullchain}" | sed -e 's/[]\/$*.^[]/\\&/g')
 ESC_PRVKEYFILE=$(printf '%s\n' "${prvkey}" | sed -e 's/[]\/$*.^[]/\\&/g')
- cat "${SITE_TPL}" \
- | sed "s/CERTFILE/${ESC_CERTFILE}/g" \
- | sed "s/PRVKEYFILE/${ESC_PRVKEYFILE}/g" \
- | sed "s/NGDOMAIN/${site_domain}/g" \
- | sed "s/NGPORT/${port}/g" \
- | sed "s/NGPROTOCOL/${NGPROTOCOL}/g" \
- >"${site_domain}.conf"
+ cp -a "${SITE_TPL}" "${site_domain}.conf"
+ sed -i "s/CERTFILE/${ESC_CERTFILE}/g" "${site_domain}.conf"
+ sed -i "s/PRVKEYFILE/${ESC_PRVKEYFILE}/g" "${site_domain}.conf"
+ sed -i "s/NGDOMAIN/${site_domain}/g" "${site_domain}.conf"
+ sed -i "s/NGPORT/${port}/g" "${site_domain}.conf"
+ sed -i "s/NGPROTOCOL/${NGPROTOCOL}/g" "${site_domain}.conf"
 # Applying proxy log format instead of main format when --ng-server proxy_pass was set
 if [ -n "${NGPROTOCOL}" ]; then
 sed -i '/access_log/s/main/proxy/' "${site_domain}.conf"
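Review bot: `site_domain`, `port` and `NGPROTOCOL` are still interpolated unescaped into the `sed` replacement on the last three added lines, whereas the certificate paths just above are escaped first; a `/`, `&` or `\` in any of them changes the sed program or the text written into the nginx config. Where these values come from is not visible in the hunk, so this matters most if they are taken from command-line or environment input. Escaping them and doing the substitution in one `sed` pass that reads `${SITE_TPL}` also removes the `cat` warning without `cp -a`, which makes the generated file inherit the template's mode and ownership and leaves a half-substituted config behind if a later `sed -i` fails. The enclosing loop starts and ends outside the hunk.

```shell
# … unchanged: ESC_CERTFILE / ESC_PRVKEYFILE assignments …
ESC_DOMAIN=$(printf '%s\n' "${site_domain}" | sed -e 's|[\\/&]|\\&|g')
ESC_PORT=$(printf '%s\n' "${port}" | sed -e 's|[\\/&]|\\&|g')
ESC_PROTOCOL=$(printf '%s\n' "${NGPROTOCOL}" | sed -e 's|[\\/&]|\\&|g')
sed -e "s/CERTFILE/${ESC_CERTFILE}/g" \
    -e "s/PRVKEYFILE/${ESC_PRVKEYFILE}/g" \
    -e "s/NGDOMAIN/${ESC_DOMAIN}/g" \
    -e "s/NGPORT/${ESC_PORT}/g" \
    -e "s/NGPROTOCOL/${ESC_PROTOCOL}/g" \
    "${SITE_TPL}" >"${site_domain}.conf"
# … unchanged: access_log format switch …
```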