Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prepare Docker images builds #25

Merged
merged 83 commits into from
Mar 3, 2025
Merged

Prepare Docker images builds #25

merged 83 commits into from
Mar 3, 2025

Conversation

AlekSi
Copy link
Member

@AlekSi AlekSi commented Mar 3, 2025

chilagrow and others added 30 commits February 25, 2025 14:37
@chilagrow
copy files from FerretDB
61aa696
@chilagrow
update path
c9f3b02
@chilagrow
bring docker build commands
f5f3529
@chilagrow
use bash
2cbc71a
@chilagrow
Merge branch 'ferretdb' into build-docker-images
518c00e
@chilagrow
Revert "use bash"
bb70393 
This reverts commit 2cbc71a.
@chilagrow
docker-init configures builder
28ba742
@chilagrow
update file path
cbcc201
@chilagrow
add docker build step in CI
350c9e4
@chilagrow
make empty var check work
19d2da9
@chilagrow
add docker tag
d0cd5c6
@chilagrow
init
90ea036
@chilagrow
produce build for major and minor pg
7a7b629
@chilagrow
add test for other org and repo
be36767
@chilagrow
add workflow for defining tags
671c133
@chilagrow
add tiny common functionality
c9a637a
@chilagrow
Merge branch 'ferretdb' into docker-tags
b3ab9cd
@chilagrow
resolve merge conflict
e6bcd74
@chilagrow
remove suffix branch
85e8033
@AlekSi
Merge branch 'ferretdb' into docker-tags
ff5bbb5
@chilagrow
use one go package
9ed208b
@chilagrow
fix merge conflict
405f79e
@chilagrow
make naming clear
d83d7cd
@chilagrow
move deb version to new file
eeba6a3
@chilagrow
clean
ae9af0c
@chilagrow
no refactoring file name in this PR
501a830
@chilagrow
empty semvar version upon error
1c06832
@chilagrow
Merge branch 'docker-tags' into build-docker-images
df8560a
@chilagrow
run CI to build tags
4c20bed
@chilagrow
update var check
bd35df9
@AlekSi AlekSi added packages PRs that should build packages trust PRs that can access Actions secrets labels Mar 3, 2025
@AlekSi AlekSi self-assigned this Mar 3, 2025
@Copilot Copilot bot review requested due to automatic review settings March 3, 2025 19:12
Copilot
Copilot AI reviewed Mar 3, 2025
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Overview

This PR aims to build Docker images for both development and production environments as part of the FerretDB packaging process.

  • Introduces several new GitHub Actions workflow steps to initialize the Docker builder and build/push Docker images.
  • Updates the BuildKit configuration by disabling garbage collection in ferretdb_packaging/buildkitd.toml.

Reviewed Changes

File Description
.github/workflows/ferretdb_packages.yml New steps added for initializing the Docker builder and for building/pushing Docker images.
ferretdb_packaging/buildkitd.toml Disables garbage collection for both OCI and containerd workers.

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

.github/workflows/ferretdb_packages.yml:209

  • [nitpick] The environment variable 'FILE' is quite generic; consider renaming it to a more descriptive identifier (e.g., IMAGE_TYPE or DOCKER_IMAGE_FLAVOR) for better clarity.
FILE=development
@mergify mergify bot mentioned this pull request Mar 3, 2025
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2025
View reviewed changes
.github/workflows/ferretdb_packages.yml
Comment on lines +200 to +203
- name: Initialize Docker builder
run: make -C ferretdb_packaging docker-init

- name: Build local development Docker image

Check failure

Code scanning / CodeQL

Checkout of untrusted code in trusted context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
.github/workflows/ferretdb_packages.yml

- name: Download .deb package
uses: actions/download-artifact@v4
with:
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging

- name: Initialize Docker builder
run: make -C ferretdb_packaging docker-init

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-init
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix AI 20 days ago

To fix the problem, we need to ensure that the downloaded artifact is extracted to a temporary directory and not directly into the workspace. This will prevent any potential malicious files from overriding existing files in the workspace. Additionally, we should verify the contents of the artifact before using it.

