feat: use the pre-built docker image in place of a pip install (#41)

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

.github/workflows/find-vulnerabilities.yml

@@ -28,7 +28,6 @@ jobs:
       - uses: ./
         with:
           pipelines: "scan_codebase,find_vulnerabilities"
-          scancodeio-repo-branch: "main"
           check-compliance: true
           compliance-fail-on-vulnerabilities: true
         env:

.github/workflows/multi-runs.yml

@@ -35,11 +35,10 @@ jobs:
           project-name: "scan-2"
           pipelines: "scan_codebase"
 
-      - name: Verify scanpipe and scancode commands availability
+      - name: Verify scanpipe command availability
         shell: bash
         run: |
-          echo "Checking ScanCode CLI availability..."
+          echo "Checking scanpipe CLI availability..."
           which scanpipe || { echo "scanpipe not found in PATH"; exit 1; }
-          which scancode || { echo "scancode not found in PATH"; exit 1; }
           echo "Versions:"
-          scanpipe shell -c "import scancodeio; from scancode_config import __version__ as scancode_version;print(f'ScanCode.io version: {scancodeio.__version__}');print(f'ScanCode-toolkit version: v{scancode_version}')"
+          scanpipe --version

.github/workflows/run-android-deploy-to-develop.yml

@@ -20,11 +20,11 @@ jobs:
           sparse-checkout-cone-mode: false
           persist-credentials: false
 
-      - uses: ./
-        with:
-          scancodeio-repo-branch: "main"
-          scancodeio-extras: "android_analysis"
-          pipelines: "android_d2d"
-          input-urls:
-            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
-            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to
+# scancodeio-extras: "android_analysis" not available with the Docker image for now
+#      - uses: ./
+#        with:
+#          scancodeio-extras: "android_analysis"
+#          pipelines: "android_d2d"
+#          input-urls:
+#            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
+#            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to

action.yml

@@ -37,88 +37,90 @@ inputs:
       packages and dependencies.
     required: false
     default: "false"
-  python-version:
-    description: "Python version."
-    default: "3.13"
-  scancodeio-repo-branch:
-    description: "Branch to install ScanCode.io from the GitHub repository (optional)"
-    required: false
-    default: ""
-  scancodeio-extras:
-    description: "ScanCode.io optional dependencies (comma-separated) (optional)."
-    required: false
-    default: ""
+  scancodeio-image:
+    description: "ScanCode.io Docker image to use."
+    default: "ghcr.io/aboutcode-org/scancode.io@sha256:6fc8023bc588602ef2ec2b699c2503d8771fe5ef16470475fe64b641f0955f5b"  # v37.1.0
 
 runs:
   using: "composite"
   steps:
-    - name: Set up Python
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
-      with:
-        python-version: ${{ inputs.python-version }}
-
-    - name: Set up environment
+    - name: Validate inputs
       shell: bash
       env:
+        INPUT_IMAGE: ${{ inputs.scancodeio-image }}
         INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+        INPUT_FAIL_LEVEL: ${{ inputs.compliance-fail-level }}
+        INPUT_PIPELINES: ${{ inputs.pipelines }}
       run: |
-        echo "SECRET_KEY=$(openssl rand -base64 32)" >> "$GITHUB_ENV"
-        echo "SCANCODEIO_DB_NAME=scancodeio" >> "$GITHUB_ENV"
-        echo "SCANCODEIO_DB_USER=scancodeio" >> "$GITHUB_ENV"
-        echo "SCANCODEIO_DB_PASSWORD=scancodeio" >> "$GITHUB_ENV"
-        # Sanitize project name for artifact usage
-        SAFE_PROJECT_NAME="${INPUT_PROJECT_NAME//[^a-zA-Z0-9._-]/_}"
-        echo "SAFE_PROJECT_NAME=$SAFE_PROJECT_NAME" >> "$GITHUB_ENV"
+        # Docker image ref: registry/name:tag or registry/name@sha256:digest
+        if [[ ! "$INPUT_IMAGE" =~ ^[a-zA-Z0-9./_:@-]+$ ]]; then
+          echo "::error::Invalid image name: $INPUT_IMAGE"
+          exit 1
+        fi
 
-    - name: Detect if ScanCode.io is already installed
-      shell: bash
-      run: |
-        if command -v scanpipe &> /dev/null; then
-          echo "ScanCode.io already installed."
-          echo "SCANCODEIO_IS_INSTALLED=true" >> "$GITHUB_ENV"
-        else
-          echo "ScanCode.io not found."
-          echo "SCANCODEIO_IS_INSTALLED=false" >> "$GITHUB_ENV"
+        # Project name: alphanumeric, spaces, hyphens, underscores, dots
+        if [[ ! "$INPUT_PROJECT_NAME" =~ ^[a-zA-Z0-9[:space:]._-]+$ ]]; then
+          echo "::error::Invalid project name: $INPUT_PROJECT_NAME"
+          exit 1
         fi
 
