Compare commits
1 commit
main
...
feature/gi
Author | SHA1 | Date | |
---|---|---|---|
2ee0cbf0a3 |
13 changed files with 55 additions and 273 deletions
|
@ -1,3 +1,2 @@
|
|||
# Ignore everything
|
||||
*
|
||||
!.pre-commit-config.yaml
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
end_of_line = lf
|
||||
charset = utf-8
|
||||
trim_trailing_whitespace = true
|
||||
insert_final_newline = true
|
||||
|
||||
# Non-standard
|
||||
quote_type = single
|
||||
|
||||
[*.{diff,patch}]
|
||||
indent_style = unset
|
||||
indent_size = unset
|
|
@ -1,2 +0,0 @@
|
|||
all # Import all rules
|
||||
exclude_rule "MD013" # Ignore Line length
|
2
.mdlrc
2
.mdlrc
|
@ -1,2 +0,0 @@
|
|||
style "#{File.dirname(__FILE__)}/.markdown-style.rb"
|
||||
git_recurse true
|
|
@ -1,55 +0,0 @@
|
|||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v5.0.0
|
||||
hooks:
|
||||
- id: check-added-large-files
|
||||
- id: check-case-conflict
|
||||
- id: check-executables-have-shebangs
|
||||
- id: check-json
|
||||
- id: check-merge-conflict
|
||||
- id: check-symlinks
|
||||
- id: check-xml
|
||||
- id: check-yaml
|
||||
- id: double-quote-string-fixer
|
||||
- id: end-of-file-fixer
|
||||
- id: fix-byte-order-marker
|
||||
- id: mixed-line-ending
|
||||
- id: no-commit-to-branch
|
||||
- id: requirements-txt-fixer
|
||||
- id: trailing-whitespace
|
||||
args: [--markdown-linebreak-ext=md]
|
||||
- repo: https://github.com/warpnet/salt-lint
|
||||
rev: v0.9.2
|
||||
hooks:
|
||||
- id: salt-lint
|
||||
- repo: https://github.com/markdownlint/markdownlint
|
||||
rev: v0.13.0
|
||||
hooks:
|
||||
- id: markdownlint
|
||||
- repo: https://github.com/shellcheck-py/shellcheck-py
|
||||
rev: v0.9.0.5
|
||||
hooks:
|
||||
- id: shellcheck
|
||||
- repo: https://github.com/gitleaks/gitleaks
|
||||
rev: v8.18.4
|
||||
hooks:
|
||||
- id: gitleaks
|
||||
- repo: local
|
||||
hooks:
|
||||
- id: check-ssh-keys
|
||||
name: check SSH public keys in user pillars
|
||||
entry: python build/check-ssh-keys.py
|
||||
language: python
|
||||
files: ^pillars/users/.+\.sls$
|
||||
additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO
|
||||
|
||||
- id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions
|
||||
name: Prettier
|
||||
description: ''
|
||||
entry: prettier --write --ignore-unknown
|
||||
language: node
|
||||
'types': [text]
|
||||
args: []
|
||||
require_serial: false
|
||||
additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. Unspecific to prevent local installs, when global installations are available
|
||||
minimum_pre_commit_version: '0'
|
|
@ -1,4 +0,0 @@
|
|||
semi: false
|
||||
bracketSpacing: true
|
||||
trailingComma: es5
|
||||
proseWrap: preserve
|
32
.woodpecker.yaml
Normal file
32
.woodpecker.yaml
Normal file
|
@ -0,0 +1,32 @@
|
|||
when:
|
||||
path: "*Dockerfile*"
|
||||
|
||||
steps:
|
||||
build-main:
|
||||
when:
|
||||
branch: main
|
||||
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
|
||||
pull: true
|
||||
settings:
|
||||
platforms: linux/amd64
|
||||
registry: ${CI_FORGE_URL}
|
||||
username: WoodpeckerCI
|
||||
password:
|
||||
from_secret: gitea_token
|
||||
repo: git.verdigado.com/${CI_REPO,,}
|
||||
tag: "latest"
|
||||
|
||||
build-branch:
|
||||
when:
|
||||
branch:
|
||||
exclude: ["main"]
|
||||
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
|
||||
pull: true
|
||||
settings:
|
||||
platforms: linux/amd64
|
||||
registry: ${CI_FORGE_URL}
|
||||
