suii2210 commented on issue #59625:
URL: https://github.com/apache/airflow/issues/59625#issuecomment-3703794524

   > > Hi! I’m interested in working on this. For hardened images, should we aim for XYZ base image? Are there specific guidelines we must follow?
   > 
   > Thank you for your will to help in this area! I assigned you to this task. Basically, it should be as simple as switching the base image in the Docker file to the [hardened version](https://hub.docker.com/hardened-images/catalog/dhi/debian-base) - see instructions in the link. Building this image requires logging in to Dockerhub using a Personal Access Token (PAT) before the build step. In the GitHub Actions, the step should be:
   > 
   >       - name: Login to Docker Hub
   >         uses: docker/login-action@v3
   >         with:
   >           registry: dhi.io
   >           username: ${{ vars.DOCKERHUB_USERNAME }}
   >           password: ${{ secrets.DOCKERHUB_PAT }}
   > 
   > I tested the above in another repository and it works - but it will be problematic for now to configure it in Airflow's CI/CD, because I cannot use my personal user for the credentials (and AFAIK, we currently don't have a user dedicated for ASF organization). Therefore, you could start by testing locally and see that nothing breaks in their image, and if it all works - create a documentation for instructing others how to make it work. In parallel I could try to get in touch with Airflow's infra. team to see if we could maybe arrange a Dockerhub user for using it in Airflow's CI/CD.
   
   Got it - I’ll start by testing the hardened base image locally (with Docker Hub PAT login) and validate that Airflow builds and runs correctly without regressions. Once that’s confirmed, I’ll prepare clear documentation covering local usage, authentication requirements, and any caveats.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
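
An added example, not part of the comment above or of the Airflow project's code: a local pre-build check that lists the base images a Dockerfile pulls and reports any that do not come from `dhi.io`, or for which no `docker login` is recorded in the Docker client config. The sample Dockerfile, the `BASE_IMAGE` argument, the `dhi.io/debian-base` repository path, the tag placeholder and the sample config are constructed assumptions.

```python
import json
import re

HARDENED_REGISTRY = "dhi.io"  # registry named in the quoted login step

def base_images(dockerfile_text):
    """External image references used by FROM lines, with global ARG defaults expanded."""
    args, stages, images, seen_from = {}, set(), [], False
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        m = re.match(r"(?i)ARG\s+(\w+)=(.+)$", line)
        if m and not seen_from:  # only ARGs before the first FROM apply to FROM lines
            args[m.group(1)] = m.group(2).strip("\"'")
            continue
        m = re.match(r"(?i)FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", line)
        if not m:
            continue
        seen_from = True
        ref = re.sub(r"\$\{?(\w+)\}?", lambda v: args.get(v.group(1), v.group(0)), m.group(1))
        if ref.lower() not in stages and ref != "scratch":  # skip earlier build stages
            images.append(ref)
        if m.group(2):
            stages.add(m.group(2).lower())
    return images

def registry_of(ref):
    """Registry host of an image reference (Docker's first-path-component rule)."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def preflight(dockerfile_text, docker_config_json):
    """Problems that would fail the build or leave a non-hardened base in use."""
    cfg = json.loads(docker_config_json)
    logged_in = set(cfg.get("auths", {})) | set(cfg.get("credHelpers", {}))
    problems = []
    for ref in base_images(dockerfile_text):
        reg = registry_of(ref)
        if reg != HARDENED_REGISTRY:
            problems.append(f"{ref}: not pulled from {HARDENED_REGISTRY}")
        elif reg not in logged_in:
            problems.append(f"{ref}: no login recorded for {reg}; run docker login {reg} first")
    return problems

# Constructed sample input (not Airflow's real Dockerfile or a real config).
SAMPLE_DOCKERFILE = '''ARG BASE_IMAGE="dhi.io/debian-base:TAG_PLACEHOLDER"
FROM python:3.12-slim AS build
FROM ${BASE_IMAGE} AS main
COPY --from=build /app /app
'''
SAMPLE_CONFIG = '{"auths": {"ghcr.io": {}}}'  # contents of ~/.docker/config.json
```

Calling `preflight(SAMPLE_DOCKERFILE, SAMPLE_CONFIG)` flags both the non-hardened build stage and the missing `dhi.io` login; the check reads only the client config and does not contact the registry.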
