diff --git a/.commitlintrc.yaml b/.commitlintrc.yaml new file mode 100644 index 0000000..9cb74a7 --- /dev/null +++ b/.commitlintrc.yaml @@ -0,0 +1,2 @@ +extends: + - "@commitlint/config-conventional" diff --git a/.containerignore b/.containerignore new file mode 100644 index 0000000..fc87576 --- /dev/null +++ b/.containerignore @@ -0,0 +1,13 @@ +.git +.github +build +.env +*.md +LICENSE +.dive-ci +.hadolint.yaml +.releaserc.yaml +.commitlintrc.yaml +.containerignore +.pre-commit-config.yaml +scripts/ diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..c95b179 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,51 @@ +name: CI + +on: + pull_request: + branches: [main] + +permissions: + contents: read + pull-requests: read + +jobs: + commitlint: + name: Lint commit messages + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: wagoid/commitlint-github-action@v6 + + hadolint: + name: Lint Containerfile + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: Containerfile + + build: + name: Test build + runs-on: ubuntu-latest + needs: [hadolint] + steps: + - uses: actions/checkout@v4 + + - name: Install yq + run: | + sudo curl -sSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.45.4/yq_linux_amd64" + sudo chmod +x /usr/local/bin/yq + + - name: Build image + run: | + BUILD_ARGS="" + for arg in $(yq e '.build.args[]' manifest.yaml); do + BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}" + done + # shellcheck disable=SC2086 + docker build -f Containerfile ${BUILD_ARGS} -t test-build . diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..73d9f06 --- /dev/null +++ b/.github/workflows/release.yaml 
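Review bot: The yq install step in the build job writes whatever the server returns straight to `/usr/local/bin/yq` and marks it executable, because `curl -sSL` is used without `-f` and nothing checks the binary; a 404 page or a substituted artefact would then be run with sudo on the runner. Use `sudo curl -fsSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.45.4/yq_linux_amd64"` and verify it against a pinned digest before the chmod, e.g. `echo "<sha256>  /usr/local/bin/yq" | sha256sum -c -` (yq publishes a checksums file with each release, I believe). The third-party actions `wagoid/commitlint-github-action@v6` and `hadolint/hadolint-action@v3.1.0` are pinned to mutable tags rather than commit SHAs, so the PR workflow is exposed to a tag being moved upstream.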
@@ -0,0 +1,147 @@ +name: Release + +on: + push: + branches: [main] + +permissions: + contents: write + packages: write + +jobs: + release: + name: Semantic release + runs-on: ubuntu-latest + outputs: + new_release_published: ${{ steps.semantic.outputs.new_release_published }} + new_release_version: ${{ steps.semantic.outputs.new_release_version }} + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - uses: cycjimmy/semantic-release-action@v4 + id: semantic + with: + extra_plugins: | + @semantic-release/changelog + @semantic-release/git + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + build-and-push: + name: Build, scan & push + needs: release + if: needs.release.outputs.new_release_published == 'true' + runs-on: ubuntu-latest + env: + IMAGE_VERSION: ${{ needs.release.outputs.new_release_version }} + steps: + - uses: actions/checkout@v4 + + - name: Install build tools + run: ./scripts/install_tools.sh + + - name: Read manifest + id: manifest + run: | + echo "image_name=$(yq e '.name' manifest.yaml)" >> "$GITHUB_OUTPUT" + echo "registry=$(yq e '.registry' manifest.yaml)" >> "$GITHUB_OUTPUT" + echo "format=$(yq e '.build.format' manifest.yaml)" >> "$GITHUB_OUTPUT" + + - name: Validate Containerfile + run: | + docker pull -q ghcr.io/hadolint/hadolint:latest + docker run --rm -i -v "$(pwd)/.hadolint.yaml:/.hadolint.yaml:ro" hadolint/hadolint:latest hadolint --config /.hadolint.yaml - < Containerfile + + - name: Build image + env: + IMAGE_NAME: ${{ steps.manifest.outputs.image_name }} + IMAGE_FORMAT: ${{ steps.manifest.outputs.format }} + run: | + # Build args from manifest + BUILD_ARGS="" + for arg in $(yq e '.build.args[]' manifest.yaml); do + BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}" + done + + # Labels from manifest + LABELS="" + while IFS= read -r label; do + if [[ -n "${label}" ]]; then + label_key="${label%%=*}" + label_value="${label#*=}" + label_value="${label_value%\"}" + label_value="${label_value#\"}" + LABELS="${LABELS} 
--label ${label_key}=${label_value}" + fi + done < <(yq e '.build.labels[]' manifest.yaml) + + # Add version label + LABELS="${LABELS} --label org.opencontainers.image.version=${IMAGE_VERSION}" + + # shellcheck disable=SC2086 + buildah build \ + --squash \ + --pull-always \ + --format "${IMAGE_FORMAT}" \ + ${BUILD_ARGS} \ + ${LABELS} \ + --tag "${IMAGE_NAME}:${IMAGE_VERSION}" \ + . + + # Save to OCI archive for scanning and pushing + mkdir -p build + buildah push "${IMAGE_NAME}:${IMAGE_VERSION}" "oci-archive:build/${IMAGE_NAME}.tar" + + # Load into Docker daemon for dive scan + skopeo copy "oci-archive:build/${IMAGE_NAME}.tar" "docker-daemon:${IMAGE_NAME}:${IMAGE_VERSION}" + + - name: Dive filesystem scan + env: + IMAGE_NAME: ${{ steps.manifest.outputs.image_name }} + run: dive --ci --source=docker "${IMAGE_NAME}:${IMAGE_VERSION}" + + - name: Trivy vulnerability scan + env: + IMAGE_NAME: ${{ steps.manifest.outputs.image_name }} + run: | + trivy image \ + --input "build/${IMAGE_NAME}.tar" \ + --severity HIGH,CRITICAL \ + --exit-code 1 \ + "${IMAGE_NAME}:${IMAGE_VERSION}" + + - name: Login to GHCR + env: + REGISTRY: ${{ steps.manifest.outputs.registry }} + run: skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}" + + - name: Push to registry + env: + IMAGE_NAME: ${{ steps.manifest.outputs.image_name }} + REGISTRY: ${{ steps.manifest.outputs.registry }} + run: | + IFS='.' 
read -r MAJOR MINOR PATCH <<< "${IMAGE_VERSION}" + if [ -z "${MAJOR}" ] || [ -z "${MINOR}" ] || [ -z "${PATCH}" ]; then + echo "Error: IMAGE_VERSION '${IMAGE_VERSION}' is not valid semver (expected MAJOR.MINOR.PATCH)" + exit 1 + fi + + # Push semantic version tag (1.2.3) + skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${IMAGE_VERSION}" + + # Push major.minor tag (1.2) + skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR}.${MINOR}" + + # Push major tag (1) + skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR}" + + # Push latest tag + skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:latest" + + - name: Verify pushed image + env: + REGISTRY: ${{ steps.manifest.outputs.registry }} + run: | + skopeo inspect "docker://${REGISTRY}:${IMAGE_VERSION}" --format '{{.Labels}}' diff --git a/.hadolint.yaml b/.hadolint.yaml new file mode 100644 index 0000000..bd3f280 --- /dev/null +++ b/.hadolint.yaml @@ -0,0 +1,3 @@ +trustedRegistries: + - docker.io + - ghcr.io diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..782123a --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,30 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-added-large-files + - id: check-merge-conflict + - id: detect-private-key + + - repo: https://github.com/hadolint/hadolint + rev: v2.12.0 + hooks: + - id: hadolint-docker + args: ["--config", ".hadolint.yaml"] + files: ^Containerfile$ + + - repo: https://github.com/shellcheck-py/shellcheck-py + rev: v0.10.0.1 + hooks: + - id: shellcheck + args: ["-e", "SC1091"] + + - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook + rev: v9.21.0 + hooks: + - id: commitlint + stages: [commit-msg] + additional_dependencies: ["@commitlint/config-conventional"] 
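Review bot: The GHCR login hands the token over as a command-line argument, `skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"`, so it is expanded into the shell command text and is visible in the process table for the duration of the call; both values are also interpolated into `run:` rather than read from the environment. Add `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step's `env:` and run `echo "${GHCR_TOKEN}" | skopeo login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin` instead. The Validate Containerfile step pulls `ghcr.io/hadolint/hadolint:latest` but then runs `hadolint/hadolint:latest`, which is a different (Docker Hub) reference resolved at run time; whichever is intended, use the same reference in both commands and pin it by tag or digest rather than `latest`. Nothing signs or attests the image after the Trivy gate, which is worth considering given that `latest`, `MAJOR` and `MAJOR.MINOR` tags are all moved on every release.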
diff --git a/.releaserc.yaml b/.releaserc.yaml new file mode 100644 index 0000000..9473609 --- /dev/null +++ b/.releaserc.yaml @@ -0,0 +1,14 @@ +branches: + - main + +plugins: + - "@semantic-release/commit-analyzer" + - "@semantic-release/release-notes-generator" + - - "@semantic-release/changelog" + - changelogFile: CHANGELOG.md + - - "@semantic-release/github" + - assets: [] + - - "@semantic-release/git" + - assets: + - CHANGELOG.md + message: "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" diff --git a/Containerfile b/Containerfile index ed783d7..a348265 100644 --- a/Containerfile +++ b/Containerfile 
@@ -1,52 +1,101 @@ -ARG UBUNTU_VERSION=24.04 +ARG RUNNER_VERSION=2.321.0 -FROM docker.io/library/ubuntu:$UBUNTU_VERSION as base +FROM ghcr.io/actions/actions-runner:${RUNNER_VERSION} AS base -ARG APP_UID=1000 -ARG APP_HOME=/home/appuser +ARG APP_HOME=/home/runner -# Setup the non-root user -RUN userdel --remove ubuntu \ - && useradd \ - --no-log-init \ - --uid $APP_UID \ - --home-dir ${APP_HOME} \ - --create-home \ - --user-group \ - appuser && \ - chown -R appuser:appuser ${APP_HOME} +USER root -# Update and upgrade the system -RUN apt-get update \ - && apt-get upgrade -y \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get autoremove -y \ - && apt-get autoclean -y - -# Add Python 3.12, 3.13 and 3.14 -# Add deadsnake apt repository +# System upgrade, Python 3.12/3.13 (deadsnakes), skopeo, buildah # hadolint ignore=DL3008 RUN apt-get update \ + && apt-get upgrade -y \ && apt-get install --no-install-recommends -y gnupg ca-certificates software-properties-common curl \ && DEBIAN_FRONTEND=noninteractive add-apt-repository -y ppa:deadsnakes/ppa \ && apt-get update \ - && apt-get install --no-install-recommends -y python3.12 python3.13 python3.14 \ + && apt-get install --no-install-recommends -y \ + build-essential \ + python3.12 python3.12-dev \ + python3.13 python3.13-dev \ + skopeo buildah \ + && apt-get autoremove -y \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# Install Poetry latest version and add it to PATH +# deadsnakes PPA does not ship python3.x-pip or ensurepip; bootstrap via get-pip.py # hadolint ignore=DL4006 -RUN curl -sSL https://install.python-poetry.org | python3 - +RUN curl -sSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py \ + && python3.12 /tmp/get-pip.py --no-cache-dir \ + && python3.13 /tmp/get-pip.py --no-cache-dir \ + && rm /tmp/get-pip.py -# Install UV -# hadolint ignore=DL4006 -RUN curl -LsSf https://astral.sh/uv/install.sh | sh +# Configure buildah storage for container/rootless usage +RUN mkdir -p 
/etc/containers \ + && printf '[storage]\ndriver = "vfs"\n' > /etc/containers/storage.conf -# Add Poetry and UV to PATH -RUN echo "export PATH=\"${APP_HOME}/.local/bin:\$PATH\"" >> ~/.bashrc +# Install trivy (vulnerability scanner) +# hadolint ignore=DL3008,DL4006 +RUN curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \ + | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \ + && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \ + | tee /etc/apt/sources.list.d/trivy.list \ + && apt-get update \ + && apt-get install --no-install-recommends -y trivy \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Install dive (container filesystem analysis) +ARG DIVE_VERSION=0.12.0 +# hadolint ignore=DL3008 +RUN curl -sSL -o /tmp/dive.deb \ + "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb" \ + && apt-get update \ + && apt-get install --no-install-recommends -y /tmp/dive.deb \ + && rm /tmp/dive.deb \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Install hadolint (Dockerfile/Containerfile linter) +ARG HADOLINT_VERSION=2.12.0 +RUN curl -sSL -o /usr/local/bin/hadolint \ + "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" \ + && chmod +x /usr/local/bin/hadolint -FROM base as runtime +# Install yq (YAML processor) +ARG YQ_VERSION=4.45.4 +RUN curl -sSL -o /usr/local/bin/yq \ + "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \ + && chmod +x /usr/local/bin/yq + +# Install Argo Workflows CLI +ARG ARGO_VERSION=3.6.4 +RUN curl -sSL -o /tmp/argo-linux-amd64.gz \ + "https://github.com/argoproj/argo-workflows/releases/download/v${ARGO_VERSION}/argo-linux-amd64.gz" \ + && gunzip /tmp/argo-linux-amd64.gz \ + && mv /tmp/argo-linux-amd64 /usr/local/bin/argo \ + && chmod +x /usr/local/bin/argo + +# Install Kargo CLI +ARG KARGO_VERSION=1.9.2 +RUN curl -sSL -o 
/usr/local/bin/kargo \ + "https://github.com/akuity/kargo/releases/download/v${KARGO_VERSION}/kargo-linux-amd64" \ + && chmod +x /usr/local/bin/kargo + +# Install pack (Cloud Native Buildpacks CLI) +ARG PACK_VERSION=0.36.4 +RUN curl -sSL -o /tmp/pack.tgz \ + "https://github.com/buildpacks/pack/releases/download/v${PACK_VERSION}/pack-v${PACK_VERSION}-linux.tgz" \ + && tar -xzf /tmp/pack.tgz -C /usr/local/bin/ \ + && rm /tmp/pack.tgz + +# Install pre-commit +# hadolint ignore=DL3013 +RUN pip3 install --no-cache-dir pre-commit + +# Base stage must not end as root (hadolint DL3002) +USER runner + +FROM base AS runtime LABEL org.opencontainers.image.source=https://github.com/deerhide/python-github-runner LABEL org.opencontainers.image.description="Python GitHub Runner" @@ -54,7 +103,7 @@ LABEL org.opencontainers.image.licenses="MIT" LABEL org.opencontainers.image.authors="Deerhide" LABEL org.opencontainers.image.vendor="Deerhide" -USER ${APP_UID} +USER runner WORKDIR ${APP_HOME} # Install Poetry latest version and add it to PATH @@ -67,6 +116,3 @@ RUN curl -LsSf https://astral.sh/uv/install.sh | sh # Add Poetry and UV to PATH RUN echo "export PATH=\"${APP_HOME}/.local/bin:\$PATH\"" >> ~/.bashrc - -# Placeholder command to keep the container running -# CMD ["/bin/bash", "-c", "while true; do sleep 1; done"] diff --git a/README.md b/README.md index 4075017..18eb208 100644 --- a/README.md +++ b/README.md 
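Review bot: None of the binaries fetched into the base stage are verified — `curl -sSL -o /usr/local/bin/hadolint …`, the yq, argo, kargo and pack downloads, the dive `.deb` and `get-pip.py` are all written and executed as root on the strength of the URL alone, and without `-f` curl will save an HTML error page as the executable. Add `-f` and check each artefact against a pinned digest before the `chmod`, e.g. `curl -fsSL -o /usr/local/bin/hadolint "…/hadolint-Linux-x86_64" && echo "<sha256>  /usr/local/bin/hadolint" | sha256sum -c -` (hadolint and yq publish checksum files with their releases, I believe; the others need confirming). `pip3 install --no-cache-dir pre-commit` is likewise unpinned, and after bootstrapping pip for both 3.12 and 3.13 it is not obvious which interpreter `pip3` resolves to — pin the version and call `python3.13 -m pip install --no-cache-dir pre-commit==<version>` explicitly. `build-essential` and the two `-dev` packages stay in the final image; that may be intended for a build runner, but it widens the attack surface of what is effectively a CI executor and deserves a comment saying so.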
@@ -1,40 +1,204 @@ -# Deerhide / Template for Container Image +# Deerhide / Python GitHub Runner -## Pre-requisites +Container image based on the [GitHub Actions Runner](https://github.com/actions/runner) with Python tooling, DevOps CLIs, and a full container build pipeline baked in. Designed to be used as a self-hosted runner that can build itself. -### Install `docker` -[See Docker documentation](https://docs.docker.com/get-docker/) +## What's included -### Install tools +### Base image + +`ghcr.io/actions/actions-runner` (GitHub Actions Runner) + +### Python + +| Tool | Version | +|------|---------| +| Python | 3.12, 3.13 (via deadsnakes PPA) | +| Poetry | latest | +| UV | latest | + +### DevOps CLIs + +| Tool | Description | +|------|-------------| +| [Argo Workflows CLI](https://github.com/argoproj/argo-workflows) | Workflow orchestration on Kubernetes | +| [Kargo CLI](https://github.com/akuity/kargo) | Application lifecycle orchestration | +| [pack](https://github.com/buildpacks/pack) | Cloud Native Buildpacks CLI | +| [skopeo](https://github.com/containers/skopeo) | Container image registry operations | + +### Build pipeline tools + +These tools allow the image to run its own build pipeline as a self-hosted runner. 
+ +| Tool | Description | +|------|-------------| +| [buildah](https://github.com/containers/buildah) | OCI container image builder | +| [dive](https://github.com/wagoodman/dive) | Container filesystem analysis | +| [trivy](https://github.com/aquasecurity/trivy) | Vulnerability scanner | +| [hadolint](https://github.com/hadolint/hadolint) | Dockerfile/Containerfile linter | +| [yq](https://github.com/mikefarah/yq) | YAML processor | +| [pre-commit](https://pre-commit.com/) | Git hooks framework | + +## CI/CD + +### Workflows + +| Workflow | Trigger | Description | +|----------|---------|-------------| +| **CI** | Pull request to `main` | Commitlint, hadolint lint, test build | +| **Release** | Push to `main` | Semantic release, build, scan, push to GHCR | +| **Renovate** | Automated | Keeps tool versions and dependencies up to date via PRs | + +### Release process + +Releases are fully automated via [semantic-release](https://github.com/semantic-release/semantic-release). Pushing to `main` triggers version analysis based on [Conventional Commits](https://www.conventionalcommits.org/). Tool versions are kept up to date automatically by [Renovate](https://docs.renovatebot.com/). + +| Commit prefix | Version bump | +|---------------|-------------| +| `fix:` | Patch (1.0.0 -> 1.0.1) | +| `feat:` | Minor (1.0.0 -> 1.1.0) | +| `feat!:` / `BREAKING CHANGE:` | Major (1.0.0 -> 2.0.0) | + +When a new version is determined, the release workflow: + +1. Creates a GitHub release with auto-generated notes +2. Updates `CHANGELOG.md` +3. Validates the Containerfile with hadolint +4. Builds the image with `buildah` (OCI format, squashed layers) +5. Runs `dive` filesystem efficiency scan +6. Runs `trivy` vulnerability scan (HIGH/CRITICAL) +7. 
Pushes to GHCR with semver tags: `1.2.3`, `1.2`, `1`, `latest` + +### Image tags + +``` +ghcr.io/deerhide/python-github-runner:latest +ghcr.io/deerhide/python-github-runner:1 +ghcr.io/deerhide/python-github-runner:1.2 +ghcr.io/deerhide/python-github-runner:1.2.3 +``` + +## Local development + +### Pre-requisites + +Install [Docker](https://docs.docker.com/get-docker/), then install the build tools: ```bash ./scripts/install_tools.sh ``` -## How to build the container image +Local install may use different (e.g. latest) versions for some tools than the pinned versions in the image and CI. + +### Configuration -### Update `manifest.yaml` +Build configuration is defined in `manifest.yaml`: ```yaml -name: deerhide_container_example -tags: +name: python-github-runner +tags: - latest -registry: ghcr.io/deerhide/template_container_image +registry: ghcr.io/deerhide/python-github-runner build: format: oci args: - - APP_UID=1000 - - UBUNTU_VERSION=24.04 + - RUNNER_VERSION=2.321.0 + - ARGO_VERSION=3.6.4 + - KARGO_VERSION=1.9.2 + - PACK_VERSION=0.36.4 + - DIVE_VERSION=0.12.0 + - HADOLINT_VERSION=2.12.0 + - YQ_VERSION=4.45.4 + labels: + - org.opencontainers.image.source=https://github.com/deerhide/python-github-runner + - org.opencontainers.image.description="Python GitHub Runner" + - org.opencontainers.image.licenses="MIT" + - org.opencontainers.image.authors="Deerhide" + - org.opencontainers.image.vendor="Deerhide" ``` -### Authenticate to the container registry +### Build + +Authenticate to the container registry: ```bash skopeo login ghcr.io ``` -### Launch Builder +Run the full build pipeline (lint, build, scan, push): ```bash ./scripts/builder.sh ``` + +### Pre-commit hooks + +Install the git hooks locally: + +```bash +pre-commit install --hook-type pre-commit --hook-type commit-msg +``` + +Hooks run automatically on every commit: + +| Hook | Stage | Description | +|------|-------|-------------| +| trailing-whitespace | pre-commit | Remove trailing whitespace | +| 
end-of-file-fixer | pre-commit | Ensure files end with a newline | +| check-yaml | pre-commit | Validate YAML syntax | +| check-added-large-files | pre-commit | Prevent large files from being committed | +| check-merge-conflict | pre-commit | Detect merge conflict markers | +| detect-private-key | pre-commit | Prevent private keys from being committed | +| hadolint | pre-commit | Lint Containerfile | +| shellcheck | pre-commit | Lint shell scripts | +| commitlint | commit-msg | Validate conventional commit messages | + +Run all hooks manually against all files: + +```bash +pre-commit run --all-files +``` + +### Contributing + +This project uses [Conventional Commits](https://www.conventionalcommits.org/). Commit messages are validated by commitlint on pull requests and locally via pre-commit hooks. + +```bash +# Good +git commit -m "feat: add kubectl to image" +git commit -m "fix: correct trivy scan exit code" +git commit -m "chore: update argo to v3.7.0" + +# Bad +git commit -m "added stuff" +git commit -m "WIP" +``` + +## Project structure + +``` +. 
+├── Containerfile # Multi-stage container definition +├── manifest.yaml # Build configuration and metadata +├── CHANGELOG.md # Generated by semantic-release +├── install-man-page.sh # Optional: install yq man page locally +├── .releaserc.yaml # Semantic release configuration +├── .hadolint.yaml # Hadolint configuration +├── .commitlintrc.yaml # Commitlint configuration +├── .pre-commit-config.yaml # Pre-commit hooks configuration +├── .containerignore # Build context exclusions +├── .dive-ci # Dive efficiency thresholds +├── .github/ +│ └── workflows/ +│ ├── ci.yaml # PR validation +│ └── release.yaml # Semantic release + build + push +├── renovate.json # Renovate dependency update config +└── scripts/ + ├── builder.sh # Local build orchestration + ├── install_tools.sh # Build tool installer + ├── lib_utils.sh # Logging utilities + └── login_skopeo.sh # Registry authentication helper +``` + +## License + +[MIT](LICENSE) diff --git a/manifest.yaml b/manifest.yaml index 2a3b6c9..111c6ee 100644 --- a/manifest.yaml +++ b/manifest.yaml @@ -1,12 +1,17 @@ name: python-github-runner -tags: +tags: - latest registry: ghcr.io/deerhide/python-github-runner build: format: oci args: - - APP_UID=1000 - - UBUNTU_VERSION=24.04 + - RUNNER_VERSION=2.321.0 + - ARGO_VERSION=3.6.4 + - KARGO_VERSION=1.9.2 + - PACK_VERSION=0.36.4 + - DIVE_VERSION=0.12.0 + - HADOLINT_VERSION=2.12.0 + - YQ_VERSION=4.45.4 labels: - org.opencontainers.image.source=https://github.com/deerhide/python-github-runner - org.opencontainers.image.description="Python GitHub Runner" diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..33e4886 --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,71 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended" + ], + "customManagers": [ + { + "customType": "regex", + "description": "Update GitHub Actions Runner version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["RUNNER_VERSION=(?\\S+)"], + "depNameTemplate": "actions/runner", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + }, + { + "customType": "regex", + "description": "Update Dive version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["DIVE_VERSION=(?\\S+)"], + "depNameTemplate": "wagoodman/dive", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + }, + { + "customType": "regex", + "description": "Update Hadolint version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["HADOLINT_VERSION=(?\\S+)"], + "depNameTemplate": "hadolint/hadolint", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + }, + { + "customType": "regex", + "description": "Update yq version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["YQ_VERSION=(?\\S+)"], + "depNameTemplate": "mikefarah/yq", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + }, + { + "customType": "regex", + "description": "Update Argo Workflows CLI version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["ARGO_VERSION=(?\\S+)"], + "depNameTemplate": "argoproj/argo-workflows", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + }, + { + "customType": "regex", + "description": "Update Kargo CLI version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["KARGO_VERSION=(?\\S+)"], + "depNameTemplate": "akuity/kargo", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + }, + { + 
"customType": "regex", + "description": "Update pack (Buildpacks) CLI version", + "fileMatch": ["^Containerfile$", "^manifest\\.yaml$"], + "matchStrings": ["PACK_VERSION=(?\\S+)"], + "depNameTemplate": "buildpacks/pack", + "datasourceTemplate": "github-releases", + "extractVersionTemplate": "^v?(?.+)$" + } + ] +} diff --git a/scripts/builder.sh b/scripts/builder.sh index e552af1..394bb8f 100755 --- a/scripts/builder.sh +++ b/scripts/builder.sh @@ -47,13 +47,13 @@ clean_build_dir(){ hadolint_validate(){ local hadolint_exec local hadolint_exit_code - log_info "Validating Dockerfile with hadolint" + log_info "Validating Containerfile with hadolint" ${CLI} pull -q ghcr.io/hadolint/hadolint:latest > /dev/null log_trace "$(${CLI} run --rm -i hadolint/hadolint:latest hadolint -v)" set +e hadolint_exec=$( - ${CLI} run --rm -i hadolint/hadolint:latest < Containerfile \ + ${CLI} run --rm -i -v "$(pwd)/.hadolint.yaml:/.hadolint.yaml:ro" hadolint/hadolint:latest hadolint --config /.hadolint.yaml - < Containerfile \ 2>&1 ) hadolint_exit_code=$? @@ -312,7 +312,7 @@ trivy_scan () { # Main clean_build_dir -check_for_manifest # Check for manifest file existence\ +check_for_manifest # Check for manifest file existence IMAGE_NAME=$(retrieve_name_from_manifest) # Retrieve image name from manifest log_info "Starting build process" diff --git a/scripts/install_tools.sh b/scripts/install_tools.sh index 774d721..342355f 100755 --- a/scripts/install_tools.sh +++ b/scripts/install_tools.sh @@ -27,7 +27,7 @@ sudo apt-get install trivy -y # Install buildah sudo apt-get install buildah -y -# Install yq\ +# Install yq VERSION="v4.45.4" BINARY="yq_linux_amd64" wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - |\
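Review bot: Every `matchStrings` entry reads like `RUNNER_VERSION=(?\\S+)` and every `extractVersionTemplate` like `^v?(?.+)$`, i.e. the named-group syntax carries no group name; as shown these are not valid regular expressions, and Renovate's regex manager needs a `currentValue` capture (`(?<currentValue>\\S+)`) and a `version` capture (`^v?(?<version>.+)$`) to do anything. This may be a rendering loss of the angle brackets rather than the committed content, so please confirm against the file itself. Since these custom managers are the only thing keeping the pinned tool versions current, a silently broken manager means no update PRs at all, which is easy to miss.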
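Review bot: The hadolint invocation pulls `ghcr.io/hadolint/hadolint:latest` but then runs `hadolint/hadolint:latest`, which resolves to the Docker Hub copy — so the image that was just pulled is not necessarily the one executed, and both are floating `latest` tags rather than a pinned version or digest. Use a single, pinned reference in both commands, e.g. `${CLI} run --rm -i -v "$(pwd)/.hadolint.yaml:/.hadolint.yaml:ro" ghcr.io/hadolint/hadolint:v2.12.0 hadolint --config /.hadolint.yaml - < Containerfile`, presumably matching the `HADOLINT_VERSION=2.12.0` the Containerfile installs. The body of `hadolint_validate` continues past the end of the hunk.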