username: WoodpeckerCI
|
||||
password:
|
||||
from_secret: gitea_token
|
||||
repo: git.verdigado.com/${CI_REPO,,}
|
||||
tag: ${CI_COMMIT_BRANCH}
|
|
@ -1,35 +0,0 @@
|
|||
steps:
|
||||
build main:
|
||||
when:
|
||||
- event: push
|
||||
branch: main
|
||||
image: woodpeckerci/plugin-docker-buildx:5.0.0@sha256:0a8e69cad4a25d641bdb51daea53ce309692c7bda1193ae04a990bb88486edd8
|
||||
pull: true
|
||||
settings:
|
||||
platforms: linux/amd64
|
||||
registry: ${CI_FORGE_URL}
|
||||
username: WoodpeckerCI
|
||||
password:
|
||||
from_secret: gitea_token
|
||||
repo: git.verdigado.com/${CI_REPO,,}
|
||||
tags:
|
||||
- 'latest'
|
||||
- ${CI_COMMIT_SHA}
|
||||
|
||||
build branch:
|
||||
when:
|
||||
- event: push
|
||||
branch:
|
||||
exclude: ['main']
|
||||
image: woodpeckerci/plugin-docker-buildx:5.0.0@sha256:0a8e69cad4a25d641bdb51daea53ce309692c7bda1193ae04a990bb88486edd8
|
||||
pull: true
|
||||
settings:
|
||||
platforms: linux/amd64
|
||||
registry: ${CI_FORGE_URL}
|
||||
username: WoodpeckerCI
|
||||
password:
|
||||
from_secret: gitea_token
|
||||
repo: git.verdigado.com/${CI_REPO,,}
|
||||
tags:
|
||||
- ${CI_COMMIT_BRANCH}
|
||||
- ${CI_COMMIT_SHA}
|
|
@ -1,56 +0,0 @@
|
|||
skip_clone: true
|
||||
when:
|
||||
- event: push
|
||||
depends_on:
|
||||
- build
|
||||
variables:
|
||||
- &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}'
|
||||
steps:
|
||||
await-image:
|
||||
image: alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a
|
||||
environment:
|
||||
IMAGE: *image
|
||||
commands:
|
||||
- apk add --update --no-cache img
|
||||
- 'while !(( img pull $IMAGE 2>&1 | grep -q "Error: failed to unmount" )) ; do echo "Awaiting image $IMAGE..."; sleep 3; done'
|
||||
- echo 'found.'
|
||||
|
||||
clone salt:
|
||||
image: woodpeckerci/plugin-git@sha256:b6d40eaba0ee4274d11c96cc0e053557e6cb024fa56d26c25419c2b4dd6fbfe8
|
||||
settings:
|
||||
remote: https://git.verdigado.com/verdigado-Privileged/Salt.git
|
||||
path: salt
|
||||
sha: ''
|
||||
ref: refs/heads/master
|
||||
branch: master
|
||||
|
||||
pre-commit salt:
|
||||
image: *image
|
||||
depends_on:
|
||||
- await-image
|
||||
- clone salt
|
||||
environment:
|
||||
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
|
||||
commands:
|
||||
- cd salt
|
||||
- pre-commit run --all-files
|
||||
|
||||
clone rocketchat2matrix:
|
||||
image: woodpeckerci/plugin-git@sha256:b6d40eaba0ee4274d11c96cc0e053557e6cb024fa56d26c25419c2b4dd6fbfe8
|
||||
settings:
|
||||
remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git
|
||||
path: rocketchat2matrix
|
||||
sha: ''
|
||||
ref: refs/heads/main
|
||||
branch: master
|
||||
|
||||
pre-commit rocketchat2matrix:
|
||||
image: *image
|
||||
depends_on:
|
||||
- await-image
|
||||
- clone rocketchat2matrix
|
||||
environment:
|
||||
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
|
||||
commands:
|
||||
- cd rocketchat2matrix
|
||||
- pre-commit run --all-files
|
25
Dockerfile
25
Dockerfile
|
@ -1,33 +1,36 @@
|
|||
FROM python:3.12.4-alpine3.20@sha256:63094abdaf49e046da9f6529ecd6ce4d853d9bfbf00a25c52bbbb68b3223b490
|
||||
FROM python:3.12.3-alpine3.20@sha256:32385e61c3414ffa5a6dbf52feace89f758ad68709a48d376d56a0232162665a
|
||||
COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /bin/
|
||||
|
||||
# renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
|
||||
ENV BUILD_BASE_VERSION="0.5-r3"
|
||||
# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose
|
||||