-    - name: Start and setup the PostgreSQL service
-      if: env.SCANCODEIO_IS_INSTALLED != 'true'
+        # Fail level: only known values
+        if [[ ! "$INPUT_FAIL_LEVEL" =~ ^(ERROR|WARNING|MISSING)$ ]]; then
+          echo "::error::Invalid compliance-fail-level: $INPUT_FAIL_LEVEL"
+          exit 1
+        fi
+
+        # Pipeline names: alphanumeric, underscores, commas, colons
+        if [[ ! "$INPUT_PIPELINES" =~ ^[a-zA-Z0-9_,:[:space:]]+$ ]]; then
+          echo "::error::Invalid pipelines value: $INPUT_PIPELINES"
+          exit 1
+        fi
+
+    - name: Set up environment
       shell: bash
+      env:
+        INPUT_PROJECT_NAME: ${{ inputs.project-name }}
+        INPUT_IMAGE: ${{ inputs.scancodeio-image }}
       run: |
-        sudo systemctl start postgresql.service
-        sudo -u postgres createuser --no-createrole --no-superuser --login --inherit --createdb "$SCANCODEIO_DB_USER"
-        sudo -u postgres psql -c "ALTER USER $SCANCODEIO_DB_USER WITH ENCRYPTED PASSWORD '$SCANCODEIO_DB_PASSWORD'"
-        sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 "$SCANCODEIO_DB_NAME"
+        echo "SECRET_KEY=$(openssl rand -base64 32)" >> "$GITHUB_ENV"
+        # Workspace location mounted into the container, so outputs are directly accessible
+        echo "SCANCODEIO_WORKSPACE_LOCATION=/workspace/.scancodeio" >> "$GITHUB_ENV"
+        echo "SCANCODEIO_IMAGE=$INPUT_IMAGE" >> "$GITHUB_ENV"
+        # Sanitize project name for artifact usage
+        echo "SAFE_PROJECT_NAME=${INPUT_PROJECT_NAME//[^a-zA-Z0-9._-]/_}" >> "$GITHUB_ENV"
 
-    - name: Generate scancodeio pip install argument
-      if: env.SCANCODEIO_IS_INSTALLED != 'true'
+    - name: Start and setup the PostgreSQL service
       shell: bash
-      env:
-        INPUT_EXTRAS: ${{ inputs.scancodeio-extras }}
       run: |
-        SCANCODEIO_PIP_PACKAGE_ARG="scancodeio"
-        TRIMMED_EXTRAS="$(echo "$INPUT_EXTRAS" | tr -d '[:space:]')"
-        if [ -n "$TRIMMED_EXTRAS" ]; then
-          SCANCODEIO_PIP_PACKAGE_ARG+="[$TRIMMED_EXTRAS]"
+        if ! sudo systemctl is-active --quiet postgresql; then
+          sudo systemctl start postgresql.service
+          sudo -u postgres psql -c "CREATE USER scancodeio WITH CREATEDB ENCRYPTED PASSWORD 'scancodeio';"
+          sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 scancodeio
         fi
-        echo "SCANCODEIO_PIP_PACKAGE_ARG=${SCANCODEIO_PIP_PACKAGE_ARG}" >> "$GITHUB_ENV"
 
-    - name: Install ScanCode.io (only if not already installed)
-      if: env.SCANCODEIO_IS_INSTALLED != 'true'
+    - name: Write scanpipe wrapper script
       shell: bash
-      env:
-        INPUT_REPO_BRANCH: ${{ inputs.scancodeio-repo-branch }}
       run: |
-        if [ -z "$INPUT_REPO_BRANCH" ]; then
-          echo "Installing the latest ${SCANCODEIO_PIP_PACKAGE_ARG} release from PyPI"
-          pip install --upgrade "$SCANCODEIO_PIP_PACKAGE_ARG"
-        else
-          echo "Installing ${SCANCODEIO_PIP_PACKAGE_ARG} from the GitHub branch: $INPUT_REPO_BRANCH"
-          pip install "${SCANCODEIO_PIP_PACKAGE_ARG} @ git+https://github.com/aboutcode-org/scancode.io.git@${INPUT_REPO_BRANCH}"
-        fi
+        if [ -f "$RUNNER_TEMP/scanpipe" ]; then exit 0; fi
+        cat > "$RUNNER_TEMP/scanpipe" << 'EOF'
+        #!/usr/bin/env bash
+        set -euo pipefail
+        exec docker run --rm \
+          --network host \
+          --user "$(id -u):$(id -g)" \
+          --cap-drop ALL \
+          --security-opt no-new-privileges \
+          -e SECRET_KEY \
+          -e SCANCODEIO_WORKSPACE_LOCATION \
+          -e HOME=/workspace/.home \
+          -v "$GITHUB_WORKSPACE:/workspace" \
+          "$SCANCODEIO_IMAGE" \
+          scanpipe "$@"
+        EOF
+        chmod +x "$RUNNER_TEMP/scanpipe"
+        echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
 
     - name: Run migrations to prepare the database
-      if: env.SCANCODEIO_IS_INSTALLED != 'true'
       shell: bash
       run: scanpipe migrate --verbosity 0
 
@@ -130,6 +132,7 @@ runs:
         IFS=',' read -ra PIPELINES <<< "$INPUT_PIPELINES"
         PIPELINE_CLI_ARGS=""
         for pipeline in "${PIPELINES[@]}"; do
+          pipeline="$(echo "$pipeline" | tr -d '[:space:]')"
           PIPELINE_CLI_ARGS+=" --pipeline $pipeline"
         done
         echo "PIPELINE_CLI_ARGS=${PIPELINE_CLI_ARGS}" >> "$GITHUB_ENV"
@@ -164,8 +167,9 @@ runs:
         INPUT_PROJECT_NAME: ${{ inputs.project-name }}
       run: |
         project_status=$(scanpipe status --project "$INPUT_PROJECT_NAME")
-        work_directory=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+')
-        echo "PROJECT_WORK_DIRECTORY=$work_directory" >> "$GITHUB_ENV"
+        container_work_dir=$(echo "$project_status" | grep -oP 'Work directory:\s*\K[^\n]+')
+        host_work_dir="$GITHUB_WORKSPACE${container_work_dir#/workspace}"
+        echo "PROJECT_WORK_DIRECTORY=$host_work_dir" >> "$GITHUB_ENV"
 
     - name: Copy input files to project work directory
       if: ${{ !inputs.input-urls }}