From 5ca375a97e02f36160dd6a763cb205e0839ac959 Mon Sep 17 00:00:00 2001 From: Michael Kriese Date: Wed, 17 Jan 2024 10:24:28 +0100 Subject: [PATCH] build: build renovate docker images on release (#26108) Co-authored-by: Sebastian Poxhofer --- .../{release-npm.yml => release.yml} | 55 ++++++- .github/workflows/trivy.yml | 37 +++++ renovate.json | 11 ++ tools/docker/Dockerfile | 49 +++++++ tools/docker/bake.hcl | 137 ++++++++++++++++++ tools/docker/bin/docker-entrypoint.sh | 18 +++ 6 files changed, 306 insertions(+), 1 deletion(-) rename .github/workflows/{release-npm.yml => release.yml} (53%) create mode 100644 .github/workflows/trivy.yml create mode 100644 tools/docker/Dockerfile create mode 100644 tools/docker/bake.hcl create mode 100755 tools/docker/bin/docker-entrypoint.sh diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release.yml similarity index 53% rename from .github/workflows/release-npm.yml rename to .github/workflows/release.yml index 675102e557102c..e809654ed44fb4 100644 --- a/.github/workflows/release-npm.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: release-npm +name: release on: repository_dispatch: @@ -22,6 +22,12 @@ env: GIT_SHA: ${{ github.event.client_payload.sha }} NPM_VERSION: ${{ github.event.client_payload.version }} NPM_TAG: ${{ github.event.client_payload.tag }} + RENOVATE_VERSION: ${{ github.event.client_payload.version }} + BUILDKIT_PROGRESS: plain + BUILDX_NO_DEFAULT_LOAD: 1 + DOCKER_PLATFORMS: linux/amd64,linux/arm64 + OWNER: ${{ github.repository_owner }} + FILE: renovate permissions: contents: read @@ -42,6 +48,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ env.GIT_SHA }} + show-progress: false - name: Enable corepack shell: bash 
@@ -81,3 +88,49 @@ jobs: git checkout -- .npmrc env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + + release-docker: + runs-on: ubuntu-latest + needs: + - release-npm + + permissions: + contents: read + id-token: write + packages: write + + steps: + - name: Prepare env + run: | + if [[ "${{github.event_name}}" == "workflow_dispatch" ]]; then + echo "GIT_SHA=${{ github.event.inputs.sha }}" >> "$GITHUB_ENV" + echo "RENOVATE_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV" + fi + echo "OWNER=${OWNER,,}" >> ${GITHUB_ENV} + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.GIT_SHA }} + show-progress: false + + - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 + + - name: Docker registry login + run: | + echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin + + - name: Build docker images ${{ env.RENOVATE_VERSION }} + run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build + + - name: Publish docker images ${{ env.RENOVATE_VERSION }} + if: false + run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push + + - name: Sign images + if: false + run: | + cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }} + cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full + cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }} + cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000000000..fdbecae398e3b3 --- /dev/null +++ b/.github/workflows/trivy.yml 
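Review bot: The `Prepare env` step interpolates `${{ github.event.inputs.sha }}` and `${{ github.event.inputs.version }}` straight into the shell script, and `Sign images` does the same with `${{ env.OWNER }}`, `${{ env.FILE }}` and `${{ env.RENOVATE_VERSION }}`; any of those values containing shell metacharacters becomes part of the script rather than data. The `workflow_dispatch` inputs need write access to trigger, so exposure is limited, but the usual hardening is to bind the expressions to step `env:` and reference them as quoted shell variables (`OWNER`, `FILE` and `RENOVATE_VERSION` are already workflow env, so `"$OWNER"` works directly). Separately, the (currently `if: false`) `cosign sign` lines sign mutable `:${RENOVATE_VERSION}` tags; before enabling them, sign the digest returned by the push (`ghcr.io/${OWNER}/${FILE}@sha256:…`) so the signature cannot drift with the tag. The `release-npm` job this job `needs` is defined outside the hunk.
```yaml
      - name: Prepare env
        env:
          INPUT_SHA: ${{ github.event.inputs.sha }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
            echo "GIT_SHA=${INPUT_SHA}" >> "$GITHUB_ENV"
            echo "RENOVATE_VERSION=${INPUT_VERSION}" >> "$GITHUB_ENV"
          fi
          echo "OWNER=${OWNER,,}" >> "$GITHUB_ENV"
      # … unchanged: checkout, cosign-installer, registry login, build and publish steps …
      - name: Sign images
        if: false
        run: |
          cosign sign --yes "ghcr.io/${OWNER}/${FILE}:${RENOVATE_VERSION}"
          cosign sign --yes "ghcr.io/${OWNER}/${FILE}:${RENOVATE_VERSION}-full"
          cosign sign --yes "${FILE}/${FILE}:${RENOVATE_VERSION}"
          cosign sign --yes "${FILE}/${FILE}:${RENOVATE_VERSION}-full"
```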
@@ -0,0 +1,37 @@ +name: trivy + +on: + # schedule: + # - cron: '59 11 * * *' + workflow_dispatch: + +permissions: {} + +jobs: + trivy: + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + + strategy: + matrix: + tag: + - latest + - full + + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + show-progress: false + + - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0 + with: + image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }} + format: 'sarif' + output: 'trivy-results.sarif' + + - uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + sarif_file: trivy-results.sarif + category: 'docker-image-${{ matrix.tag }}' diff --git a/renovate.json b/renovate.json index ce892e08223894..c6474fec80068a 100644 --- a/renovate.json +++ b/renovate.json @@ -28,6 +28,17 @@ { "matchFileNames": ["**/__fixtures__/**"], "enabled": false + }, + { + "description": "set fix scope for base image", + "matchDepNames": ["ghcr.io/renovatebot/base-image"], + "semanticCommitType": "fix" + }, + { + "description": "set feat scope for base image major", + "matchDepNames": ["ghcr.io/renovatebot/base-image"], + "matchUpdateTypes": ["major", "minor"], + "semanticCommitType": "feat" } ], "customManagers": [ diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile new file mode 100644 index 00000000000000..bf867badda6937 --- /dev/null +++ b/tools/docker/Dockerfile 
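Review bot: With the `schedule` cron commented out and only `workflow_dispatch` left, this scan never runs on its own, and nothing says why or when the cron should come back; a comment such as `# TODO: re-enable the daily cron once images are published (release-docker's push step is still gated by if: false)` would keep that intent visible. `image-ref` also points at the mutable `latest`/`full` tags of the hard-coded `ghcr.io/renovatebot/renovate`, so a run reports on whatever those tags resolve to at scan time rather than on a specific release, and forks will scan the upstream image instead of their own. The distinct `category` per matrix tag is right, since it keeps the two SARIF uploads from overwriting each other.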
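Review bot: The second new rule's `description` says "major" but its `matchUpdateTypes` is `["major", "minor"]`, so the text understates what the rule does; `"description": "set feat scope for base image major and minor updates"` matches the behaviour. The overlap with the first rule works because later `packageRules` entries win for the updates they match, so `fix` stays for patch and digest updates and `feat` applies to major and minor; a one-line note to that effect on the first rule would save the next reader working it out.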
@@ -0,0 +1,49 @@ +ARG RENOVATE_VERSION +ARG BASE_IMAGE_TYPE=slim + +# -------------------------------------- +# slim image +# -------------------------------------- +FROM ghcr.io/renovatebot/base-image:1.13.2@sha256:7a8653bf454e04f3401bf8058e2d23e9c4c6183b91ccfb789970cc48204216cd AS slim-base + +# -------------------------------------- +# full image +# -------------------------------------- +FROM ghcr.io/renovatebot/base-image:1.13.2-full@sha256:49f0db2a4ea1113cb519a340afbefb6d9b9b1b5493c0adf2ba5bed29102fb647 AS full-base + +# -------------------------------------- +# final image +# -------------------------------------- +FROM ${BASE_IMAGE_TYPE}-base + +LABEL name="renovate" +LABEL org.opencontainers.image.source="https://github.com/renovatebot/renovate" \ + org.opencontainers.image.url="https://renovatebot.com" \ + org.opencontainers.image.licenses="AGPL-3.0-only" + + +WORKDIR /usr/src/app + +ENV RENOVATE_X_IGNORE_NODE_WARN=true + +COPY bin/ /usr/local/bin/ +CMD ["renovate"] + +ARG RENOVATE_VERSION +RUN install-tool renovate + +# Compabillity, so `config.js` can access renovate and deps +RUN ln -sf /opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules ./node_modules; + +RUN set -ex; \ + renovate --version; \ + renovate-config-validator; \ + node -e "new require('re2')('.*').exec('test')"; \ + true + +LABEL \ + org.opencontainers.image.version="${RENOVATE_VERSION}" \ + org.label-schema.version="${RENOVATE_VERSION}" + +# Numeric user ID for the ubuntu user. Used to indicate a non-root user to OpenShift +USER 1000 diff --git a/tools/docker/bake.hcl b/tools/docker/bake.hcl new file mode 100644 index 00000000000000..6b8329ab97bd0e --- /dev/null +++ b/tools/docker/bake.hcl 
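Review bot: `ARG RENOVATE_VERSION` has no default and nothing validates it before `RUN install-tool renovate` and the `ln -sf` line, and `ln -sf` does not check that its target exists, so a missing or mistyped version leaves a dangling `./node_modules` link that the following `renovate --version` check does not exercise. A guard on the link line, `RUN test -d "/opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules" && ln -sf "/opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules" ./node_modules`, fails the build instead. The comment above it has a typo, `Compabillity` → `Compatibility`. The file copies `bin/` (the entrypoint script) into `/usr/local/bin/` but sets only `CMD ["renovate"]`; presumably the base image's `ENTRYPOINT` invokes `docker-entrypoint.sh`, which deserves a one-line comment since it is not visible here. Pinning both base images by digest and dropping to `USER 1000` are good.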
@@ -0,0 +1,137 @@ +variable "OWNER" { + default = "renovatebot" +} +variable "FILE" { + default = "renovate" +} +variable "TAG" { + default = "latest" +} +variable "RENOVATE_VERSION" { + default = "unknown" +} + +variable "APT_HTTP_PROXY" { + default = "" +} + +variable "CONTAINERBASE_DEBUG" { + default = "" +} + +variable "GITHUB_TOKEN" { + default = "" +} + +group "default" { + targets = [ + "build", + ] +} + +group "build" { + targets = [ + "build-slim", + "build-full", + ] +} + +group "push" { + targets = [ + "push-slim", + "push-full", + "push-cache-slim", + "push-cache-full", + ] +} + +target "settings" { + context = "tools/docker" + args = { + APT_HTTP_PROXY = "${APT_HTTP_PROXY}" + CONTAINERBASE_DEBUG = "${CONTAINERBASE_DEBUG}" + RENOVATE_VERSION = "${RENOVATE_VERSION}" + GITHUB_TOKEN = "${GITHUB_TOKEN}" + } + tags = [ + "ghcr.io/${OWNER}/${FILE}", + "ghcr.io/${OWNER}/${FILE}:${TAG}", + ] +} + +target "slim" { + cache-from = [ + "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}", + "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}", + ] + tags = [ + "ghcr.io/${OWNER}/${FILE}", + "ghcr.io/${OWNER}/${FILE}:${TAG}", + "${FILE}/${FILE}", + "${FILE}/${FILE}:${TAG}", + ] +} + +target "full" { + args = { + BASE_IMAGE_TYPE = "full" + } + cache-from = [ + "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-full", + "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full", + ] + tags = [ + "ghcr.io/${OWNER}/${FILE}:full", + "ghcr.io/${OWNER}/${FILE}:${TAG}-full", + "${FILE}/${FILE}:full", + "${FILE}/${FILE}:${TAG}-full", + ] +} + +target "cache" { + output = ["type=registry"] + cache-to = ["type=inline,mode=max"] +} + +target "push-cache-slim" { + inherits = [ + "settings", + "cache", + "slim", + ] + tags = [ + "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}", + "ghcr.io/${OWNER}/docker-build-cache:${FILE}", + ] +} + +target "push-cache-full" { + inherits = [ + "settings", + "cache", + "full", + ] + 
tags = [ + "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full", + "ghcr.io/${OWNER}/docker-build-cache:${FILE}-full", + ] +} + +target "build-slim" { + inherits = ["settings", "slim"] +} + +target "build-full" { + inherits = ["settings", "full"] + +} + +target "push-slim" { + inherits = ["settings", "slim"] + output = ["type=registry"] +} + +target "push-full" { + inherits = ["settings", "full"] + output = ["type=registry"] +} diff --git a/tools/docker/bin/docker-entrypoint.sh b/tools/docker/bin/docker-entrypoint.sh new file mode 100755 index 00000000000000..8d06f1fdb2f038 --- /dev/null +++ b/tools/docker/bin/docker-entrypoint.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +if [[ -f "/usr/local/etc/env" && -z "${CONTAINERBASE_ENV+x}" ]]; then + # shellcheck source=/dev/null + . /usr/local/etc/env +fi + +if [[ "${1:0:1}" = '-' ]]; then + # assume $1 is renovate flag + set -- renovate "$@" +fi + +if [[ ! -x "$(command -v "${1}")" ]]; then + # assume $1 is a repo + set -- renovate "$@" +fi + +exec dumb-init -- "$@"
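Review bot: `GITHUB_TOKEN` is passed through `target "settings"` as a build `args` entry; build args are not a secret channel, since they are recorded in the metadata of any stage that declares them and can end up in the pushed inline cache that `target "cache"` enables with `mode=max`. The Dockerfile in this patch declares no `ARG GITHUB_TOKEN` (nor `APT_HTTP_PROXY` / `CONTAINERBASE_DEBUG`), so the value appears unconsumed here; if a stage later needs it, pass it as a build secret, `secret = ["id=GITHUB_TOKEN,env=GITHUB_TOKEN"]`, and read it with `RUN --mount=type=secret,id=GITHUB_TOKEN`. Minor style: `target "build-full"` has a stray blank line before its closing brace, unlike its siblings.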
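Review bot: The three `if` blocks implement a dispatch contract that the script never states: source `/usr/local/etc/env` unless `CONTAINERBASE_ENV` is already set, treat a leading `-` as a renovate flag, treat a first argument that is not an executable on `PATH` as a repository name, and otherwise exec the arguments as-is under `dumb-init`. A header comment after the shebang along those lines would spare the next reader tracing it. Note the last rule means any first argument that resolves to an executable (e.g. `bash`) runs directly rather than being handed to renovate, which is presumably intended for debugging and worth saying. Nothing in this patch sets this script as the image `ENTRYPOINT`; the Dockerfile only copies `bin/` to `/usr/local/bin/`, so how it is invoked is not visible here.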