build: build renovate docker images on release (#26108)

Co-authored-by: Sebastian Poxhofer <secustor@users.noreply.github.com>
renovatebot · Jan 17, 2024 · 5ca375a · 5ca375a
1 parent db9d485
commit 5ca375a
Show file tree

Hide file tree

Showing 6 changed files with 306 additions and 1 deletion.
diff --git a/.github/workflows/release-npm.yml → .github/workflows/release.yml b/.github/workflows/release-npm.yml → .github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: release-npm
+name: release
 
 on:
   repository_dispatch:
@@ -22,6 +22,12 @@ env:
   GIT_SHA: ${{ github.event.client_payload.sha }}
   NPM_VERSION: ${{ github.event.client_payload.version }}
   NPM_TAG: ${{ github.event.client_payload.tag }}
+  RENOVATE_VERSION: ${{ github.event.client_payload.version }}
+  BUILDKIT_PROGRESS: plain
+  BUILDX_NO_DEFAULT_LOAD: 1
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
+  OWNER: ${{ github.repository_owner }}
+  FILE: renovate
 
 permissions:
   contents: read
@@ -42,6 +48,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ env.GIT_SHA }}
+          show-progress: false
 
       - name: Enable corepack
         shell: bash
@@ -81,3 +88,49 @@ jobs:
           git checkout -- .npmrc
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  release-docker:
+    runs-on: ubuntu-latest
+    needs:
+      - release-npm
+
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Prepare env
+        run: |
+          if [[ "${{github.event_name}}" == "workflow_dispatch" ]]; then
+            echo "GIT_SHA=${{ github.event.inputs.sha }}" >> "$GITHUB_ENV"
+            echo "RENOVATE_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_ENV"
+          fi
+          echo "OWNER=${OWNER,,}" >> ${GITHUB_ENV}
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ env.GIT_SHA }}
+          show-progress: false
+
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Docker registry login
+        run: |
+          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+
+      - name: Build docker images ${{ env.RENOVATE_VERSION }}
+        run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl build
+
+      - name: Publish docker images ${{ env.RENOVATE_VERSION }}
+        if: false
+        run: docker buildx bake --set settings.platform=${{ env.DOCKER_PLATFORMS }} --file tools/docker/bake.hcl push
+
+      - name: Sign images
+        if: false
+        run: |
+          cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ghcr.io/${{ env.OWNER }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
+          cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}
+          cosign sign --yes ${{ env.FILE }}/${{ env.FILE }}:${{ env.RENOVATE_VERSION }}-full
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,37 @@
+name: trivy
+
+on:
+  # schedule:
+  #   - cron: '59 11 * * *'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    strategy:
+      matrix:
+        tag:
+          - latest
+          - full
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          show-progress: false
+
+      - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0
+        with:
+          image-ref: ghcr.io/renovatebot/renovate:${{ matrix.tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: trivy-results.sarif
+          category: 'docker-image-${{ matrix.tag }}'
diff --git a/renovate.json b/renovate.json
@@ -28,6 +28,17 @@
     {
       "matchFileNames": ["**/__fixtures__/**"],
       "enabled": false
+    },
+    {
+      "description": "set fix scope for base image",
+      "matchDepNames": ["ghcr.io/renovatebot/base-image"],
+      "semanticCommitType": "fix"
+    },
+    {
+      "description": "set feat scope for base image major",
+      "matchDepNames": ["ghcr.io/renovatebot/base-image"],
+      "matchUpdateTypes": ["major", "minor"],
+      "semanticCommitType": "feat"
     }
   ],
   "customManagers": [

diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
@@ -0,0 +1,49 @@
+ARG RENOVATE_VERSION
+ARG BASE_IMAGE_TYPE=slim
+
+# --------------------------------------
+# slim image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.13.2@sha256:7a8653bf454e04f3401bf8058e2d23e9c4c6183b91ccfb789970cc48204216cd AS slim-base
+
+# --------------------------------------
+# full image
+# --------------------------------------
+FROM ghcr.io/renovatebot/base-image:1.13.2-full@sha256:49f0db2a4ea1113cb519a340afbefb6d9b9b1b5493c0adf2ba5bed29102fb647 AS full-base
+
+# --------------------------------------
+# final image
+# --------------------------------------
+FROM ${BASE_IMAGE_TYPE}-base
+
+LABEL name="renovate"
+LABEL org.opencontainers.image.source="https://github.com/renovatebot/renovate" \
+  org.opencontainers.image.url="https://renovatebot.com" \
+  org.opencontainers.image.licenses="AGPL-3.0-only"
+
+
+WORKDIR /usr/src/app
+
+ENV RENOVATE_X_IGNORE_NODE_WARN=true
+
+COPY bin/ /usr/local/bin/
+CMD ["renovate"]
+
+ARG RENOVATE_VERSION
+RUN install-tool renovate
+
+# Compabillity, so `config.js` can access renovate and deps
+RUN ln -sf /opt/containerbase/tools/renovate/${RENOVATE_VERSION}/node_modules ./node_modules;
+
+RUN set -ex; \
+  renovate --version; \
+  renovate-config-validator; \
+  node -e "new require('re2')('.*').exec('test')"; \
+  true
+
+LABEL \
+  org.opencontainers.image.version="${RENOVATE_VERSION}" \
+  org.label-schema.version="${RENOVATE_VERSION}"
+
+# Numeric user ID for the ubuntu user. Used to indicate a non-root user to OpenShift
+USER 1000
diff --git a/tools/docker/bake.hcl b/tools/docker/bake.hcl
@@ -0,0 +1,137 @@
+variable "OWNER" {
+  default = "renovatebot"
+}
+variable "FILE" {
+  default = "renovate"
+}
+variable "TAG" {
+  default = "latest"
+}
+variable "RENOVATE_VERSION" {
+  default = "unknown"
+}
+
+variable "APT_HTTP_PROXY" {
+  default = ""
+}
+
+variable "CONTAINERBASE_DEBUG" {
+  default = ""
+}
+
+variable "GITHUB_TOKEN" {
+  default = ""
+}
+
+group "default" {
+  targets = [
+    "build",
+  ]
+}
+
+group "build" {
+  targets = [
+    "build-slim",
+    "build-full",
+  ]
+}
+
+group "push" {
+  targets = [
+    "push-slim",
+    "push-full",
+    "push-cache-slim",
+    "push-cache-full",
+  ]
+}
+
+target "settings" {
+  context = "tools/docker"
+  args = {
+    APT_HTTP_PROXY      = "${APT_HTTP_PROXY}"
+    CONTAINERBASE_DEBUG = "${CONTAINERBASE_DEBUG}"
+    RENOVATE_VERSION    = "${RENOVATE_VERSION}"
+    GITHUB_TOKEN        = "${GITHUB_TOKEN}"
+  }
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+  ]
+}
+
+target "slim" {
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/${FILE}",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}",
+    "${FILE}/${FILE}",
+    "${FILE}/${FILE}:${TAG}",
+  ]
+}
+
+target "full" {
+  args = {
+    BASE_IMAGE_TYPE = "full"
+  }
+  cache-from = [
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+    "type=registry,ref=ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+  ]
+   tags = [
+    "ghcr.io/${OWNER}/${FILE}:full",
+    "ghcr.io/${OWNER}/${FILE}:${TAG}-full",
+    "${FILE}/${FILE}:full",
+    "${FILE}/${FILE}:${TAG}-full",
+  ]
+}
+
+target "cache" {
+  output   = ["type=registry"]
+  cache-to = ["type=inline,mode=max"]
+}
+
+target "push-cache-slim" {
+  inherits = [
+    "settings",
+    "cache",
+    "slim",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}",
+  ]
+}
+
+target "push-cache-full" {
+  inherits = [
+    "settings",
+    "cache",
+    "full",
+  ]
+  tags = [
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-${TAG}-full",
+    "ghcr.io/${OWNER}/docker-build-cache:${FILE}-full",
+  ]
+}
+
+target "build-slim" {
+  inherits = ["settings", "slim"]
+}
+
+target "build-full" {
+  inherits = ["settings", "full"]
+
+}
+
+target "push-slim" {
+  inherits = ["settings", "slim"]
+  output   = ["type=registry"]
+}
+
+target "push-full" {
+  inherits = ["settings", "full"]
+  output   = ["type=registry"]
+}
diff --git a/tools/docker/bin/docker-entrypoint.sh b/tools/docker/bin/docker-entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [[ -f "/usr/local/etc/env" && -z "${CONTAINERBASE_ENV+x}" ]]; then
+    # shellcheck source=/dev/null
+  . /usr/local/etc/env
+fi
+
+if [[ "${1:0:1}" = '-' ]]; then
+  # assume $1 is renovate flag
+  set -- renovate "$@"
+fi
+
+if [[ ! -x "$(command -v "${1}")" ]]; then
+  # assume $1 is a repo
+  set -- renovate "$@"
+fi
+
+exec dumb-init -- "$@"