  • Create a temporary directory for extracting the artifact.
  • Modify the actions/download-artifact step to extract the artifact to the temporary directory.
  • Verify the contents of the artifact before proceeding with the subsequent steps.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifacts
+        run: mkdir -p ${{ runner.temp }}/artifacts/
+
       - name: Download .deb package
@@ -197,3 +200,8 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts/
+
+      - name: Verify artifact contents
+        run: |
+          # Add verification logic here
+          ls ${{ runner.temp }}/artifacts/
 
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifacts
run: mkdir -p ${{ runner.temp }}/artifacts/

- name: Download .deb package
@@ -197,3 +200,8 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts/

- name: Verify artifact contents
run: |
# Add verification logic here
ls ${{ runner.temp }}/artifacts/

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
.github/workflows/ferretdb_packages.yml
Comment on lines +203 to +213
- name: Build local development Docker image
if: steps.version.outputs.docker_development_tag_flags != ''
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=development
OUTPUT='type=docker'
TAGS=${{ steps.version.outputs.docker_development_tag_flags }}

- name: Build local production Docker image

Check failure

Code scanning / CodeQL

Checkout of untrusted code in trusted context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
.github/workflows/ferretdb_packages.yml
Comment on lines +205 to +211
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=development
OUTPUT='type=docker'
TAGS=${{ steps.version.outputs.docker_development_tag_flags }}

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=development OUTPUT='type=docker' TAGS=${ steps.version.outputs.docker_development_tag_flags }
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix AI 20 days ago

To fix the problem, we need to ensure that the downloaded artifact is extracted to a temporary directory and not directly into the workspace. This will prevent any potential malicious files from overriding existing files in the workspace. Additionally, we should verify the contents of the artifact before using them in subsequent steps.

  • Create a temporary directory for extracting the artifact.
  • Modify the actions/download-artifact@v4 step to extract the artifact to the temporary directory.
  • Verify the contents of the artifact before using them.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifacts
+        run: mkdir -p ${{ runner.temp }}/artifacts/
+
       - name: Download .deb package
@@ -197,3 +200,3 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts/
 
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifacts
run: mkdir -p ${{ runner.temp }}/artifacts/

- name: Download .deb package
@@ -197,3 +200,3 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts/

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
.github/workflows/ferretdb_packages.yml
Comment on lines +213 to +243
- name: Build local production Docker image
if: steps.version.outputs.docker_production_tag_flags != ''
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=production
OUTPUT='type=docker'
TAGS=${{ steps.version.outputs.docker_production_tag_flags }}

# - name: Login to Docker Hub
# uses: docker/login-action@v3
# with:
# username: ferretdbbot
# password: ${{ secrets.DOCKER_HUB_TOKEN }}

# - name: Login to GitHub Container Registry
# uses: docker/login-action@v3
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}

# - name: Login to Quay.io
# uses: docker/login-action@v3
# with:
# registry: quay.io
# username: ferretdbbot
# password: ${{ secrets.QUAY_TOKEN }}

- name: Build and push development Docker images

Check failure

Code scanning / CodeQL

Checkout of untrusted code in trusted context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
.github/workflows/ferretdb_packages.yml
Comment on lines +215 to +221
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=production
OUTPUT='type=docker'
TAGS=${{ steps.version.outputs.docker_production_tag_flags }}

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=production OUTPUT='type=docker' TAGS=${ steps.version.outputs.docker_production_tag_flags }
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix AI 20 days ago

To fix the artifact poisoning issue, we need to ensure that the downloaded artifacts are extracted to a temporary directory rather than the workspace. This prevents any potential overwriting of existing files. Additionally, we should verify the contents of the artifacts before using them.

  1. Create a temporary directory for extracting the artifacts.
  2. Modify the actions/download-artifact@v4 step to extract the artifacts to this temporary directory.
  3. Verify the contents of the artifacts before proceeding with any further steps.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifacts
+        run: mkdir -p ${{ runner.temp }}/artifacts/
+
       - name: Download .deb package
@@ -197,3 +200,3 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts/
 
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifacts
run: mkdir -p ${{ runner.temp }}/artifacts/

- name: Download .deb package
@@ -197,3 +200,3 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts/

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
.github/workflows/ferretdb_packages.yml
Comment on lines +243 to +253
- name: Build and push development Docker images
if: steps.version.outputs.docker_development_tag_flags != ''
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=development
OUTPUT='type=image,push=true'
TAGS=${{ steps.version.outputs.docker_development_tag_flags }}

- name: Build and push production Docker images

Check failure

Code scanning / CodeQL

Checkout of untrusted code in trusted context Critical

Potential execution of untrusted code on a privileged workflow (
pull_request_target
Loading
)
.github/workflows/ferretdb_packages.yml
Comment on lines +245 to +251
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=development
OUTPUT='type=image,push=true'
TAGS=${{ steps.version.outputs.docker_development_tag_flags }}

