From 0121e40ca96e0fd7c6427e3257fa387a5505a7d2 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Tue, 11 Jun 2024 00:37:17 -0700
Subject: [PATCH 1/3] Update build OSes, pre-install Python
---
 .github/workflows/rpmbuild.yml | 2 +-
 Makefile | 2 +-
 apk/Dockerfile-alpine | 5 +++--
 deb/Dockerfile.stable-slim | 5 ++++-
 rpm/{Dockerfile.centos8 => Dockerfile.ubi} | 5 ++++-
 5 files changed, 13 insertions(+), 6 deletions(-)
 rename rpm/{Dockerfile.centos8 => Dockerfile.ubi} (88%)
diff --git a/.github/workflows/rpmbuild.yml b/.github/workflows/rpmbuild.yml
index e4913c4d45..50566922e2 100644
--- a/.github/workflows/rpmbuild.yml
+++ b/.github/workflows/rpmbuild.yml
@@ -22,7 +22,7 @@ jobs:
 strategy:
 matrix:
 centos:
- - 'centos8'
+ - 'ubi'
 steps:
 - name: "Checkout source code at current commit"
 uses: actions/checkout@v4
diff --git a/Makefile b/Makefile
index f6b3bfda4e..999aa598f9 100644
--- a/Makefile
+++ b/Makefile
@@ -97,7 +97,7 @@ docker/build/apk/shell run/apk:
 
 # MATRIX BUILD
 docker/build/deb/shell docker/build/deb/test run/deb : BUILDER_VERSION=stable-slim
-docker/build/rpm/shell docker/build/rpm/test run/rpm : BUILDER_VERSION=centos8
+docker/build/rpm/shell docker/build/rpm/test run/rpm : BUILDER_VERSION=ubi
 
 ## Build package as a test
 docker/build/%/test:
diff --git a/apk/Dockerfile-alpine b/apk/Dockerfile-alpine
index 3c05e52ff6..eab4737972 100644
--- a/apk/Dockerfile-alpine
+++ b/apk/Dockerfile-alpine
@@ -1,5 +1,5 @@
 # Need to use version number so that it gets updated here and triggers a build
-FROM alpine:3.17.3
+FROM alpine:3.19.1
 
 ENV LC_ALL=C.UTF-8
 ENV PS1="(apk) \w \$ "
@@ -16,6 +16,7 @@ RUN apk add --no-cache bash curl && \
 
 RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
 RUN apk update && \
- apk add make curl alpine-sdk shadow bash jq sudo go
+ apk add make curl alpine-sdk shadow bash jq sudo go && \
+ apk add --update -U python3 python3-dev py3-pip libffi-dev gcc linux-headers musl-dev openssl-dev
 
 RUN echo "auth sufficient pam_shells.so" > /etc/pam.d/chsh
diff --git a/deb/Dockerfile.stable-slim b/deb/Dockerfile.stable-slim
index 8f15696edc..bfb71a003e 100644
--- a/deb/Dockerfile.stable-slim
+++ b/deb/Dockerfile.stable-slim
@@ -1,5 +1,8 @@
 # Need to use version number so that it gets updated here and triggers a build
-FROM debian:11.5-slim
+ARG PYTHON_VERSION=3.12.3
+ARG DEBIAN_CODENAME=bookworm
+
+FROM python:${PYTHON_VERSION}-slim-${DEBIAN_CODENAME}
 
 ENV LC_ALL=C.UTF-8
 ENV PS1="(deb) \w \$ "
diff --git a/rpm/Dockerfile.centos8 b/rpm/Dockerfile.ubi
similarity index 88%
rename from rpm/Dockerfile.centos8
rename to rpm/Dockerfile.ubi
index aaa6e90302..5cab986bbc 100644
--- a/rpm/Dockerfile.centos8
+++ b/rpm/Dockerfile.ubi
@@ -1,4 +1,5 @@
-FROM registry.access.redhat.com/ubi8/ubi
+# UBI replaces Centos
+FROM registry.access.redhat.com/ubi9/ubi
 
 ENV LC_ALL=C.UTF-8
 ENV PS1="(rpm) \w \$ "
@@ -7,6 +8,8 @@ RUN yum clean all && yum -y install ruby-devel gcc make rpm-build rubygems git z
 # install sudo, needed by package sudosh, and protected, so it is nearly impossible to remove
 RUN yum -y install sudo
 
+RUN yum -y install python3.12 python3-pip
+
 # https://github.com/jordansissel/fpm/issues/1663
 #
 # # RUN gem install --no-document backports -v 3.15.0
From 7d4f41a5f76fdc7c6378ee1dda11587d5e159e68 Mon Sep 17 00:00:00 2001
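Review bot: The added `apk add --update -U python3 …` line re-fetches the package index that the `apk update` two lines above already fetched (`-U` and `--update` appear to be the same option), and because neither `apk add` in this RUN uses `--no-cache`, the downloaded index stays in the image layer, unlike the earlier `apk add --no-cache bash curl` step named in the hunk header. One layer with no cached index would be `RUN apk add --no-cache make curl alpine-sdk shadow bash jq sudo go python3 python3-dev py3-pip libffi-dev gcc linux-headers musl-dev openssl-dev`, replacing the `apk update` and both `apk add` lines. None of these packages is version-pinned; that was already the case for the existing list, but a comment stating that floating versions are intentional for this builder image would help the next reader, since the first line of the file insists on pinned versions for the base.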
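Review bot: The retained first-line comment says the version number must appear in this file so a bump triggers a build, but the tag is now assembled from two `ARG` defaults, so a `--build-arg` at build time (or tooling that greps the `FROM` line) can change the base without touching the file; a line such as `# Base image tag is assembled from the ARGs below; bump them here to trigger a rebuild` above the ARGs keeps that intent visible. Moving from `debian:11.5-slim` to a bookworm-based `python` image also changes the libc and toolchain this builder compiles against; if the resulting .debs are meant to install on bullseye hosts, that consequence is worth a sentence in the commit message or a comment. Pinning the base by digest (`FROM python:${PYTHON_VERSION}-slim-${DEBIAN_CODENAME}@sha256:<digest>`) would make the builder reproducible in a way the bare tag is not.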
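Review bot: `FROM registry.access.redhat.com/ubi9/ubi` carries no tag, so it resolves to `latest` and the rpm builder is not reproducible (hadolint DL3006); the `ubi8/ubi` line it replaces had the same problem, but since this commit already reworks the base it is the natural place to pin, e.g. `FROM registry.access.redhat.com/ubi9/ubi:9.4`, which also matches the explicit-version rule the alpine Dockerfile states on its first line. The new comment `# UBI replaces Centos` would be more useful if it said which UBI release the tag tracks and why the matrix key in rpmbuild.yml is still called `centos` (the usual spelling is CentOS).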
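Review bot: `RUN yum -y install python3.12 python3-pip` installs pip for the distribution's default `python3` (3.9 on UBI 9) rather than for the 3.12 interpreter being added; on RHEL 9 / UBI 9 the pip that matches `python3.12` is packaged as `python3.12-pip`, so unless the 3.9 pip is actually wanted the line should read `RUN yum -y install python3.12 python3-pip python3.12-pip` or simply `RUN yum -y install python3.12 python3.12-pip`. The earlier install line quoted in the hunk header begins with `yum clean all`, but this new layer does not clean up after itself, so yum's metadata cache is baked into the image; appending `&& yum clean all` keeps the layer small. `sudo` and the preceding `yum` lines are outside this hunk, so the exact package set of the image is not fully visible here.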
From: Nuru
Date: Tue, 11 Jun 2024 13:14:11 -0700
Subject: [PATCH 2/3] Publish images to GitHub repo
---
 .github/workflows/apkbuild.yml | 7 ++++---
 .github/workflows/debbuild.yml | 7 ++++---
 .github/workflows/rpmbuild.yml | 7 ++++---
 3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/apkbuild.yml b/.github/workflows/apkbuild.yml
index cf6e2c73c1..c17ff25a9f 100644
--- a/.github/workflows/apkbuild.yml
+++ b/.github/workflows/apkbuild.yml
@@ -31,7 +31,7 @@ jobs:
 BUILDER: apkbuild
 MATRIX_TAG: ${{matrix.alpine}}
 run: |
- DOCKER_IMAGE=${{ github.repository }}-${BUILDER}
+ DOCKER_IMAGE=ghcr.io/${{ github.repository }}-${BUILDER}
 TAGS="${DOCKER_IMAGE}:${MATRIX_TAG},${DOCKER_IMAGE}:latest"
 COMMIT_SHA="${GITHUB_SHA}"
 if [[ $GITHUB_REF == refs/tags/* ]]; then
@@ -50,8 +50,9 @@ jobs:
 - name: Login to DockerHub
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
 - name: "Build and push APK builder docker image to DockerHub"
 id: docker_build_builder
 uses: docker/build-push-action@v5
diff --git a/.github/workflows/debbuild.yml b/.github/workflows/debbuild.yml
index e09d3ec7d5..6b1e8ed0f8 100644
--- a/.github/workflows/debbuild.yml
+++ b/.github/workflows/debbuild.yml
@@ -32,7 +32,7 @@ jobs:
 BUILDER: debbuild
 MATRIX_TAG: ${{matrix.debian}}
 run: |
- DOCKER_IMAGE=${{ github.repository }}-${BUILDER}
+ DOCKER_IMAGE=ghcr.io/${{ github.repository }}-${BUILDER}
 TAGS="${DOCKER_IMAGE}:${MATRIX_TAG},${DOCKER_IMAGE}:latest"
 COMMIT_SHA="${GITHUB_SHA}"
 if [[ $GITHUB_REF == refs/tags/* ]]; then
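Review bot: `DOCKER_IMAGE=ghcr.io/${{ github.repository }}-${BUILDER}` will fail at push time if the owner or repository name contains an uppercase letter, because image repository paths must be lowercase while `github.repository` keeps the case shown on GitHub; the same line is added in debbuild.yml and rpmbuild.yml. The `run:` block already depends on bash (`[[ … ]]`), so the shell can normalise it: `DOCKER_IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}-${BUILDER}`. Reading the value from the environment variable rather than a `${{ }}` template expression is also the form GitHub's hardening guidance recommends for `run:` steps; `github.repository` is not user-controlled, so this is consistency rather than a present risk.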
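Review bot: After this hunk `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_PASSWORD` are no longer referenced by this workflow (nor by the debbuild.yml and rpmbuild.yml hunks in this patch), so once the series lands those long-lived credentials should be removed from the repository secrets and rotated at Docker Hub rather than left dormant. Logging in with `secrets.GITHUB_TOKEN` needs `packages: write` on the job token, which PATCH 3/3 adds; within this commit alone the push would depend on the repository's default token permissions. The step name above, `- name: Login to DockerHub`, and the following `Build and push … to DockerHub` step name now describe the wrong registry.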
@@ -53,8 +53,9 @@ jobs:
 - name: Login to DockerHub
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
 - name: "Build and push Debian builder docker image to DockerHub"
 id: docker_build_builder
 uses: docker/build-push-action@v5
diff --git a/.github/workflows/rpmbuild.yml b/.github/workflows/rpmbuild.yml
index 50566922e2..a17787ac4a 100644
--- a/.github/workflows/rpmbuild.yml
+++ b/.github/workflows/rpmbuild.yml
@@ -32,7 +32,7 @@ jobs:
 BUILDER: rpmbuild
 MATRIX_TAG: ${{matrix.centos}}
 run: |
- DOCKER_IMAGE=${{ github.repository }}-${BUILDER}
+ DOCKER_IMAGE=ghcr.io/${{ github.repository }}-${BUILDER}
 TAGS="${DOCKER_IMAGE}:${MATRIX_TAG},${DOCKER_IMAGE}:latest"
 COMMIT_SHA="${GITHUB_SHA}"
 if [[ $GITHUB_REF == refs/tags/* ]]; then
@@ -53,8 +53,9 @@ jobs:
 - name: Login to DockerHub
 uses: docker/login-action@v3
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
 - name: "Build and push RPM builder docker image to DockerHub"
 id: docker_build_builder
 uses: docker/build-push-action@v5
From 277d1acfacf05fb285c6676e81df7f9c7e877ef8 Mon Sep 17 00:00:00 2001
From: Nuru
Date: Tue, 11 Jun 2024 13:41:38 -0700
Subject: [PATCH 3/3] Add permissions to builders workflows
---
 .github/workflows/apkbuild.yml | 8 +++++++-
 .github/workflows/debbuild.yml | 6 ++++++
 .github/workflows/rpmbuild.yml | 6 ++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/apkbuild.yml b/.github/workflows/apkbuild.yml
index c17ff25a9f..f6c2cb2a83 100644
--- a/.github/workflows/apkbuild.yml
+++ b/.github/workflows/apkbuild.yml
@@ -14,6 +14,12 @@ on:
 paths:
 - apk/**
 
+permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
@@ -47,7 +53,7 @@ jobs:
 echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
- - name: Login to DockerHub
+ - name: Login to Container Registry
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
diff --git a/.github/workflows/debbuild.yml b/.github/workflows/debbuild.yml
index 6b1e8ed0f8..cd1040c751 100644
--- a/.github/workflows/debbuild.yml
+++ b/.github/workflows/debbuild.yml
@@ -16,6 +16,12 @@ on:
 - deb/**
 - .github/workflows/debbuild.yml
 
+permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/rpmbuild.yml b/.github/workflows/rpmbuild.yml
index a17787ac4a..66e543317d 100644
--- a/.github/workflows/rpmbuild.yml
+++ b/.github/workflows/rpmbuild.yml
@@ -16,6 +16,12 @@ on:
 - rpm/**
 - .github/workflows/rpmbuild.yml
 
+permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
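Review bot: The new `permissions:` block grants `attestations: write` and `id-token: write`, but nothing in this series shows a step that produces an attestation or requests an OIDC token — the hunks only show `docker/login-action` and `docker/build-push-action`, with no `actions/attest-build-provenance` step or `provenance`/`sbom` inputs — so, if the rest of the workflow (not visible here) does not use them either, those two lines should be dropped and the token kept to `contents: read` plus `packages: write`. The same block is added to debbuild.yml and rpmbuild.yml. If attestation is planned, a comment such as `# id-token/attestations: needed for build provenance attestation of the pushed image` beside them records why a builder-image workflow holds those scopes.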
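Review bot: The rename to `- name: Login to Container Registry` is applied only in apkbuild.yml; debbuild.yml and rpmbuild.yml in this same patch still carry `- name: Login to DockerHub` above a `registry: ghcr.io` block, and all three workflows keep `Build and push … docker image to DockerHub` as the push step's name even though the push now goes to GHCR. Renaming those to match (e.g. `- name: "Build and push APK builder docker image to GHCR"`) avoids someone debugging a failed push in the wrong registry's logs.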