✨ Initial image (#3)

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,22 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "2.11.0",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:503f23cd692325b3cbb8c20a0ecfabb3444b0c786b363e0c82572bd7d71dc099",
+      "integrity": "sha256:503f23cd692325b3cbb8c20a0ecfabb3444b0c786b363e0c82572bd7d71dc099"
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:1": {
+      "version": "1.0.0",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test@sha256:19eb30f9eb327b667be2002757d55381de87cdb5a79a6e37d293369fe8ad01ad",
+      "integrity": "sha256:19eb30f9eb327b667be2002757d55381de87cdb5a79a6e37d293369fe8ad01ad",
+      "dependsOn": [
+        "ghcr.io/devcontainers/features/docker-in-docker:2"
+      ]
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis:1": {
+      "version": "1.0.0",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis@sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16",
+      "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
+    }
+  }
+}

.devcontainer/devcontainer.json

@@ -0,0 +1,18 @@
+{
+  "name": "analytical-platform-mlflow",
+  "image": "ghcr.io/ministryofjustice/devcontainer-base:latest",
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:1": {},
+    "ghcr.io/ministryofjustice/devcontainer-feature/static-analysis:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "EditorConfig.EditorConfig",
+        "GitHub.vscode-github-actions",
+        "GitHub.vscode-pull-request-github"
+      ]
+    }
+  }
+}

.editorconfig

@@ -0,0 +1,23 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.json]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+indent_style = space
+indent_size = 2
+
+[{*.yml,*.yaml}]
+indent_style = space
+indent_size = 2
+
+# This file is autogenerated
+[.devcontainer/devcontainer-lock.json]
+end_of_line = unset
+insert_final_newline = unset

.github/CODEOWNERS

@@ -1,3 +1 @@
-# Add a team or username to this file
-# Example:
-# *   @ministryofjustice/operations-engineering
+* @ministryofjustice/analytical-platform

.github/dependabot.yml

@@ -1,33 +1,12 @@
 ---
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 
 updates:
-  - package-ecosystem: "bundler"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "terraform"
-    directory: "/terraform"
-    schedule:
-      interval: "daily"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "gomod"
+  - package-ecosystem: "devcontainers"
     directory: "/"
     schedule:
       interval: "daily"

.github/workflows/build-and-test.yml

@@ -0,0 +1,30 @@
+---
+name: Build and Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Set Up Container Structure Test
+        id: setup_container_structure_test
+        uses: ministryofjustice/github-actions/setup-container-structure-test@c9cb317b93b19d1c28b7a42b0c982bdff8106bbb # v18.0.1
+
+      - name: Build and Test
+        id: build_and_test
+        shell: bash
+        run: |
+          make test

.github/workflows/dependency-review.yml

@@ -3,6 +3,8 @@ name: Dependency Review
 
 on:
   pull_request:
+    branches:
+      - main
     types:
       - edited
       - opened
@@ -22,7 +24,8 @@ jobs:
         id: checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-      - name: Dependency Review
+      - name: Dependency review
+        id: dependency_review
         uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
         with:
           fail-on-severity: critical

.github/workflows/release.yml

@@ -0,0 +1,55 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions: {}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Install cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+      - name: Log in to GitHub Container Registry
+        id: login_ghcr
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push
+        id: build_and_push
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        with:
+          push: true
+          tags: ghcr.io/ministryofjustice/analytical-platform-mlflow:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        shell: bash
+        run: |
+          cosign sign --yes ghcr.io/ministryofjustice/analytical-platform-mlflow@${{ steps.build_and_push.outputs.digest }}
+
+      - name: Verify
+        id: verify
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity=https://github.com/ministryofjustice/analytical-platform-mlflow/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
+            ghcr.io/ministryofjustice/analytical-platform-mlflow@${{ steps.build_and_push.outputs.digest }}

.github/workflows/scan-image.yml

@@ -0,0 +1,57 @@
+---
+name: Scan Image
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  scan-image:
+    name: Scan Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+      - name: Build Image
+        id: build_image
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        with:
+          push: false
+          load: true
+          tags: mlflow
+
+      - name: Scan Image
+        id: scan_image
+        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+        with:
+          image-ref: mlflow
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+          limit-severities-for-sarif: true
+
+      - name: Scan Image (On SARIF Scan Failure)
+        if: failure() && steps.scan_image.outcome == 'failure'
+        id: scan_image_on_failure
+        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+        with:
+          image-ref: mlflow
+          exit-code: 1
+          format: table
+          severity: CRITICAL
+
+      - name: Upload SARIF
+        if: always()
+        id: upload_sarif
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+        with:
+          sarif_file: trivy-results.sarif

