Merge pull request #16 from Yolean/pre-push-hacks

WIP pre-push-hacks

.github/workflows/images.yaml

@@ -39,7 +39,7 @@ jobs:
       name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
-    # generated by ./test.sh for manual copy-paste to images.yaml
+    ### build steps below are generated ###
     -
       name: Build and push builder-base latest
       uses: docker/build-push-action@v5
@@ -238,6 +238,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/java:root=docker-image://ghcr.io/yolean/java:root
     -
       name: Build and push node root
       uses: docker/build-push-action@v5
@@ -266,6 +268,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/node:root=docker-image://ghcr.io/yolean/node:root
     -
       name: Build and push node-kafka root
       uses: docker/build-push-action@v5
@@ -296,6 +300,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/node-kafka:root=docker-image://ghcr.io/yolean/node-kafka:root
     -
       name: Build and push node-kafka-cache root
       uses: docker/build-push-action@v5
@@ -326,6 +332,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/node-kafka-cache:root=docker-image://ghcr.io/yolean/node-kafka-cache:root
     -
       name: Build and push node-watchexec root
       uses: docker/build-push-action@v5
@@ -354,6 +362,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/node-watchexec:root=docker-image://ghcr.io/yolean/node-watchexec:root
     -
       name: Build and push node-gcloud root
       uses: docker/build-push-action@v5
@@ -384,6 +394,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/node-gcloud:root=docker-image://ghcr.io/yolean/node-gcloud:root
     -
       name: Build and push runtime-quarkus-ubuntu root
       uses: docker/build-push-action@v5
@@ -412,6 +424,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/runtime-quarkus-ubuntu:root=docker-image://ghcr.io/yolean/runtime-quarkus-ubuntu:root
     -
       name: Build and push runtime-quarkus-ubuntu-jre root
       uses: docker/build-push-action@v5
@@ -443,6 +457,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/runtime-quarkus-ubuntu-jre:root=docker-image://ghcr.io/yolean/runtime-quarkus-ubuntu-jre:root
     -
       name: Build and push runtime-quarkus-dev root
       uses: docker/build-push-action@v5
@@ -474,6 +490,8 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/runtime-quarkus-dev:root=docker-image://ghcr.io/yolean/runtime-quarkus-dev:root
     -
       name: Build and push toil-storage root
       uses: docker/build-push-action@v5
@@ -505,3 +523,5 @@ jobs:
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
+        build-contexts: |
+          yolean/toil-storage:root=docker-image://ghcr.io/yolean/toil-storage:root

.gitignore

@@ -1 +1,2 @@
 **/node_modules/
+actions-generated.yaml

test.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+[ -z "$DEBUG" ] || set -x
+set -eo pipefail
+
+[ -n "$PLATFORMS" ] || PLATFORMS="linux/amd64,linux/arm64/v8"
+[ -n "$PLATFORM" ] || PLATFORM="--platform=$PLATFORMS"
+
+[ -z "$REGISTRY" ] || PREFIX="$REGISTRY/"
+
+SOURCE_COMMIT=$(git rev-parse --verify HEAD 2>/dev/null || echo '')
+if [[ ! -z "$SOURCE_COMMIT" ]]; then
+  GIT_STATUS=$(git status --untracked-files=normal --porcelain=v2 | grep -v ' hooks/build' || true)
+  if [[ ! -z "$GIT_STATUS" ]]; then
+    SOURCE_COMMIT="$SOURCE_COMMIT-dirty"
+  fi
+fi
+
+MULTIARCH_NONROOT="
+builder-base
+builder-base-gcc
+builder-base-gcloud
+builder-tooling
+builder-node
+builder-quarkus
+git-init
+toil
+toil-network
+node-distroless
+blobs
+"
+
+MULTIARCH_TONONROOT="
+java
+node
+node-kafka
+node-kafka-cache
+node-watchexec
+node-gcloud
+runtime-quarkus-ubuntu
+runtime-quarkus-ubuntu-jre
+runtime-quarkus-dev
+toil-storage
+"
+
+AMD64ONLY="
+runtime-quarkus
+runtime-quarkus-deno
+runtime-deno
+git-http-readonly
+headless-chrome
+"
+
+BEGIN="    ### build steps below are generated ###"
+CURRENT=.github/workflows/images.yaml
+ACTIONS=$(mktemp)
+sed "/^$BEGIN\$/q" $CURRENT > $ACTIONS
+
+function base_action {
+  local CONTEXT=$1
+  local NAME=$2
+  local TAG=$3
+  local TAGSUFFIX=""
+  [ "$TAG" = "latest" ] || local TAGSUFFIX="-$TAG"
+  cat <<EOF
+    -
+      name: Build and push $NAME $TAG
+      uses: docker/build-push-action@v5
+      env:
+        SOURCE_DATE_EPOCH: 0
+      with:
+        context: $CONTEXT
+        tags: |
+          ghcr.io/yolean/$NAME:$TAG
+          ghcr.io/yolean/$NAME:\${{ github.sha }}$TAGSUFFIX
+        platforms: linux/amd64,linux/arm64/v8
+        push: true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+EOF
+}
+
+function add_dependencies {
+  local CONTEXT=$1
+  local DEPENDENCIES="$((grep -e 'FROM --platform=$TARGETPLATFORM yolean/' $CONTEXT/Dockerfile || true) | cut -d' ' -f3)"
+  [ -z "$DEPENDENCIES" ] || echo "        build-contexts: |"
+  for NAME in $DEPENDENCIES; do
+    echo "          $NAME=docker-image://ghcr.io/$NAME"
+  done
+}
+
+for CONTEXT in $MULTIARCH_NONROOT; do
+  base_action "$CONTEXT" "$CONTEXT" latest >> $ACTIONS
+  add_dependencies "$CONTEXT" >> $ACTIONS
+done
+
+for CONTEXT in $MULTIARCH_TONONROOT; do
+  mkdir -p to-nonroot/$CONTEXT
+  echo "FROM --platform=\$TARGETPLATFORM yolean/$CONTEXT:root" > to-nonroot/$CONTEXT/Dockerfile
+  cat nonroot-footer.Dockerfile >> to-nonroot/$CONTEXT/Dockerfile
+  base_action "$CONTEXT" "$CONTEXT" root >> $ACTIONS
+  add_dependencies "$CONTEXT" >> $ACTIONS
+  base_action "to-nonroot/$CONTEXT" "$CONTEXT" latest >> $ACTIONS
+  add_dependencies "to-nonroot/$CONTEXT" >> $ACTIONS
+done
+
+for CONTEXT in $AMD64ONLY; do
+  echo "# TODO does $CONTEXT really need to be amd64-only?" >&2
+done
+
+cp $ACTIONS $CURRENT
+GIT_STATUS=$(git status --untracked-files=no --porcelain=v2)
+[ -z "$GIT_STATUS" ] && echo "Done, no local diff" || echo "Done, with local diff"

to-nonroot/java/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/java:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/node-gcloud/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-gcloud:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/node-kafka-cache/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-kafka-cache:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/node-kafka/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-kafka:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/node-watchexec/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node-watchexec:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/node/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/node:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/runtime-quarkus-dev/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/runtime-quarkus-dev:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/runtime-quarkus-ubuntu-jre/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/runtime-quarkus-ubuntu-jre:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup

to-nonroot/runtime-quarkus-ubuntu/Dockerfile

@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/runtime-quarkus-ubuntu:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup