This GitHub Action helps you to minify your container image, making it smaller and more secure. With this Action, you can reduce the size of your container image by up to **30x** _(and even more for compiled languages)_ without compromising its functionality.
## What does this Action do?
This GitHub Action uses [slimtoolkit/slim](https://github.com/slimtoolkit/slim) to minimize your container image. `slim` is an open-source tool that removes unnecessary files and libraries from your image, resulting in a smaller and more secure container.
Slim uses static and dynamic analysis techniques to identify the components of your image that are not needed at runtime. It also removes debug symbols, unused files, and libraries that are not required by your application, reducing the size of your image.
See [their README](https://github.com/slimtoolkit/slim#overview) for more information about how Slim works.
## Setup
To use this GitHub Action, you will need to have the [docker/login-action](https://github.com/docker/login-action) or [docker/build-push-action](https://github.com/docker/build-push-action) set up in your workflow as well. These actions will allow you to execute Docker commands needed for this action to run successfully.
## Usage
### Example
Create a workflow file in your repository and add these steps to your job:
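
A workflow matching the description below, as an added example rather than the project's own file. The secret names `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` and the pinned versions of the Docker actions are assumptions.

```yaml
# Added example steps (not the project's own workflow file).
# Assumptions: registry credentials are stored as the repository secrets
# DOCKERHUB_USERNAME / DOCKERHUB_TOKEN; the Docker action versions are
# illustrative pins.

# Log in so that the final push is authorized
- uses: docker/login-action@v3
  with:
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}

# Build the target image and keep it on the runner; do not push it yet
- uses: docker/build-push-action@v5
  with:
    load: true
    push: false
    tags: ${{ github.repository }}:latest

# Slim it! Creates <repository>:slim next to <repository>:latest
- uses: kitabisa/docker-slim-action@v1
  env:
    DSLIM_HTTP_PROBE: false
  with:
    target: ${{ github.repository }}:latest
    tag: "slim"
    # `overwrite` is left unset, so :latest remains the original image

# Push both tags; the image name is passed through env rather than
# interpolated into the shell command
- run: docker image push "${IMAGE}" --all-tags
  env:
    IMAGE: ${{ github.repository }}
```
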
In this example, the Action takes `${{ github.repository }}:latest` as the target, creates a slimmed version of that image tagged with the **slim** tag from the input (`${{ github.repository }}:slim`), and the images are then pushed to the registry.
> Enabling the `overwrite` option will result in the replacement of the target image (original) with its slimmed version, regardless of the `tag` input.

| Variable | Description |
| --- | --- |
| `DSLIM_REGISTRY_ACCOUNT` | Target registry account used when pulling images from private registries |
| `DSLIM_REGISTRY_SECRET` | Target registry secret used when pulling images from private registries |
| `DSLIM_PLOG` | Show image pull logs (default: false) |
| `DSLIM_COMPOSE_FILE` | Load container info from selected compose file(s) |
| `DSLIM_TARGET_COMPOSE_SVC` | Target service from compose file |
| `DSLIM_TARGET_COMPOSE_SVC_IMAGE` | Override the container image name and/or tag when targeting a compose service using the target-compose-svc parameter (format: tag_name or image_name:tag_name) |
| `DSLIM_COMPOSE_SVC_START_WAIT` | Number of seconds to wait before starting each compose service (default: 0) |
| `DSLIM_COMPOSE_SVC_NO_PORTS` | Do not publish ports for target service from compose file (default: false) |
| `DSLIM_DEP_INCLUDE_COMPOSE_SVC_ALL` | Do not start any compose services as target dependencies (default: false) |
| `DSLIM_DEP_INCLUDE_COMPOSE_SVC` | Include specific compose service as a target dependency (only selected services will be started) |
| `DSLIM_DEP_EXCLUDE_COMPOSE_SVC` | Exclude specific service from the compose services that will be started as target dependencies |
| `DSLIM_DEP_INCLUDE_COMPOSE_SVC_DEPS` | Include all dependencies for the selected compose service (excluding the service itself) as target dependencies |
| `DSLIM_DEP_INCLUDE_TARGET_COMPOSE_SVC_DEPS` | Include all dependencies for the target compose service (excluding the service itself) as target dependencies (default: false) |
| `DSLIM_COMPOSE_NET` | Attach target to the selected compose network(s) otherwise all networks will be attached |
| `DSLIM_COMPOSE_ENV_NOHOST` | Don't include the env vars from the host to compose (default: false) |
| `DSLIM_COMPOSE_ENV_FILE` | Load compose env vars from file (host env vars override the values loaded from this file) |
| `DSLIM_COMPOSE_PROJECT_NAME` | Use custom project name for compose |
| `DSLIM_COMPOSE_WORKDIR` | Set custom work directory for compose |
| `DSLIM_CONTAINER_PROBE_COMPOSE_SVC` | Container test/probe service from compose file |
| `DSLIM_HOST_EXEC_FILE` | Host commands to execute loaded from file (aka host commands probes) |
| `DSLIM_TARGET_KUBE_WORKLOAD` | [Experimental] Target Kubernetes workload from the manifests (if provided) or in the default kubeconfig cluster (format: `<resource>/<name>`, e.g., `deployments/foobar`) |
| `DSLIM_TARGET_KUBE_WORKLOAD_NAMESPACE` | [Experimental] Target Kubernetes workload namespace (if not set, the value from the manifest is used if provided, otherwise - "default") |
| `DSLIM_TARGET_KUBE_WORKLOAD_CONTAINER` | [Experimental] Target container in the Kubernetes workload's pod template spec |
| `DSLIM_TARGET_KUBE_WORKLOAD_IMAGE` | [Experimental] Override the container image name and/or tag when targeting a Kubernetes workload (format: tag_name or image_name:tag_name) |
| `DSLIM_KUBE_MANIFEST_FILE` | [Experimental] Kubernetes manifest(s) to apply before run |
| `DSLIM_KUBE_KUBECONFIG_FILE, $KUBECONFIG` | [Experimental] Path to the kubeconfig file (default: "/home/dw1/.kube/config") |
| `DSLIM_PUBLISH_PORT` | Map container port to host port (format => port \| hostPort:containerPort \| hostIP:hostPort:containerPort \| hostIP::containerPort ) |
| `DSLIM_PUBLISH_EXPOSED` | Map all exposed ports to the same host ports (default: false) |
| `DSLIM_RUN_TAS_USER` | Run target app as USER (default: true) |
| `DSLIM_SHOW_CLOGS` | Show container logs (default: false) |
| `DSLIM_SHOW_BLOGS` | Show image build logs (default: false) |
| `DSLIM_CP_META_ARTIFACTS` | Copy metadata artifacts to the selected location when command is done |
| `DSLIM_RM_FILE_ARTIFACTS` | Remove file artifacts when command is done (default: false) |
| `DSLIM_RC_EXE` | A shell script snippet to run via Docker exec |
| `DSLIM_RC_EXE_FILE` | A shell script file to run via Docker exec |
| `DSLIM_TARGET_TAG` | Custom tags for the generated image |
| `DSLIM_TARGET_OVERRIDES` | Save runtime overrides in generated image (value is 'all' or a comma-delimited list of override types: 'entrypoint', 'cmd', 'workdir', 'env', 'expose', 'volume', 'label') |
| `DSLIM_CRO_RUNTIME` | Runtime to use with the created containers |
| `DSLIM_CRO_HOST_CONFIG_FILE` | Base Docker host configuration file (JSON format) to use when running the container |
| `DSLIM_CRO_SYSCTL` | Set namespaced kernel parameters in the created container |
| `DSLIM_CRO_SHM_SIZE` | Shared memory size for /dev/shm in the created container (default: -1) |
| `DSLIM_RC_USER` | Override USER analyzing image at runtime |
| `DSLIM_RC_ENTRYPOINT` | Override ENTRYPOINT analyzing image at runtime. To persist ENTRYPOINT changes in the output image, pass the --image-overrides=entrypoint or --image-overrides=all flag as well. |
| `DSLIM_RC_CMD` | Override CMD analyzing image at runtime. To persist CMD changes in the output image, pass the --image-overrides=cmd or --image-overrides=all flag as well. |
| `DSLIM_RC_WORKDIR` | Override WORKDIR analyzing image at runtime. To persist WORKDIR changes in the output image, pass the --image-overrides=workdir or --image-overrides=all flag as well. |
| `DSLIM_RC_ENV` | Override or add ENV only during runtime. To persist ENV additions or changes in the output image, pass the --image-overrides=env or --image-overrides=all flag as well. |
| `DSLIM_RC_LABEL` | Override or add LABEL analyzing image at runtime. To persist LABEL additions or changes in the output image, pass the --image-overrides=label or --image-overrides=all flag as well. |
| `DSLIM_RC_VOLUME` | Add VOLUME analyzing image at runtime. To persist VOLUME additions in the output image, pass the --image-overrides=volume or --image-overrides=all flag as well. |
| `DSLIM_RC_LINK` | Add link to another container analyzing image at runtime |
| `DSLIM_RC_ETC_HOSTS_MAP` | Add a host to IP mapping to /etc/hosts analyzing image at runtime |
| `DSLIM_RC_DNS` | Add a dns server analyzing image at runtime |
| `DSLIM_RC_DNS_SEARCH` | Add a dns search domain for unqualified hostnames analyzing image at runtime |
| `DSLIM_RC_EXPOSE` | Use additional EXPOSE instructions analyzing image at runtime. To persist EXPOSE additions in the output image, pass the --image-overrides=expose or --image-overrides=all flag as well. |
| `DSLIM_EXCLUDE_PATTERN` | Exclude path pattern (Glob/Match in Go and **) from image |
| `DSLIM_PRESERVE_PATH` | Keep path from original image in its initial state (changes to the selected container image files when it runs will be discarded) |
| `DSLIM_PRESERVE_PATH_FILE` | File with paths to keep from original image in their original state (changes to the selected container image files when it runs will be discarded) |
| `DSLIM_INCLUDE_PATH` | Keep path from original image |
| `DSLIM_INCLUDE_PATH_FILE` | File with paths to keep from original image |
| `DSLIM_INCLUDE_BIN` | Keep binary from original image (executable or shared object using its absolute path) |
| `DSLIM_INCLUDE_BIN_FILE` | File with shared binary file names to include from image |
| `DSLIM_INCLUDE_EXE_FILE` | File with executable file names to include from image |
| `DSLIM_INCLUDE_EXE` | Keep executable from original image (by executable name) |
> Please note that disabling HTTP probing (either by setting **`DSLIM_HTTP_PROBE_OFF`** to **`true`** or **`DSLIM_HTTP_PROBE`** to **`false`**) effectively modifies the behavior of the continue mode: if the **`DSLIM_CONTINUE_AFTER`** value is undefined, a timeout of **1** second is imposed. This adjustment occurs because, by default, when HTTP probes are disabled, Slim's behavior switches to '**enter**' mode, and there is no way to interact with the temporary container created by Slim within the GitHub Action runner.
To view the report results generated by the Slim build command, you can access the `report` property (`Object`) of the `steps` outputs context. Here's an example of how to access it: `${{ steps.<id>.outputs.report }}`.
```yaml
# Slim it!
- uses: kitabisa/docker-slim-action@v1
  id: slim
  env:
    DSLIM_HTTP_PROBE: false
  with:
    target: ${{ github.repository }}:latest

# Dump the report
- run: echo "${REPORT}"
  env:
    REPORT: ${{ steps.slim.outputs.report }}
```
## License
The associated scripts and documentation in this project are released under the MIT License.