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=development OUTPUT='type=image,push=true' TAGS=${ steps.version.outputs.docker_development_tag_flags }
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix AI 20 days ago

To fix the problem, we need to ensure that the contents of the downloaded artifact are extracted to a temporary directory rather than the runner workspace. This will prevent any potential overriding of existing files by untrusted artifact contents. Specifically, we will create a temporary directory using ${{ runner.temp }}/artifacts/ and extract the artifact there. This change will be made in the .github/workflows/ferretdb_packages.yml file.

Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifacts
+        run: mkdir -p ${{ runner.temp }}/artifacts/
+
       - name: Download .deb package
@@ -197,3 +200,3 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts/
 
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifacts
run: mkdir -p ${{ runner.temp }}/artifacts/

- name: Download .deb package
@@ -197,3 +200,3 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts/

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
.github/workflows/ferretdb_packages.yml
Comment on lines +255 to +261
run: >
make -C ferretdb_packaging docker-build
POSTGRES_VERSION=${{ matrix.pg }}
DOCUMENTDB_VERSION=${{ steps.version.outputs.debian_version }}
FILE=production
OUTPUT='type=image,push=true'
TAGS=${{ steps.version.outputs.docker_production_tag_flags }}

Check failure

Code scanning / CodeQL

Artifact poisoning Critical

Potential artifact poisoning in
make -C ferretdb_packaging docker-build POSTGRES_VERSION=${ matrix.pg } DOCUMENTDB_VERSION=${ steps.version.outputs.debian_version } FILE=production OUTPUT='type=image,push=true' TAGS=${ steps.version.outputs.docker_production_tag_flags }
Loading
, which may be controlled by an external user (
pull_request_target
Loading
).

Copilot Autofix AI 20 days ago

To fix the problem, we need to ensure that the downloaded artifacts are treated as untrusted and are extracted to a temporary directory. Additionally, we should verify the contents of the artifacts before using them in subsequent steps. This can be achieved by creating a temporary directory for the artifacts and updating the workflow to extract the artifacts there.

  1. Create a temporary directory for the artifacts.
  2. Update the actions/download-artifact step to extract the artifacts to the temporary directory.
  3. Verify the contents of the artifacts before using them.
Suggested changeset 1
.github/workflows/ferretdb_packages.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ferretdb_packages.yml b/.github/workflows/ferretdb_packages.yml
--- a/.github/workflows/ferretdb_packages.yml
+++ b/.github/workflows/ferretdb_packages.yml
@@ -193,2 +193,5 @@
 
+      - name: Create temporary directory for artifacts
+        run: mkdir -p ${{ runner.temp }}/artifacts/
+
       - name: Download .deb package
@@ -197,3 +200,12 @@
           name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
-          path: packaging
+          path: ${{ runner.temp }}/artifacts/
+
+      - name: Verify artifact contents
+        run: |
+          # Add verification logic here
+          # Example: Check if the expected files are present
+          if [ ! -f ${{ runner.temp }}/artifacts/expected_file.deb ]; then
+            echo "Expected file not found in the artifact"
+            exit 1
+          fi
 
EOF
@@ -193,2 +193,5 @@

- name: Create temporary directory for artifacts
run: mkdir -p ${{ runner.temp }}/artifacts/

- name: Download .deb package
@@ -197,3 +200,12 @@
name: deb12-${{ matrix.pg }}-${{ steps.version.outputs.debian_version }}
path: packaging
path: ${{ runner.temp }}/artifacts/

- name: Verify artifact contents
run: |
# Add verification logic here
# Example: Check if the expected files are present
if [ ! -f ${{ runner.temp }}/artifacts/expected_file.deb ]; then
echo "Expected file not found in the artifact"
exit 1
fi

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@AlekSi AlekSi changed the title Build Docker images Prepare Docker images builds Mar 3, 2025
@AlekSi AlekSi merged commit 92eb372 into ferretdb Mar 3, 2025
23 of 25 checks passed
@AlekSi AlekSi deleted the build-docker-images branch March 3, 2025 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@AlekSi AlekSi

Labels
packages PRs that should build packages trust PRs that can access Actions secrets
Projects
Current Engineering
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Build DocumentDB Docker images in the documentdb repo
2 participants
@AlekSi @chilagrow