From 5f133bcb82f789963786bd115389aa2c7422141c Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Mon, 4 Dec 2023 15:51:15 +0100
Subject: [PATCH 1/9] build: build renovate docker images on release

---
 .../{release-npm.yml => release.yml} | 53 ++++++-
 renovate.json | 11 ++
 tools/docker/Dockerfile | 49 +++++++
 tools/docker/bake.hcl | 137 ++++++++++++++++++
 tools/docker/bin/docker-entrypoint.sh | 18 +++
 5 files changed, 267 insertions(+), 1 deletion(-)
 rename .github/workflows/{release-npm.yml => release.yml} (54%)
 create mode 100644 tools/docker/Dockerfile
 create mode 100644 tools/docker/bake.hcl
 create mode 100644 tools/docker/bin/docker-entrypoint.sh

diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release.yml
similarity index 54%
rename from .github/workflows/release-npm.yml
rename to .github/workflows/release.yml
index 675102e557102c..d94bcc5eaf1154 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: release-npm
+name: release
 
 on:
   repository_dispatch:
@@ -22,6 +22,12 @@ env:
   GIT_SHA: ${{ github.event.client_payload.sha }}
   NPM_VERSION: ${{ github.event.client_payload.version }}
   NPM_TAG: ${{ github.event.client_payload.tag }}
+  RENOVATE_VERSION: ${{ github.event.client_payload.version }}
+  BUILDKIT_PROGRESS: plain
+  BUILDX_NO_DEFAULT_LOAD: 1
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
+  OWNER: ${{ github.repository_owner }}
+  FILE: renovate
 
 permissions:
   contents: read
@@ -42,6 +48,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ env.GIT_SHA }}
+          show-progress: false
 
       - name: Enable corepack
         shell: bash
@@ -81,3 +88,47 @@ jobs:
           git checkout -- .npmrc
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  release-docker:
+    runs-on: ubuntu-latest
+    needs:
+      - release-npm
+
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Prepare env
+        run: |
+          if [[ "${{github.event_name}}" == "workflow_dispatch" ]]; then
+            echo "GIT_SHA=${{ github.event.inputs.sha }}" >> "$GITHUB_ENV"
+            echo "RENOVATE_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV"
+          fi
+          echo "OWNER=${OWNER,,}" >> ${GITHUB_ENV}
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ env.GIT_SHA }}
+          show-progress: false
+
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Docker registry login
+        run: |
+          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+
+      - name: Build docker images ${{ env.RENOVATE_VERSION }}
+        run: docker builx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build
+
+      - name: Publish docker images ${{ env.RENOVATE_VERSION }}
+        run: docker builx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push
+
+      - name: Sign images
+        run: |
+          cosign sign --yes ghcr.io/${{ env.OWNER }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ghcr.io/${{ env.OWNER }}:${{ env.RENOVATE_VERSION }}-full
+          cosign sign --yes renovate/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes renovate/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
diff --git a/renovate.json b/renovate.json
index ce892e08223894..c6474fec80068a 100644
--- a/renovate.json
+++ b/renovate.json
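Review bot: The `Prepare env` step expands `${{ github.event.inputs.sha }}` and `${{ github.event.inputs.version }}` inside the `run:` script before writing them to `$GITHUB_ENV`, so the input text is interpreted by the shell rather than handled as data; the documented mitigation is to bind such expressions in the step's `env:` and reference them as quoted shell variables. `Docker registry login` splices `${{ secrets.DOCKER_USERNAME }}` unquoted into its command line in the same way. Separately, `Sign images` signs mutable tags (`…:${{ env.RENOVATE_VERSION }}`), which cosign resolves at signing time; signing the digest reported by the push (for instance from `docker buildx bake --metadata-file`) binds the signature to the exact pushed manifest, and the same applies to the tag rewrites of this step in patches 2 and 4. The rewritten `Prepare env` step follows.
```yaml
      - name: Prepare env
        env:
          INPUT_SHA: ${{ github.event.inputs.sha }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
        run: |
          if [[ "${{github.event_name}}" == "workflow_dispatch" ]]; then
            echo "GIT_SHA=${INPUT_SHA}" >> "$GITHUB_ENV"
            echo "RENOVATE_VERSION=${INPUT_VERSION}" >> "$GITHUB_ENV"
          fi
          echo "OWNER=${OWNER,,}" >> "$GITHUB_ENV"
```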
@@ -28,6 +28,17 @@
     {
       "matchFileNames": ["**/__fixtures__/**"],
       "enabled": false
+    },
+    {
+      "description": "set fix scope for base image",
+      "matchDepNames": ["ghcr.io/renovatebot/base-image"],
+      "semanticCommitType": "fix"
+    },
+    {
+      "description": "set feat scope for base image major",
+      "matchDepNames": ["ghcr.io/renovatebot/base-image"],
+      "matchUpdateTypes": ["major", "minor"],
+      "semanticCommitType": "feat"
     }
   ],
   "customManagers": [
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
new file mode 100644
index 00000000000000..3f0712376d14df
--- /dev/null
+++ b/tools/docker/Dockerfile
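Review bot: The second rule's `description` says "major" but its `matchUpdateTypes` is `["major", "minor"]`, so minor bumps of the base image also get the `feat` commit type; the text should match, e.g. `"description": "set feat scope for base image major and minor"`. Because packageRules apply in order, the first rule still yields `fix` for every other update type of `ghcr.io/renovatebot/base-image`, which is worth stating in its description too, e.g. `"description": "set fix scope for base image (all update types not matched below)"`.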
@@ -0,0 +1,49 @@
+ARG RENOVATE_VERSION
+ARG BASE_IMAGE_TYPE=slim
+
+# --------------------------------------
+# slim image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.1.2@sha256:54df57ae52fa4e89bd06485bb77d15e9009452d67eee8fce29354efd5d0c8608 AS slim-base
+
+# --------------------------------------
+# full image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.1.2-full@sha256:8b8496edab237fb20e202c97baf49ea22244da003d019512ace29184cf755bf4 AS full-base
+
+# --------------------------------------
+# final image
+# --------------------------------------
+FROM ${BASE_IMAGE_TYPE}-base
+
+LABEL name="renovate"
+LABEL org.opencontainers.image.source="https://github.com/renovatebot/renovate" \
+  org.opencontainers.image.url="https://renovatebot.com" \
+  org.opencontainers.image.licenses="AGPL-3.0-only"
+
+
+WORKDIR /usr/src/app
+
+ENV RENOVATE_X_IGNORE_NODE_WARN=true
+
+COPY bin/ /usr/local/bin/
+CMD ["renovate"]
+
+ARG RENOVATE_VERSION
+RUN install-tool renovate
+
+# Compabillity, so `config.js` can access renovate and deps
+RUN ln -sf /opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules ./node_modules;
+
+RUN set -ex; \
+  renovate --version; \
+  renovate-config-validator; \
+  node -e "new require('re2')('.*').exec('test')"; \
+  true
+
+LABEL \
+  org.opencontainers.image.version="${RENOVATE_VERSION}" \
+  org.label-schema.version="${RENOVATE_VERSION}"
+
+# Numeric user ID for the ubuntu user. Used to indicate a non-root user to OpenShift
+USER 1000
diff --git a/tools/docker/bake.hcl b/tools/docker/bake.hcl
new file mode 100644
index 00000000000000..55fb596bb35bed
--- /dev/null
+++ b/tools/docker/bake.hcl
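Review bot: `COPY bin/ /usr/local/bin/` installs `docker-entrypoint.sh`, but this Dockerfile declares only `CMD ["renovate"]` and no `ENTRYPOINT`, so the dispatch script is only reached if the base image already sets one — presumably it does, but an explicit `ENTRYPOINT ["docker-entrypoint.sh"]` next to the `CMD` would make that contract visible in this file and not depend on the base image. The comment above the `ln -sf` line has a typo and should read `# Compatibility, so `config.js` can access renovate and deps`. The `USER 1000` switch comes after every `RUN`, so the symlink and the smoke test intentionally run as root; a one-line comment saying so would stop a reader from moving it up.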
@@ -0,0 +1,137 @@
+variable "OWNER" {
+  default = "renovatebot"
+}
+variable "FILE" {
+  default = "renovate"
+}
+variable "TAG" {
+  default = "latest"
+}
+variable "RENOVATE_VERSION" {
+  default = "unknown"
+}
+
+variable "APT_HTTP_PROXY" {
+  default = ""
+}
+
+variable "CONTAINERBASE_DEBUG" {
+  default = ""
+}
+
+variable "GITHUB_TOKEN" {
+  default = ""
+}
+
+group "default" {
+  targets = [
+    "build",
+  ]
+}
+
+group "build" {
+  targets = [
+    "build-slim",
+    "build-full",
+  ]
+}
+
+group "push" {
+  targets = [
+    "push-slim",
+    "push-full",
+    "push-cache-slim",
+    "push-cache-full",
+  ]
+}
+
+target "settings" {
+  context = "tools/docker"
+  args = {
+    APT_HTTP_PROXY = "${APT_HTTP_PROXY}"
+    CONTAINERBASE_DEBUG = "${CONTAINERBASE_DEBUG}"
+    RENOVATE_VERSION = "${RENOVATE_VERSION}"
+    GITHUB_TOKEN = "${GITHUB_TOKEN}"
+  }
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+  ]
+}
+
+target "slim" {
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+    "renovate/${FILE}",
+    "renovate/${FILE}:${TAG}",
+  ]
+}
+
+target "full" {
+  args = {
+    BASE_IMAGE_TYPE = "full"
+  }
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}:full",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}-full",
+    "renovate/${FILE}:full",
+    "renovate/${FILE}:${TAG}-full",
+  ]
+}
+
+target "cache" {
+  output = ["type=registry"]
+  cache-to = ["type=inline,mode=max"]
+}
+
+target "push-cache-slim" {
+  inherits = [
+    "settings",
+    "cache",
+    "slim",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+  ]
+}
+
+target "push-cache-full" {
+  inherits = [
+    "settings",
+    "cache",
+    "full",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+  ]
+}
+
+target "build-slim" {
+  inherits = ["settings", "slim"]
+}
+
+target "build-full" {
+  inherits = ["settings", "full"]
+
+}
+
+target "push-slim" {
+  inherits = ["settings", "slim"]
+  output = ["type=registry"]
+}
+
+target "push-full" {
+  inherits = ["settings", "full"]
+  output = ["type=registry"]
+}
diff --git a/tools/docker/bin/docker-entrypoint.sh b/tools/docker/bin/docker-entrypoint.sh
new file mode 100644
index 00000000000000..8d06f1fdb2f038
--- /dev/null
+++ b/tools/docker/bin/docker-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ -f "/usr/local/etc/env" && -z "${CONTAINERBASE_ENV+x}" ]]; then
+  # shellcheck source=/dev/null
+  . /usr/local/etc/env
+fi
+
+if [[ "${1:0:1}" = '-' ]]; then
+  # assume $1 is renovate flag
+  set -- renovate "$@"
+fi
+
+if [[ ! -x "$(command -v "${1}")" ]]; then
+  # assume $1 is a repo
+  set -- renovate "$@"
+fi
+
+exec dumb-init -- "$@"

From 4096d612d38776f604b20df2ee1fa900ad89a5ac Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Tue, 5 Dec 2023 08:50:21 +0100
Subject: [PATCH 2/9] fix: wrong image names

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d94bcc5eaf1154..aa44975d32802f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
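Review bot: `target "settings"` forwards `GITHUB_TOKEN` as a plain build arg; build-arg values can be recorded in the history of the layers that consume them, so if the Dockerfile ever declares `ARG GITHUB_TOKEN` the token would end up in published layers — a BuildKit secret (`secret = ["id=GITHUB_TOKEN,env=GITHUB_TOKEN"]` on the target, consumed with `RUN --mount=type=secret,id=GITHUB_TOKEN` in the Dockerfile) is the usual channel. As far as this series shows, the Dockerfile declares none of `GITHUB_TOKEN`, `APT_HTTP_PROXY` or `CONTAINERBASE_DEBUG`, so those three entries in `args` are inert; a comment on the `args` block naming which stage is expected to consume them would keep that from being mistaken for leakage. The `tags` in `settings` are fully overridden by `slim` and `full`, and `target "build-full"` carries a stray blank line before its closing brace.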
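Review bot: The entrypoint has no header comment explaining its three-way dispatch (leading `-` is a renovate flag, a first word that is not executable is a repository argument, anything else is run as given), which a reader coming from the Dockerfile's `CMD ["renovate"]` needs; a comment after the shebang such as `# Entrypoint: forwards flags and repo names to renovate, runs an executable first argument as-is` would cover it. The `-x "$(command -v "${1}")"` test also fails for shell builtins and functions, because `command -v` prints only the bare name for those, so such a word is forwarded to renovate as a repo — probably acceptable here, but worth a note beside `# assume $1 is a repo`.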
@@ -128,7 +128,7 @@ jobs:
 
       - name: Sign images
         run: |
-          cosign sign --yes ghcr.io/${{ env.OWNER }}:${{ env.RENOVATE_VERSION }}
-          cosign sign --yes ghcr.io/${{ env.OWNER }}:${{ env.RENOVATE_VERSION }}-full
+          cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
           cosign sign --yes renovate/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
           cosign sign --yes renovate/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full

From 8eae7e7a4e5e0e0b63b5192b441a46134810ecdc Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Tue, 5 Dec 2023 08:50:35 +0100
Subject: [PATCH 3/9] ci: add trivy scan

---
 .github/workflows/trivy.yml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000000000..3afc11b4c4ece4
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,37 @@
+name: trivy
+
+on:
+  schedule:
+    - cron: '59 11 * * *'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    strategy:
+      matrix:
+        tag:
+          - latest
+          - full
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          show-progress: false
+
+      - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
+        with:
+          image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: trivy-results.sarif
+          category: 'docker-image-${{ matrix.tag }}'

From 6dc2a1859fb6e6aa587a6fa9c612732097326c0d Mon Sep 17 00:00:00 2001
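Review bot: The trivy job scans the mutable tags `latest` and `full` and records only the tag in `category`, so a SARIF finding cannot later be tied to the exact image manifest that was scanned; resolving and logging the digest in the job (or folding it into the upload category) would make the results auditable. The job also sets no `timeout-minutes`, so a hung image pull or scan holds the runner until the default job limit. The top-level `permissions: {}` with the narrowed job-level grants is the right shape and needs no change.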
From: Michael Kriese
Date: Tue, 5 Dec 2023 08:51:49 +0100
Subject: [PATCH 4/9] fix: update names

---
 .github/workflows/release.yml | 4 ++--
 tools/docker/bake.hcl | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa44975d32802f..433275a42973c5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -130,5 +130,5 @@ jobs:
         run: |
           cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
           cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
-          cosign sign --yes renovate/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
-          cosign sign --yes renovate/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
+          cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
diff --git a/tools/docker/bake.hcl b/tools/docker/bake.hcl
index 55fb596bb35bed..6b8329ab97bd0e 100644
--- a/tools/docker/bake.hcl
+++ b/tools/docker/bake.hcl
@@ -67,8 +67,8 @@ target "slim" {
   tags = [
     "ghcr.io/${OWNER}/${FILE}",
     "ghcr.io/${OWNER}/${FILE}:${TAG}",
-    "renovate/${FILE}",
-    "renovate/${FILE}:${TAG}",
+    "${FILE}/${FILE}",
+    "${FILE}/${FILE}:${TAG}",
   ]
 }
 
@@ -83,8 +83,8 @@ target "full" {
   tags = [
     "ghcr.io/${OWNER}/${FILE}:full",
     "ghcr.io/${OWNER}/${FILE}:${TAG}-full",
-    "renovate/${FILE}:full",
-    "renovate/${FILE}:${TAG}-full",
+    "${FILE}/${FILE}:full",
+    "${FILE}/${FILE}:${TAG}-full",
   ]
 }
 

From 9d8404546fda13e81c918d58143090cb651b520d Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Tue, 5 Dec 2023 09:04:47 +0100
Subject: [PATCH 5/9] fix: add executable flag

---
 tools/docker/bin/docker-entrypoint.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 tools/docker/bin/docker-entrypoint.sh
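Review bot: The Docker Hub references now read `${{ env.FILE }}/${{ env.FILE }}`, so the Hub namespace is coupled to the image name: with `FILE: renovate` this gives `renovate/renovate`, but any other value of `FILE` (which bake.hcl exposes as an overridable variable) silently retargets a different Hub organisation. A dedicated owner variable for Docker Hub — e.g. `HUB_OWNER: renovate` in the workflow `env:` and a matching `variable "HUB_OWNER"` in bake.hcl (constructed names) — would keep the two independent. The same coupling is introduced in both bake.hcl hunks of this patch, the `tags` of `target "slim"` and `target "full"`, whose bodies start before their hunks.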
diff --git a/tools/docker/bin/docker-entrypoint.sh b/tools/docker/bin/docker-entrypoint.sh
old mode 100644
new mode 100755

From 931baf04571cf38a6872744fec676eea6d173ecf Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Tue, 5 Dec 2023 09:11:57 +0100
Subject: [PATCH 6/9] ci: disable trivy cron

---
 .github/workflows/trivy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3afc11b4c4ece4..fdbecae398e3b3 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,8 +1,8 @@
 name: trivy
 
 on:
-  schedule:
-    - cron: '59 11 * * *'
+  # schedule:
+  #   - cron: '59 11 * * *'
   workflow_dispatch:
 
 permissions: {}

From a7663f7c906fd463cc2266a51951d4744d9a29a5 Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Mon, 15 Jan 2024 11:38:40 +0100
Subject: [PATCH 7/9] fix: disable image publish

---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 433275a42973c5..fe5a55d48b15b1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -124,9 +124,11 @@ jobs:
         run: docker builx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build
 
       - name: Publish docker images ${{ env.RENOVATE_VERSION }}
+        if: false
         run: docker builx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push
 
       - name: Sign images
+        if: false
         run: |
           cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
           cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full

From 061774d489940bfcc211616c3b761b58cdc11130 Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Mon, 15 Jan 2024 11:39:54 +0100
Subject: [PATCH 8/9] fix: bump base image version

---
 tools/docker/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
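Review bot: The two `if: false` lines in the release.yml hunk disable publishing and signing without recording why or what has to be true before they are switched back on; a comment above each, e.g. `# TODO: re-enable once the docker image release has been validated`, would keep the intent from being lost. With both steps off, the `Docker registry login` step (just above this hunk, outside it) still logs into Docker Hub and ghcr.io with `DOCKER_PASSWORD` and `GITHUB_TOKEN` on every release while nothing is pushed; if the `cache-from` pulls of the build do not need authentication, gating that step with the same condition avoids using those credentials for no effect.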
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 3f0712376d14df..bf867badda6937 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -4,12 +4,12 @@ ARG BASE_IMAGE_TYPE=slim
 # --------------------------------------
 # slim image
 # --------------------------------------
-FROM ghcr.io/renovatebot/base-image:1.1.2@sha256:54df57ae52fa4e89bd06485bb77d15e9009452d67eee8fce29354efd5d0c8608 AS slim-base
+FROM ghcr.io/renovatebot/base-image:1.13.2@sha256:7a8653bf454e04f3401bf8058e2d23e9c4c6183b91ccfb789970cc48204216cd AS slim-base
 
 # --------------------------------------
 # full image
 # --------------------------------------
-FROM ghcr.io/renovatebot/base-image:1.1.2-full@sha256:8b8496edab237fb20e202c97baf49ea22244da003d019512ace29184cf755bf4 AS full-base
+FROM ghcr.io/renovatebot/base-image:1.13.2-full@sha256:49f0db2a4ea1113cb519a340afbefb6d9b9b1b5493c0adf2ba5bed29102fb647 AS full-base
 
 # --------------------------------------
 # final image

From 5ae433626051977e81ae52398d9272e9acd74058 Mon Sep 17 00:00:00 2001
From: Michael Kriese
Date: Wed, 17 Jan 2024 10:20:55 +0100
Subject: [PATCH 9/9] Apply suggestions from code review

Co-authored-by: Sebastian Poxhofer
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe5a55d48b15b1..e809654ed44fb4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,11 +121,11 @@ jobs:
           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
       - name: Build docker images ${{ env.RENOVATE_VERSION }}
-        run: docker builx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build
+        run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build
 
       - name: Publish docker images ${{ env.RENOVATE_VERSION }}
         if: false
-        run: docker builx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push
+        run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push
 
       - name: Sign images
         if: false