ENV GCC_VERSION="13.2.1_git20240309-r0"
|
||||
# renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose
|
||||
ENV RUBY_VERSION="3.3.3-r0"
|
||||
ENV RUBY_VERSION="3.3.1-r0"
|
||||
# renovate: datasource=repology depName=alpine_3_20/git versioning=loose
|
||||
ENV GIT_VERSION="2.45.2-r0"
|
||||
# renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose
|
||||
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4"
|
||||
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3"
|
||||
# renovate: datasource=pypi depName=pre-commit versioning=pep440
|
||||
ENV PRE_COMMIT_VERSION="4.0.1"
|
||||
|
||||
RUN mkdir /data /tmp/pre-commit
|
||||
COPY .pre-commit-config.yaml /tmp/pre-commit
|
||||
ENV PRE_COMMIT_VERSION="3.7.1"
|
||||
# renovate: datasource=rubygems depName=mdl versioning=ruby
|
||||
ENV MDL_VERSION="0.13.0"
|
||||
# renovate: datasource=repology depName=gitleaks versioning=loose
|
||||
ENV GITLEAKS_VERSION="v8.18.4"
|
||||
|
||||
RUN apk add --update --no-cache \
|
||||
build-base="${BUILD_BASE_VERSION}" \
|
||||
gcc="${GCC_VERSION}" \
|
||||
ruby="${RUBY_VERSION}" \
|
||||
ruby-dev="${RUBY_VERSION}" \
|
||||
git="${GIT_VERSION}" \
|
||||
openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \
|
||||
&& \
|
||||
pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \
|
||||
gem install --no-document mdl -v "${MDL_VERSION}" && \
|
||||
mkdir /data && \
|
||||
git config --global --add safe.directory /data && \
|
||||
cd /tmp/pre-commit && \
|
||||
git init --initial-branch main && \
|
||||
pre-commit install --install-hooks && \
|
||||
rm -rf /tmp/pre-commit
|
||||
wget https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && \
|
||||
tar xf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && cp gitleaks /usr/bin/
|
||||
|
||||
WORKDIR /data
|
||||
|
|
73
README.md
73
README.md
|
@ -1,73 +0,0 @@
|
|||
# verdigado pre-commit container
|
||||
|
||||
A container image to include all dependencies (and a warmed up cache) used in our [`pre-commit`](https://pre-commit.com/) hooks/CI steps to speed up execution.
|
||||
|
||||
If you see any pre-commit CI jobs installing dependencies:
|
||||
|
||||
- Make sure to execute `pre-commit` using this container
|
||||
- Add the hook to this repo's `.pre-commit-config.yaml`
|
||||
- Optionally install dependencies in the `Dockerfile` with the versions set up for `Renovate`
|
||||
|
||||
## Usage
|
||||
|
||||
In your `.woodpecker.yaml`, adapt and add the following block:
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
check-pre-commit:
|
||||
image: git.verdigado.com/verdigado-images/container-pre-commit:latest
|
||||
environment:
|
||||
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
|
||||
commands:
|
||||
- pre-commit run --all-files
|
||||
```
|
||||
|
||||
If renovate is set up for your repo, it'll add and update the pinned digest/hash of the image.
|
||||
|
||||
## Development
|
||||
|
||||
Generally you should have `Docker` or something alike installed.
|
||||
|
||||
If you need to copy files into the container, don't forget to add exclusions to the general _exclude all_ in `.dockerignore`.
|
||||
|
||||
To **update the base image** (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required, but supported by a little script. **Renovate might not create a PR for newer image tags.**
|
||||
|
||||
1. In the `Dockerfile`, update the Alpine version for the image and the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`).