.github/workflows/super-linter.yml

@@ -0,0 +1,34 @@
+---
+name: Super-Linter
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - edited
+      - opened
+      - reopened
+      - synchronize
+
+permissions: {}
+
+jobs:
+  super-linter:
+    name: Super-Linter
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      statuses: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: Run Super-Linter
+        id: super_linter
+        uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589 # v6.6.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -0,0 +1,63 @@
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:4f5ca1c8b7abe2bd1162e629cafbd824c303b98954b1a168526aca6021f8affe
+
+LABEL org.opencontainers.image.vendor="Ministry of Justice" \
+      org.opencontainers.image.authors="Analytical Platform (analytical-platform@digital.justice.gov.uk)" \
+      org.opencontainers.image.title="MLflow" \
+      org.opencontainers.image.description="MLflow image for Analytical Platform" \
+      org.opencontainers.image.url="https://github.com/ministryofjustice/analytical-platform-mlflow"
+
+ENV CONTAINER_USER="analyticalplatform" \
+    CONTAINER_UID="1001" \
+    CONTAINER_GROUP="analyticalplatform" \
+    CONTAINER_GID="1001" \
+    DEBIAN_FRONTEND="noninteractive" \
+    MLFLOW_ROOT="/mlflow" \
+    MLFLOW_VERSION="2.13.2" \
+    BOTO3_VERSION="1.34.123" \
+    PROMETHEUS_FLASK_EXPORTER_VERSION="0.23.0" \
+    PSYCOPG2_BINARY_VERSION="2.9.9"
+
+SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
+
+RUN <<EOF
+groupadd \
+  --gid ${CONTAINER_GID} \
+  ${CONTAINER_GROUP}
+
+useradd \
+  --uid ${CONTAINER_UID} \
+  --gid ${CONTAINER_GROUP} \
+  --create-home \
+  --shell /bin/bash \
+  ${CONTAINER_USER}
+
+apt-get update --yes
+
+apt-get install --no-install-recommends --yes \
+  "ca-certificates=20240203" \
+  "curl=8.5.0-2ubuntu10.1" \
+  "libpq-dev=16.3-0ubuntu0.24.04.1" \
+  "python3.12=3.12.3-1" \
+  "python3-pip=24.0+dfsg-1ubuntu1"
+
+apt-get clean --yes
+
+rm --force --recursive /var/lib/apt/lists/*
+
+pip install --break-system-packages --no-cache-dir \
+  "mlflow==${MLFLOW_VERSION}" \
+  "boto3==${BOTO3_VERSION}" \
+  "prometheus-flask-exporter==${PROMETHEUS_FLASK_EXPORTER_VERSION}" \
+  "psycopg2-binary==${PSYCOPG2_BINARY_VERSION}"
+
+install --directory --owner ${CONTAINER_USER} --group ${CONTAINER_GROUP} --mode 0755 ${MLFLOW_ROOT}
+EOF
+
+USER ${CONTAINER_USER}
+WORKDIR ${MLFLOW_ROOT}
+EXPOSE 5000
+COPY --chown=${CONTAINER_USER}:${CONTAINER_GROUP} src/mlflow/auth.ini /mlflow/auth.ini
+COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --chown=nobody:nobody --chmod=0755 src/usr/local/bin/healthcheck.sh /usr/local/bin/healthcheck.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+HEALTHCHECK --interval=15s --timeout=10s --start-period=10s --retries=3 CMD ["/usr/local/bin/healthcheck.sh"]

Makefile

@@ -0,0 +1,15 @@
+IMAGE_NAME = ghcr.io/ministryofjustice/analytical-platform-mlflow:latest
+
+test: build
+	container-structure-test test --config test/container-structure-test.yml --image $(IMAGE_NAME)
+
+build:
+	@ARCH=`uname -m`; \
+	case $$ARCH in \
+	aarch64 | arm64) \
+		echo "Building on $$ARCH architecture"; \
+		docker build --platform linux/amd64 --file Dockerfile --tag $(IMAGE_NAME) . ;; \
+	*) \
+		echo "Building on $$ARCH architecture"; \
+		docker build --file Dockerfile --tag $(IMAGE_NAME) . ;; \
+	esac