diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 86804f45..8dcc624b 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -39,7 +39,7 @@ jobs: - name: build docker images - run: | + run: | # shellcheck disable=SC2086 for image in $BASE_IMAGES;do echo "Processing $image" bundle exec rake build:$image @@ -47,7 +47,7 @@ jobs: - name: test docker images - run: | + run: | # shellcheck disable=SC2086 for image in $BASE_IMAGES;do echo "Processing $image" bundle exec rake spec:$image @@ -145,7 +145,7 @@ jobs: IMAGE: spruce - name: build docker images with dependencies - run: | + run: | # shellcheck disable=SC2086 for image in $IMAGES_WITH_DEPENDENCIES;do echo "Processing $image" bundle exec rake build:$image @@ -153,7 +153,7 @@ jobs: - name: test docker images with dependencies - run: | + run: |# shellcheck disable=SC2086 for image in $IMAGES_WITH_DEPENDENCIES;do echo "Processing $image" bundle exec rake spec:$image @@ -191,10 +191,18 @@ jobs: runs-on: ubuntu-latest needs: [ build_and_publish ] steps: - - name: check docker public images - run: | + - # Currently we cannot use `docker manifest` without authentication, it results in "unauthorized: access token has insufficient scopes" + # Also, to save network bandwidth and reduce build time we avoid using `docker pull` + name: Login to DockerHub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PASSWORD }} + - + name: check docker public images + run: | # shellcheck disable=SC2086 for image in $BASE_IMAGES $IMAGES_WITH_DEPENDENCIES;do - echo "Processing $image" + echo "Processing $image: checking manifest for $DOCKERHUB_ORG/$image:$GITHUB_SHA" docker manifest inspect $DOCKERHUB_ORG/$image:$GITHUB_SHA done diff --git a/.github/workflows/lint_on_pr.yml b/.github/workflows/lint_on_pr.yml index 3041472d..bccd3e16 100644 --- a/.github/workflows/lint_on_pr.yml 
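Review bot: The `# shellcheck disable=SC2086` added after `run: |` in the `build docker images` step is a YAML comment on the block-scalar header, so it is not part of the script text and a linter that checks the `run` body will most likely never see the directive. If the suppression is wanted, it belongs on the first line inside the script. A better fix is to keep the intentional word-splitting of `$BASE_IMAGES` in the `for` list and quote the expansion that needs no splitting, `bundle exec rake "build:$image"`. The same applies to the hunks at -47, -145, -153 and -191, where the last one can use `docker manifest inspect "$DOCKERHUB_ORG/$image:$GITHUB_SHA"`.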
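Review bot: In the `test docker images with dependencies` step the header is written `run: |# shellcheck disable=SC2086`, with no space between `|` and `#`, unlike the other steps touched by this commit. YAML requires whitespace before a comment that follows a block-scalar indicator, so parsers are likely to reject this line and the workflow may fail to load. Write the header as `run: |` and, if the suppression is really needed, put the directive on the first line of the script body.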
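Review bot: The new `Login to DockerHub` step passes `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_PASSWORD` to `docker/login-action@v2`, which is a mutable tag. Pinning to the full commit, `uses: docker/login-action@<full-commit-sha> # v2`, keeps a retagged release from running with those credentials. This job only runs `docker manifest inspect`, so the secret should be a read-only Docker Hub access token rather than the account password or the credential used for publishing; which of these it is cannot be confirmed from the diff. A short comment on the step stating the scope the credential needs would help the next maintainer.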
+++ b/.github/workflows/lint_on_pr.yml @@ -24,18 +24,18 @@ jobs: with: fetch-depth: 0 - - name: Lint Code Base (Blocking) # Blow up on gitleaks / github actions errors (ie. things which may / will cause issues) - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: main - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DISABLE_ERRORS: false - VALIDATE_GITLEAKS: true - VALIDATE_GITHUB_ACTIONS: true +# - name: Lint Code Base (Blocking) # Blow up on gitleaks / github actions errors (ie. things which may / will cause issues) +# uses: super-linter/super-linter/slim@v5 +# env: +# VALIDATE_ALL_CODEBASE: false +# DEFAULT_BRANCH: main +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# DISABLE_ERRORS: true +# VALIDATE_GITLEAKS: true +# VALIDATE_GITHUB_ACTIONS: true - name: Lint Code Base (Information only) # Run linter on everything else, but in 'information-only' mode. - uses: github/super-linter@v4 + uses: super-linter/super-linter/slim@v5 env: VALIDATE_ALL_CODEBASE: false DEFAULT_BRANCH: main @@ -43,3 +43,4 @@ jobs: DISABLE_ERRORS: true VALIDATE_GITLEAKS: false VALIDATE_GITHUB_ACTIONS: false + diff --git a/alpine/Dockerfile b/alpine/Dockerfile index 4cf7f487..239c3857 100644 --- a/alpine/Dockerfile +++ b/alpine/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16 +FROM alpine:3.18 RUN apk add --no-cache \ jq~1 \ diff --git a/awscli/Dockerfile b/awscli/Dockerfile index 60b846ab..3e6bc1e4 100644 --- a/awscli/Dockerfile +++ b/awscli/Dockerfile @@ -1,11 +1,11 @@ -FROM orangecloudfoundry/curl-ssl +FROM elpaasoci/curl-ssl ENV AWSCLI_VERSION "1.18.140" RUN apk add --no-cache \ - groff~1.22.4-r1 \ + groff~1.22.4-r4 \ less>=590-r0 \ - python3~3.10 \ - py3-pip~22 \ + python3~3.11 \ + py3-pip~23 \ && pip3 install \ awscli==$AWSCLI_VERSION diff --git a/bosh-cli-v2-cf-cli/Dockerfile b/bosh-cli-v2-cf-cli/Dockerfile index ceb8542f..208fadf3 100644 --- a/bosh-cli-v2-cf-cli/Dockerfile +++ b/bosh-cli-v2-cf-cli/Dockerfile 
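Review bot: Commenting out the `Lint Code Base (Blocking)` step leaves no step in this hunk with `VALIDATE_GITLEAKS: true` or `VALIDATE_GITHUB_ACTIONS: true`; the remaining information-only step sets both to `false` and runs with `DISABLE_ERRORS: true`. As far as this file shows, pull requests now get no secret scanning and no workflow validation, and nothing in the job can fail the check. If the step had to be disabled to get the move to `super-linter/super-linter/slim@v5` through, keep at least gitleaks blocking and record the reason in a comment. The commented copy also flips `DISABLE_ERRORS` to `true`, so uncommenting it later would not restore the blocking behaviour; it should read `DISABLE_ERRORS: false`.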
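Review bot: The new base `FROM elpaasoci/curl-ssl` in awscli/Dockerfile carries no tag or digest, so it resolves to whatever `latest` is at build time, in a namespace that has just changed. The `apk` version constraints below it (`groff~1.22.4-r4`, `python3~3.11`, `py3-pip~23`) only hold while that image stays on the matching Alpine release. Pinning the base, `FROM elpaasoci/curl-ssl:<tag>@sha256:<digest>`, makes the build reproducible and the provenance of the parent image reviewable. The same applies to `FROM elpaasoci/bosh-cli-v2:latest` in bosh-cli-v2-cf-cli/Dockerfile.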
@@ -1,4 +1,4 @@ -FROM orangecloudfoundry/bosh-cli-v2:latest +FROM elpaasoci/bosh-cli-v2:latest # we use libc6 instead of libc6-compat as we do not use alpine base image ENV CF_PACKAGES "unzip curl openssl ca-certificates git libc6 bash jq gettext make" diff --git a/bosh-cli-v2-cf-cli/bosh-cli-v2-cf-cli_spec.rb b/bosh-cli-v2-cf-cli/bosh-cli-v2-cf-cli_spec.rb index 77c6d3d4..a95a2063 100644 --- a/bosh-cli-v2-cf-cli/bosh-cli-v2-cf-cli_spec.rb +++ b/bosh-cli-v2-cf-cli/bosh-cli-v2-cf-cli_spec.rb @@ -2,13 +2,13 @@ require 'docker' require 'serverspec' -BOSH_CLI_VERSION="6.4.17-f0454a75-2022-02-25T00:42:57Z" +BOSH_CLI_VERSION="7.2.3-b36ee5199-2023-04-28T22:35:13Z" CREDHUB_VERSION='2.9.1' CF_CLI_VERSION="8.3.0" SPRUCE_BIN = "/usr/local/bin/spruce" SPRUCE_VERSION = "1.29.0" -BOSH_ENV_DEPS = "build-essential zlibc zlib1g-dev openssl libxslt1-dev libxml2-dev \ - libssl-dev libreadline7 libreadline-dev libyaml-dev libsqlite3-dev sqlite3" +BOSH_ENV_DEPS = "build-essential zlib1g-dev openssl libxslt1-dev libxml2-dev \ + libssl-dev libreadline8 libreadline-dev libyaml-dev libsqlite3-dev sqlite3" CF_ENV_DEPS = "unzip curl openssl ca-certificates git libc6 bash jq gettext make" describe "bosh-cli-v2-cf-cli image" do diff --git a/bosh-cli-v2/Dockerfile b/bosh-cli-v2/Dockerfile index 6e06ba5d..f02177c0 100644 --- a/bosh-cli-v2/Dockerfile +++ b/bosh-cli-v2/Dockerfile 
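Review bot: `CREDHUB_VERSION='2.9.1'` in bosh-cli-v2-cf-cli_spec.rb is left unchanged while this commit moves `CREDHUB_CLI_VERSION` to 2.9.15 in bosh-cli-v2/Dockerfile, the image this one builds from. The assertion is outside the hunk, but if it uses a substring match, `2.9.1` still matches `2.9.15` and the test passes without checking the version actually installed. Update the constant to `CREDHUB_VERSION='2.9.15'`. The same stale constant appears in bosh-cli-v2/bosh-cli-v2_spec.rb and k8s-tools/k8s-tools_spec.rb, and the latter also keeps `KUBECTL_VERSION="1.21.10"` although k8s-tools/Dockerfile now sets `KUBECTL_VERSION 1.24.13`.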
@@ -1,14 +1,14 @@ -FROM ruby:3.1-slim-buster +FROM ruby:3.1-slim-bullseye -ENV BOSH_CLI_VERSION 6.4.17 -ENV BOSH_CLI_SUM d0917d3ad0ff544a4c69a7986e710fe48e8cb2207717f77db31905d639e28c18 +ENV BOSH_CLI_VERSION 7.2.3 +ENV BOSH_CLI_SUM f090d6962a56d946f9592105f6a97956f77d4b6f527e184105355d3f46f354ad ENV BOSH_CLI_FILENAME bosh-cli-${BOSH_CLI_VERSION}-linux-amd64 ENV DEBIAN_PACKAGES "ca-certificates wget git openssh-client file jq" # https://bosh.io/docs/cli-env-deps.html -ENV BOSH_ENV_DEPS "build-essential zlibc zlib1g-dev openssl libxslt1-dev \ - libxml2-dev libssl-dev libreadline7 libreadline-dev libyaml-dev libsqlite3-dev sqlite3" +ENV BOSH_ENV_DEPS "build-essential zlib1g-dev openssl libxslt1-dev \ + libxml2-dev libssl-dev libreadline8 libreadline-dev libyaml-dev libsqlite3-dev sqlite3" ENV BOSH_AWS_CPI_URL https://bosh.io/d/github.com/cloudfoundry/bosh-aws-cpi-release?v=87 ENV BOSH_AWS_CPI_CHECKSUM a920cd1bdead3d6167273e763912becca2225ba6 @@ -24,8 +24,8 @@ RUN wget -nv https://s3.amazonaws.com/bosh-cli-artifacts/${BOSH_CLI_FILENAME} \ && chmod +x ${BOSH_CLI_FILENAME} \ && mv ${BOSH_CLI_FILENAME} /usr/local/bin/bosh -ENV CREDHUB_CLI_VERSION 2.9.1 -ENV CREDHUB_CLI_SUM df8aa256d4563d741bda71e4e0baff077addce8438dba4f9157504b387b93d9f +ENV CREDHUB_CLI_VERSION 2.9.15 +ENV CREDHUB_CLI_SUM d61c738f65004afd35ed8dd5d17f57d0f1700629ad29e5335b906746f8958026 ENV CREDHUB_CLI_FILENAME credhub-linux-${CREDHUB_CLI_VERSION}.tgz RUN wget -nv https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/${CREDHUB_CLI_VERSION}/${CREDHUB_CLI_FILENAME} \ 
@@ -34,8 +34,8 @@ RUN wget -nv https://github.com/cloudfoundry-incubator/credhub-cli/releases/down && chmod +x credhub \ && mv credhub /usr/local/bin/credhub -ENV YQ_VERSION 4.22.1 -ENV YQ_SUM 54bbc804b90595c62685e8d4f19330b968cd716f72edc03cbda91adbc808036e +ENV YQ_VERSION 4.33.3 +ENV YQ_SUM 4ee662847c588c3ef2fec8bfb304e8739e3dbaba87ccb9a608d691c88f5b64dc ENV YQ_FILENAME yq_linux_amd64 RUN wget -nv https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/${YQ_FILENAME} \ diff --git a/bosh-cli-v2/bosh-cli-v2_spec.rb b/bosh-cli-v2/bosh-cli-v2_spec.rb index 8b4e2a08..fa0005be 100644 --- a/bosh-cli-v2/bosh-cli-v2_spec.rb +++ b/bosh-cli-v2/bosh-cli-v2_spec.rb @@ -2,11 +2,11 @@ require 'docker' require 'serverspec' -BOSH_CLI_VERSION="6.4.17-f0454a75-2022-02-25T00:42:57Z" +BOSH_CLI_VERSION="7.2.3-b36ee5199-2023-04-28T22:35:13Z" CREDHUB_VERSION='2.9.1' -BOSH_ENV_DEPS = "build-essential zlibc zlib1g-dev openssl libxslt1-dev libxml2-dev \ - libssl-dev libreadline7 libreadline-dev libyaml-dev libsqlite3-dev sqlite3" +BOSH_ENV_DEPS = "build-essential zlib1g-dev openssl libxslt1-dev libxml2-dev \ + libssl-dev libreadline8 libreadline-dev libyaml-dev libsqlite3-dev sqlite3" describe "bosh-cli-v2 image" do before(:all) { diff --git a/cf-cli/Dockerfile b/cf-cli/Dockerfile index ab0557a4..2e02e014 100644 --- a/cf-cli/Dockerfile +++ b/cf-cli/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:3.1-alpine3.16 +FROM ruby:3.1-alpine3.18 ENV PACKAGES "unzip curl openssl ca-certificates git libc6-compat bash jq gettext make" ENV CF_CLI_VERSION "8.6.0" diff --git a/cf-uaac/Dockerfile b/cf-uaac/Dockerfile index 15199e50..ad6a647c 100644 --- a/cf-uaac/Dockerfile +++ b/cf-uaac/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:3.1-alpine3.16 +FROM ruby:3.1-alpine3.18 RUN apk add --no-cache musl-dev gcc make g++ diff --git a/curl-ssl/Dockerfile b/curl-ssl/Dockerfile index c40d1059..db979ee9 100644 --- a/curl-ssl/Dockerfile +++ b/curl-ssl/Dockerfile 
@@ -1,8 +1,8 @@ -FROM alpine:3.16 +FROM alpine:3.18 RUN apk add --no-cache \ openssl \ ca-certificates \ jq~1 \ gettext~0.21 \ - curl~7 + curl~8 diff --git a/curl-ssl/curl-ssl_spec.rb b/curl-ssl/curl-ssl_spec.rb index 1a5cd4c6..a6cc027a 100644 --- a/curl-ssl/curl-ssl_spec.rb +++ b/curl-ssl/curl-ssl_spec.rb @@ -12,7 +12,7 @@ end it 'installs the right version of Alpine' do - expect(os_version).to include('Alpine Linux 3.16') + expect(os_version).to include('Alpine Linux 3.18') end def os_version diff --git a/git-ssh/Dockerfile b/git-ssh/Dockerfile index f6fa0283..3445aa27 100644 --- a/git-ssh/Dockerfile +++ b/git-ssh/Dockerfile @@ -2,7 +2,7 @@ FROM ghcr.io/alphagov/paas/alpine:main RUN apk add --no-cache \ git~2 \ - curl~7 \ + curl~8 \ openssh-client-default~9 \ gnupg~2.2 \ bash~5.1 diff --git a/json-minify/Dockerfile b/json-minify/Dockerfile index 9b78e366..0b125876 100644 --- a/json-minify/Dockerfile +++ b/json-minify/Dockerfile @@ -1,3 +1,3 @@ -FROM ruby:3.1-alpine3.16 +FROM ruby:3.1-alpine3.18 RUN gem install json-minify -v 0.0.2 --no-document diff --git a/k8s-tools/Dockerfile b/k8s-tools/Dockerfile index 8f7e1e10..ef18cb17 100644 --- a/k8s-tools/Dockerfile +++ b/k8s-tools/Dockerfile @@ -20,8 +20,8 @@ RUN echo "Computed sha256sum: $(sha256sum ${YTT_FILENAME})" \ && mv ${YTT_FILENAME} ytt -ENV CREDHUB_CLI_VERSION 2.9.1 -ENV CREDHUB_CLI_SUM df8aa256d4563d741bda71e4e0baff077addce8438dba4f9157504b387b93d9f +ENV CREDHUB_CLI_VERSION 2.9.15 +ENV CREDHUB_CLI_SUM d61c738f65004afd35ed8dd5d17f57d0f1700629ad29e5335b906746f8958026 ENV CREDHUB_CLI_FILENAME credhub-linux-${CREDHUB_CLI_VERSION}.tgz ADD https://github.com/cloudfoundry-incubator/credhub-cli/releases/download/${CREDHUB_CLI_VERSION}/${CREDHUB_CLI_FILENAME} . RUN echo "Computed sha256sum: $(sha256sum ${CREDHUB_CLI_FILENAME})" \ 
@@ -44,15 +44,15 @@ RUN echo "Computed sha256sum: $(sha256sum ${KAPP_FILENAME})" \ && echo "${KAPP_SUM} ${KAPP_FILENAME}" | sha256sum -c - \ && mv kapp-linux-amd64 kapp -ENV KUBECTL_VERSION 1.21.10 -ENV KUBECTL_SUM 24ce60269b1ffe1ca151af8bfd3905c2427ebef620bc9286484121adf29131c0 +ENV KUBECTL_VERSION 1.24.13 +ENV KUBECTL_SUM 52455fe485fa11c650ab07fea2e4856b5ea5a3e6ef8a1b3b6121e6361437fff9 ENV KUBECTL_FILENAME kubectl ADD https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl . RUN echo "Computed sha256sum: $(sha256sum ${KUBECTL_FILENAME})" \ && echo "${KUBECTL_SUM} ${KUBECTL_FILENAME}" | sha256sum -c - -ENV HELM_VERSION 3.8.1 -ENV HELM_SUM d643f48fe28eeb47ff68a1a7a26fc5142f348d02c8bc38d699674016716f61cd +ENV HELM_VERSION 3.12.0 +ENV HELM_SUM da36e117d6dbc57c8ec5bab2283222fbd108db86c83389eebe045ad1ef3e2c3b ENV HELM_FILENAME helm-v${HELM_VERSION}-linux-amd64.tar.gz ADD https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz . RUN echo "Computed sha256sum: $(sha256sum ${HELM_FILENAME})" \ @@ -61,8 +61,8 @@ RUN echo "Computed sha256sum: $(sha256sum ${HELM_FILENAME})" \ && mv linux-amd64/helm helm \ && rm -rf linux-amd64 -ENV KUTTL_VERSION 0.11.1 -ENV KUTTL_PLUGIN_SUM 0fb13f8fbb6109803a06847a8ad3fae4fedc8cd159e2b0fd6c1a1d8737191e5f +ENV KUTTL_VERSION 0.15.0 +ENV KUTTL_PLUGIN_SUM f6edcf22e238fc71b5aa389ade37a9efce596017c90f6994141c45215ba0f862 ENV KUTTL_PLUGIN_FILENAME kubectl-kuttl_${KUTTL_VERSION}_linux_x86_64 ADD https://github.com/kudobuilder/kuttl/releases/download/v${KUTTL_VERSION}/${KUTTL_PLUGIN_FILENAME} . RUN echo "Computed ${KUTTL_PLUGIN_FILENAME} sha256sum: $(sha256sum ${KUTTL_PLUGIN_FILENAME})" \ 
@@ -70,8 +70,8 @@ RUN echo "Computed ${KUTTL_PLUGIN_FILENAME} sha256sum: $(sha256sum ${KUTTL_PLUGI && mv ${KUTTL_PLUGIN_FILENAME} kubectl-kuttl \ && ln -s kubectl-kuttl kuttl -ENV YQ_VERSION 4.22.1 -ENV YQ_SUM 54bbc804b90595c62685e8d4f19330b968cd716f72edc03cbda91adbc808036e +ENV YQ_VERSION 4.33.3 +ENV YQ_SUM 4ee662847c588c3ef2fec8bfb304e8739e3dbaba87ccb9a608d691c88f5b64dc ENV YQ_FILENAME yq_linux_amd64 ADD https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/${YQ_FILENAME} . RUN echo "Computed ${YQ_FILENAME} sha256sum: $(sha256sum ${YQ_FILENAME})" \ @@ -79,8 +79,8 @@ RUN echo "Computed ${YQ_FILENAME} sha256sum: $(sha256sum ${YQ_FILENAME})" \ && chmod +x ${YQ_FILENAME} \ && mv ${YQ_FILENAME} /usr/local/bin/yq -ENV BOSH_CLI_VERSION 6.4.17 -ENV BOSH_CLI_SUM d0917d3ad0ff544a4c69a7986e710fe48e8cb2207717f77db31905d639e28c18 +ENV BOSH_CLI_VERSION 7.2.3 +ENV BOSH_CLI_SUM f090d6962a56d946f9592105f6a97956f77d4b6f527e184105355d3f46f354ad ENV BOSH_CLI_FILENAME bosh-cli-${BOSH_CLI_VERSION}-linux-amd64 ADD https://s3.amazonaws.com/bosh-cli-artifacts/${BOSH_CLI_FILENAME} . RUN echo "Computed ${BOSH_CLI_FILENAME} sha256sum: $(sha256sum ${BOSH_CLI_FILENAME})" \ diff --git a/k8s-tools/k8s-tools_spec.rb b/k8s-tools/k8s-tools_spec.rb index eeb4a803..88bf06b8 100644 --- a/k8s-tools/k8s-tools_spec.rb +++ b/k8s-tools/k8s-tools_spec.rb @@ -2,14 +2,14 @@ require 'docker' require 'serverspec' -BOSH_CLI_VERSION="6.4.17-f0454a75-2022-02-25T00:42:57Z" +BOSH_CLI_VERSION="7.2.3-b36ee5199-2023-04-28T22:35:13Z" YTT_VERSION="0.40.1" CREDHUB_VERSION='2.9.1' KUSTOMIZE_VERSION="4.5.1" KAPP_VERSION="0.46.0" KUBECTL_VERSION="1.21.10" -HELM_VERSION="3.8.1" -KUTTL_VERSION="0.11.1" +HELM_VERSION="3.12.0" +KUTTL_VERSION="0.15.0" DEPS = "unzip curl openssl ca-certificates git libc6 bash jq gettext" diff --git a/node/Dockerfile b/node/Dockerfile index 3d599827..833a85a4 100644 --- a/node/Dockerfile +++ b/node/Dockerfile @@ -1 +1 @@ -FROM node:lts-alpine3.16 +FROM node:lts-alpine3.18 
diff --git a/psql/psql_spec.rb b/psql/psql_spec.rb index ed336527..20bea148 100644 --- a/psql/psql_spec.rb +++ b/psql/psql_spec.rb @@ -3,7 +3,7 @@ require 'serverspec' PSQL_PACKAGE = 'postgresql-client' -ALPINE_VERSION = "3.16" +ALPINE_VERSION = "3.18" describe "psql image" do before(:all) { diff --git a/ruby-base/Dockerfile b/ruby-base/Dockerfile index dee24329..1045c24d 100644 --- a/ruby-base/Dockerfile +++ b/ruby-base/Dockerfile @@ -1 +1 @@ -FROM ruby:3.1-alpine3.16 +FROM ruby:3.1-alpine3.18 diff --git a/spruce/Dockerfile b/spruce/Dockerfile index 488dbd74..5818bcdd 100644 --- a/spruce/Dockerfile +++ b/spruce/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/alphagov/paas/alpine:main +FROM alpine:3.18 ENV SPRUCE_VERSION 1.29.0 @@ -6,5 +6,4 @@ RUN apk add --no-cache \ wget~1 \ && wget https://github.com/geofffranks/spruce/releases/download/v${SPRUCE_VERSION}/spruce-linux-amd64 \ && chmod +x spruce-linux-amd64 \ - && mv spruce-linux-amd64 /usr/local/bin/spruce \ - && apk del wget ca-certificates + && mv spruce-linux-amd64 /usr/local/bin/spruce \ diff --git a/spruce/spruce_spec.rb b/spruce/spruce_spec.rb index 936dced3..f71e2111 100644 --- a/spruce/spruce_spec.rb +++ b/spruce/spruce_spec.rb @@ -4,7 +4,7 @@ SPRUCE_BIN = "/usr/local/bin/spruce" SPRUCE_VERSION = "1.29.0" -ALPINE_VERSION = "3.16" +ALPINE_VERSION = "3.18" describe "spruce image" do before(:all) {
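Review bot: In spruce/Dockerfile, `spruce-linux-amd64` is fetched with `wget` and moved to `/usr/local/bin/spruce` with no integrity check, while the other Dockerfiles in this commit verify each download with `sha256sum -c`. Add `ENV SPRUCE_SUM <sha256-of-release-asset>` and a line `&& echo "${SPRUCE_SUM}  spruce-linux-amd64" | sha256sum -c - \` before the `chmod`. The second hunk also drops `&& apk del wget ca-certificates` but leaves a trailing `\` on the `mv` line, which now appears to be the last line of the RUN instruction; remove that backslash. The RUN instruction starts above the hunk.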