Compare commits

..

No commits in common. "main" and "run-pre-commit" have entirely different histories.

10 changed files with 66 additions and 192 deletions

View file

@ -1,2 +0,0 @@
all # Import all rules
exclude_rule "MD013" # Ignore Line length

2
.mdlrc
View file

@ -1,2 +0,0 @@
style "#{File.dirname(__FILE__)}/.markdown-style.rb"
git_recurse true

View file

@ -1,3 +1,13 @@
exclude: |
(?x)
.drawio$|
^test/.*.json$|
tsconfig.json$|
.diff$|
.patch$|
.min.|
^states/common/setup/files/01-netzbegruenung.sh$|
^states/common/setup/files/01-verdigado.sh$
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0 rev: v4.6.0
@ -30,10 +40,6 @@ repos:
rev: v0.9.0.5 rev: v0.9.0.5
hooks: hooks:
- id: shellcheck - id: shellcheck
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
- repo: local - repo: local
hooks: hooks:
- id: check-ssh-keys - id: check-ssh-keys
@ -43,6 +49,12 @@ repos:
files: ^pillars/users/.+\.sls$ files: ^pillars/users/.+\.sls$
additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO
- id: check-codeowners
name: check CODEOWNERS for alphabetical comment order
entry: python build/check-alphabetical-comments.py
language: python
files: CODEOWNERS
- id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions - id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions
name: Prettier name: Prettier
description: '' description: ''
@ -53,3 +65,10 @@ repos:
require_serial: false require_serial: false
additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. Unspecific to prevent local installs, when global installations are available additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. Unspecific to prevent local installs, when global installations are available
minimum_pre_commit_version: '0' minimum_pre_commit_version: '0'
- id: git-diff
name: git diff
entry: git diff --exit-code
language: system
pass_filenames: false
always_run: true

32
.woodpecker.yaml Normal file
View file

@ -0,0 +1,32 @@
when:
path: '*Dockerfile*'
steps:
build-main:
when:
branch: main
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tag: 'latest'
build-branch:
when:
branch:
exclude: ['main']
image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tag: ${CI_COMMIT_BRANCH}

View file

@ -1,35 +0,0 @@
steps:
build main:
when:
- event: push
branch: main
image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tags:
- 'latest'
- ${CI_COMMIT_SHA}
build branch:
when:
- event: push
branch:
exclude: ['main']
image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a
pull: true
settings:
platforms: linux/amd64
registry: ${CI_FORGE_URL}
username: WoodpeckerCI
password:
from_secret: gitea_token
repo: git.verdigado.com/${CI_REPO,,}
tags:
- ${CI_COMMIT_BRANCH}
- ${CI_COMMIT_SHA}

View file

@ -1,56 +0,0 @@
skip_clone: true
when:
- event: push
depends_on:
- build
variables:
- &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}'
steps:
await-image:
image: alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
environment:
IMAGE: *image
commands:
- apk add --update --no-cache img
- 'while !(( img pull $IMAGE 2>&1 | grep -q "Error: failed to unmount" )) ; do echo "Awaiting image $IMAGE..."; sleep 3; done'
- echo 'found.'
clone salt:
image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602
settings:
remote: https://git.verdigado.com/verdigado-Privileged/Salt.git
path: salt
sha: ''
ref: refs/heads/master
branch: master
pre-commit salt:
image: *image
depends_on:
- await-image
- clone salt
environment:
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
commands:
- cd salt
- pre-commit run --all-files
clone rocketchat2matrix:
image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602
settings:
remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git
path: rocketchat2matrix
sha: ''
ref: refs/heads/main
branch: master
pre-commit rocketchat2matrix:
image: *image
depends_on:
- await-image
- clone rocketchat2matrix
environment:
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
commands:
- cd rocketchat2matrix
- pre-commit run --all-files

