Compare commits

..

1 commit

Author SHA1 Message Date
2ee0cbf0a3
Install gitleaks binary from github releases
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2024-06-19 10:02:29 +02:00
13 changed files with 55 additions and 273 deletions

View file

@ -1,3 +1,2 @@
# Ignore everything
*
!.pre-commit-config.yaml

View file

@ -1,16 +0,0 @@
root = true
[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
# Non-standard
quote_type = single
[*.{diff,patch}]
indent_style = unset
indent_size = unset

View file

@ -1,2 +0,0 @@
all # Import all rules
exclude_rule "MD013" # Ignore Line length

2
.mdlrc
View file

@ -1,2 +0,0 @@
style "#{File.dirname(__FILE__)}/.markdown-style.rb"
git_recurse true

View file

@ -1,55 +0,0 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: check-added-large-files
- id: check-case-conflict
- id: check-executables-have-shebangs
- id: check-json
- id: check-merge-conflict
- id: check-symlinks
- id: check-xml
- id: check-yaml
- id: double-quote-string-fixer
- id: end-of-file-fixer
- id: fix-byte-order-marker
- id: mixed-line-ending
- id: no-commit-to-branch
- id: requirements-txt-fixer
- id: trailing-whitespace
args: [--markdown-linebreak-ext=md]
- repo: https://github.com/warpnet/salt-lint
rev: v0.9.2
hooks:
- id: salt-lint
- repo: https://github.com/markdownlint/markdownlint
rev: v0.13.0
hooks:
- id: markdownlint
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.9.0.5
hooks:
- id: shellcheck
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
- repo: local
hooks:
- id: check-ssh-keys
name: check SSH public keys in user pillars
entry: python build/check-ssh-keys.py
language: python
files: ^pillars/users/.+\.sls$
additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO
- id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions
name: Prettier
description: ''
entry: prettier --write --ignore-unknown
language: node
'types': [text]
args: []
require_serial: false
additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. Unspecific to prevent local installs, when global installations are available
minimum_pre_commit_version: '0'

View file

@ -1,4 +0,0 @@
semi: false
bracketSpacing: true
trailingComma: es5
proseWrap: preserve

32
.woodpecker.yaml Normal file
View file

@ -0,0 +1,32 @@
when:
path: "*Dockerfile*"
steps:
build-main:
when:
branch: main
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tag: "latest"
build-branch:
when:
branch:
exclude: ["main"]
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tag: ${CI_COMMIT_BRANCH}

View file

@ -1,35 +0,0 @@
steps:
build main:
when:
- event: push
branch: main
image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tags:
- 'latest'
- ${CI_COMMIT_SHA}
build branch:
when:
- event: push
branch:
exclude: ['main']
image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tags:
- ${CI_COMMIT_BRANCH}
- ${CI_COMMIT_SHA}

View file

@ -1,56 +0,0 @@
skip_clone: true
when:
- event: push
depends_on:
- build
variables:
- &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}'
steps:
await-image:
image: alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
environment:
IMAGE: *image
commands:
- apk add --update --no-cache img
- 'while !(( img pull $IMAGE 2>&1 | grep -q "Error: failed to unmount" )) ; do echo "Awaiting image $IMAGE..."; sleep 3; done'
- echo 'found.'
clone salt:
image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602
settings:
remote: https://git.verdigado.com/verdigado-Privileged/Salt.git
path: salt
sha: ''
ref: refs/heads/master
branch: master
pre-commit salt:
image: *image
depends_on:
- await-image
- clone salt
environment:
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
commands:
- cd salt
- pre-commit run --all-files
clone rocketchat2matrix:
image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602
settings:
remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git
path: rocketchat2matrix
sha: ''
ref: refs/heads/main
branch: master
pre-commit rocketchat2matrix:
image: *image
depends_on:
- await-image
- clone rocketchat2matrix
environment:
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
commands:
- cd rocketchat2matrix
- pre-commit run --all-files

View file

@ -1,33 +1,36 @@
FROM python:3.12.4-alpine3.20@sha256:7f15e22f496c65cffbbac5e30e7e98d60f3e3b9cc5ee5d51cf3c55ed604787c8
FROM python:3.12.3-alpine3.20@sha256:32385e61c3414ffa5a6dbf52feace89f758ad68709a48d376d56a0232162665a
COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /bin/
# renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
ENV BUILD_BASE_VERSION="0.5-r3"
# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose
ENV GCC_VERSION="13.2.1_git20240309-r0"
# renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose
ENV RUBY_VERSION="3.3.3-r0"
ENV RUBY_VERSION="3.3.1-r0"
# renovate: datasource=repology depName=alpine_3_20/git versioning=loose
ENV GIT_VERSION="2.45.2-r0"
# renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4"
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3"
# renovate: datasource=pypi depName=pre-commit versioning=pep440
ENV PRE_COMMIT_VERSION="3.8.0"
RUN mkdir /data /tmp/pre-commit
COPY .pre-commit-config.yaml /tmp/pre-commit
ENV PRE_COMMIT_VERSION="3.7.1"
# renovate: datasource=rubygems depName=mdl versioning=ruby
ENV MDL_VERSION="0.13.0"
# renovate: datasource=repology depName=gitleaks versioning=loose
ENV GITLEAKS_VERSION="v8.18.4"
RUN apk add --update --no-cache \
build-base="${BUILD_BASE_VERSION}" \
gcc="${GCC_VERSION}" \
ruby="${RUBY_VERSION}" \
ruby-dev="${RUBY_VERSION}" \
git="${GIT_VERSION}" \
openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \
&& \
pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \
gem install --no-document mdl -v "${MDL_VERSION}" && \
mkdir /data && \
git config --global --add safe.directory /data && \
cd /tmp/pre-commit && \
git init --initial-branch main && \
pre-commit install --install-hooks && \
rm -rf /tmp/pre-commit
wget https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && \
tar xf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && cp gitleaks /usr/bin/
WORKDIR /data

View file

@ -1,73 +0,0 @@
# verdigado pre-commit container
A container image to include all dependencies (and a warmed up cache) used in our [`pre-commit`](https://pre-commit.com/) hooks/CI steps to speed up execution.
If you see any pre-commit CI jobs installing dependencies:
- Make sure to execute `pre-commit` using this container
- Add the hook to this repo's `.pre-commit-config.yaml`
- Optionally install dependencies in the `Dockerfile` with the versions set up for `Renovate`
## Usage
In your `.woodpecker.yaml`, adapt and add the following block:
```yaml
steps:
check-pre-commit:
image: git.verdigado.com/verdigado-images/container-pre-commit:latest
environment:
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
commands:
- pre-commit run --all-files
```
If renovate is set up for your repo, it'll add and update the pinned digest/hash of the image.
## Development
Generally you should have `Docker` or something alike installed.
If you need to copy files into the container, don't forget to add exclusions to the general _exclude all_ in `.dockerignore`.
To **update the base image** (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required, but supported by a little script. **Renovate might not create a PR for newer image tags.**
1. In the `Dockerfile`, update the Alpine version for the image and the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`).
```diff
- FROM python:3-alpine3.19@sha256:00c0ffeeacab...
+ FROM python:3-alpine3.20 # You can omit the sha256 digest, the script prints it out
# ...
- # renovate: datasource=repology depName=alpine_3_19/build-base versioning=loose
+ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
ENV BUILD_BASE_VERSION="0.8.15"
# ...
```
1. Now run `./get_pkg_versions.sh`. It pulls the alpine image from the Dockerfile, prints it's digest and the latest packages it could find via `apk` inside that container and prints out the names and versions.
Example output of `./get_pkg_versions.sh` for a new image, which is not yet pulled:
```plain
Unable to find image 'python:3.12.3-alpine3.18' locally
3.12.3-alpine3.18: Pulling from library/python
619be1103602: Pull complete
[...]
0eb61f1af52e: Pull complete
Digest: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
Status: Downloaded newer image for python:3.12.3-alpine3.18
[Script output starts here]
Checking 5/5 latest package versions on python:3.12.3-alpine3.18
Image digest found: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
---
build-base-0.5-r3
gcc-12.2.1_git20220924-r10
git-2.40.1-r0
openssh-keygen-9.3_p2-r1
ruby-3.2.4-r0
```
1. Copy the package versions and update the respective `ENV` with it manually in the `Dockerfile`. You also might add the digest to the base image.
1. Test building the image and you can commit it.

View file

@ -1,15 +0,0 @@
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
IMAGE=$(grep -oP 'FROM \K.*alpine[^ ]+' Dockerfile)
PACKAGES=$(grep -oP '#.+depName=alpine.+/\K[^ ]+' Dockerfile)
# shellcheck disable=SC2086
PACKAGES_NO_BR=$(echo ${PACKAGES} | tr -d '\n')
PACKAGES_VERSIONS=$(docker run --rm -t --entrypoint /bin/sh "$IMAGE" -c "apk --update --no-cache list $PACKAGES_NO_BR | cut -d ' ' -f 1 | grep -v '^fetch$'")
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" | cut -d '@' -f2)
echo "Checking $(echo "$PACKAGES" | wc -l)/$(echo "$PACKAGES_VERSIONS" | wc -l) latest package versions on $IMAGE"
echo "Image digest found: $DIGEST"
echo "---"
echo "$PACKAGES_VERSIONS"

View file

@ -1,6 +1,8 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["local>renovate/config"],
"extends": [
"local>renovate/config"
],
"branchPrefix": "renovate-",
"groupName": "all dependencies",
"groupSlug": "all",
@ -8,14 +10,18 @@
{
"groupName": "all dependencies",
"groupSlug": "all",
"matchPackageNames": ["/*/"]
"matchPackagePatterns": [
"*"
]
}
],
"separateMajorMinor": false,
"customManagers": [
{
"customType": "regex",
"fileMatch": ["^Dockerfile$"],
"fileMatch": [
"^Dockerfile$"
],
"matchStrings": [
"#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=\"(?<currentValue>.*)\"\\s"
],