[Draft]

.github/workflows/secrets-scan.yml

@@ -0,0 +1,33 @@
+name: Security Scan
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Gitleaks:
+    runs-on: [self-hosted, Linux, X64]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Scan With Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} 
+          GITLEAKS_CONFIG: '.github/gitleaks.toml'
+
+  Truffle:
+    runs-on: [self-hosted, Linux, X64]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0              
+      - name: Secret Scanning With Truffle
+        uses: trufflesecurity/trufflehog@main
+        with:
+          extra_args: --only-verified

Makefile

@@ -1,56 +1,33 @@
 .PHONY: help
 
-VERSION ?= `cat VERSION | grep elixir | cut -d' ' -f2`
-MAJ_VERSION := $(shell echo $(VERSION) | sed 's/\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.[0-9][0-9]*\)*/\1/')
-MIN_VERSION := $(shell echo $(VERSION) | sed 's/\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.[0-9][0-9]*\)*/\1.\2/')
-IMAGE_NAME ?= bitwalker/alpine-elixir-phoenix
+USER := 295819810554.dkr.ecr.ap-southeast-1.amazonaws.com/onpointvn
+ALPINE_VERSION := 3.11
+ELIXIR_VERSION := 1.15.4
+ERLANG_VERSION := 25.3.2.4
+ALPINE_MIN_VERSION := $(shell echo $(ALPINE_VERSION) | sed 's/\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.[0-9][0-9]*\)*/\1.\2/')
 XDG_CACHE_HOME ?= /tmp
 BUILDX_CACHE_DIR ?= $(XDG_CACHE_HOME)/buildx
 
 help:
 	@echo "$(IMAGE_NAME):$(VERSION)"
 	@perl -nle'print $& if m{^[a-zA-Z_-]+:.*?## .*$$}' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
-test: ## Test the Docker image
-	docker run --rm -it $(IMAGE_NAME):$(VERSION) elixir --version
-
-shell: ## Run an Elixir shell in the image
-	docker run --rm -it $(IMAGE_NAME):$(VERSION) iex
-
-sh: ## Boot to a shell prompt
-	docker run --rm -it $(IMAGE_NAME):$(VERSION) /bin/bash
-
-setup-buildx: ## Setup a Buildx builder
-	@mkdir -p "$(BUILDX_CACHE_DIR)"
-	@if ! docker buildx ls | grep buildx-builder >/dev/null; then \
-		docker buildx create --append --name buildx-builder --driver docker-container --use && \
-		docker buildx inspect --bootstrap --builder buildx-builder; \
-	fi
-
-build: setup-buildx ## Build the Docker image
-	docker buildx build --output "type=image,push=false" \
-		--build-arg ELIXIR_VERSION=$(VERSION) \
-		--platform linux/amd64,linux/arm64 \
-		--cache-from "type=local,src=$(BUILDX_CACHE_DIR)" \
-		--cache-to "type=local,dest=$(BUILDX_CACHE_DIR)" \
-		-t $(IMAGE_NAME):$(VERSION) \
-		-t $(IMAGE_NAME):$(MIN_VERSION) \
-		-t $(IMAGE_NAME):$(MAJ_VERSION) \
-		-t $(IMAGE_NAME):latest .
-
-
-clean: ## Clean up generated images
-	@docker rmi --force $(IMAGE_NAME):$(VERSION) $(IMAGE_NAME):$(MIN_VERSION) $(IMAGE_NAME):$(MAJ_VERSION) $(IMAGE_NAME):latest
-
-rebuild: clean build ## Rebuild the Docker image
-
-release: setup-buildx ## Build and release the Docker image to Docker Hub
-	docker buildx build --push \
-		--build-arg ELIXIR_VERSION=$(VERSION) \
-		--platform linux/amd64,linux/arm64 \
-		--cache-from "type=local,src=$(BUILDX_CACHE_DIR)" \
-		--cache-to "type=local,dest=$(BUILDX_CACHE_DIR)" \
-		-t $(IMAGE_NAME):$(VERSION) \
-		-t $(IMAGE_NAME):$(MIN_VERSION) \
-		-t $(IMAGE_NAME):$(MAJ_VERSION) \
-		-t $(IMAGE_NAME):latest .
+build-erlang:
+	docker build --build-arg ERLANG_VERSION=$(ERLANG_VERSION) \
+		--build-arg ALPINE_VERSION=$(ALPINE_VERSION) \
+		--build-arg ALPINE_MIN_VERSION=$(ALPINE_MIN_VERSION) \
+		-f erlang/Dockerfile \
+		-t ${USER}/alpine-erlang:${ERLANG_VERSION} .
+
+build-elixir:
+	docker build --build-arg ERLANG_VERSION=$(ERLANG_VERSION) \
+		--build-arg ELIXIR_VERSION=$(ELIXIR_VERSION) \
+		--build-arg USER=$(USER) \
+		-f elixir/Dockerfile \
+		-t ${USER}/alpine-elixir:${ELIXIR_VERSION} .
+
+build-phoenix:
+	docker build --build-arg ELIXIR_VERSION=$(ELIXIR_VERSION) \
+		--build-arg USER=$(USER) \
+		-f phoenix/Dockerfile \
+		-t ${USER}/alpine-elixir-phoenix:${ELIXIR_VERSION} .

