main
...
feature/gi
Author | SHA1 | Date | |
---|---|---|---|
2ee0cbf0a3 |
13 changed files with 55 additions and 273 deletions
|
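--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,2 @@
 # Ignore everything
 *
-!.pre-commit-config.yaml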
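--- a/.editorconfig
+++ b/.editorconfig
@@ -1,16 +0,0 @@
-root = true
-
-[*]
-indent_style = space
-indent_size = 2
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
-
-# Non-standard
-quote_type = single
-
-[*.{diff,patch}]
-indent_style = unset
-indent_size = unset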
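--- a/.markdown-style.rb
+++ b/.markdown-style.rb
@@ -1,2 +0,0 @@
-all # Import all rules
-exclude_rule "MD013" # Ignore Line length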
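--- a/.mdlrc
+++ b/.mdlrc
@@ -1,2 +0,0 @@
-style "#{File.dirname(__FILE__)}/.markdown-style.rb"
-git_recurse true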
@ -1,55 +0,0 @@
|
||||||
repos:
|
|
||||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
|
||||||
rev: v4.6.0
|
|
||||||
hooks:
|
|
||||||
- id: check-added-large-files
|
|
||||||
- id: check-case-conflict
|
|
||||||
- id: check-executables-have-shebangs
|
|
||||||
- id: check-json
|
|
||||||
- id: check-merge-conflict
|
|
||||||
- id: check-symlinks
|
|
||||||
- id: check-xml
|
|
||||||
- id: check-yaml
|
|
||||||
- id: double-quote-string-fixer
|
|
||||||
- id: end-of-file-fixer
|
|
||||||
- id: fix-byte-order-marker
|
|
||||||
- id: mixed-line-ending
|
|
||||||
- id: no-commit-to-branch
|
|
||||||
- id: requirements-txt-fixer
|
|
||||||
- id: trailing-whitespace
|
|
||||||
args: [--markdown-linebreak-ext=md]
|
|
||||||
- repo: https://github.com/warpnet/salt-lint
|
|
||||||
rev: v0.9.2
|
|
||||||
hooks:
|
|
||||||
- id: salt-lint
|
|
||||||
- repo: https://github.com/markdownlint/markdownlint
|
|
||||||
rev: v0.13.0
|
|
||||||
hooks:
|
|
||||||
- id: markdownlint
|
|
||||||
- repo: https://github.com/shellcheck-py/shellcheck-py
|
|
||||||
rev: v0.9.0.5
|
|
||||||
hooks:
|
|
||||||
- id: shellcheck
|
|
||||||
- repo: https://github.com/gitleaks/gitleaks
|
|
||||||
rev: v8.18.4
|
|
||||||
hooks:
|
|
||||||
- id: gitleaks
|
|
||||||
- repo: local
|
|
||||||
hooks:
|
|
||||||
- id: check-ssh-keys
|
|
||||||
name: check SSH public keys in user pillars
|
|
||||||
entry: python build/check-ssh-keys.py
|
|
||||||
language: python
|
|
||||||
files: ^pillars/users/.+\.sls$
|
|
||||||
additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO
|
|
||||||
|
|
||||||
- id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions
|
|
||||||
name: Prettier
|
|
||||||
description: ''
|
|
||||||
entry: prettier --write --ignore-unknown
|
|
||||||
language: node
|
|
||||||
'types': [text]
|
|
||||||
args: []
|
|
||||||
require_serial: false
|
|
||||||
additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. Unspecific to prevent local installs, when global installations are available
|
|
||||||
minimum_pre_commit_version: '0'
|
|
|
@ -1,4 +0,0 @@
|
||||||
semi: false
|
|
||||||
bracketSpacing: true
|
|
||||||
trailingComma: es5
|
|
||||||
proseWrap: preserve
|
|
32
.woodpecker.yaml
Normal file
32
.woodpecker.yaml
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
when:
|
||||||
|
path: "*Dockerfile*"
|
||||||
|
|
||||||
|
steps:
|
||||||
|
build-main:
|
||||||
|
when:
|
||||||
|
branch: main
|
||||||
|
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
|
||||||
|
pull: true
|
||||||
|
settings:
|
||||||
|
platforms: linux/amd64
|
||||||
|
registry: ${CI_FORGE_URL}
|
||||||
|
username: WoodpeckerCI
|
||||||
|
password:
|
||||||
|
from_secret: gitea_token
|
||||||
|
repo: git.verdigado.com/${CI_REPO,,}
|
||||||
|
tag: "latest"
|
||||||
|
|
||||||
|
build-branch:
|
||||||
|
when:
|
||||||
|
branch:
|
||||||
|
exclude: ["main"]
|
||||||
|
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
|
||||||
|
pull: true
|
||||||
|
settings:
|
||||||
|
platforms: linux/amd64
|
||||||
|
registry: ${CI_FORGE_URL}
|
||||||
|
username: WoodpeckerCI
|
||||||
|
password:
|
||||||
|
from_secret: gitea_token
|
||||||
|
repo: git.verdigado.com/${CI_REPO,,}
|
||||||
|
tag: ${CI_COMMIT_BRANCH}
|
|
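Review bot: `tag: ${CI_COMMIT_BRANCH}` in `build-branch` yields an invalid image tag for any branch containing `/` (the `feature/gi` branch being compared here is one), and both steps push only mutable tags, so an image in the registry can no longer be traced back to the commit that built it — the replaced pipeline pushed `${CI_COMMIT_SHA}` alongside. Both steps also lose the `event: push` condition the replaced pipeline had, so unless the forge's secret settings restrict it, the `gitea_token` used for the registry push may become available to runs triggered by other events such as pull requests; worth confirming against the Woodpecker secret configuration. Suggest restoring the event filter per step, `when: { event: push, branch: main }` (and the `exclude` form for `build-branch`), and pushing an immutable tag too, `tags: ["${CI_COMMIT_BRANCH//\//-}", "${CI_COMMIT_SHA}"]` — the `//\//-` substitution maps `/` to `-`, but check that Woodpecker's variable expansion supports it as it does `${CI_REPO,,}`.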
@ -1,35 +0,0 @@
|
||||||
steps:
|
|
||||||
build main:
|
|
||||||
when:
|
|
||||||
- event: push
|
|
||||||
branch: main
|
|
||||||
image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a
|
|
||||||
pull: true
|
|
||||||
settings:
|
|
||||||
platforms: linux/amd64
|
|
||||||
registry: ${CI_FORGE_URL}
|
|
||||||
username: WoodpeckerCI
|
|
||||||
password:
|
|
||||||
from_secret: gitea_token
|
|
||||||
repo: git.verdigado.com/${CI_REPO,,}
|
|
||||||
tags:
|
|
||||||
- 'latest'
|
|
||||||
- ${CI_COMMIT_SHA}
|
|
||||||
|
|
||||||
build branch:
|
|
||||||
when:
|
|
||||||
- event: push
|
|
||||||
branch:
|
|
||||||
exclude: ['main']
|
|
||||||
image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a
|
|
||||||
pull: true
|
|
||||||
settings:
|
|
||||||
platforms: linux/amd64
|
|
||||||
registry: ${CI_FORGE_URL}
|
|
||||||
username: WoodpeckerCI
|
|
||||||
password:
|
|
||||||
from_secret: gitea_token
|
|
||||||
repo: git.verdigado.com/${CI_REPO,,}
|
|
||||||
tags:
|
|
||||||
- ${CI_COMMIT_BRANCH}
|
|
||||||
- ${CI_COMMIT_SHA}
|
|
|
@ -1,56 +0,0 @@
|
||||||
skip_clone: true
|
|
||||||
when:
|
|
||||||
- event: push
|
|
||||||
depends_on:
|
|
||||||
- build
|
|
||||||
variables:
|
|
||||||
- &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}'
|
|
||||||
steps:
|
|
||||||
await-image:
|
|
||||||
image: alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
|
|
||||||
environment:
|
|
||||||
IMAGE: *image
|
|
||||||
commands:
|
|
||||||
- apk add --update --no-cache img
|
|
||||||
- 'while !(( img pull $IMAGE 2>&1 | grep -q "Error: failed to unmount" )) ; do echo "Awaiting image $IMAGE..."; sleep 3; done'
|
|
||||||
- echo 'found.'
|
|
||||||
|
|
||||||
clone salt:
|
|
||||||
image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602
|
|
||||||
settings:
|
|
||||||
remote: https://git.verdigado.com/verdigado-Privileged/Salt.git
|
|
||||||
path: salt
|
|
||||||
sha: ''
|
|
||||||
ref: refs/heads/master
|
|
||||||
branch: master
|
|
||||||
|
|
||||||
pre-commit salt:
|
|
||||||
image: *image
|
|
||||||
depends_on:
|
|
||||||
- await-image
|
|
||||||
- clone salt
|
|
||||||
environment:
|
|
||||||
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
|
|
||||||
commands:
|
|
||||||
- cd salt
|
|
||||||
- pre-commit run --all-files
|
|
||||||
|
|
||||||
clone rocketchat2matrix:
|
|
||||||
image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602
|
|
||||||
settings:
|
|
||||||
remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git
|
|
||||||
path: rocketchat2matrix
|
|
||||||
sha: ''
|
|
||||||
ref: refs/heads/main
|
|
||||||
branch: master
|
|
||||||
|
|
||||||
pre-commit rocketchat2matrix:
|
|
||||||
image: *image
|
|
||||||
depends_on:
|
|
||||||
- await-image
|
|
||||||
- clone rocketchat2matrix
|
|
||||||
environment:
|
|
||||||
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
|
|
||||||
commands:
|
|
||||||
- cd rocketchat2matrix
|
|
||||||
- pre-commit run --all-files
|
|
25
Dockerfile
25
Dockerfile
|
@ -1,33 +1,36 @@
|
||||||
FROM python:3.12.4-alpine3.20@sha256:7f15e22f496c65cffbbac5e30e7e98d60f3e3b9cc5ee5d51cf3c55ed604787c8
|
FROM python:3.12.3-alpine3.20@sha256:32385e61c3414ffa5a6dbf52feace89f758ad68709a48d376d56a0232162665a
|
||||||
|
COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /bin/
|
||||||
|
|
||||||
# renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
|
# renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
|
||||||
ENV BUILD_BASE_VERSION="0.5-r3"
|
ENV BUILD_BASE_VERSION="0.5-r3"
|
||||||
# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose
|
# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose
|
||||||
ENV GCC_VERSION="13.2.1_git20240309-r0"
|
ENV GCC_VERSION="13.2.1_git20240309-r0"
|
||||||
# renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose
|
# renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose
|
||||||
ENV RUBY_VERSION="3.3.3-r0"
|
ENV RUBY_VERSION="3.3.1-r0"
|
||||||
# renovate: datasource=repology depName=alpine_3_20/git versioning=loose
|
# renovate: datasource=repology depName=alpine_3_20/git versioning=loose
|
||||||
ENV GIT_VERSION="2.45.2-r0"
|
ENV GIT_VERSION="2.45.2-r0"
|
||||||
# renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose
|
# renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose
|
||||||
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4"
|
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3"
|
||||||
# renovate: datasource=pypi depName=pre-commit versioning=pep440
|
# renovate: datasource=pypi depName=pre-commit versioning=pep440
|
||||||
ENV PRE_COMMIT_VERSION="3.8.0"
|
ENV PRE_COMMIT_VERSION="3.7.1"
|
||||||
|
# renovate: datasource=rubygems depName=mdl versioning=ruby
|
||||||
RUN mkdir /data /tmp/pre-commit
|
ENV MDL_VERSION="0.13.0"
|
||||||
COPY .pre-commit-config.yaml /tmp/pre-commit
|
# renovate: datasource=repology depName=gitleaks versioning=loose
|
||||||
|
ENV GITLEAKS_VERSION="v8.18.4"
|
||||||
|
|
||||||
RUN apk add --update --no-cache \
|
RUN apk add --update --no-cache \
|
||||||
build-base="${BUILD_BASE_VERSION}" \
|
build-base="${BUILD_BASE_VERSION}" \
|
||||||
gcc="${GCC_VERSION}" \
|
gcc="${GCC_VERSION}" \
|
||||||
|
ruby="${RUBY_VERSION}" \
|
||||||
ruby-dev="${RUBY_VERSION}" \
|
ruby-dev="${RUBY_VERSION}" \
|
||||||
git="${GIT_VERSION}" \
|
git="${GIT_VERSION}" \
|
||||||
openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \
|
openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \
|
||||||
&& \
|
&& \
|
||||||
pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \
|
pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \
|
||||||
|
gem install --no-document mdl -v "${MDL_VERSION}" && \
|
||||||
|
mkdir /data && \
|
||||||
git config --global --add safe.directory /data && \
|
git config --global --add safe.directory /data && \
|
||||||
cd /tmp/pre-commit && \
|
wget https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && \
|
||||||
git init --initial-branch main && \
|
tar xf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && cp gitleaks /usr/bin/
|
||||||
pre-commit install --install-hooks && \
|
|
||||||
rm -rf /tmp/pre-commit
|
|
||||||
|
|
||||||
WORKDIR /data
|
WORKDIR /data
|
||||||
|
|
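Review bot: The gitleaks binary is fetched with `wget` and copied into `/usr/bin/` without any integrity check, so the build trusts whatever the release URL serves at build time; the base image and the shellcheck stage on the `COPY --from` line are digest-pinned, which leaves this as the one unverified component in the image. Note also that `GITLEAKS_VERSION="v8.18.4"` is substituted into the asset name, giving `gitleaks_v8.18.4_linux_x64.tar.gz`, whereas gitleaks release assets are, as far as I can tell, named without the `v` prefix — verify the URL actually resolves; the downloaded tarball is also left behind in the image root. Either copy the binary out of a digest-pinned gitleaks image the way shellcheck is handled, or verify a pinned checksum as sketched below (the `datasource=repology` comment would then better point at `github-releases`, since the value is a GitHub release tag).

```dockerfile
# renovate: datasource=github-releases depName=gitleaks/gitleaks
ENV GITLEAKS_VERSION="v8.18.4"
# sha256 of gitleaks_<version>_linux_x64.tar.gz from the release page; update together with the version
ENV GITLEAKS_SHA256="<release asset sha256>"
# … unchanged: apk add, pip install, gem install, mkdir /data, git config …
    wget -O /tmp/gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION#v}_linux_x64.tar.gz" && \
    echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/gitleaks.tar.gz -C /usr/bin gitleaks && \
    rm /tmp/gitleaks.tar.gz
```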
73
README.md
73
README.md
|
@ -1,73 +0,0 @@
|
||||||
# verdigado pre-commit container
|
|
||||||
|
|
||||||
A container image to include all dependencies (and a warmed up cache) used in our [`pre-commit`](https://pre-commit.com/) hooks/CI steps to speed up execution.
|
|
||||||
|
|
||||||
If you see any pre-commit CI jobs installing dependencies:
|
|
||||||
|
|
||||||
- Make sure to execute `pre-commit` using this container
|
|
||||||
- Add the hook to this repo's `.pre-commit-config.yaml`
|
|
||||||
- Optionally install dependencies in the `Dockerfile` with the versions set up for `Renovate`
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
In your `.woodpecker.yaml`, adapt and add the following block:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
steps:
|
|
||||||
check-pre-commit:
|
|
||||||
image: git.verdigado.com/verdigado-images/container-pre-commit:latest
|
|
||||||
environment:
|
|
||||||
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
|
|
||||||
commands:
|
|
||||||
- pre-commit run --all-files
|
|
||||||
```
|
|
||||||
|
|
||||||
If renovate is set up for your repo, it'll add and update the pinned digest/hash of the image.
|
|
||||||
|
|
||||||
## Development
|
|
||||||
|
|
||||||
Generally you should have `Docker` or something alike installed.
|
|
||||||
|
|
||||||
If you need to copy files into the container, don't forget to add exclusions to the general _exclude all_ in `.dockerignore`.
|
|
||||||
|
|
||||||
To **update the base image** (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required, but supported by a little script. **Renovate might not create a PR for newer image tags.**
|
|
||||||
|
|
||||||
1. In the `Dockerfile`, update the Alpine version for the image and the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`).
|
|
||||||
|
|
||||||
```diff
|
|
||||||
- FROM python:3-alpine3.19@sha256:00c0ffeeacab...
|
|
||||||
+ FROM python:3-alpine3.20 # You can omit the sha256 digest, the script prints it out
|
|
||||||
# ...
|
|
||||||
|
|
||||||
- # renovate: datasource=repology depName=alpine_3_19/build-base versioning=loose
|
|
||||||
+ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
|
|
||||||
ENV BUILD_BASE_VERSION="0.8.15"
|
|
||||||
# ...
|
|
||||||
```
|
|
||||||
|
|
||||||
1. Now run `./get_pkg_versions.sh`. It pulls the alpine image from the Dockerfile, prints it's digest and the latest packages it could find via `apk` inside that container and prints out the names and versions.
|
|
||||||
|
|
||||||
Example output of `./get_pkg_versions.sh` for a new image, which is not yet pulled:
|
|
||||||
|
|
||||||
```plain
|
|
||||||
Unable to find image 'python:3.12.3-alpine3.18' locally
|
|
||||||
3.12.3-alpine3.18: Pulling from library/python
|
|
||||||
619be1103602: Pull complete
|
|
||||||
[...]
|
|
||||||
0eb61f1af52e: Pull complete
|
|
||||||
Digest: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
|
|
||||||
Status: Downloaded newer image for python:3.12.3-alpine3.18
|
|
||||||
[Script output starts here]
|
|
||||||
Checking 5/5 latest package versions on python:3.12.3-alpine3.18
|
|
||||||
Image digest found: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
|
|
||||||
---
|
|
||||||
build-base-0.5-r3
|
|
||||||
gcc-12.2.1_git20220924-r10
|
|
||||||
git-2.40.1-r0
|
|
||||||
openssh-keygen-9.3_p2-r1
|
|
||||||
ruby-3.2.4-r0
|
|
||||||
```
|
|
||||||
|
|
||||||
1. Copy the package versions and update the respective `ENV` with it manually in the `Dockerfile`. You also might add the digest to the base image.
|
|
||||||
|
|
||||||
1. Test building the image and you can commit it.
|
|
|
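--- a/get_pkg_versions.sh
+++ b/get_pkg_versions.sh
@@ -1,15 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-IFS=$'\n\t'
-
-IMAGE=$(grep -oP 'FROM \K.*alpine[^ ]+' Dockerfile)
-PACKAGES=$(grep -oP '#.+depName=alpine.+/\K[^ ]+' Dockerfile)
-# shellcheck disable=SC2086
-PACKAGES_NO_BR=$(echo ${PACKAGES} | tr -d '\n')
-PACKAGES_VERSIONS=$(docker run --rm -t --entrypoint /bin/sh "$IMAGE" -c "apk --update --no-cache list $PACKAGES_NO_BR | cut -d ' ' -f 1 | grep -v '^fetch$'")
-DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" | cut -d '@' -f2)
-
-echo "Checking $(echo "$PACKAGES" | wc -l)/$(echo "$PACKAGES_VERSIONS" | wc -l) latest package versions on $IMAGE"
-echo "Image digest found: $DIGEST"
-echo "---"
-echo "$PACKAGES_VERSIONS"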
@ -1,6 +1,8 @@
|
||||||
{
|
{
|
||||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||||
"extends": ["local>renovate/config"],
|
"extends": [
|
||||||
|
"local>renovate/config"
|
||||||
|
],
|
||||||
"branchPrefix": "renovate-",
|
"branchPrefix": "renovate-",
|
||||||
"groupName": "all dependencies",
|
"groupName": "all dependencies",
|
||||||
"groupSlug": "all",
|
"groupSlug": "all",
|
||||||
|
@ -8,14 +10,18 @@
|
||||||
{
|
{
|
||||||
"groupName": "all dependencies",
|
"groupName": "all dependencies",
|
||||||
"groupSlug": "all",
|
"groupSlug": "all",
|
||||||
"matchPackageNames": ["/*/"]
|
"matchPackagePatterns": [
|
||||||
|
"*"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"separateMajorMinor": false,
|
"separateMajorMinor": false,
|
||||||
"customManagers": [
|
"customManagers": [
|
||||||
{
|
{
|
||||||
"customType": "regex",
|
"customType": "regex",
|
||||||
"fileMatch": ["^Dockerfile$"],
|
"fileMatch": [
|
||||||
|
"^Dockerfile$"
|
||||||
|
],
|
||||||
"matchStrings": [
|
"matchStrings": [
|
||||||
"#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=\"(?<currentValue>.*)\"\\s"
|
"#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=\"(?<currentValue>.*)\"\\s"
|
||||||
],
|
],
|
||||||
|
|
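Review bot: `"matchPackagePatterns": ["*"]` on the new side is, as far as I can tell, the deprecated spelling — recent Renovate releases document `matchPackageNames` with regex syntax (the `"/*/"` form the other side uses) and emit a migration warning for `matchPackagePatterns`, so this only works for as long as the installed Renovate keeps the alias; keep `"matchPackageNames": ["/*/"]` unless the self-hosted Renovate here predates it, which I cannot tell from this page. The regex manager in `customManagers` is unchanged and takes `datasource=` from the comment above each `ENV`, so it will also pick up the new `gitleaks` entry in the Dockerfile, which pairs `datasource=repology` with a `v`-prefixed GitHub release tag — that lookup is unlikely to match; `datasource=github-releases depName=gitleaks/gitleaks` is the conventional pairing for that value.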