
Conversation

@danpawlik
Collaborator

@danpawlik danpawlik commented Oct 21, 2025

With that image, we don't need to create a container image each time crc-cloud is deployed.

Summary by CodeRabbit

  • New Features
    • New httpd-tools container image providing the htpasswd utility for password management.
    • Image is automatically built and published from the main branch with both a "latest" and a commit-specific tag, ensuring up-to-date tooling.

@danpawlik danpawlik marked this pull request as draft October 21, 2025 07:16
@coderabbitai

coderabbitai bot commented Oct 21, 2025

Walkthrough

Adds two new files: a GitHub Actions workflow that builds and pushes an httpd-tools container image to ghcr.io on pushes to main, and a Containerfile that builds a CentOS Stream 9 minimal image with httpd-tools and an htpasswd entrypoint.

Changes

Cohort / File(s) | Summary

GitHub Actions workflow: .github/workflows/httpd-tools-container-image.yml
New workflow "Build and push container image" triggered on pushes to main; checks out repo, logs into ghcr.io using actor/GITHUB_TOKEN, and builds/pushes an image from ./oci/Containerfile-httpd-tools with tags latest and the commit SHA.

Container definition: oci/Containerfile-httpd-tools
New Containerfile based on CentOS Stream 9 Minimal; installs httpd-tools via microdnf (nodocs, no-weak-deps) and sets htpasswd as the container ENTRYPOINT in non-interactive bcrypt batch mode.

Sequence Diagram(s)

sequenceDiagram
    actor Dev as Developer
    participant Repo as GitHub Repo
    participant GA as GitHub Actions
    participant Reg as ghcr.io

    Dev->>Repo: Push to main
    Repo->>GA: trigger workflow
    GA->>GA: actions/checkout
    GA->>Reg: docker/login-action (actor + GITHUB_TOKEN)
    GA->>GA: docker/build-push-action (context: ., file: ./oci/Containerfile-httpd-tools)
    alt push on main
        GA->>Reg: push image tags (latest, commit SHA)
        Reg-->>GA: push confirmation
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • cfergeau

Poem

🐰 I hopped into code and brewed a small stew,
A tiny container, neat and true.
Tags tied with SHA, pushed up with a cheer,
htpasswd waits, bcrypt sincere. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title Check | ✅ Passed | The pull request title "Add Github workflows for httpd-tools container image" directly and accurately describes the main change in the changeset. The PR adds a new GitHub Actions workflow file that automates building and pushing a Docker container image for httpd-tools, which aligns perfectly with what the title conveys. The title is concise, clear, and avoids vague terminology, making it easy for a teammate to understand the purpose when scanning the commit history. It appropriately summarizes the primary objective of enabling automated container image deployment without recreating the image on each crc-cloud deployment.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

@danpawlik danpawlik force-pushed the add-httpd-tools-container branch from 0c4a324 to 4e0d610 on October 21, 2025 08:40
@danpawlik danpawlik marked this pull request as ready for review October 21, 2025 08:42
@danpawlik
Collaborator Author

I was able to get the image:

~/RH/upstream/crc-cloud ❯ podman pull ghcr.io/danpawlik/crc-cloud/httpd-tools:latest                                             
Trying to pull ghcr.io/danpawlik/crc-cloud/httpd-tools:latest...
Getting image source signatures
Copying blob 1553b090a562 done   |
Copying blob 13f69b2f8eb4 done   |
Copying config 1201261503 done   |
Writing manifest to image destination
12012615037da062e1eb2c076000369b36a8e8096208213683d243e7d657c0be

@danpawlik danpawlik changed the title from "Add Github workflows to create httpd-tools container image" to "Add Github workflows for httpd-tools container image; update CentOS SHA1" on Oct 21, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/httpd-tools-container-image.yml (1)

26-30: Consider using a dedicated Containerfile for improved maintainability.

Embedding the Dockerfile as an inline shell string (lines 27–30) is fragile and difficult to maintain. A dedicated Containerfile.httpd-tools (or Dockerfile.httpd-tools) would be clearer and allow for future enhancements.

Option 1: Create Containerfile.httpd-tools in the repository

FROM quay.io/centos/centos:stream9-minimal@sha256:<PINNED_DIGEST>
RUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools
ENTRYPOINT ["htpasswd", "-Bbn"]

Option 2: Update the workflow to reference this file

-      - name: Build and push Docker image
-        run: |
-          echo -e 'FROM quay.io/centos/centos:stream9-minimal\nRUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools\nENTRYPOINT ["htpasswd", "-Bbn"]' | docker build -t ghcr.io/${{ github.repository }}/httpd-tools:latest -t ghcr.io/${{ github.repository }}/httpd-tools:${{ github.sha }} -
-          docker push ghcr.io/${{ github.repository }}/httpd-tools:latest
-          docker push ghcr.io/${{ github.repository }}/httpd-tools:${{ github.sha }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Containerfile.httpd-tools
+          tags: |
+            ghcr.io/${{ github.repository }}/httpd-tools:latest
+            ghcr.io/${{ github.repository }}/httpd-tools:${{ github.sha }}
+          push: true
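Review bot: the file path in this suggestion (Containerfile.httpd-tools at the repository root) does not match where the PR ends up keeping the file (./oci/Containerfile-httpd-tools, per the walkthrough above), so adopting the diff verbatim would leave the build step pointing at a file that does not exist; keep the `file:` value and the actual path in sync. Two further caveats on the `+` lines: docker/build-push-action needs the docker/login-action step to have run before it, since it performs the push itself, and ghcr.io requires lowercase image names, so `ghcr.io/${{ github.repository }}/httpd-tools` is only valid while both the owner and repository names contain no uppercase characters (true for crc-org/crc-cloud, but worth a comment in the workflow).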

This approach uses the docker/build-push-action action (which is commonly used and well-maintained) and eliminates the need for separate push commands.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6ed2f2 and 4e0d610.

📒 Files selected for processing (2)
  • .github/workflows/httpd-tools-container-image.yml (1 hunks)
  • oci/Containerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build (macOS-latest, 1.20)
🔇 Additional comments (3)
oci/Containerfile (1)

15-15: Good: base image digest is pinned for reproducibility and security.

The base image digest update ensures consistent builds across environments.

.github/workflows/httpd-tools-container-image.yml (2)

11-13: Permissions are configured correctly.

The workflow declares minimal necessary permissions: contents: read for checkout and packages: write for pushing to the container registry.


19-24: Authentication approach is secure.

Using docker/login-action@v3 with ${{ github.actor }} and ${{ secrets.GITHUB_TOKEN }} follows GitHub's recommended practice for registry authentication with minimal privilege.

@danpawlik danpawlik force-pushed the add-httpd-tools-container branch from 4e0d610 to eb33a49 on October 21, 2025 08:59

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/httpd-tools-container-image.yml (1)

26-34: Previous review concern has been addressed.

The past review comment about pinning the base image digest has been resolved. The oci/Containerfile-httpd-tools now properly pins the CentOS Stream 9 Minimal base image to a specific digest (sha256:3f9a84c10a4a3fb9fac56ba11c3119759e78abe596e270a1c4e0203547ee80d9), ensuring build reproducibility and supply chain security.

🧹 Nitpick comments (1)
oci/Containerfile-httpd-tools (1)

1-3: LGTM! Well-structured utility container.

The containerfile follows best practices:

  • Base image digest is properly pinned for reproducibility
  • Minimal base image reduces attack surface
  • Installation flags optimize image size (nodocs, install_weak_deps=0)
  • Entrypoint uses bcrypt encryption (-B) for secure password hashing

Consider adding a LABEL for maintainer and description to align with the main Containerfile:

FROM quay.io/centos/centos:stream9-minimal@sha256:3f9a84c10a4a3fb9fac56ba11c3119759e78abe596e270a1c4e0203547ee80d9
LABEL MAINTAINER "CRC <[email protected]>"
RUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools
ENTRYPOINT ["htpasswd", "-Bbn"]
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e0d610 and eb33a49.

📒 Files selected for processing (3)
  • .github/workflows/httpd-tools-container-image.yml (1 hunks)
  • oci/Containerfile (1 hunks)
  • oci/Containerfile-httpd-tools (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/httpd-tools-container-image.yml

35-35: property "meta" is not defined in object type {}

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (macOS-latest, 1.20)
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build-and-push-image
🔇 Additional comments (1)
oci/Containerfile (1)

15-15: I'll search for security information about CentOS Stream 9 to verify the status of the base image.

Verify that the CentOS Stream 9 image digest corresponds to a valid, current image.

CentOS Stream 8, 9, and 10 do not have separate CVE advisories published, so security issues will be updated in CentOS Stream after they are solved in the current RHEL release. The specified digest cannot be directly verified in this environment due to missing container tools. However, CentOS Stream 9 container images are available at quay.io/centos/centos:stream9, confirming the repository is valid and officially maintained.

To verify the digest is current:

  • Manually pull the image: podman pull quay.io/centos/centos:stream9@sha256:0299bfb0830ad5ca40ae7406ea51666c7e74d1a007b5511907b9f950a121040f
  • Compare against the latest stream9 tag to confirm it's the intended version
  • Monitor RHEL 9 security advisories for applicable CVE updates
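
The manual verification the comment above describes (pull by digest, compare with the current tag) rests on one property: a registry's image digest is the SHA-256 of the exact manifest bytes it serves, so a `FROM ...@sha256:` pin can be checked offline once those bytes are in hand. The Python below is an added example, not code from crc-cloud or from CodeRabbit; it assumes the manifest has already been fetched (for instance with `skopeo inspect --raw`) and uses a constructed single-architecture manifest as stand-in input. For a multi-architecture tag the served document is an image index, and the index digest is the one that belongs in the `FROM` line.

```python
import hashlib
import re

# Constructed OCI image manifest, standing in for the bytes a registry serves
# for a tag. The digest covers these exact bytes; re-serialising them changes it.
SAMPLE_MANIFEST = (
    b'{"schemaVersion":2,'
    b'"mediaType":"application/vnd.oci.image.manifest.v1+json",'
    b'"config":{"mediaType":"application/vnd.oci.image.config.v1+json",'
    b'"digest":"sha256:' + b"0" * 64 + b'","size":2},'
    b'"layers":[]}'
)

# name[:port][/path...][:tag][@sha256:hex] -- the forms a FROM line can carry.
REFERENCE_RE = re.compile(
    r"^(?P<name>[^:@\s]+(?::\d+)?(?:/[^:@\s]+)*)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into name, optional tag and optional digest."""
    m = REFERENCE_RE.match(ref)
    if m is None:
        raise ValueError(f"malformed image reference: {ref!r}")
    return m.groupdict()


def manifest_digest(manifest_bytes):
    """The registry digest of a manifest: sha256 over the served bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def check_pin(ref, manifest_bytes):
    """Classify a reference against the manifest bytes actually served for it.

    "unpinned"  - no @sha256 in the reference, so nothing can be verified
    "verified"  - the served bytes hash to the pinned digest
    "mismatch"  - pinned, but the bytes differ: refuse to build from them
    A digest the registry no longer has at all fails earlier, at fetch time.
    """
    parts = parse_reference(ref)
    if parts["digest"] is None:
        return "unpinned"
    return "verified" if manifest_digest(manifest_bytes) == parts["digest"] else "mismatch"


def pin_reference(ref, manifest_bytes):
    """Rewrite a tag-only reference as name:tag@sha256:... from the served bytes.

    The tag is kept for readability; the digest is what the build resolves.
    """
    parts = parse_reference(ref)
    base = parts["name"] + (":" + parts["tag"] if parts["tag"] else "")
    return base + "@" + manifest_digest(manifest_bytes)
```

The "not found" failure seen later in this thread is the other way a pin can go wrong: the digest is well formed but the registry no longer serves it, which surfaces as a fetch error before there are any bytes to hash. A pinned reference therefore needs both a resolvability check (does the digest still exist) and the byte-level check above.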

@danpawlik danpawlik force-pushed the add-httpd-tools-container branch from eb33a49 to 68c4170 on October 21, 2025 09:06

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/httpd-tools-container-image.yml (1)

26-34: Critical issue from previous review has been resolved.

The undefined steps.meta.outputs.labels reference flagged in the previous review has been removed. The workflow no longer references undefined step outputs, so the workflow will execute without that error.

🧹 Nitpick comments (1)
.github/workflows/httpd-tools-container-image.yml (1)

29-30: Consider reducing build context size.

The build context is set to . (repository root), but the Containerfile is at ./oci/Containerfile-httpd-tools. Changing the context to ./oci would exclude unnecessary files from the build context, reducing transfer time and improving build performance.

         with:
-          context: .
+          context: ./oci
           file: ./oci/Containerfile-httpd-tools
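Review bot: narrowing `context:` to ./oci is only safe because the Containerfile has no COPY or ADD instructions; the moment one is added that references a file outside oci/, the build fails with a path-outside-context error, so the change couples the workflow to the file layout. A .dockerignore at the repository root gives the same reduction in transferred context without that coupling, and since the image copies nothing, the practical gain either way is small.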
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb33a49 and 68c4170.

📒 Files selected for processing (3)
  • .github/workflows/httpd-tools-container-image.yml (1 hunks)
  • oci/Containerfile (1 hunks)
  • oci/Containerfile-httpd-tools (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • oci/Containerfile-httpd-tools
  • oci/Containerfile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-and-push-image
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build (macOS-latest, 1.20)
🔇 Additional comments (1)
.github/workflows/httpd-tools-container-image.yml (1)

26-34: Base image digest is correctly pinned.

Verified: oci/Containerfile-httpd-tools pins the base image to a specific digest (quay.io/centos/centos:stream9-minimal@sha256:3f9a84c10a4a3fb9fac56ba11c3119759e78abe596e270a1c4e0203547ee80d9). The reproducibility and supply-chain risk has been mitigated.


@cfergeau cfergeau left a comment


I assume a follow up commit will be needed to make use of this image?
Fwiw, snc also needs a trusted htpasswd image; it currently uses docker.io/xmartlabs/htpasswd. This was discussed in a PR, but I haven't been able to find it.

@danpawlik danpawlik force-pushed the add-httpd-tools-container branch from 68c4170 to 38bee3f on October 21, 2025 10:37
@cfergeau

Build failed with

ERROR: failed to build: failed to solve: quay.io/centos/centos:stream9@sha256:5bd57c6d9d1da7c41f772b1663ca342a66fd2131ff0895bc929d828b8aa16a30: failed to resolve source metadata for quay.io/centos/centos:stream9@sha256:5bd57c6d9d1da7c41f772b1663ca342a66fd2131ff0895bc929d828b8aa16a30: quay.io/centos/centos:stream9@sha256:5bd57c6d9d1da7c41f772b1663ca342a66fd2131ff0895bc929d828b8aa16a30: not found

@danpawlik danpawlik force-pushed the add-httpd-tools-container branch from 38bee3f to 14e1263 on October 21, 2025 11:00
@danpawlik
Copy link
Collaborator Author

@cfergeau rebase was needed


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/httpd-tools-container-image.yml (1)

26-34: LGTM! Build and push configuration is correct.

The build step properly:

  • References the Containerfile at the correct path
  • Conditionally disables push for pull requests
  • Tags images with both latest and the commit SHA for version tracking

The context . (repo root) works fine since the Containerfile doesn't copy any local files.

Optional: Consider pinning GitHub Actions to commit SHAs for enhanced security.

For supply-chain security, you could pin the action versions to immutable commit SHAs instead of mutable tags:

       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0

       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75  # v5.4.0
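Review bot: the `# v4.2.2`-style annotations on the `+` lines are comments that nothing enforces; the 40-hex SHA is what actually runs. Before adopting any of these three pins, confirm in the upstream repository that each SHA is the commit the named release tag points at (the tag's page or `git rev-parse <tag>^{commit}` in a clone), because a stale or mistyped SHA silently pins to whatever commit it names and the comment will keep saying otherwise. Pair the pins with a Dependabot entry for the github-actions ecosystem so the SHAs and their comments move together on upgrades.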

This prevents potential tampering if a tag is moved to a malicious commit. Dependabot can be configured to keep these SHA pins up-to-date.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38bee3f and 14e1263.

📒 Files selected for processing (2)
  • .github/workflows/httpd-tools-container-image.yml (1 hunks)
  • oci/Containerfile-httpd-tools (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build (macOS-latest, 1.20)
  • GitHub Check: build-and-push-image
🔇 Additional comments (3)
oci/Containerfile-httpd-tools (1)

1-3: LGTM! Clean and minimal Containerfile.

The implementation is correct and follows best practices for a minimal utility image:

  • Uses CentOS Stream 9 minimal base (appropriate for the use case)
  • Installs only httpd-tools with flags to minimize image size
  • Sets appropriate entrypoint for htpasswd batch operations

The unpinned base image reference aligns with the maintainer decision to always pull the latest version rather than pinning to a specific SHA256.

.github/workflows/httpd-tools-container-image.yml (2)

1-17: LGTM! Well-structured workflow with appropriate permissions.

The workflow correctly:

  • Triggers only on pushes to main (appropriate for image publishing)
  • Sets minimal required permissions (read contents, write packages)
  • Uses standard actions for checkout

19-24: LGTM! Correct GHCR authentication.

The login configuration properly uses github.actor and GITHUB_TOKEN for authenticating to GitHub Container Registry.
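
Both supply-chain pins discussed across this thread, the base image digest in the Containerfile and commit SHAs for the workflow's actions, can be checked mechanically in CI. The Python lint below is an added example and not part of crc-cloud or of CodeRabbit's tooling; it runs over constructed copies of the merged Containerfile and of a workflow excerpt like the one quoted above, flagging any `FROM` whose image lacks `@sha256:<64 hex>` and any `uses:` not pinned to a 40-hex commit. It does not verify that a pinned SHA matches the release named in a trailing comment; that needs the upstream repository.

```python
import re

# Constructed inputs modelled on this PR: the tag-only Containerfile that was
# merged, and a workflow excerpt with one SHA-pinned and two tag-pinned actions.
CONTAINERFILE = """\
FROM quay.io/centos/centos:stream9-minimal
RUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools
ENTRYPOINT ["htpasswd", "-Bbn"]
"""

WORKFLOW = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image pin
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")          # immutable action pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def unpinned_base_images(containerfile_text):
    """Return (line number, image) for every FROM that is not digest-pinned.

    Stage aliases (FROM ... AS name, then FROM name) and 'scratch' are skipped:
    neither reaches a registry. Returns [] when every base image is pinned.
    """
    findings, aliases = [], set()
    for lineno, line in enumerate(containerfile_text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=...
        image = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            aliases.add(args[2])
        if image == "scratch" or image in aliases:
            continue
        if DIGEST_RE.search(image) is None:
            findings.append((lineno, image))
    return findings


def unpinned_actions(workflow_text):
    """Return (line number, ref) for every uses: not pinned to a full commit SHA.

    Local actions (./path) travel with the repository and docker:// references
    are pinned by image digest instead, so both are skipped. A trailing
    '# vX.Y.Z' comment is ignored: only the SHA itself counts as a pin.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if COMMIT_RE.search(ref) is None:
            findings.append((lineno, ref))
    return findings
```

Run as a CI step, a non-empty result from either function is a reason to fail the job; the thread's own trade-off (an unpinned base tag that always builds versus a pinned digest that may later vanish from the registry) is a policy decision the lint only makes visible, not one it resolves.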

@danpawlik danpawlik changed the title from "Add Github workflows for httpd-tools container image; update CentOS SHA1" to "Add Github workflows for httpd-tools container image" on Oct 21, 2025
@danpawlik danpawlik requested a review from cfergeau October 21, 2025 12:33

@cfergeau cfergeau left a comment


Looks good to me, just had one question.

With that image, we don't need to create a container image each
time crc-cloud is deployed.

Signed-off-by: Daniel Pawlik <[email protected]>
@danpawlik danpawlik force-pushed the add-httpd-tools-container branch from 14e1263 to 92cae01 on October 21, 2025 15:38

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
oci/Containerfile-httpd-tools (1)

2-2: Consider cleaning up package manager cache to reduce image size.

The microdnf command correctly uses nodocs and no weak dependencies flags. Adding a cleanup step would further reduce the final image size.

Apply this diff to clean up the cache:

-RUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools
+RUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools && \
+    microdnf clean all
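Review bot: the `&& microdnf clean all` has to stay chained in the same RUN instruction as the install, exactly as the `+` lines show; moving it into a second RUN would delete the repository metadata in a new layer while the earlier layer still carries it, and the image would not shrink at all. What it removes is the dnf metadata cache, not package payload, so the saving is modest but real for a single-purpose image like this one.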
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14e1263 and 92cae01.

📒 Files selected for processing (2)
  • .github/workflows/httpd-tools-container-image.yml (1 hunks)
  • oci/Containerfile-httpd-tools (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build (macOS-latest, 1.20)
🔇 Additional comments (5)
oci/Containerfile-httpd-tools (2)

1-1: Base image choice looks good.

Using the unpinned tag aligns with the decision from previous review discussions to always get the latest version rather than pinning to a specific digest that may become unavailable.


3-3: Entrypoint configuration is correct.

The htpasswd flags are appropriate: -B for bcrypt encryption, -b for batch mode, and -n to output to stdout. This matches the intended use case.

.github/workflows/httpd-tools-container-image.yml (3)

1-17: Workflow structure and checkout configuration look good.

The workflow correctly triggers only on main branch pushes, has appropriate permissions (read contents, write packages), and uses the standard checkout action.


19-24: GitHub Container Registry login is properly configured.

The login step uses the correct registry, authentication method, and credentials for publishing to ghcr.io.


26-34: Build and push configuration is correct.

The build step properly references the Containerfile, uses appropriate context, and tags the image with both latest and the commit SHA. Setting push: true unconditionally is fine since this workflow only runs on main branch pushes.

@cfergeau cfergeau merged commit f899031 into crc-org:main Oct 21, 2025
4 checks passed
danpawlik added a commit to danpawlik/crc-cloud that referenced this pull request Oct 22, 2025
The previous commit [1] brings a GitHub Action that creates the httpd-tools
container image.
In this commit, let's start using that image and remove the part
that was responsible for creating the container image locally.

[1] crc-org#206

Signed-off-by: Daniel Pawlik <[email protected]>
praveenkumar pushed a commit that referenced this pull request Oct 22, 2025
The previous commit [1] brings a GitHub Action that creates the httpd-tools
container image.
In this commit, let's start using that image and remove the part
that was responsible for creating the container image locally.

[1] #206

Signed-off-by: Daniel Pawlik <[email protected]>