From 5ca375a97e02f36160dd6a763cb205e0839ac959 Mon Sep 17 00:00:00 2001
From: Michael Kriese <michael.kriese@visualon.de>
Date: Wed, 17 Jan 2024 10:24:28 +0100
Subject: [PATCH] build: build renovate docker images on release (#26108)

Co-authored-by: Sebastian Poxhofer <secustor@users.noreply.github.com>
---
 .../{release-npm.yml => release.yml}          |  55 ++++++-
 .github/workflows/trivy.yml                   |  37 +++++
 renovate.json                                 |  11 ++
 tools/docker/Dockerfile                       |  49 +++++++
 tools/docker/bake.hcl                         | 137 ++++++++++++++++++
 tools/docker/bin/docker-entrypoint.sh         |  18 +++
 6 files changed, 306 insertions(+), 1 deletion(-)
 rename .github/workflows/{release-npm.yml => release.yml} (53%)
 create mode 100644 .github/workflows/trivy.yml
 create mode 100644 tools/docker/Dockerfile
 create mode 100644 tools/docker/bake.hcl
 create mode 100755 tools/docker/bin/docker-entrypoint.sh

diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release.yml
similarity index 53%
rename from .github/workflows/release-npm.yml
rename to .github/workflows/release.yml
index 675102e557..e809654ed4 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: release-npm
+name: release
 
 on:
   repository_dispatch:
@@ -22,6 +22,12 @@ env:
   GIT_SHA: ${{ github.event.client_payload.sha }}
   NPM_VERSION: ${{ github.event.client_payload.version }}
   NPM_TAG: ${{ github.event.client_payload.tag }}
+  RENOVATE_VERSION: ${{ github.event.client_payload.version }}
+  BUILDKIT_PROGRESS: plain
+  BUILDX_NO_DEFAULT_LOAD: 1
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
+  OWNER: ${{ github.repository_owner }}
+  FILE: renovate
 
 permissions:
   contents: read
@@ -42,6 +48,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ env.GIT_SHA }}
+          show-progress: false
 
       - name: Enable corepack
         shell: bash
@@ -81,3 +88,49 @@ jobs:
           git checkout -- .npmrc
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  release-docker:
+    runs-on: ubuntu-latest
+    needs:
+      - release-npm
+
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Prepare env
+        run: |
+          if [[ "${{github.event_name}}" == "workflow_dispatch" ]]; then
+            echo "GIT_SHA=${{ github.event.inputs.sha }}" >> "$GITHUB_ENV"
+            echo "RENOVATE_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV"
+          fi
+          echo "OWNER=${OWNER,,}" >> ${GITHUB_ENV}
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ env.GIT_SHA }}
+          show-progress: false
+
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Docker registry login
+        run: |
+          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+
+      - name: Build docker images ${{ env.RENOVATE_VERSION }}
+        run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build
+
+      - name: Publish docker images ${{ env.RENOVATE_VERSION }}
+        if: false
+        run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push
+
+      - name: Sign images
+        if: false
+        run: |
+          cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
+          cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
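Review bot: The `Prepare env` step interpolates `github.event.inputs.sha` and `github.event.inputs.version` straight into the `run:` script, so a dispatch input containing a quote, `$(…)` or a newline can execute commands or append arbitrary variables to `$GITHUB_ENV`; pass them through a step-level `env:` map (`env: { INPUT_SHA: ${{ github.event.inputs.sha }}, INPUT_VERSION: ${{ github.event.inputs.version }} }`) and write `"$INPUT_SHA"` / `"$INPUT_VERSION"` inside the script. The `workflow_dispatch` trigger and its input definitions are outside this hunk, so whether they are constrained upstream cannot be confirmed here. Separately, the (currently `if: false`) `Sign images` step signs by tag; cosign resolves the tag at signing time, so signing the digests bake records with `--metadata-file` would bind each signature to the bytes just pushed rather than to a mutable reference. The hand-rolled `docker login` lines would also be safer via `docker/login-action`, which keeps the username and password out of the script text entirely.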
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..fdbecae398
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,37 @@
+name: trivy
+
+on:
+  # schedule:
+  #   - cron: '59 11 * * *'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    strategy:
+      matrix:
+        tag:
+          - latest
+          - full
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          show-progress: false
+
+      - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
+        with:
+          image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: trivy-results.sarif
+          category: 'docker-image-${{ matrix.tag }}'
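Review bot: The `schedule` trigger is commented out with no explanation, leaving the scan manual-only; add a comment above it such as `# schedule disabled until the images built by release.yml are published; run via workflow_dispatch for now` (the reason is inferred from the disabled push step in release.yml — confirm). The scan targets the mutable tags `latest` and `full` rather than digests, so each result reflects whatever the tag resolves to at run time, which is fine for a drift scan but worth stating in the same comment. `exit-code` appears to be left at the action's default, so the job never fails on findings; that is reasonable for a code-scanning upload but should be a deliberate, documented choice.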
diff --git a/renovate.json b/renovate.json
index ce892e0822..c6474fec80 100644
--- a/renovate.json
+++ b/renovate.json
@@ -28,6 +28,17 @@
     {
       "matchFileNames": ["**/__fixtures__/**"],
       "enabled": false
+    },
+    {
+      "description": "set fix scope for base image",
+      "matchDepNames": ["ghcr.io/renovatebot/base-image"],
+      "semanticCommitType": "fix"
+    },
+    {
+      "description": "set feat scope for base image major",
+      "matchDepNames": ["ghcr.io/renovatebot/base-image"],
+      "matchUpdateTypes": ["major", "minor"],
+      "semanticCommitType": "feat"
     }
   ],
   "customManagers": [
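Review bot: The second rule's description, `set feat scope for base image major`, does not match its `matchUpdateTypes` of `["major", "minor"]`; change it to `"description": "set feat scope for base image major and minor updates"` (or drop `minor` if only majors should be `feat`). Because both rules match the same dep name and later package rules override earlier ones, the first rule effectively applies only to the remaining update types (patch, digest, pin), so describing it as `set fix scope for base image patch/digest updates` would make the intent explicit.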
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
new file mode 100644
index 0000000000..bf867badda
--- /dev/null
+++ b/tools/docker/Dockerfile
@@ -0,0 +1,49 @@
+ARG RENOVATE_VERSION
+ARG BASE_IMAGE_TYPE=slim
+
+# --------------------------------------
+# slim image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.13.2@sha256:7a8653bf454e04f3401bf8058e2d23e9c4c6183b91ccfb789970cc48204216cd AS slim-base
+
+# --------------------------------------
+# full image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.13.2-full@sha256:49f0db2a4ea1113cb519a340afbefb6d9b9b1b5493c0adf2ba5bed29102fb647 AS full-base
+
+# --------------------------------------
+# final image
+# --------------------------------------
+FROM ${BASE_IMAGE_TYPE}-base
+
+LABEL name="renovate"
+LABEL org.opencontainers.image.source="https://github.com/renovatebot/renovate" \
+  org.opencontainers.image.url="https://renovatebot.com" \
+  org.opencontainers.image.licenses="AGPL-3.0-only"
+
+
+WORKDIR /usr/src/app
+
+ENV RENOVATE_X_IGNORE_NODE_WARN=true
+
+COPY bin/ /usr/local/bin/
+CMD ["renovate"]
+
+ARG RENOVATE_VERSION
+RUN install-tool renovate
+
+# Compabillity, so `config.js` can access renovate and deps
+RUN ln -sf /opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules ./node_modules;
+
+RUN set -ex; \
+  renovate --version; \
+  renovate-config-validator; \
+  node -e "new require('re2')('.*').exec('test')"; \
+  true
+
+LABEL \
+  org.opencontainers.image.version="${RENOVATE_VERSION}" \
+  org.label-schema.version="${RENOVATE_VERSION}"
+
+# Numeric user ID for the ubuntu user. Used to indicate a non-root user to OpenShift
+USER 1000
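Review bot: `bin/docker-entrypoint.sh` is copied into `/usr/local/bin` but the Dockerfile never declares an `ENTRYPOINT`, so unless the pinned base image already sets `ENTRYPOINT ["docker-entrypoint.sh"]` the script is dead code and `CMD ["renovate"]` runs without it; either add `ENTRYPOINT ["docker-entrypoint.sh"]` before `CMD` or add a comment stating that the base image provides the entrypoint. The bake file passes `GITHUB_TOKEN` as a build arg that this Dockerfile does not declare; if an `ARG GITHUB_TOKEN` is ever added here the value is recorded in the image history, so it should be consumed through a BuildKit secret mount instead. A short comment above the final `RUN set -ex` block, `# smoke test: CLI starts, config validator loads, and the native re2 binding works`, would explain why the build exercises those three commands.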
diff --git a/tools/docker/bake.hcl b/tools/docker/bake.hcl
new file mode 100644
index 0000000000..6b8329ab97
--- /dev/null
+++ b/tools/docker/bake.hcl
@@ -0,0 +1,137 @@
+variable "OWNER" {
+  default = "renovatebot"
+}
+variable "FILE" {
+  default = "renovate"
+}
+variable "TAG" {
+  default = "latest"
+}
+variable "RENOVATE_VERSION" {
+  default = "unknown"
+}
+
+variable "APT_HTTP_PROXY" {
+  default = ""
+}
+
+variable "CONTAINERBASE_DEBUG" {
+  default = ""
+}
+
+variable "GITHUB_TOKEN" {
+  default = ""
+}
+
+group "default" {
+  targets = [
+    "build",
+  ]
+}
+
+group "build" {
+  targets = [
+    "build-slim",
+    "build-full",
+  ]
+}
+
+group "push" {
+  targets = [
+    "push-slim",
+    "push-full",
+    "push-cache-slim",
+    "push-cache-full",
+  ]
+}
+
+target "settings" {
+  context = "tools/docker"
+  args = {
+    APT_HTTP_PROXY      = "${APT_HTTP_PROXY}"
+    CONTAINERBASE_DEBUG = "${CONTAINERBASE_DEBUG}"
+    RENOVATE_VERSION    = "${RENOVATE_VERSION}"
+    GITHUB_TOKEN        = "${GITHUB_TOKEN}"
+  }
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+  ]
+}
+
+target "slim" {
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+    "${FILE}/${FILE}",
+    "${FILE}/${FILE}:${TAG}",
+  ]
+}
+
+target "full" {
+  args = {
+    BASE_IMAGE_TYPE = "full"
+  }
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+  ]
+   tags = [
+    "ghcr.io/${OWNER}/${FILE}:full",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}-full",
+    "${FILE}/${FILE}:full",
+    "${FILE}/${FILE}:${TAG}-full",
+  ]
+}
+
+target "cache" {
+  output   = ["type=registry"]
+  cache-to = ["type=inline,mode=max"]
+}
+
+target "push-cache-slim" {
+  inherits = [
+    "settings",
+    "cache",
+    "slim",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+  ]
+}
+
+target "push-cache-full" {
+  inherits = [
+    "settings",
+    "cache",
+    "full",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+  ]
+}
+
+target "build-slim" {
+  inherits = ["settings", "slim"]
+}
+
+target "build-full" {
+  inherits = ["settings", "full"]
+
+}
+
+target "push-slim" {
+  inherits = ["settings", "slim"]
+  output   = ["type=registry"]
+}
+
+target "push-full" {
+  inherits = ["settings", "full"]
+  output   = ["type=registry"]
+}
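Review bot: `GITHUB_TOKEN` (and `APT_HTTP_PROXY`) are passed in the `settings` target's `args`, i.e. as `--build-arg`; any build arg consumed by an `ARG` in the Dockerfile is persisted in the image config history and is visible via `docker history`, so a token should be passed as a BuildKit secret — `secret = ["id=GITHUB_TOKEN,env=GITHUB_TOKEN"]` on the target and `RUN --mount=type=secret,id=GITHUB_TOKEN` where it is used. The Dockerfile in this patch declares no `ARG GITHUB_TOKEN`, so nothing leaks today, but the wiring invites it. `cache-to = ["type=inline,mode=max"]` is also questionable: per the BuildKit docs the inline exporter only supports min mode, so `mode=max` is silently ignored and a `type=registry,mode=max` cache is the way to get full-cache exports — verify against the BuildKit version in use. Minor style: `tags` in the `full` target is indented three spaces, unlike the rest of the file.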
diff --git a/tools/docker/bin/docker-entrypoint.sh b/tools/docker/bin/docker-entrypoint.sh
new file mode 100755
index 0000000000..8d06f1fdb2
--- /dev/null
+++ b/tools/docker/bin/docker-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ -f "/usr/local/etc/env" && -z "${CONTAINERBASE_ENV+x}" ]]; then
+    # shellcheck source=/dev/null
+  . /usr/local/etc/env
+fi
+
+if [[ "${1:0:1}" = '-' ]]; then
+  # assume $1 is renovate flag
+  set -- renovate "$@"
+fi
+
+if [[ ! -x "$(command -v "${1}")" ]]; then
+  # assume $1 is a repo
+  set -- renovate "$@"
+fi
+
+exec dumb-init -- "$@"
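Review bot: The two dispatch heuristics are undocumented and the `# shellcheck source=/dev/null` directive is indented two spaces deeper than the line it annotates; add a header comment such as `# Entrypoint: source the containerbase env unless CONTAINERBASE_ENV is set, then treat a leading '-' or a non-executable first argument as arguments to renovate; everything runs under dumb-init` and align the directive with the `. /usr/local/etc/env` line. The second heuristic relies on `command -v "$1"`, so a first argument containing a slash (an `owner/repo` name) is checked as a filesystem path relative to the working directory; that is harmless unless such an executable happens to exist there, and a comment noting the assumption would help the next reader. The script runs without `set -u`, which is acceptable because `$1` is only accessed through parameter expansion, but worth stating alongside the header.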
-- 
GitLab