VERSION

@@ -1 +1,3 @@
-elixir: 1.13.1
+elixir: 1.15.4
+erlang: 25.3.2.4
+alpine 3.11

elixir/Dockerfile

@@ -0,0 +1,30 @@
+ARG ERLANG_VERSION
+ARG USER
+FROM ${USER}/alpine-erlang:${ERLANG_VERSION}
+ARG ELIXIR_VERSION
+
+ENV ELIXIR_VERSION=v${ELIXIR_VERSION} \
+	MIX_HOME=/opt/mix \
+	HEX_HOME=/opt/hex
+
+WORKDIR /tmp/elixir-build
+
+RUN \
+	apk add --no-cache --update-cache \
+	git \
+	make && \
+	git clone https://github.com/elixir-lang/elixir --depth 1 --branch $ELIXIR_VERSION && \
+	cd elixir && \
+	make && make install && \
+	mkdir -p ${HEX_HOME} && \
+	mix local.hex --force && \
+	mix local.rebar --force && \
+	cd $HOME && \
+	rm -rf /tmp/elixir-build
+
+WORKDIR ${HOME}
+
+# Always install latest versions of Hex and Rebar
+ONBUILD RUN mix do local.hex --force, local.rebar --force
+
+CMD ["bash"]

erlang/Dockerfile

@@ -0,0 +1,147 @@
+ARG ALPINE_VERSION
+FROM alpine:${ALPINE_VERSION} AS build
+ARG ALPINE_MIN_VERSION
+ARG ERLANG_VERSION
+
+# Important!  Update this no-op ENV variable when this Dockerfile
+# is updated with the current date. It will force refresh of all
+# of the base images and things like `apt-get update` won't be using
+# old cached versions when the Dockerfile is built.
+ENV REFRESHED_AT=2021-12-10 \
+	LANG=C.UTF-8 \
+	HOME=/opt/app/ \
+	TERM=xterm \
+	ALPINE_MIN_VERSION=${ALPINE_MIN_VERSION} \
+	ERLANG_VERSION=${ERLANG_VERSION}
+
+# Add tagged repos as well as the edge repo so that we can selectively install edge packages
+RUN \
+	echo "@main http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_MIN_VERSION}/main" >> /etc/apk/repositories && \
+	echo "@community http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_MIN_VERSION}/community" >> /etc/apk/repositories && \
+	echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
+
+# Upgrade Alpine and base packages
+RUN apk --no-cache --update-cache --available upgrade
+
+# Install bash and Erlang/OTP deps
+RUN \
+	apk add --no-cache --update-cache \
+	bash \
+	curl \
+	ca-certificates \
+	libgcc \
+	lksctp-tools \
+	pcre \
+	zlib-dev
+
+# Install Erlang/OTP build deps
+RUN \
+	apk add --no-cache --virtual .erlang-build \
+	dpkg-dev \
+	dpkg \
+	gcc \
+	g++ \
+	libc-dev \
+	linux-headers \
+	make \
+	autoconf \
+	ncurses-dev \
+	openssl-dev \
+	unixodbc-dev \
+	lksctp-tools-dev \
+	tar
+
+WORKDIR /tmp/erlang-build
+
+# Download OTP
+RUN \
+	curl -sSL "https://github.com/erlang/otp/releases/download/OTP-${ERLANG_VERSION}/otp_src_${ERLANG_VERSION}.tar.gz" | \
+	tar --strip-components=1 -xzf -
+
+# Configure & Build
+RUN \
+	export ERL_TOP=/tmp/erlang-build && \
+	export CPPFLAGS="-D_BSD_SOURCE $CPPFLAGS" && \
+	./otp_build autoconf && \
+	./configure \
+	--build="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)" \
+	--prefix=/usr/local \
+	--sysconfdir=/etc \
+	--mandir=/usr/share/man \
+	--infodir=/usr/share/info \
+	--without-javac \
+	--without-wx \
+	--without-debugger \
+	--without-observer \
+	--without-jinterface \
+	--without-et \
+	--without-megaco \
+	--enable-threads \
+	--enable-shared-zlib \
+	--enable-ssl=dynamic-ssl-lib && \
+	make -j$(getconf _NPROCESSORS_ONLN)
+
