Merge pull request #388 from govCMS/feat/govcms-10212-github-token

[GOVCMS-10212]: Add swarm to manage secrets for tokens.

.docker/Dockerfile.govcms

@@ -1,12 +1,9 @@
 ARG LAGOON_IMAGE_VERSION
-
-FROM uselagoon/php-8.1-cli-drupal:${LAGOON_IMAGE_VERSION} as builder
+FROM uselagoon/php-8.1-cli-drupal:${LAGOON_IMAGE_VERSION}
 
 COPY --from=ghcr.io/salsadigitalauorg/shipshape:0.2.2 /usr/local/bin/shipshape /usr/local/bin/shipshape
 
 ARG GOVCMS_PROJECT_VERSION
-ARG COMPOSER_AUTH
-ARG GITHUB_TOKEN
 
 COPY composer.* /app/
 
@@ -26,12 +23,10 @@ RUN sed -i -e "/govcms\/govcms/ s!3.x-develop-dev!${GOVCMS_PROJECT_VERSION}!" /a
 COPY scripts/composer/ScriptHandler.php /app/scripts/composer/ScriptHandler.php
 
 ENV COMPOSER_MEMORY_LIMIT=-1
-# Set the Github OAuth token only when the variable is set.
-RUN [[ ! -z "${GITHUB_TOKEN}" ]]  && composer config -g github-oauth.github.com ${GITHUB_TOKEN} || echo "Personal Github OAuth token is not set."
 
-RUN composer validate \
-   && composer update -d /app \
-   && composer clearcache
+RUN --mount=type=secret,id=composer-auth,dst=/app/auth.json /usr/local/bin/composer validate
+RUN --mount=type=secret,id=composer-auth,dst=/app/auth.json /usr/local/bin/composer update -d /app
+RUN --mount=type=secret,id=composer-auth,dst=/app/auth.json /usr/local/bin/composer clearcache
 
 # Add bash aliases to assist with full path executables.
 COPY .docker/images/govcms/entrypoints /lagoon/entrypoints/

.gitignore

@@ -1 +1,2 @@
 .env
+auth.json

.gitlab-ci.yml

@@ -83,6 +83,9 @@ workflow:
     - export $(grep -v '^#' .env | xargs)
     - docker network prune -f && docker network inspect amazeeio-network >/dev/null || docker network create amazeeio-network
     - docker login -u $DOCKER_USER -p $DOCKER_PASS
+    - composer config github-oauth.github.com "$GITHUB_TOKEN"
+    - docker swarm init
+    - docker secret create composer-auth auth.json
     - ahoy build y
     - docker image list
 

README.md

@@ -7,7 +7,7 @@ be used by distribution/platform maintainers.
 
 Images are published to the [govcms](https://hub.docker.com/u/govcms) namespace on Docker Hub.
 
-Drupal 8 and 9 are supported through tags in Dockerhub and reference `1.x-master` and `2.x-master` respectively. When new images are released - the current state of the master branch will be tagged and pushed by the GovCMS team to docker to ensure updated images are available.
+Drupal 10 is supported through tags in Dockerhub and reference `3.x-master`. When new images are released - the current state of the master branch will be tagged and pushed by the GovCMS team to docker to ensure updated images are available.
 
 There is also the equivalent project for [GovCMS Drupal 7 images](https://github.com/govcms/govcmslagoon). Please
 be mindful that there is some duplication across the two projects, so consider whether pull requests for changes
@@ -18,22 +18,28 @@ should be accompanied by PRs on the other repository.
 _Expected tools_
 
 * [Docker](https://docs.docker.com/install/)
-* [pygmy](https://docs.amazee.io/local_docker_development/pygmy.html#installation)
 * [Ahoy](http://ahoy-cli.readthedocs.io/en/latest/#installation)
-* [Circle CI](https://circleci.com/docs/2.0/local-cli)
+* [pygmy](https://docs.amazee.io/local_docker_development/pygmy.html#installation)
 
-Clone this respository locally. You might copy `.env.default` to `.env` and modify, but running the CircleCI build will
-overwrite it if you do (probably not ideal).
+Clone this respository locally. You might copy `.env.default` to `.env` and modify.
 
 Running `ahoy build` will build the containers. There are no file mounts from the host, but if you ssh into
 one of the containers (eg `ahoy cli`) you will see the familiar /app/web, etc.
 
+### Composer credentials
+
+To avoid composer rate limiting you will need to providea personal access token that has read-only scope access to Github. Follow the [instructions from Github to create](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) a personal access token.
+
+1. Create composer auth.json `composer config github-oauth.gitub.com <token>`
+2. Enable docker swam `docker swarm init`
+3. Create a docker secret `docker secret create composer-auth auth.json`
+
+This will create a secret that is shared with the image during the build process
+
+
 ## Releasing a govcms/lagoon release to dockerhub
 
 1. Prepare a release branch from master (release/lagoon-x.x.x - replace x with the correct version)
-2. Update the .env.default GOVCMS_PROJECT_VERSION with the latest GovCMS release tag (defaults to 2.x-dev in docker-compose)
-3. Update the .env.default LAGOON_IMAGE_VERSION with the latest Lagoon release tag (defaults to :latest in docker-compose)
-4. Update the .env.default SITE_AUDIT_VERSION with the latest Site Audit release tag (defaults to 7.x-3.x in docker-compose)
-5. Add a 1.x.0-rc1 tag to this branch and push to Github - this will update the :beta and :1.x.0-rc1 tags on dockerhub
-6. Deploy a couple of test projects to OpenShift on the :beta tags (you may need to refresh the beta tags on the docker-host)
-7. When ready to release, push the 1.x.0 tag to Github, and follow up with the `ahoy release` process
+2. Update the .env.default GOVCMS_PROJECT_VERSION with the latest GovCMS release tag
+3. Update the .env.default LAGOON_IMAGE_VERSION with the latest Lagoon release tag
+4. Update the .env.default SITE_AUDIT_VERSION with the latest Site Audit release tag