View file

@ -1,17 +1,21 @@
FROM python:3.12.4-alpine3.20@sha256:7f15e22f496c65cffbbac5e30e7e98d60f3e3b9cc5ee5d51cf3c55ed604787c8 FROM python:3.12.4-alpine3.20@sha256:a982997504b8ec596f553d78f4de4b961bbdf5254e0177f6e99bb34f4ef16f95
COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /usr/bin/
COPY --from=ghcr.io/gitleaks/gitleaks:v8.18.4@sha256:f44e526acc67786b7476db413edb993ce2d152660d32fb3eb48d9bca06fa83f8 /usr/bin/gitleaks /usr/bin/
# renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
ENV BUILD_BASE_VERSION="0.5-r3" ENV BUILD_BASE_VERSION="0.5-r3"
# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose # renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose
ENV GCC_VERSION="13.2.1_git20240309-r0" ENV GCC_VERSION="13.2.1_git20240309-r0"
# renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose # renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose
ENV RUBY_VERSION="3.3.3-r0" ENV RUBY_VERSION="3.3.1-r0"
# renovate: datasource=repology depName=alpine_3_20/git versioning=loose # renovate: datasource=repology depName=alpine_3_20/git versioning=loose
ENV GIT_VERSION="2.45.2-r0" ENV GIT_VERSION="2.45.2-r0"
# renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose
ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4" ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3"
# renovate: datasource=pypi depName=pre-commit versioning=pep440 # renovate: datasource=pypi depName=pre-commit versioning=pep440
ENV PRE_COMMIT_VERSION="3.8.0" ENV PRE_COMMIT_VERSION="3.7.1"
# renovate: datasource=rubygems depName=mdl versioning=ruby
ENV MDL_VERSION="0.13.0"
RUN mkdir /data /tmp/pre-commit RUN mkdir /data /tmp/pre-commit
COPY .pre-commit-config.yaml /tmp/pre-commit COPY .pre-commit-config.yaml /tmp/pre-commit
@ -19,11 +23,13 @@ COPY .pre-commit-config.yaml /tmp/pre-commit
RUN apk add --update --no-cache \ RUN apk add --update --no-cache \
build-base="${BUILD_BASE_VERSION}" \ build-base="${BUILD_BASE_VERSION}" \
gcc="${GCC_VERSION}" \ gcc="${GCC_VERSION}" \
ruby="${RUBY_VERSION}" \
ruby-dev="${RUBY_VERSION}" \ ruby-dev="${RUBY_VERSION}" \
git="${GIT_VERSION}" \ git="${GIT_VERSION}" \
openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \ openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \
&& \ && \
pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \ pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \
gem install --no-document mdl -v "${MDL_VERSION}" && \
git config --global --add safe.directory /data && \ git config --global --add safe.directory /data && \
cd /tmp/pre-commit && \ cd /tmp/pre-commit && \
git init --initial-branch main && \ git init --initial-branch main && \

View file

@ -1,73 +0,0 @@
# verdigado pre-commit container
A container image to include all dependencies (and a warmed up cache) used in our [`pre-commit`](https://pre-commit.com/) hooks/CI steps to speed up execution.
If you see any pre-commit CI jobs installing dependencies:
- Make sure to execute `pre-commit` using this container
- Add the hook to this repo's `.pre-commit-config.yaml`
- Optionally install dependencies in the `Dockerfile` with the versions set up for `Renovate`
## Usage
In your `.woodpecker.yaml`, adapt and add the following block:
```yaml
steps:
check-pre-commit:
image: git.verdigado.com/verdigado-images/container-pre-commit:latest
environment:
- SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check
commands:
- pre-commit run --all-files
```
If renovate is set up for your repo, it'll add and update the pinned digest/hash of the image.
## Development
Generally you should have `Docker` or something alike installed.
If you need to copy files into the container, don't forget to add exclusions to the general _exclude all_ in `.dockerignore`.
To **update the base image** (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required, but supported by a little script. **Renovate might not create a PR for newer image tags.**
1. In the `Dockerfile`, update the Alpine version for the image and the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`).
```diff
- FROM python:3-alpine3.19@sha256:00c0ffeeacab...
+ FROM python:3-alpine3.20 # You can omit the sha256 digest, the script prints it out
# ...
- # renovate: datasource=repology depName=alpine_3_19/build-base versioning=loose
+ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose
ENV BUILD_BASE_VERSION="0.8.15"
# ...
```
1. Now run `./get_pkg_versions.sh`. It pulls the alpine image from the Dockerfile, prints it's digest and the latest packages it could find via `apk` inside that container and prints out the names and versions.
Example output of `./get_pkg_versions.sh` for a new image, which is not yet pulled:
```plain
Unable to find image 'python:3.12.3-alpine3.18' locally
3.12.3-alpine3.18: Pulling from library/python
619be1103602: Pull complete
[...]
0eb61f1af52e: Pull complete
Digest: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
Status: Downloaded newer image for python:3.12.3-alpine3.18
[Script output starts here]
Checking 5/5 latest package versions on python:3.12.3-alpine3.18
Image digest found: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
---
build-base-0.5-r3
gcc-12.2.1_git20220924-r10
git-2.40.1-r0
openssh-keygen-9.3_p2-r1
ruby-3.2.4-r0
```
1. Copy the package versions and update the respective `ENV` with it manually in the `Dockerfile`. You also might add the digest to the base image.
1. Test building the image and you can commit it.

View file

@ -1,15 +0,0 @@
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
IMAGE=$(grep -oP 'FROM \K.*alpine[^ ]+' Dockerfile)
PACKAGES=$(grep -oP '#.+depName=alpine.+/\K[^ ]+' Dockerfile)
# shellcheck disable=SC2086
PACKAGES_NO_BR=$(echo ${PACKAGES} | tr -d '\n')
PACKAGES_VERSIONS=$(docker run --rm -t --entrypoint /bin/sh "$IMAGE" -c "apk --update --no-cache list $PACKAGES_NO_BR | cut -d ' ' -f 1 | grep -v '^fetch$'")
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" | cut -d '@' -f2)
echo "Checking $(echo "$PACKAGES" | wc -l)/$(echo "$PACKAGES_VERSIONS" | wc -l) latest package versions on $IMAGE"
echo "Image digest found: $DIGEST"
echo "---"
echo "$PACKAGES_VERSIONS"

View file

@ -8,7 +8,7 @@
{ {
"groupName": "all dependencies", "groupName": "all dependencies",
"groupSlug": "all", "groupSlug": "all",
"matchPackageNames": ["/*/"] "matchPackagePatterns": ["*"]
} }
], ],
"separateMajorMinor": false, "separateMajorMinor": false,