Add Ubuntu-Slim image definition#13423
Pull request overview
This PR introduces a new Ubuntu-Slim image definition for GitHub Actions runners, providing a lightweight Docker-based alternative to the full Ubuntu images. The image is based on Ubuntu 24.04 and includes essential development tools, CLI utilities, and cloud provider SDKs while maintaining a minimal footprint suitable for containerized CI/CD workloads.
Key changes include:
- Complete image definition with Dockerfile, build scripts, helper utilities, and test suite
- Installation scripts for essential tools (Git, Node.js, Python, PowerShell, AWS/Azure/GCP CLIs)
- Documentation generation infrastructure and software report
- GitHub Actions workflow for automated testing
Reviewed changes
Copilot reviewed 42 out of 42 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| images/ubuntu-slim/ubuntu-slim-Readme.md | Software report documenting installed packages and versions |
| images/ubuntu-slim/toolsets/toolset.json | Configuration defining packages and tools to install |
| images/ubuntu-slim/test.sh | Test script to validate Docker image contents |
| images/ubuntu-slim/scripts/helpers/*.sh | Helper functions for OS detection, installation, environment management, and cleanup |
| images/ubuntu-slim/scripts/docs-gen/*.psm1 | PowerShell modules for generating software documentation |
| images/ubuntu-slim/scripts/build/*.sh | Installation scripts for individual software components |
| images/ubuntu-slim/Dockerfile | Docker image build definition |
| images/ubuntu-slim/generate-software-report.sh | Script to generate software report from built image |
| .github/workflows/docker-images.yml | CI workflow for testing Docker images |
| # ie MANPATH, INFOPATH, LD_*, etc. In the current implementation the values from /etc/evironments | ||
| # replace the values of the current environment | ||
| reload_etc_environment() { | ||
| # add `export ` to every variable of /etc/environemnt except PATH and eval the result shell script |
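Review bot: both header comments misspell the file name: `# ie MANPATH, INFOPATH, LD_*, etc. In the current implementation the values from /etc/evironments` should read `/etc/environment`, and `# add `export ` to every variable of /etc/environemnt except PATH` likewise. Because the helper evals the file's contents as a shell script, the comment should also state the trust assumption: /etc/environment must be writable only by root, otherwise any line a lower-privileged build step appends is executed by whoever next sources this helper.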
The comment at line 84 refers to "/etc/environemnt" but contains a typo. It should be "/etc/environment" (missing 'n' in environment).
| ## Desc: Install Node.js LTS and related tooling (Gulp, Grunt) | ||
| ################################################################################ | ||
|
|
||
| # Source the helpers for use with the script | ||
| source $HELPER_SCRIPTS/install.sh | ||
|
|
||
| # Install default Node.js |
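Review bot: `source $HELPER_SCRIPTS/install.sh` is unquoted and has no guard for an unset `HELPER_SCRIPTS`; prefer `source "${HELPER_SCRIPTS:?}/install.sh"` so the build fails loudly instead of trying to source `/install.sh`. The header `## Desc: Install Node.js LTS and related tooling (Gulp, Grunt)` also does not match the `# Install default Node.js` step that follows, which installs whatever the toolset marks as default rather than a fixed LTS line; make the header say which.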
The script installs Node.js version 24, but the README documents Node.js 24.12.0 as installed. Since this is marked as a slim image and Node 24 is still in active development (not LTS), consider documenting why Node 24 was chosen over the LTS version (Node 22), or update to use Node 22 for better stability in a production runner image.
| ## Desc: Install Node.js LTS and related tooling (Gulp, Grunt) | |
| ################################################################################ | |
| # Source the helpers for use with the script | |
| source $HELPER_SCRIPTS/install.sh | |
| # Install default Node.js | |
| ## Desc: Install Node.js LTS (currently Node.js 22) and related tooling (Gulp, Grunt) | |
| ################################################################################ | |
| # Source the helpers for use with the script | |
| source $HELPER_SCRIPTS/install.sh | |
| # Install Node.js LTS (Node.js 22) for better stability in production runner images. | |
| # If you need a different version, update the toolset file and document the reason. |
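Review bot: the suggested comment hard-codes `(currently Node.js 22)` while the version actually installed comes from the toolset (`default_version=$(get_toolset_value '.node.default')`), so the comment and toolset.json will drift apart on the next bump. Keep the comment version-neutral (for example "the LTS line pinned in toolset.json") and record the chosen version and the reason for it next to the value in the toolset, where it is read.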
| local variable_name=$1 | ||
| local variable_value=$2 | ||
|
|
||
| # modify /etc/environemnt in place by replacing a string that begins with variable_name |
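Review bot: same misspelling here: `# modify /etc/environemnt in place by replacing a string that begins with variable_name` should read `/etc/environment`. The comment also describes a prefix match on `variable_name`; anchor the match on `^${variable_name}=` so the in-place edit cannot also rewrite a different variable whose name merely starts with the same characters.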
The comment at line 29 refers to "modify /etc/environemnt" but contains a typo. It should be "modify /etc/environment" (missing 'n' in environment).
| echo "Creating the symlink for [now] command to vercel CLI" | ||
| ln -s /usr/local/bin/vercel /usr/local/bin/now |
The symlink to vercel is always created even when vercel may not be installed. This command will fail if vercel wasn't installed in the node_modules step above, since the toolset.json shows an empty node_modules array.
| echo "Creating the symlink for [now] command to vercel CLI" | |
| ln -s /usr/local/bin/vercel /usr/local/bin/now | |
| if [ -f /usr/local/bin/vercel ]; then | |
| echo "Creating the symlink for [now] command to vercel CLI" | |
| ln -s /usr/local/bin/vercel /usr/local/bin/now | |
| else | |
| echo "vercel CLI not found, skipping symlink for [now] command" | |
| fi |
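Review bot: `ln -s /usr/local/bin/vercel /usr/local/bin/now` still fails if `/usr/local/bin/now` already exists, for example when a layer re-runs this script; use `ln -sf`. The guard `[ -f /usr/local/bin/vercel ]` works for a regular file or a symlink to one, but `[ -x /usr/local/bin/vercel ]` states the actual intent (an executable command is present).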
| default_version=$(get_toolset_value '.node.default') | ||
|
|
||
| curl -fsSL https://raw.githubusercontent.com/tj/n/master/bin/n -o ~/n | ||
| sudo bash ~/n $default_version |
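Review bot: `sudo bash ~/n $default_version` leaves `$default_version` unquoted; quote it. Also confirm whether `sudo` is needed here at all: a Dockerfile RUN step already runs as root unless a USER instruction was set, and a slim base image should be checked for whether sudo is even installed before the build depends on it.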
Missing "sudo" prefix before bash command. Based on the pattern used in other Ubuntu images, this should be "sudo bash ~/n $default_version" to ensure the installation has the necessary permissions.
| sudo bash ~/n $default_version | |
| sudo sudo bash ~/n $default_version |
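Review bot: the original line `sudo bash ~/n $default_version` already carries the `sudo` prefix, so the suggested replacement `sudo sudo bash ~/n $default_version` only doubles it; this suggestion should be dropped rather than applied.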
| curl -fsSL https://raw.githubusercontent.com/tj/n/master/bin/n -o ~/n | ||
| sudo bash ~/n $default_version |
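Review bot: `curl -fsSL https://raw.githubusercontent.com/tj/n/master/bin/n -o ~/n` fetches from the moving `master` branch, so what `sudo bash ~/n` executes as root depends on the branch head at build time and is not reproducible between builds. Pin a tag or commit in the URL, compare the download against an expected sha256 before running it, and remove `~/n` afterwards so the installer is not left in the home directory of the built image.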
This script downloads the n Node.js version manager directly from https://raw.githubusercontent.com/tj/n/master/bin/n and executes it with sudo bash without any integrity verification. If the tj/n repository or the transport to GitHub is ever compromised, an attacker can run arbitrary code as root during image build and permanently backdoor the resulting image. Use a safer installation path (for example, a vendor-packaged binary or a versioned artifact validated via checksum/signature) instead of executing an unverified remote script.
| export NVM_DIR="/etc/skel/.nvm" | ||
| mkdir ${NVM_DIR} | ||
| nvm_version=$(curl -fsSL https://api.github.com/repos/nvm-sh/nvm/releases/latest | jq -r '.tag_name') | ||
| curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/$nvm_version/install.sh | bash |
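Review bot: `nvm_version=$(curl -fsSL https://api.github.com/repos/nvm-sh/nvm/releases/latest | jq -r '.tag_name')` has no failure handling: when the unauthenticated API call is rate-limited the body is a JSON error, `jq` yields `null`, and the next line requests `.../null/install.sh`; with `-f` curl fails and `bash` reads empty input, so the step silently installs nothing unless the script runs with errexit and pipefail. Pin the nvm tag in toolset.json instead of resolving "latest" at build time, download install.sh to a file, check its checksum, and only then execute it. `mkdir ${NVM_DIR}` should also be quoted.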
This script uses curl ... | bash to run install.sh from the nvm-sh/nvm GitHub repository as part of the image build, but never verifies the downloaded content. If the nvm-sh/nvm repo, a tag, or the network path is compromised, an attacker can execute arbitrary code as root at build time and persist a backdoor in all images built from this Dockerfile. Prefer installing nvm from a trusted, versioned artifact whose integrity is checked (e.g., checksum or signature) rather than executing an unverified remote script.
| GIT_LFS_REPO="https://packagecloud.io/install/repositories/github/git-lfs" | ||
|
|
||
| # Install git-lfs | ||
| curl -fsSL $GIT_LFS_REPO/script.deb.sh | bash |
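Review bot: `curl -fsSL $GIT_LFS_REPO/script.deb.sh | bash` executes a remote helper as root during the build. If that helper's only job is to configure an apt source and its signing key, do that step explicitly in the Dockerfile (write the source entry and the key file yourself, with the key fingerprint checked) and then `apt-get install git-lfs` from signed packages; also check whether the git-lfs package in the Ubuntu 24.04 archive is recent enough for a slim image, which would remove the third-party repository entirely. `$GIT_LFS_REPO` should be quoted as well.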
The Git LFS installer is fetched from https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh and piped directly into bash without any integrity or authenticity verification. A compromise of the Packagecloud repository or a successful MITM attack would allow arbitrary code execution as root during image build, leading to a persistent supply chain backdoor in the published image. Replace this pattern with a safer flow (for example, using signed packages or a script whose content is pinned and verified via checksum or signature before execution).
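The download-then-verify flow that the three comments above ask for (for the tj/n script, the nvm install.sh and the Packagecloud script.deb.sh), shown as an added bash example; it is not code from this PR or from runner-images. The function names (`sha256_of`, `verify_sha256`, `install_verified`, `fetch_verified`) and the digests used in the demo are assumptions: the demo hashes a constructed file, not a real release, and a real build would carry the publisher's digest for a tag pinned in toolset.json.

```bash
#!/usr/bin/env bash
# Added example: replace `curl ... | bash` with download, verify, then execute.
# Assumption: the build knows a pinned URL (tag or commit) and the publisher's
# sha256 for it ahead of time; nothing here is taken from the PR's scripts.
set -eu

# Print the sha256 hex digest of a file; works with coreutils, BSD shasum or openssl.
sha256_of() {
    local file=$1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$file" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$file" | awk '{print $1}'
    else
        openssl dgst -sha256 "$file" | awk '{print $NF}'
    fi
}

# Return 0 if the file matches the expected digest, 1 (with a message) otherwise.
verify_sha256() {
    local file=$1 expected=$2 actual
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
}

# Verify a staged download and only then place it at dest with mode 0755.
# A mismatch deletes the staged file so no later step can execute it by accident.
install_verified() {
    local staged=$1 expected=$2 dest=$3
    if ! verify_sha256 "$staged" "$expected"; then
        rm -f "$staged"
        return 1
    fi
    install -m 0755 "$staged" "$dest"
    rm -f "$staged"
}

# Pinned fetch plus verification. The URL must reference an immutable tag or
# commit (never a branch such as `master` or an API "latest" lookup), and the
# script is executed only after install_verified has accepted it.
fetch_verified() {
    local url=$1 expected=$2 dest=$3 staged
    staged=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$staged"
    install_verified "$staged" "$expected" "$dest"
}

# Demo on constructed input: a fake installer whose digest we treat as published.
demo() {
    local dir good_sha
    dir=$(mktemp -d)
    good_sha=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  # sha256 of "hello\n"
    printf 'hello\n' > "$dir/installer.sh"
    install_verified "$dir/installer.sh" "$good_sha" "$dir/installer" && echo "verified install: $dir/installer"
    printf 'hello\n# injected line\n' > "$dir/tampered.sh"
    if ! install_verified "$dir/tampered.sh" "$good_sha" "$dir/tampered"; then
        [ -e "$dir/tampered.sh" ] || echo "tampered artifact rejected and staged copy removed"
    fi
    rm -rf "$dir"
}
demo
```

Pinning means both a fixed URL and an expected digest checked before anything is executed; resolving `releases/latest` or a branch head at build time defeats the purpose even when a checksum is compared, because the attacker controls both. Where the publisher signs releases, verifying the signature over the checksum file adds authenticity on top of the integrity this check provides.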
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Add ubuntu-slim image definition
Description
Adding the new ubuntu-slim image.
Related issue:
#13340
Check list