build: build renovate docker images on release #26108

Merged
merged 9 commits into from
Jan 17, 2024
Merged
@@ -1,4 +1,4 @@
name: release-npm
name: release

on:
repository_dispatch:
Expand All @@ -22,6 +22,12 @@ env:
GIT_SHA: ${{ github.event.client_payload.sha }}
NPM_VERSION: ${{ github.event.client_payload.version }}
NPM_TAG: ${{ github.event.client_payload.tag }}
RENOVATE_VERSION: ${{ github.event.client_payload.version }}
BUILDKIT_PROGRESS: plain
BUILDX_NO_DEFAULT_LOAD: 1
DOCKER_PLATFORMS: linux/amd64,linux/arm64
OWNER: ${{ github.repository_owner }}
FILE: renovate

permissions:
contents: read
Expand All @@ -42,6 +48,7 @@ jobs:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ env.GIT_SHA }}
show-progress: false

- name: Enable corepack
shell: bash
Expand Down Expand Up @@ -81,3 +88,49 @@ jobs:
git checkout -- .npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

release-docker:
runs-on: ubuntu-latest
needs:
- release-npm

permissions:
contents: read
id-token: write
packages: write

steps:
- name: Prepare env
run: |
if [[ "${{github.event_name}}" == "workflow_dispatch" ]]; then
echo "GIT_SHA=${{ github.event.inputs.sha }}" >> "$GITHUB_ENV"
echo "RENOVATE_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV"
fi
echo "OWNER=${OWNER,,}" >> ${GITHUB_ENV}

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ env.GIT_SHA }}
show-progress: false

- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0

- name: Docker registry login
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin

- name: Build docker images ${{ env.RENOVATE_VERSION }}
run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build

- name: Publish docker images ${{ env.RENOVATE_VERSION }}
if: false
run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push

- name: Sign images
if: false
run: |
cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
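--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,37 @@
+name: trivy
+
+on:
+  # schedule:
+  #   - cron: '59 11 * * *'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    strategy:
+      matrix:
+        tag:
+          - latest
+          - full
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          show-progress: false
+
+      - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
+        with:
+          image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: trivy-results.sarif
+          category: 'docker-image-${{ matrix.tag }}'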
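Review bot: The `schedule` trigger under `on:` is commented out with no explanation, so the scan only runs on manual dispatch and a reader cannot tell whether the daily run is parked temporarily or dropped; if it is waiting on the images from the release workflow being published, say so above the commented lines, e.g. `# daily schedule disabled until the renovate images are published from this repo; use workflow_dispatch meanwhile`. `image-ref` scans the mutable `latest`/`full` tags, so each run reports on whatever those tags point at when the job starts, and the SARIF `category` is keyed on the tag rather than a digest; that is acceptable for a recurring scan but deserves a short comment next to `image-ref` so nobody reads a result as tied to a specific build. The SHA-pinned actions and the top-level `permissions: {}` with job-scoped `contents: read` / `security-events: write` are the right shape for this job.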
11 changes: 11 additions & 0 deletions renovate.json
Expand Up @@ -28,6 +28,17 @@
{
"matchFileNames": ["**/__fixtures__/**"],
"enabled": false
},
{
"description": "set fix scope for base image",
"matchDepNames": ["ghcr.io/renovatebot/base-image"],
"semanticCommitType": "fix"
},
{
"description": "set feat scope for base image major",
"matchDepNames": ["ghcr.io/renovatebot/base-image"],
"matchUpdateTypes": ["major", "minor"],
"semanticCommitType": "feat"
}
],
"customManagers": [
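Review bot: Both new `packageRules` entries describe themselves as setting a "scope" while the key they set is `semanticCommitType`, which controls the commit type (`fix:` / `feat:`), not the scope; rename them to e.g. `"description": "use fix commit type for base image updates"` and `"description": "use feat commit type for base image major/minor updates"`. The two rules overlap on the same `matchDepNames`, so the second entry only wins because it is listed later and rules are applied in order; noting that in the first description (`"... overridden below for major/minor"`) would keep a later reorder from silently changing the commit type. The enclosing `packageRules` array starts and ends outside the shown hunk.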
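--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -0,0 +1,49 @@
+ARG RENOVATE_VERSION
+ARG BASE_IMAGE_TYPE=slim
+
+# --------------------------------------
+# slim image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.13.2@sha256:7a8653bf454e04f3401bf8058e2d23e9c4c6183b91ccfb789970cc48204216cd AS slim-base
+
+# --------------------------------------
+# full image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.13.2-full@sha256:49f0db2a4ea1113cb519a340afbefb6d9b9b1b5493c0adf2ba5bed29102fb647 AS full-base
+
+# --------------------------------------
+# final image
+# --------------------------------------
+FROM ${BASE_IMAGE_TYPE}-base
+
+LABEL name="renovate"
+LABEL org.opencontainers.image.source="https://github.com/renovatebot/renovate" \
+  org.opencontainers.image.url="https://renovatebot.com" \
+  org.opencontainers.image.licenses="AGPL-3.0-only"
+
+
+WORKDIR /usr/src/app
+
+ENV RENOVATE_X_IGNORE_NODE_WARN=true
+
+COPY bin/ /usr/local/bin/
+CMD ["renovate"]
+
+ARG RENOVATE_VERSION
+RUN install-tool renovate
+
+# Compabillity, so `config.js` can access renovate and deps
+RUN ln -sf /opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules ./node_modules;
+
+RUN set -ex; \
+  renovate --version; \
+  renovate-config-validator; \
+  node -e "new require('re2')('.*').exec('test')"; \
+  true
+
+LABEL \
+  org.opencontainers.image.version="${RENOVATE_VERSION}" \
+  org.label-schema.version="${RENOVATE_VERSION}"
+
+# Numeric user ID for the ubuntu user. Used to indicate a non-root user to OpenShift
+USER 1000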
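Review bot: `COPY bin/ /usr/local/bin/` puts `docker-entrypoint.sh` into the image, but no `ENTRYPOINT` is declared in this file, so whether that script ever runs depends on the base image already setting it, which nothing shown here confirms; add a comment above the `COPY` such as `# docker-entrypoint.sh is expected to be the ENTRYPOINT inherited from base-image — confirm`, or declare `ENTRYPOINT ["docker-entrypoint.sh"]` explicitly if it is not inherited. The comment above the `ln -sf` line misspells "Compatibility" (`# Compabillity, ...`). Digest-pinned base images and the final `USER 1000` are present, which is what a reviewer checks first in a published image.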
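--- a/tools/docker/bake.hcl
+++ b/tools/docker/bake.hcl
@@ -0,0 +1,137 @@
+variable "OWNER" {
+  default = "renovatebot"
+}
+variable "FILE" {
+  default = "renovate"
+}
+variable "TAG" {
+  default = "latest"
+}
+variable "RENOVATE_VERSION" {
+  default = "unknown"
+}
+
+variable "APT_HTTP_PROXY" {
+  default = ""
+}
+
+variable "CONTAINERBASE_DEBUG" {
+  default = ""
+}
+
+variable "GITHUB_TOKEN" {
+  default = ""
+}
+
+group "default" {
+  targets = [
+    "build",
+  ]
+}
+
+group "build" {
+  targets = [
+    "build-slim",
+    "build-full",
+  ]
+}
+
+group "push" {
+  targets = [
+    "push-slim",
+    "push-full",
+    "push-cache-slim",
+    "push-cache-full",
+  ]
+}
+
+target "settings" {
+  context = "tools/docker"
+  args = {
+    APT_HTTP_PROXY = "${APT_HTTP_PROXY}"
+    CONTAINERBASE_DEBUG = "${CONTAINERBASE_DEBUG}"
+    RENOVATE_VERSION = "${RENOVATE_VERSION}"
+    GITHUB_TOKEN = "${GITHUB_TOKEN}"
+  }
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+  ]
+}
+
+target "slim" {
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+    "${FILE}/${FILE}",
+    "${FILE}/${FILE}:${TAG}",
+  ]
+}
+
+target "full" {
+  args = {
+    BASE_IMAGE_TYPE = "full"
+  }
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}:full",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}-full",
+    "${FILE}/${FILE}:full",
+    "${FILE}/${FILE}:${TAG}-full",
+  ]
+}
+
+target "cache" {
+  output = ["type=registry"]
+  cache-to = ["type=inline,mode=max"]
+}
+
+target "push-cache-slim" {
+  inherits = [
+    "settings",
+    "cache",
+    "slim",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+  ]
+}
+
+target "push-cache-full" {
+  inherits = [
+    "settings",
+    "cache",
+    "full",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+  ]
+}
+
+target "build-slim" {
+  inherits = ["settings", "slim"]
+}
+
+target "build-full" {
+  inherits = ["settings", "full"]
+
+}
+
+target "push-slim" {
+  inherits = ["settings", "slim"]
+  output = ["type=registry"]
+}
+
+target "push-full" {
+  inherits = ["settings", "full"]
+  output = ["type=registry"]
+}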
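Review bot: `GITHUB_TOKEN` is passed through `args` in `target "settings"`, i.e. as a build arg; a build arg consumed by a `RUN` step is recorded in that layer's command and shows up in image history, so a token should travel as a build secret instead. The Dockerfile in this PR declares no `ARG GITHUB_TOKEN`, so today the value is simply unused, but the first `ARG GITHUB_TOKEN` someone adds to the Dockerfile would bake the token into published layers; move it to the target's `secret` attribute (`secret = ["id=GITHUB_TOKEN,env=GITHUB_TOKEN"]`) and have any consumer read it via `RUN --mount=type=secret,id=GITHUB_TOKEN`. A comment on the `args` block saying that only non-sensitive values belong there would keep the distinction visible.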
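--- a/tools/docker/bin/docker-entrypoint.sh
+++ b/tools/docker/bin/docker-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ -f "/usr/local/etc/env" && -z "${CONTAINERBASE_ENV+x}" ]]; then
+  # shellcheck source=/dev/null
+  . /usr/local/etc/env
+fi
+
+if [[ "${1:0:1}" = '-' ]]; then
+  # assume $1 is renovate flag
+  set -- renovate "$@"
+fi
+
+if [[ ! -x "$(command -v "${1}")" ]]; then
+  # assume $1 is a repo
+  set -- renovate "$@"
+fi
+
+exec dumb-init -- "$@"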
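Review bot: The second `if` treats any first argument that is not an executable on `PATH` as a repository name, so a mistyped command is silently rewritten to `renovate <typo>` and the user gets renovate's error rather than "command not found"; that dispatch rule is only hinted at by the two `# assume ...` comments, so replace them with a header comment under the shebang describing the three cases: an argument starting with `-` is treated as a renovate flag, an argument naming an executable is run as-is, and anything else is passed to renovate as a repository, all under `dumb-init`. The same comment should mention the no-argument case: with `$1` empty, `command -v ""` is empty, `-x ""` is false, and the script ends up running bare `renovate`, which looks intended but is not obvious from the code.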