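# syntax=docker.io/docker/dockerfile:1.20

# Core image the dependabot-updater ecosystem images build on: Ubuntu with the
# build/VCS packages the updater needs, the unprivileged `dependabot` user, Ruby
# copied from the official image, the git shim, and the updater's bundled gems.
# NOTE(review): the base is pinned by tag only; pin by digest
# (…/ubuntu:24.04@sha256:<digest-placeholder>) for a reproducible build.
FROM docker.io/library/ubuntu:24.04

# Set automatically by BuildKit (e.g. amd64/arm64); selects the git-shim archive below.
ARG TARGETARCH

LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"

# pipefail makes a failing producer in a pipeline (e.g. `curl | gpg`) fail the whole RUN.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# DEBIAN_FRONTEND is kept in ENV rather than ARG — presumably so that images built
# FROM this one also run apt non-interactively; confirm before making it build-only.
ENV DEBIAN_FRONTEND="noninteractive" \
    LC_ALL="en_US.UTF-8" \
    LANG="en_US.UTF-8"

# Configures Ubuntu to use Azure mirrors, which are often faster and more reliable
# From https://github.com/Azure/LinuxPatchExtension/blob/master/src/tools/references/apt/sources.list.d/ubuntu.sources
# This is also used in other places such as the runner builds: https://github.com/actions/runner-images/blob/2f8d6ab9ef24fd8bda80b5259650fe1dc4311320/images/ubuntu/scripts/build/configure-apt-sources.sh#L11
# The mirrors are plain http; each stanza's Signed-By names the keyring apt verifies
# every index against, so transport-level tampering is detected (only confidentiality
# is lost). deb822 stanzas must be separated by blank lines.
RUN set -e; \
    release=$( . /etc/os-release && echo "$VERSION_CODENAME" ); \
    cat <<EOF | tee /etc/apt/sources.list.d/ubuntu.sources
# Prefer Azure mirrors
Types: deb
URIs: http://azure.archive.ubuntu.com/ubuntu/
Suites: ${release} ${release}-updates ${release}-backports
Components: main universe restricted multiverse
Architectures: i386,amd64
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://azure.archive.ubuntu.com/ubuntu/
Suites: ${release}-security
Components: main universe restricted multiverse
Architectures: i386,amd64
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

# Fallback to the main Ubuntu archive if the above is not available
Types: deb
URIs: http://archive.ubuntu.com/ubuntu/
Suites: ${release} ${release}-updates ${release}-backports
Components: main universe restricted multiverse
Architectures: i386,amd64
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

# Ports Ubuntu archive is the only mirror with arm64 support
Types: deb
URIs: http://ports.ubuntu.com/
Suites: ${release} ${release}-updates ${release}-backports
Components: main universe restricted multiverse
Architectures: arm64
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: ${release}-security
Components: main universe restricted multiverse
Architectures: i386,amd64
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF

# OS packages. `update` and every `install` share one layer so the package index can
# never go stale relative to the install, and the index is removed at the end so it
# does not bloat the image.
RUN apt-get update \
    # upgrade to whatever the configured archives (incl. -security) currently ship
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
      # needed to run add-apt-repository
      software-properties-common \
      # Used to download the git-lfs GPG key as well as dev dependencies for CI
      curl \
    # Add git core ppa to get a more recent git version than the one provided by ubuntu
    && add-apt-repository -y ppa:git-core/ppa \
    # Install the git-lfs mirror. See https://github.com/git-lfs/git-lfs/blob/main/INSTALLING.md
    # We need this because the version of git-lfs provided by Ubuntu is outdated
    # apt-transport-https is a temporary dependency to install the git-lfs apt source
    && apt-get install -y --no-install-recommends apt-transport-https \
    && mkdir -p /etc/apt/keyrings \
    # the key is fetched over https and bound to this source via signed-by, so apt
    # only trusts it for the git-lfs repository
    && curl -fsSL 'https://packagecloud.io/github/git-lfs/gpgkey' | gpg --dearmor > /etc/apt/keyrings/github_git-lfs-archive-keyring.gpg \
    && release=$( . /etc/os-release && echo "$VERSION_CODENAME" ) \
    && echo "deb [signed-by=/etc/apt/keyrings/github_git-lfs-archive-keyring.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $release main" \
      > /etc/apt/sources.list.d/github_git-lfs.list \
    && echo "deb-src [signed-by=/etc/apt/keyrings/github_git-lfs-archive-keyring.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $release main" \
      >> /etc/apt/sources.list.d/github_git-lfs.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
      # dev dependencies for CI
      build-essential \
      libgmp-dev \
      # Compression libs
      zlib1g-dev \
      unzip \
      zstd \
      # VCS section
      git \
      git-lfs \
      bzr \
      mercurial \
      # needed to sign commits
      gnupg2 \
      # for git repo access with ssh key credentials
      openssh-client \
      # Installs certs in dependabot-action and CLI
      ca-certificates \
      # used to check if a file is binary in the VendorUpdater
      file \
      # used by Ruby to parse YAML
      libyaml-dev \
      locales \
    && locale-gen en_US.UTF-8 \
    # No longer needed post git-core ppa addition and git-lfs install
    # (apt-get, not apt: apt's CLI is not meant for scripting)
    && apt-get purge -y software-properties-common apt-transport-https \
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/*

ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Create the unprivileged user the updater runs as, renaming any account or group
# that already occupies the requested UID/GID instead of failing.
RUN <<EOT
# Heredoc lines are not &&-chained, so fail fast explicitly.
set -euo pipefail
# Check if the group and user already exist, if not create them
if ! getent group "$USER_GID"; then
  groupadd --gid "$USER_GID" dependabot
else
  GROUP_NAME=$(getent group "$USER_GID" | awk -F':' '{print $1}')
  # groupmod refuses a rename to the existing name, so skip it in that case
  if [ "$GROUP_NAME" != "dependabot" ]; then
    groupmod -n dependabot "$GROUP_NAME"
  fi
fi
if ! getent passwd "$USER_UID"; then
  useradd --uid "$USER_UID" --gid "$USER_GID" -m dependabot
else
  USER_NAME=$(getent passwd "$USER_UID" | awk -F':' '{print $1}')
  OLD_HOME=$(getent passwd "$USER_UID" | awk -F':' '{print $6}')
  if [ "$USER_NAME" != "dependabot" ]; then
    usermod -l dependabot "$USER_NAME"
  fi
  # Rename the home directory if it exists and isn't already /home/dependabot
  if [ -d "$OLD_HOME" ] && [ "$OLD_HOME" != "/home/dependabot" ]; then
    usermod -d /home/dependabot -m dependabot
  fi
fi
# /opt holds the native helpers (see DEPENDABOT_NATIVE_HELPERS_PATH below)
mkdir -p /opt
chown dependabot:dependabot /opt
# Makes the system CA directory writable by the dependabot group.
# NOTE(review): anything running as that user can then alter the trust store —
# presumably needed to add CA certificates at runtime; confirm that is required.
chgrp dependabot /etc/ssl/certs
chmod g+w /etc/ssl/certs
EOT

USER dependabot
ENV DEPENDABOT_HOME="/home/dependabot"
WORKDIR $DEPENDABOT_HOME

# Install Ruby from official Docker image
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb`
# NOTE(review): tag-pinned; a digest (ruby:3.4.8-bookworm@sha256:<digest-placeholder>)
# would make the copied toolchain reproducible.
COPY --from=docker.io/library/ruby:3.4.8-bookworm --chown=dependabot:dependabot /usr/local /usr/local

# For users to determine if dependabot is running
ENV DEPENDABOT=true
# Disable automatic pulling of files stored with Git LFS
# This avoids downloading large files not necessary for the dependabot scripts
ENV GIT_LFS_SKIP_SMUDGE=1

# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-${TARGETARCH}.tar.gz"
# -f turns an HTTP error into a failed build instead of a "tarball" full of HTML.
# NOTE(review): the archive is not integrity-checked; pin it with
# `ADD --checksum=sha256:<expected-sha256-placeholder>` or verify a published checksum.
RUN curl -fsSL "$SHIM" -o git-shim.tar.gz \
    && mkdir -p ~/bin \
    && tar -xvf git-shim.tar.gz -C ~/bin \
    && rm git-shim.tar.gz

# Lockfiles first so the gem layer below is cached until they change.
COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
COPY --chown=dependabot:dependabot --parents */.bundle */*.gemspec common/lib/dependabot.rb LICENSE omnibus $DEPENDABOT_HOME

# This ARG must be updated when adding/removing ecosystems - it invalidates Docker layer cache
ARG ECOSYSTEM_LIST="bazel bun bundler cargo composer conda devcontainers docker docker_compose dotnet_sdk elm git_submodules github_actions go_modules gradle helm hex julia maven npm_and_yarn nuget opentofu pre_commit pub python rust_toolchain silent swift terraform uv vcpkg"
# prevent having all the source in every ecosystem image
RUN for ecosystem in $ECOSYSTEM_LIST; do \
      mkdir -p "$ecosystem/lib/dependabot"; \
      touch "$ecosystem/lib/dependabot/$ecosystem.rb"; \
    done

WORKDIR $DEPENDABOT_HOME/dependabot-updater

# RubyGems & Bundler should be bumped together following these steps:
# * Bump RubyGems version below. That will also automatically update the default Bundler version.
# * Regenerate `updater/Gemfile.lock` via `BUNDLE_GEMFILE=updater/Gemfile bundle lock --update --bundler`.
# * Regenerate `Gemfile.lock` via `bundle lock --update --bundler`.
#
# Note that RubyGems & Bundler versions are currently released in sync, but
# RubyGems version is one major ahead. So when bumping to RubyGems 3.y.z, Bundler
# version will jump to 2.y.z
ARG RUBYGEMS_VERSION=3.7.2
ARG GEM_ENABLED=true
# Steps are &&-chained so a failed `gem update` or `bundle install` fails the build
# instead of being masked by the trailing `rm`. `frozen` makes bundler error out
# rather than silently rewriting Gemfile.lock.
RUN if [[ "$GEM_ENABLED" == "true" ]]; then \
      gem update --system "$RUBYGEMS_VERSION" \
      && bundle config set --local path 'vendor' \
      && bundle config set --local frozen 'true' \
      && bundle config set --local without 'development' \
      && bundle install \
      && rm -rf ~/.bundle; \
    fi

ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"

# Make the build arg available inside the Dependabot container
ARG DEPENDABOT_UPDATER_VERSION=development
ENV DEPENDABOT_UPDATER_VERSION=$DEPENDABOT_UPDATER_VERSION

# NOTE(review): the image finishes as root, so `bin/run` executes with root
# privileges when this image is run directly. Presumably left this way so derived
# ecosystem images can install packages; they should switch back with
# `USER dependabot` before their own CMD — confirm every consumer does.
USER root
CMD ["bin/run"]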