+# Install to temporary location
+RUN \
+	make DESTDIR=/tmp install && \
+	cd /tmp && rm -rf /tmp/erlang-build && \
+	find /tmp/usr/local -regex '/tmp/usr/local/lib/erlang/\(lib/\|erts-\).*/\(man\|doc\|obj\|c_src\|emacs\|info\|examples\)' | xargs rm -rf && \
+	find /tmp/usr/local -name src | xargs -r find | grep -v '\.hrl$' | xargs rm -v || true && \
+	find /tmp/usr/local -name src | xargs -r find | xargs rmdir -vp || true && \
+	# Strip install to reduce size
+	scanelf --nobanner -E ET_EXEC -BF '%F' --recursive /tmp/usr/local | xargs -r strip --strip-all && \
+	scanelf --nobanner -E ET_DYN -BF '%F' --recursive /tmp/usr/local | xargs -r strip --strip-unneeded && \
+	runDeps="$( \
+	scanelf --needed --nobanner --format '%n#p' --recursive /tmp/usr/local \
+	| tr ',' '\n' \
+	| sort -u \
+	| awk 'system("[ -e /tmp/usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+	)" && \
+	ln -s /tmp/usr/local/lib/erlang /usr/local/lib/erlang && \
+	/tmp/usr/local/bin/erl -eval "beam_lib:strip_release('/tmp/usr/local/lib/erlang/lib')" -s init stop > /dev/null && \
+	(/usr/bin/strip /tmp/usr/local/lib/erlang/erts-*/bin/* || true) && \
+	apk add --no-cache \
+	$runDeps \
+	lksctp-tools
+
+### Final Image
+
+ARG ALPINE_VERSION
+FROM alpine:${ALPINE_VERSION}
+ARG ALPINE_MIN_VERSION
+
+ENV LANG=C.UTF-8 \
+	HOME=/opt/app/ \
+	# Set this so that CTRL+G works properly
+	TERM=xterm \
+	ALPINE_MIN_VERSION=${ALPINE_MIN_VERSION}
+
+# Copy Erlang/OTP installation
+COPY --from=build /tmp/usr/local /usr/local
+
+WORKDIR ${HOME}
+
+RUN \
+	# Create default user and home directory, set owner to default
+	adduser -s /bin/sh -u 1001 -G root -h "${HOME}" -S -D default && \
+	chown -R 1001:0 "${HOME}" && \
+	# Add tagged repos as well as the edge repo so that we can selectively install edge packages
+	echo "@main http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_MIN_VERSION}/main" >> /etc/apk/repositories && \
+	echo "@community http://dl-cdn.alpinelinux.org/alpine/v${ALPINE_MIN_VERSION}/community" >> /etc/apk/repositories && \
+	echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
+	# Upgrade Alpine and base packages
+	apk --no-cache --update-cache --available upgrade && \
+	# Install bash and Erlang/OTP deps
+	apk add --no-cache --update-cache \
+	bash \
+	libstdc++ \
+	ca-certificates \
+	ncurses \
+	openssl \
+	pcre \
+	unixodbc \
+	zlib && \
+	# Update ca certificates
+	update-ca-certificates --fresh
+
+CMD ["bash"]

phoenix/Dockerfile

@@ -0,0 +1,26 @@
+ARG ELIXIR_VERSION
+ARG USER
+FROM ${USER}/alpine-elixir:${ELIXIR_VERSION}
+
+WORKDIR ${HOME}
+
+# Install NPM
+RUN apk update --allow-untrusted && apk add -U --no-cache --repository=http://dl-4.alpinelinux.org/alpine/edge/testing --allow-untrusted \
+  make \
+  g++ \
+  wget \
+  curl \
+  inotify-tools \
+  nodejs \
+  npm && \
+  npm install npm -g --no-progress && \
+  update-ca-certificates --fresh && \
+  rm -rf /var/cache/apk/*
+
+# Add local node module binaries to PATH
+ENV PATH=./node_modules/.bin:$PATH
+
+# Ensure latest versions of Hex/Rebar are installed on build
+ONBUILD RUN mix do local.hex --force, local.rebar --force
+
+CMD ["bash"]