|
||||
|
||||
```diff
|
||||
- FROM python:3-alpine3.19@sha256:00c0ffeeacab...
|
||||
+ FROM python:3-alpine3.20 # You can omit the sha256 digest, the script prints it out
|
||||
# ...
|
||||
|
||||
- # renovate: datasource=repology depName=alpine_3_19/build-base versioning=loose
|
||||
+ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
|
||||
ENV BUILD_BASE_VERSION="0.8.15"
|
||||
# ...
|
||||
```
|
||||
|
||||
1. Now run `./get_pkg_versions.sh`. It pulls the alpine image from the Dockerfile, prints it's digest and the latest packages it could find via `apk` inside that container and prints out the names and versions.
|
||||
|
||||
Example output of `./get_pkg_versions.sh` for a new image, which is not yet pulled:
|
||||
|
||||
```plain
|
||||
Unable to find image 'python:3.12.3-alpine3.18' locally
|
||||
3.12.3-alpine3.18: Pulling from library/python
|
||||
619be1103602: Pull complete
|
||||
[...]
|
||||
0eb61f1af52e: Pull complete
|
||||
Digest: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
|
||||
Status: Downloaded newer image for python:3.12.3-alpine3.18
|
||||
[Script output starts here]
|
||||
Checking 5/5 latest package versions on python:3.12.3-alpine3.18
|
||||
Image digest found: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
|
||||
---
|
||||
build-base-0.5-r3
|
||||
gcc-12.2.1_git20220924-r10
|
||||
git-2.40.1-r0
|
||||
openssh-keygen-9.3_p2-r1
|
||||
ruby-3.2.4-r0
|
||||
```
|
||||
|
||||
1. Copy the package versions and update the respective `ENV` with it manually in the `Dockerfile`. You also might add the digest to the base image.
|
||||
|
||||
1. Test building the image and you can commit it.
|
|
@ -1,15 +0,0 @@
|
|||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
IMAGE=$(grep -oP 'FROM \K.*alpine[^ ]+' Dockerfile)
|
||||
PACKAGES=$(grep -oP '#.+depName=alpine.+/\K[^ ]+' Dockerfile)
|
||||
# shellcheck disable=SC2086
|
||||
PACKAGES_NO_BR=$(echo ${PACKAGES} | tr -d '\n')
|
||||
PACKAGES_VERSIONS=$(docker run --rm -t --entrypoint /bin/sh "$IMAGE" -c "apk --update --no-cache list $PACKAGES_NO_BR | cut -d ' ' -f 1 | grep -v '^fetch$'")
|
||||
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" | cut -d '@' -f2)
|
||||
|
||||
echo "Checking $(echo "$PACKAGES" | wc -l)/$(echo "$PACKAGES_VERSIONS" | wc -l) latest package versions on $IMAGE"
|
||||
echo "Image digest found: $DIGEST"
|
||||
echo "---"
|
||||
echo "$PACKAGES_VERSIONS"
|
|
@ -1,6 +1,8 @@
|
|||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": ["local>renovate/config"],
|
||||
"extends": [
|
||||
"local>renovate/config"
|
||||
],
|
||||
"branchPrefix": "renovate-",
|
||||
"groupName": "all dependencies",
|
||||
"groupSlug": "all",
|
||||
|
@ -8,14 +10,18 @@
|
|||
{
|
||||
"groupName": "all dependencies",
|
||||
"groupSlug": "all",
|
||||
"matchPackageNames": ["/*/"]
|
||||
"matchPackagePatterns": [
|
||||
"*"
|
||||
]
|
||||
}
|
||||
],
|
||||
"separateMajorMinor": false,
|
||||
"customManagers": [
|
||||
{
|
||||
"customType": "regex",
|
||||
"fileMatch": ["^Dockerfile$"],
|
||||
"fileMatch": [
|
||||
"^Dockerfile$"
|
||||
],
|
||||
"matchStrings": [
|
||||
"#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=\"(?<currentValue>.*)\"\\s"
|
||||
],
|
||||
|
|
Loading…
Reference in a new issue