From 4afb2cec8265e1c9ec6d2dc53ae6b75d78279749 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 16 May 2024 07:04:18 +0000 Subject: [PATCH 01/31] Renovate: Update all dependencies --- .woodpecker.yaml | 4 ++-- Dockerfile | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.woodpecker.yaml b/.woodpecker.yaml index 27af0e5..77c76e1 100644 --- a/.woodpecker.yaml +++ b/.woodpecker.yaml @@ -5,7 +5,7 @@ steps: build-main: when: branch: main - image: woodpeckerci/plugin-docker-buildx:3.2.1@sha256:a4a4e4cfd6ca3a8234d7bc87e771fea0ced1326d174e2620f670331358cbcddb + image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 pull: true settings: platforms: linux/amd64 @@ -20,7 +20,7 @@ steps: when: branch: exclude: ["main"] - image: woodpeckerci/plugin-docker-buildx:3.2.1@sha256:a4a4e4cfd6ca3a8234d7bc87e771fea0ced1326d174e2620f670331358cbcddb + image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 pull: true settings: platforms: linux/amd64 diff --git a/Dockerfile b/Dockerfile index 365f936..ea925e1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,13 +6,13 @@ ENV BUILD_BASE_VERSION="0.5-r3" # renovate: datasource=repology depName=alpine_3_19/gcc versioning=loose ENV GCC_VERSION="13.2.1_git20231014-r0" # renovate: datasource=repology depName=alpine_3_19/ruby versioning=loose -ENV RUBY_VERSION="3.2.2-r1" +ENV RUBY_VERSION="3.2.4-r0" # renovate: datasource=repology depName=alpine_3_19/git versioning=loose -ENV GIT_VERSION="2.43.0-r0" +ENV GIT_VERSION="2.43.4-r0" # renovate: datasource=repology depName=alpine_3_19/openssh-keygen versioning=loose ENV OPENSSH_KEYGEN_VERSION="9.6_p1-r0" # renovate: datasource=pypi depName=pre-commit versioning=pep440 -ENV PRE_COMMIT_VERSION="3.7.0" +ENV PRE_COMMIT_VERSION="3.7.1" # renovate: datasource=rubygems depName=mdl versioning=ruby ENV MDL_VERSION="0.13.0" 
From ef85aab84282e6546170c6ae58aaf6941fe7a468 Mon Sep 17 00:00:00 2001 From: Sven Seeberg Date: Fri, 17 May 2024 15:46:52 +0200 Subject: [PATCH 02/31] Add ruby-devel package --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index ea925e1..1887590 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,6 +20,7 @@ RUN apk add --update --no-cache \ build-base="${BUILD_BASE_VERSION}" \ gcc="${GCC_VERSION}" \ ruby="${RUBY_VERSION}" \ + ruby-dev="${RUBY_VERSION}" \ git="${GIT_VERSION}" \ openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \ && \ From a1a0cfc40db026a7b74523e155a6c754640e906d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Tue, 4 Jun 2024 11:52:58 +0200 Subject: [PATCH 03/31] Upgrade to alpine 3.20 --- Dockerfile | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1887590..6a579d9 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,16 +1,16 @@ -FROM python:3.12.3-alpine3.19@sha256:ef097620baf1272e38264207003b0982285da3236a20ed829bf6bbf1e85fe3cb +FROM python:3.12.3-alpine3.20@sha256:53cab1eabac71d6160eeabe09fd3144de789f75de62b9833e49f67534edc547e COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /bin/ -# renovate: datasource=repology depName=alpine_3_19/build-base versioning=loose +# renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" -# renovate: datasource=repology depName=alpine_3_19/gcc versioning=loose -ENV GCC_VERSION="13.2.1_git20231014-r0" -# renovate: datasource=repology depName=alpine_3_19/ruby versioning=loose -ENV RUBY_VERSION="3.2.4-r0" -# renovate: datasource=repology depName=alpine_3_19/git versioning=loose -ENV GIT_VERSION="2.43.4-r0" -# renovate: datasource=repology depName=alpine_3_19/openssh-keygen versioning=loose -ENV OPENSSH_KEYGEN_VERSION="9.6_p1-r0" +# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose +ENV GCC_VERSION="13.2.1_git20240309-r0" +# renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose +ENV RUBY_VERSION="3.3.1-r0" +# renovate: datasource=repology depName=alpine_3_20/git versioning=loose +ENV GIT_VERSION="2.45.2-r0" +# renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose +ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3" # renovate: datasource=pypi depName=pre-commit versioning=pep440 ENV PRE_COMMIT_VERSION="3.7.1" # renovate: datasource=rubygems depName=mdl versioning=ruby From dd09aab113b92c9d6b578820c6a32f863d56b9f4 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 6 Jun 2024 07:04:37 +0000 Subject: [PATCH 04/31] Renovate: Update python:3.12.3-alpine3.20 Docker digest to 32385e6 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6a579d9..8201e43 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM python:3.12.3-alpine3.20@sha256:53cab1eabac71d6160eeabe09fd3144de789f75de62b9833e49f67534edc547e +FROM python:3.12.3-alpine3.20@sha256:32385e61c3414ffa5a6dbf52feace89f758ad68709a48d376d56a0232162665a COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /bin/ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose From fbc13e5630acb2d2b17ecb33441bdcf7bd6b4850 Mon Sep 17 00:00:00 2001 From: Sven Seeberg Date: Wed, 19 Jun 2024 10:01:36 +0200 Subject: [PATCH 05/31] Install gitleaks binary from github releases --- Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8201e43..b3ac7ef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,8 @@ ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3" ENV PRE_COMMIT_VERSION="3.7.1" # renovate: datasource=rubygems depName=mdl versioning=ruby ENV MDL_VERSION="0.13.0" +# renovate: datasource=repology depName=gitleaks versioning=loose +ENV GITLEAKS_VERSION="8.18.4" RUN apk add --update --no-cache \ build-base="${BUILD_BASE_VERSION}" \ @@ -27,6 +29,8 @@ RUN apk add --update --no-cache \ pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \ gem install --no-document mdl -v "${MDL_VERSION}" && \ mkdir /data && \ - git config --global --add safe.directory /data + git config --global --add safe.directory /data && \ + wget https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && \ + tar xf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && cp gitleaks /usr/bin/ WORKDIR /data From 53d8640163959795fe2e7258b5fa4bc329bc88f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Wed, 19 Jun 2024 13:36:12 +0200 Subject: [PATCH 06/31] Copy gitleaks from container --- Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
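Review bot: The gitleaks tarball fetched by the added `wget https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/...` line is unpacked and copied to `/usr/bin/` without any integrity check, so the image trusts whatever the release URL serves at build time. Pin the expected SHA-256 next to `GITLEAKS_VERSION` and verify before extracting, e.g. `echo "${GITLEAKS_SHA256}  gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | sha256sum -c -`, where `GITLEAKS_SHA256` is a new `ENV` holding the value from the release's published checksums. The archive is also downloaded into the build's current directory and never removed, so it stays in the layer. The `RUN` instruction begins above this hunk.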
diff --git a/Dockerfile b/Dockerfile index b3ac7ef..688f4a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ FROM python:3.12.3-alpine3.20@sha256:32385e61c3414ffa5a6dbf52feace89f758ad68709a48d376d56a0232162665a -COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /bin/ +COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /usr/bin/ +COPY --from=ghcr.io/gitleaks/gitleaks:v8.18.4@sha256:f44e526acc67786b7476db413edb993ce2d152660d32fb3eb48d9bca06fa83f8 /usr/bin/gitleaks /usr/bin/ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" @@ -15,8 +16,6 @@ ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3" ENV PRE_COMMIT_VERSION="3.7.1" # renovate: datasource=rubygems depName=mdl versioning=ruby ENV MDL_VERSION="0.13.0" -# renovate: datasource=repology depName=gitleaks versioning=loose -ENV GITLEAKS_VERSION="8.18.4" RUN apk add --update --no-cache \ build-base="${BUILD_BASE_VERSION}" \ @@ -29,8 +28,6 @@ RUN apk add --update --no-cache \ pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \ gem install --no-document mdl -v "${MDL_VERSION}" && \ mkdir /data && \ - git config --global --add safe.directory /data && \ - wget https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && \ - tar xf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz && cp gitleaks /usr/bin/ + git config --global --add safe.directory /data WORKDIR /data From 94a4817e70a0ef9da77cb627ea5c158ec3439747 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 19 Jun 2024 11:55:58 +0000 Subject: [PATCH 07/31] Renovate: Update python Docker tag to v3.12.4 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 688f4a5..656026c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,4 @@ -FROM python:3.12.3-alpine3.20@sha256:32385e61c3414ffa5a6dbf52feace89f758ad68709a48d376d56a0232162665a +FROM python:3.12.4-alpine3.20@sha256:a982997504b8ec596f553d78f4de4b961bbdf5254e0177f6e99bb34f4ef16f95 COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /usr/bin/ COPY --from=ghcr.io/gitleaks/gitleaks:v8.18.4@sha256:f44e526acc67786b7476db413edb993ce2d152660d32fb3eb48d9bca06fa83f8 /usr/bin/gitleaks /usr/bin/ From 90590626b8024e01ab53661492f7f1fa77fc2c30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Wed, 19 Jun 2024 17:18:17 +0200 Subject: [PATCH 08/31] Run pre-commit to warm up cache --- .dockerignore | 1 + .editorconfig | 16 +++++++++ .pre-commit-config.yaml | 74 +++++++++++++++++++++++++++++++++++++++++ .prettierrc.yaml | 4 +++ .woodpecker.yaml | 6 ++-- Dockerfile | 10 ++++-- renovate.json | 12 ++----- 7 files changed, 109 insertions(+), 14 deletions(-) create mode 100644 .editorconfig create mode 100644 .pre-commit-config.yaml create mode 100644 .prettierrc.yaml diff --git a/.dockerignore b/.dockerignore index ea32980..7e91a32 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,2 +1,3 @@ # Ignore everything * +!.pre-commit-config.yaml diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..4bd3180 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,16 @@ +root = true + +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +# Non-standard +quote_type = single + +[*.{diff,patch}] +indent_style = unset +indent_size = unset diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..ecadcac --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,74 @@ +exclude: | + (?x) + .drawio$| + ^test/.*.json$| + tsconfig.json$| + .diff$| + .patch$| + .min.| + ^states/common/setup/files/01-netzbegruenung.sh$| + ^states/common/setup/files/01-verdigado.sh$ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: check-added-large-files + - id: check-case-conflict + - id: check-executables-have-shebangs + - id: check-json + - id: check-merge-conflict + - id: check-symlinks + - id: check-xml + - id: check-yaml + - id: double-quote-string-fixer + - id: end-of-file-fixer + - id: fix-byte-order-marker + - id: mixed-line-ending + - id: no-commit-to-branch + - id: requirements-txt-fixer + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + - repo: https://github.com/warpnet/salt-lint + rev: v0.9.2 + hooks: + - id: salt-lint + - repo: https://github.com/markdownlint/markdownlint + rev: v0.13.0 + hooks: + - id: markdownlint + - repo: https://github.com/shellcheck-py/shellcheck-py + rev: v0.9.0.5 + hooks: + - id: shellcheck + - repo: local + hooks: + - id: check-ssh-keys + name: check SSH public keys in user pillars + entry: python build/check-ssh-keys.py + language: python + files: ^pillars/users/.+\.sls$ + additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO + + - id: check-codeowners + name: check CODEOWNERS for alphabetical comment order + entry: python build/check-alphabetical-comments.py + language: python + files: CODEOWNERS + + - id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions + name: Prettier + description: '' + entry: prettier --write --ignore-unknown + language: node + 'types': [text] + args: [] + require_serial: false + additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. 
Unspecific to prevent local installs, when global installations are available + minimum_pre_commit_version: '0' + + - id: git-diff + name: git diff + entry: git diff --exit-code + language: system + pass_filenames: false + always_run: true diff --git a/.prettierrc.yaml b/.prettierrc.yaml new file mode 100644 index 0000000..85e2c9f --- /dev/null +++ b/.prettierrc.yaml @@ -0,0 +1,4 @@ +semi: false +bracketSpacing: true +trailingComma: es5 +proseWrap: preserve diff --git a/.woodpecker.yaml b/.woodpecker.yaml index 77c76e1..463d1a5 100644 --- a/.woodpecker.yaml +++ b/.woodpecker.yaml @@ -1,5 +1,5 @@ when: - path: "*Dockerfile*" + path: '*Dockerfile*' steps: build-main: @@ -14,12 +14,12 @@ steps: password: from_secret: gitea_token repo: git.verdigado.com/${CI_REPO,,} - tag: "latest" + tag: 'latest' build-branch: when: branch: - exclude: ["main"] + exclude: ['main'] image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 pull: true settings: diff --git a/Dockerfile b/Dockerfile index 656026c..d5f6e51 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,9 @@ ENV PRE_COMMIT_VERSION="3.7.1" # renovate: datasource=rubygems depName=mdl versioning=ruby ENV MDL_VERSION="0.13.0" +RUN mkdir /data /tmp/pre-commit +COPY .pre-commit-config.yaml /tmp/pre-commit + RUN apk add --update --no-cache \ build-base="${BUILD_BASE_VERSION}" \ gcc="${GCC_VERSION}" \ @@ -27,7 +30,10 @@ RUN apk add --update --no-cache \ && \ pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \ gem install --no-document mdl -v "${MDL_VERSION}" && \ - mkdir /data && \ - git config --global --add safe.directory /data + git config --global --add safe.directory /data && \ + cd /tmp/pre-commit && \ + git init --initial-branch main && \ + pre-commit install --install-hooks && \ + rm -rf /tmp/pre-commit WORKDIR /data diff --git a/renovate.json b/renovate.json index 19827ba..2cb753a 100644 --- a/renovate.json +++ b/renovate.json 
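Review bot: Every remote hook in the new `.pre-commit-config.yaml` is pinned by tag (`rev: v4.6.0`, `v0.9.2`, `v0.13.0`, `v0.9.0.5`), and the Dockerfile hunk of this patch runs `pre-commit install --install-hooks` at build time, so the code baked into the image is whatever those tags point to when the build runs. Tags can be moved upstream; pinning each `rev` to the full commit SHA with the tag in a trailing comment (what `pre-commit autoupdate --freeze` writes) makes the warmed cache reproducible. The same applies to `additional_dependencies: ['prettier@3']`, which floats across a whole major version; the inline comment says this is deliberate, but for an image that other repositories consume an exact version would be safer. Separately, the `exclude` pattern leaves its dots unescaped (`.min.`, `.drawio$`, `^test/.*.json$`), so `.min.` matches any path with `min` between two characters and silently exempts those files from every hook; `\.min\.` is presumably what was meant.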
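Review bot: The warm-up in the second Dockerfile hunk (`cd /tmp/pre-commit && git init --initial-branch main && pre-commit install --install-hooks`) leaves the hook environments in the build user's cache directory, which by default is `~/.cache/pre-commit`, and nothing records that location. A consumer that runs the container with a different user or `HOME` would presumably miss the cache and reinstall every hook from the network. Setting `ENV PRE_COMMIT_HOME=/opt/pre-commit` (path chosen here as an example) before the `RUN`, or adding a comment naming the cache path, makes the dependency explicit. The `RUN` instruction begins above the hunk.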
@@ -1,8 +1,6 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "local>renovate/config" - ], + "extends": ["local>renovate/config"], "branchPrefix": "renovate-", "groupName": "all dependencies", "groupSlug": "all", @@ -10,18 +8,14 @@ { "groupName": "all dependencies", "groupSlug": "all", - "matchPackagePatterns": [ - "*" - ] + "matchPackagePatterns": ["*"] } ], "separateMajorMinor": false, "customManagers": [ { "customType": "regex", - "fileMatch": [ - "^Dockerfile$" - ], + "fileMatch": ["^Dockerfile$"], "matchStrings": [ "#\\s*renovate:\\s*datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\sENV .*?_VERSION=\"(?.*)\"\\s" ], From 2fd071bb7827d940dded421791d2a4e7d588136e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Thu, 20 Jun 2024 11:35:33 +0200 Subject: [PATCH 09/31] Update gitleaks to use native hook --- .pre-commit-config.yaml | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ecadcac..91c892e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,13 +1,3 @@ -exclude: | - (?x) - .drawio$| - ^test/.*.json$| - tsconfig.json$| - .diff$| - .patch$| - .min.| - ^states/common/setup/files/01-netzbegruenung.sh$| - ^states/common/setup/files/01-verdigado.sh$ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.6.0 @@ -40,6 +30,10 @@ repos: rev: v0.9.0.5 hooks: - id: shellcheck + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.1 + hooks: + - id: gitleaks - repo: local hooks: - id: check-ssh-keys 
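Review bot: The new gitleaks hook is pinned at `rev: v8.16.1`, older than the v8.18.4 binary the Dockerfile copies in at this point of the series, so the hook presumably scans with an older build and rule set than the image already ships. `rev: v8.18.4` would keep the two aligned. The hunk sits inside the `repos:` list, whose remaining entries are outside it.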
@@ -49,12 +43,6 @@ repos: files: ^pillars/users/.+\.sls$ additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO - - id: check-codeowners - name: check CODEOWNERS for alphabetical comment order - entry: python build/check-alphabetical-comments.py - language: python - files: CODEOWNERS - - id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions name: Prettier description: '' @@ -65,10 +53,3 @@ repos: require_serial: false additional_dependencies: ['prettier@3'] # Renovate can't parse this, either. Unspecific to prevent local installs, when global installations are available minimum_pre_commit_version: '0' - - - id: git-diff - name: git diff - entry: git diff --exit-code - language: system - pass_filenames: false - always_run: true From 4e449c56a7c982e5ae47a661a546977c11604893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Thu, 20 Jun 2024 12:00:53 +0200 Subject: [PATCH 10/31] Add README --- .markdown-style.rb | 2 ++ .mdlrc | 2 ++ README.md | 31 +++++++++++++++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 .markdown-style.rb create mode 100644 .mdlrc create mode 100644 README.md diff --git a/.markdown-style.rb b/.markdown-style.rb new file mode 100644 index 0000000..c4366da --- /dev/null +++ b/.markdown-style.rb @@ -0,0 +1,2 @@ +all # Import all rules +exclude_rule "MD013" # Ignore Line length diff --git a/.mdlrc b/.mdlrc new file mode 100644 index 0000000..7cc7d12 --- /dev/null +++ b/.mdlrc @@ -0,0 +1,2 @@ +style "#{File.dirname(__FILE__)}/.markdown-style.rb" +git_recurse true diff --git a/README.md b/README.md new file mode 100644 index 0000000..4e0c04a --- /dev/null +++ b/README.md 
@@ -0,0 +1,31 @@ +# verdigado pre-commit container + +A container image to include all dependencies (and a warmed up cache) used in our [`pre-commit`](https://pre-commit.com/) hooks/CI steps to speed up execution. + +If you see any pre-commit CI jobs installing dependencies: + +- Make sure to execute `pre-commit` using this container +- Add the hook to this repo's `.pre-commit-config.yaml` +- Optionally install dependencies in the `Dockerfile` with the versions set up for `Renovate` + +## Usage + +In your `.woodpecker.yaml`, adapt and add the following block: + +```yaml +steps: + check-pre-commit: + image: git.verdigado.com/verdigado-images/container-pre-commit:latest + environment: + - SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check + commands: + - pre-commit run --all-files +``` + +If renovate is set up, it'll add and update the pinned digest/hash of the image. + +## Development + +If you need to copy files into the container, don't forget to add exclusions to the general _exclude all_ in `.dockerignore`. + +To update the base image (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required. In the `Dockerfile`, update the Alpine version for the image, the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`), and the package versions for that OS version from the repo (Like on the [Alpine Package Page for gcc](https://pkgs.alpinelinux.org/packages?name=gcc&branch=v3.20&repo=&arch=x86_64)). From 7b022827a10c6cf5ac16ac0991e5327abeb9ac08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Thu, 20 Jun 2024 16:25:44 +0200 Subject: [PATCH 11/31] Remove dependencies to let pre-commit install them --- Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index d5f6e51..9991bd2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,6 +1,4 @@ FROM python:3.12.4-alpine3.20@sha256:a982997504b8ec596f553d78f4de4b961bbdf5254e0177f6e99bb34f4ef16f95 -COPY --from=koalaman/shellcheck:v0.10.0@sha256:2097951f02e735b613f4a34de20c40f937a6c8f18ecb170612c88c34517221fb /bin/shellcheck /usr/bin/ -COPY --from=ghcr.io/gitleaks/gitleaks:v8.18.4@sha256:f44e526acc67786b7476db413edb993ce2d152660d32fb3eb48d9bca06fa83f8 /usr/bin/gitleaks /usr/bin/ # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" @@ -14,8 +12,6 @@ ENV GIT_VERSION="2.45.2-r0" ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3" # renovate: datasource=pypi depName=pre-commit versioning=pep440 ENV PRE_COMMIT_VERSION="3.7.1" -# renovate: datasource=rubygems depName=mdl versioning=ruby -ENV MDL_VERSION="0.13.0" RUN mkdir /data /tmp/pre-commit COPY .pre-commit-config.yaml /tmp/pre-commit @@ -23,13 +19,11 @@ COPY .pre-commit-config.yaml /tmp/pre-commit RUN apk add --update --no-cache \ build-base="${BUILD_BASE_VERSION}" \ gcc="${GCC_VERSION}" \ - ruby="${RUBY_VERSION}" \ ruby-dev="${RUBY_VERSION}" \ git="${GIT_VERSION}" \ openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \ && \ pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \ - gem install --no-document mdl -v "${MDL_VERSION}" && \ git config --global --add safe.directory /data && \ cd /tmp/pre-commit && \ git init --initial-branch main && \ From 64c3f1fa9c79dd21689cb9b0bbe47e8e78ee05af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Thu, 20 Jun 2024 16:39:03 +0200 Subject: [PATCH 12/31] Add tests for pre-commit container Run pre-commit on the freshly built container against salt and rc2matrix --- .woodpecker.yaml => .woodpecker/.build.yaml | 23 +++++---- .woodpecker/.test.yaml | 56 +++++++++++++++++++++ 2 files changed, 69 insertions(+), 10 deletions(-) rename .woodpecker.yaml => .woodpecker/.build.yaml (72%) create mode 100644 .woodpecker/.test.yaml 
diff --git a/.woodpecker.yaml b/.woodpecker/.build.yaml similarity index 72% rename from .woodpecker.yaml rename to .woodpecker/.build.yaml index 463d1a5..f59d616 100644 --- a/.woodpecker.yaml +++ b/.woodpecker/.build.yaml @@ -1,10 +1,8 @@ -when: - path: '*Dockerfile*' - steps: - build-main: + build main: when: - branch: main + - event: push + branch: main image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 pull: true settings: @@ -14,12 +12,15 @@ steps: password: from_secret: gitea_token repo: git.verdigado.com/${CI_REPO,,} - tag: 'latest' + tags: + - 'latest' + - ${CI_COMMIT_SHA} - build-branch: + build branch: when: - branch: - exclude: ['main'] + - event: push + branch: + exclude: ['main'] image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 pull: true settings: @@ -29,4 +30,6 @@ steps: password: from_secret: gitea_token repo: git.verdigado.com/${CI_REPO,,} - tag: ${CI_COMMIT_BRANCH} + tags: + - ${CI_COMMIT_BRANCH} + - ${CI_COMMIT_SHA} diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml new file mode 100644 index 0000000..69c9a51 --- /dev/null +++ b/.woodpecker/.test.yaml 
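Review bot: In the `build branch` step the branch name is used directly as an image tag (`- ${CI_COMMIT_BRANCH}`) in the same registry repository that `build main` tags `latest`, so branch builds and the release tag share one tag namespace and nothing in the step keeps them apart. Publishing branch images under a separate repository or a prefixed tag, e.g. `- branch-${CI_COMMIT_BRANCH}`, would keep the `latest` tag that other repositories pull writable only from `main`. Branch names containing `/` are also not valid image tags, so such branches would presumably fail at push. This patch also drops the top-level `when: path: '*Dockerfile*'` filter, so every push now builds and publishes an image; a comment stating that this is intended would help.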
@@ -0,0 +1,56 @@ +skip_clone: true +when: + - event: push +depends_on: + - build +variables: + - &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}' +steps: + await-image: + image: alpine + environment: + IMAGE: *image + commands: + - apk add --update --no-cache img + - 'while !(( img pull $IMAGE 2>&1 | grep -q "Error: failed to unmount" )) ; do echo "Awaiting image $IMAGE..."; sleep 3; done' + - echo 'found.' + + clone salt: + image: woodpeckerci/plugin-git + settings: + remote: https://git.verdigado.com/verdigado-Privileged/Salt.git + path: salt + sha: '' + ref: refs/heads/master + branch: master + + pre-commit salt: + image: *image + depends_on: + - await-image + - clone salt + environment: + - SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check + commands: + - cd salt + - pre-commit run --all-files + + clone rocketchat2matrix: + image: woodpeckerci/plugin-git + settings: + remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git + path: rocketchat2matrix + sha: '' + ref: refs/heads/main + branch: master + + pre-commit rocketchat2matrix: + image: *image + depends_on: + - await-image + - clone rocketchat2matrix + environment: + - SKIP=no-commit-to-branch # Ignore "don't commit to protected branch" check + commands: + - cd rocketchat2matrix + - pre-commit run --all-files From e43b05e0fdd30f4cb56b9f74e25fd18d1ba6a6d8 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 25 Jun 2024 07:02:53 +0000 Subject: [PATCH 13/31] Renovate: Pin dependencies --- .woodpecker/.test.yaml | 6 +++--- Dockerfile | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index 69c9a51..b63c742 100644 --- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml 
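Review bot: The workflow runs on every `push` event and checks out `verdigado-Privileged/Salt.git` next to an image built from that same push, so code from an unreviewed branch of this repository executes with the privileged repository's contents in its workspace. Restricting the Salt steps to `main` with a step-level `when:` (`- event: push` plus `branch: main`), or testing against a public fixture repository, would limit that exposure. In `clone rocketchat2matrix`, `ref: refs/heads/main` and `branch: master` disagree; `branch: main` is presumably intended. The `await-image` loop has no retry limit and keys on the string `Error: failed to unmount`, so a build that never publishes the image leaves the pipeline waiting until the CI timeout. `alpine` and `woodpeckerci/plugin-git` are also referenced without tag or digest, unlike the build images.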
@@ -7,7 +7,7 @@ variables: - &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}' steps: await-image: - image: alpine + image: alpine@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 environment: IMAGE: *image commands: @@ -16,7 +16,7 @@ steps: - echo 'found.' clone salt: - image: woodpeckerci/plugin-git + image: woodpeckerci/plugin-git@sha256:7af90de3a9aa5dc93cc0d5cd2e67e28cb237d4b8e891ccacfd9031f78f4b05a8 settings: remote: https://git.verdigado.com/verdigado-Privileged/Salt.git path: salt @@ -36,7 +36,7 @@ steps: - pre-commit run --all-files clone rocketchat2matrix: - image: woodpeckerci/plugin-git + image: woodpeckerci/plugin-git@sha256:7af90de3a9aa5dc93cc0d5cd2e67e28cb237d4b8e891ccacfd9031f78f4b05a8 settings: remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git path: rocketchat2matrix diff --git a/Dockerfile b/Dockerfile index 9991bd2..e988a6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,11 @@ -FROM python:3.12.4-alpine3.20@sha256:a982997504b8ec596f553d78f4de4b961bbdf5254e0177f6e99bb34f4ef16f95 +FROM python:3.12.4-alpine3.20@sha256:dc095966439c68283a01dde5e5bc9819ba24b28037dddd64ea224bf7aafc0c82 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" # renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose ENV GCC_VERSION="13.2.1_git20240309-r0" # renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose -ENV RUBY_VERSION="3.3.1-r0" +ENV RUBY_VERSION="3.3.3-r0" # renovate: datasource=repology depName=alpine_3_20/git versioning=loose ENV GIT_VERSION="2.45.2-r0" # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose From 9354a361a36944d8a9faeb87310f895d144550b1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Henrik=20H=C3=BCttemann?= Date: Thu, 20 Jun 2024 14:19:23 +0200 Subject: [PATCH 14/31] Add package version script --- README.md | 46 +++++++++++++++++++++++++++++++++++++++++++-- get_pkg_versions.sh | 15 +++++++++++++++ 2 files changed, 59 insertions(+), 2 deletions(-) create mode 100755 get_pkg_versions.sh diff --git a/README.md b/README.md index 4e0c04a..e193f46 100644 --- a/README.md +++ b/README.md 
@@ -22,10 +22,52 @@ steps: - pre-commit run --all-files ``` -If renovate is set up, it'll add and update the pinned digest/hash of the image. +If renovate is set up for your repo, it'll add and update the pinned digest/hash of the image. ## Development +Generally you should have `Docker` or something alike installed. + If you need to copy files into the container, don't forget to add exclusions to the general _exclude all_ in `.dockerignore`. -To update the base image (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required. In the `Dockerfile`, update the Alpine version for the image, the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`), and the package versions for that OS version from the repo (Like on the [Alpine Package Page for gcc](https://pkgs.alpinelinux.org/packages?name=gcc&branch=v3.20&repo=&arch=x86_64)). +To **update the base image** (like `3.12.4-alpine3.20` to a newer Alpine version), manual work is still required, but supported by a little script. **Renovate might not create a PR for newer image tags.** + +1. In the `Dockerfile`, update the Alpine version for the image and the renovate comments (`# renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose`). + + ```diff + - FROM python:3-alpine3.19@sha256:00c0ffeeacab... + + FROM python:3-alpine3.20 # You can omit the sha256 digest, the script prints it out + # ... + + - # renovate: datasource=repology depName=alpine_3_19/build-base versioning=loose + + # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose + ENV BUILD_BASE_VERSION="0.8.15" + # ... + ``` + +1. Now run `./get_pkg_versions.sh`. It pulls the alpine image from the Dockerfile, prints it's digest and the latest packages it could find via `apk` inside that container and prints out the names and versions. 
+ + Example output of `./get_pkg_versions.sh` for a new image, which is not yet pulled: + + ```plain + Unable to find image 'python:3.12.3-alpine3.18' locally + 3.12.3-alpine3.18: Pulling from library/python + 619be1103602: Pull complete + [...] + 0eb61f1af52e: Pull complete + Digest: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721 + Status: Downloaded newer image for python:3.12.3-alpine3.18 + [Script output starts here] + Checking 5/5 latest package versions on python:3.12.3-alpine3.18 + Image digest found: sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721 + --- + build-base-0.5-r3 + gcc-12.2.1_git20220924-r10 + git-2.40.1-r0 + openssh-keygen-9.3_p2-r1 + ruby-3.2.4-r0 + ``` + +1. Copy the package versions and update the respective `ENV` with it manually in the `Dockerfile`. You also might add the digest to the base image. + +1. Test building the image and you can commit it. diff --git a/get_pkg_versions.sh b/get_pkg_versions.sh new file mode 100755 index 0000000..87b772f --- /dev/null +++ b/get_pkg_versions.sh @@ -0,0 +1,15 @@ +#!/bin/bash +set -euo pipefail +IFS=$'\n\t' + +IMAGE=$(grep -oP 'FROM \K.*alpine[^ ]+' Dockerfile) +PACKAGES=$(grep -oP '#.+depName=alpine.+/\K[^ ]+' Dockerfile) +# shellcheck disable=SC2086 +PACKAGES_NO_BR=$(echo ${PACKAGES} | tr -d '\n') +PACKAGES_VERSIONS=$(docker run --rm -t --entrypoint /bin/sh "$IMAGE" -c "apk --update --no-cache list $PACKAGES_NO_BR | cut -d ' ' -f 1 | grep -v '^fetch$'") +DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" | cut -d '@' -f2) + +echo "Checking $(echo "$PACKAGES" | wc -l)/$(echo "$PACKAGES_VERSIONS" | wc -l) latest package versions on $IMAGE" +echo "Image digest found: $DIGEST" +echo "---" +echo "$PACKAGES_VERSIONS" From 73f802fab09b00458d1e1e59ec58009fd60ae45a Mon Sep 17 00:00:00 2001 
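Review bot: `docker run --rm -t` allocates a pseudo-terminal, so the output captured into `PACKAGES_VERSIONS` carries carriage returns at each line end, and those travel along when the versions are pasted into the `ENV` lines; dropping `-t` avoids that. `grep -oP` needs GNU grep with PCRE support, which is worth a comment near the top since the script otherwise aborts under `set -e` on systems without it. The package names read from the Dockerfile comments are spliced unquoted into the `sh -c` string; that is fine while the Dockerfile is trusted, and a comment such as `# package names come from our own Dockerfile and are passed to sh -c unquoted` would record the assumption. The digest printed is the one the registry served for the tag at pull time, so it should be compared with the upstream tag listing before it is committed.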
From: Renovate Bot Date: Thu, 27 Jun 2024 07:02:22 +0000 Subject: [PATCH 15/31] Renovate: Update python:3.12.4-alpine3.20 Docker digest to ff870bf --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e988a6a..eb8de3d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.4-alpine3.20@sha256:dc095966439c68283a01dde5e5bc9819ba24b28037dddd64ea224bf7aafc0c82 +FROM python:3.12.4-alpine3.20@sha256:ff870bf7c2bb546419aaea570f0a1c28c8103b78743a2b8030e9e97391ddf81b # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" From 161a73e8e91a5d96b0e7e2601d4f00667e35cd3b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 3 Jul 2024 10:02:20 +0000 Subject: [PATCH 16/31] Renovate: Update all dependencies --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index eb8de3d..bf736f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.4-alpine3.20@sha256:ff870bf7c2bb546419aaea570f0a1c28c8103b78743a2b8030e9e97391ddf81b +FROM python:3.12.4-alpine3.20@sha256:d16d0127032bddebc11d8f5731c30b3f5af76cac58d8a0cb970a8e66a3044d13 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" @@ -9,7 +9,7 @@ ENV RUBY_VERSION="3.3.3-r0" # renovate: datasource=repology depName=alpine_3_20/git versioning=loose ENV GIT_VERSION="2.45.2-r0" # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose -ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r3" +ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4" # renovate: datasource=pypi depName=pre-commit versioning=pep440 ENV PRE_COMMIT_VERSION="3.7.1" From 24ee40e4be2456c7f31492b3f1f8753aed949ad1 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Wed, 3 Jul 2024 16:31:05 +0000 Subject: [PATCH 17/31] Renovate: Update python:3.12.4-alpine3.20 Docker digest to b7662fc --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bf736f1..7d56d09 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.4-alpine3.20@sha256:d16d0127032bddebc11d8f5731c30b3f5af76cac58d8a0cb970a8e66a3044d13 +FROM python:3.12.4-alpine3.20@sha256:b7662fc33e07f05fb2f579c3634e1e4d2e30c02553397c6c24f775cb360dbc03 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" From 424a53ef0293c44e4b79005bf229051f456bf573 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 3 Jul 2024 16:56:32 +0000 Subject: [PATCH 18/31] Renovate: Update pre-commit hook gitleaks/gitleaks to v8.18.4 --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 91c892e..9240805 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: hooks: - id: shellcheck - repo: https://github.com/gitleaks/gitleaks - rev: v8.16.1 + rev: v8.18.4 hooks: - id: gitleaks - repo: local From 135f60659a5c09bee99aca9a262749c22e5e3ed0 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 10 Jul 2024 07:16:26 +0000 Subject: [PATCH 19/31] Renovate: Update woodpeckerci/plugin-docker-buildx Docker tag to v4.1.0 --- .woodpecker/.build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.woodpecker/.build.yaml b/.woodpecker/.build.yaml index f59d616..06852cb 100644 --- a/.woodpecker/.build.yaml +++ b/.woodpecker/.build.yaml 
@@ -3,7 +3,7 @@ steps: when: - event: push branch: main - image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 + image: woodpeckerci/plugin-docker-buildx:4.1.0@sha256:28c6bed43137343bd8fedd6477bd9c3cdc7e166c775c8a2a529bd6f96b52f22c pull: true settings: platforms: linux/amd64 @@ -21,7 +21,7 @@ steps: - event: push branch: exclude: ['main'] - image: woodpeckerci/plugin-docker-buildx:4.0.0@sha256:9d24b71c37d7a958d79252e608c4d1a04b02f2e74d4e26003b43e0830038bde0 + image: woodpeckerci/plugin-docker-buildx:4.1.0@sha256:28c6bed43137343bd8fedd6477bd9c3cdc7e166c775c8a2a529bd6f96b52f22c pull: true settings: platforms: linux/amd64 From 933ddf30d01fb4449b0a6ccd2af29f82a6699dac Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 11 Jul 2024 07:16:02 +0000 Subject: [PATCH 20/31] Renovate: Update python:3.12.4-alpine3.20 Docker digest to 0bd77ae --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7d56d09..f22a510 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.4-alpine3.20@sha256:b7662fc33e07f05fb2f579c3634e1e4d2e30c02553397c6c24f775cb360dbc03 +FROM python:3.12.4-alpine3.20@sha256:0bd77ae937dce9037e136ab35f41eaf9e012cfd741fc3c8dd4b3e2b63499f12c # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" From 46bff875b5ad667888c277a45f9b660937aaee76 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 15 Jul 2024 07:02:52 +0000 Subject: [PATCH 21/31] Renovate: Update woodpeckerci/plugin-git Docker digest to 1b6f184 --- .woodpecker/.test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index b63c742..e0ee445 100644 --- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml 
@@ -16,7 +16,7 @@ steps: - echo 'found.' clone salt: - image: woodpeckerci/plugin-git@sha256:7af90de3a9aa5dc93cc0d5cd2e67e28cb237d4b8e891ccacfd9031f78f4b05a8 + image: woodpeckerci/plugin-git@sha256:1b6f1843af06b4d83e9f203cd80b92dffafa7692459479975ce1648f5ca68ee9 settings: remote: https://git.verdigado.com/verdigado-Privileged/Salt.git path: salt @@ -36,7 +36,7 @@ steps: - pre-commit run --all-files clone rocketchat2matrix: - image: woodpeckerci/plugin-git@sha256:7af90de3a9aa5dc93cc0d5cd2e67e28cb237d4b8e891ccacfd9031f78f4b05a8 + image: woodpeckerci/plugin-git@sha256:1b6f1843af06b4d83e9f203cd80b92dffafa7692459479975ce1648f5ca68ee9 settings: remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git path: rocketchat2matrix From f39fcf4d828f1d95001a3cb98f804c8d797f54b5 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 24 Jul 2024 13:02:38 +0000 Subject: [PATCH 22/31] Renovate: Update all dependencies --- .woodpecker/.build.yaml | 4 ++-- .woodpecker/.test.yaml | 2 +- Dockerfile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.woodpecker/.build.yaml b/.woodpecker/.build.yaml index 06852cb..84a690a 100644 --- a/.woodpecker/.build.yaml +++ b/.woodpecker/.build.yaml @@ -3,7 +3,7 @@ steps: when: - event: push branch: main - image: woodpeckerci/plugin-docker-buildx:4.1.0@sha256:28c6bed43137343bd8fedd6477bd9c3cdc7e166c775c8a2a529bd6f96b52f22c + image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a pull: true settings: platforms: linux/amd64 @@ -21,7 +21,7 @@ steps: - event: push branch: exclude: ['main'] - image: woodpeckerci/plugin-docker-buildx:4.1.0@sha256:28c6bed43137343bd8fedd6477bd9c3cdc7e166c775c8a2a529bd6f96b52f22c + image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a pull: true settings: platforms: linux/amd64 diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index e0ee445..28999ed 100644 
--- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml @@ -7,7 +7,7 @@ variables: - &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}' steps: await-image: - image: alpine@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 + image: alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 environment: IMAGE: *image commands: diff --git a/Dockerfile b/Dockerfile index f22a510..ab864ac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.4-alpine3.20@sha256:0bd77ae937dce9037e136ab35f41eaf9e012cfd741fc3c8dd4b3e2b63499f12c +FROM python:3.12.4-alpine3.20@sha256:7f15e22f496c65cffbbac5e30e7e98d60f3e3b9cc5ee5d51cf3c55ed604787c8 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" From 980b4510ed2902a0830f132cd1a34b939aa40625 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 25 Jul 2024 14:23:03 +0000 Subject: [PATCH 23/31] Renovate: migrate config renovate.json --- renovate.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 2cb753a..546cc45 100644 --- a/renovate.json +++ b/renovate.json @@ -8,7 +8,7 @@ { "groupName": "all dependencies", "groupSlug": "all", - "matchPackagePatterns": ["*"] + "matchPackageNames": ["/*/"] } ], "separateMajorMinor": false, From d44a4ef685b7b469d291ed2cd9107d8aa714781c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 26 Jul 2024 09:02:59 +0000 Subject: [PATCH 24/31] Renovate: Update woodpeckerci/plugin-git Docker digest to a878e6f --- .woodpecker/.test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index 28999ed..0aeb43d 100644 --- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml 
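Review bot: The migrated value `"/*/"` on the `matchPackageNames` line of renovate.json is in Renovate's slash-delimited regex form, and the pattern between the slashes is a bare `*`, which is not a valid regular expression because the quantifier has nothing to repeat. The old `"matchPackagePatterns": ["*"]` reads as a catch-all, so depending on how Renovate handles the new value, the "all dependencies" group rule may stop matching. Updates to the digest-pinned images and versioned packages would then no longer be grouped as intended. I would write the catch-all as a glob, `"matchPackageNames": ["*"]`, and run the result through Renovate's config validator before merging. The rule object is only partly visible here; its enclosing array starts and ends outside the hunk.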
@@ -16,7 +16,7 @@ steps: - echo 'found.' clone salt: - image: woodpeckerci/plugin-git@sha256:1b6f1843af06b4d83e9f203cd80b92dffafa7692459479975ce1648f5ca68ee9 + image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602 settings: remote: https://git.verdigado.com/verdigado-Privileged/Salt.git path: salt @@ -36,7 +36,7 @@ steps: - pre-commit run --all-files clone rocketchat2matrix: - image: woodpeckerci/plugin-git@sha256:1b6f1843af06b4d83e9f203cd80b92dffafa7692459479975ce1648f5ca68ee9 + image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602 settings: remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git path: rocketchat2matrix From cf383a999510ac9725cb18ded597c83315a126b7 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 29 Jul 2024 07:03:18 +0000 Subject: [PATCH 25/31] Renovate: Update dependency pre-commit to v3.8.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ab864ac..79d909f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ ENV GIT_VERSION="2.45.2-r0" # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4" # renovate: datasource=pypi depName=pre-commit versioning=pep440 -ENV PRE_COMMIT_VERSION="3.7.1" +ENV PRE_COMMIT_VERSION="3.8.0" RUN mkdir /data /tmp/pre-commit COPY .pre-commit-config.yaml /tmp/pre-commit From 51cd99622bbfdb48b2cedcc1fa6b9e6502c2fe32 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 13 Nov 2024 18:32:46 +0000 Subject: [PATCH 26/31] Renovate: Update all dependencies --- .pre-commit-config.yaml | 2 +- .woodpecker/.build.yaml | 4 ++-- .woodpecker/.test.yaml | 6 +++--- Dockerfile | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9240805..f265922 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: - id: check-added-large-files - id: check-case-conflict diff --git a/.woodpecker/.build.yaml b/.woodpecker/.build.yaml index 84a690a..52334e5 100644 --- a/.woodpecker/.build.yaml +++ b/.woodpecker/.build.yaml @@ -3,7 +3,7 @@ steps: when: - event: push branch: main - image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a + image: woodpeckerci/plugin-docker-buildx:5.0.0@sha256:0a8e69cad4a25d641bdb51daea53ce309692c7bda1193ae04a990bb88486edd8 pull: true settings: platforms: linux/amd64 @@ -21,7 +21,7 @@ steps: - event: push branch: exclude: ['main'] - image: woodpeckerci/plugin-docker-buildx:4.2.0@sha256:e3c7a04b5c1c679655a7f8de77721a39492019b4c372bea0e90ec3dd765e750a + image: woodpeckerci/plugin-docker-buildx:5.0.0@sha256:0a8e69cad4a25d641bdb51daea53ce309692c7bda1193ae04a990bb88486edd8 pull: true settings: platforms: linux/amd64 diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index 0aeb43d..cd3bcef 100644 --- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml @@ -7,7 +7,7 @@ variables: - &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}' steps: await-image: - image: alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 + image: alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a environment: IMAGE: *image commands: @@ -16,7 +16,7 @@ steps: - echo 'found.' clone salt: - image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602 + image: woodpeckerci/plugin-git@sha256:b6d40eaba0ee4274d11c96cc0e053557e6cb024fa56d26c25419c2b4dd6fbfe8 settings: remote: https://git.verdigado.com/verdigado-Privileged/Salt.git path: salt 
@@ -36,7 +36,7 @@ steps: - pre-commit run --all-files clone rocketchat2matrix: - image: woodpeckerci/plugin-git@sha256:a878e6f9674d44c0dc43dcb6d8b916507b21176ab44fac70567af96cb80de602 + image: woodpeckerci/plugin-git@sha256:b6d40eaba0ee4274d11c96cc0e053557e6cb024fa56d26c25419c2b4dd6fbfe8 settings: remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git path: rocketchat2matrix diff --git a/Dockerfile b/Dockerfile index 79d909f..f0d5c09 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12.4-alpine3.20@sha256:7f15e22f496c65cffbbac5e30e7e98d60f3e3b9cc5ee5d51cf3c55ed604787c8 +FROM python:3.12.4-alpine3.20@sha256:63094abdaf49e046da9f6529ecd6ce4d853d9bfbf00a25c52bbbb68b3223b490 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" @@ -11,7 +11,7 @@ ENV GIT_VERSION="2.45.2-r0" # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4" # renovate: datasource=pypi depName=pre-commit versioning=pep440 -ENV PRE_COMMIT_VERSION="3.8.0" +ENV PRE_COMMIT_VERSION="4.0.1" RUN mkdir /data /tmp/pre-commit COPY .pre-commit-config.yaml /tmp/pre-commit From 4e4da163e5ee8fc6ff64357759b304f5628d6eec Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 9 Jan 2025 09:10:07 +0000 Subject: [PATCH 27/31] Renovate: Update alpine Docker digest to 56fa17d --- .woodpecker/.test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index cd3bcef..313991d 100644 --- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml @@ -7,7 +7,7 @@ variables: - &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}' steps: await-image: - image: alpine@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a + image: alpine@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 environment: IMAGE: *image commands: 
From 2c8dc29beb12380867654bec1daa7dd1559c0f60 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 16 Jan 2025 09:09:39 +0000 Subject: [PATCH 28/31] Renovate: Update all non-major dependencies --- .pre-commit-config.yaml | 4 ++-- .woodpecker/.build.yaml | 4 ++-- Dockerfile | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f265922..ab2b957 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: hooks: - id: shellcheck - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.23.1 hooks: - id: gitleaks - repo: local @@ -41,7 +41,7 @@ repos: entry: python build/check-ssh-keys.py language: python files: ^pillars/users/.+\.sls$ - additional_dependencies: ['pyyaml==6.0.1'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO + additional_dependencies: ['pyyaml==6.0.2'] # Renovate can't parse it, yet https://github.com/renovatebot/renovate/issues/20780 # TODO - id: prettier # Copied from https://github.com/pre-commit/mirrors-prettier/ instead of referencing it to not rely on their published Prettier versions name: Prettier diff --git a/.woodpecker/.build.yaml b/.woodpecker/.build.yaml index 52334e5..4596864 100644 --- a/.woodpecker/.build.yaml +++ b/.woodpecker/.build.yaml @@ -3,7 +3,7 @@ steps: when: - event: push branch: main - image: woodpeckerci/plugin-docker-buildx:5.0.0@sha256:0a8e69cad4a25d641bdb51daea53ce309692c7bda1193ae04a990bb88486edd8 + image: woodpeckerci/plugin-docker-buildx:5.1.0@sha256:f323e0b1133f71f6712e93753dfb2d6c0fb5ec1e41d8b99b1cb2ffeadfc15fd5 pull: true settings: platforms: linux/amd64 
@@ -21,7 +21,7 @@ steps: - event: push branch: exclude: ['main'] - image: woodpeckerci/plugin-docker-buildx:5.0.0@sha256:0a8e69cad4a25d641bdb51daea53ce309692c7bda1193ae04a990bb88486edd8 + image: woodpeckerci/plugin-docker-buildx:5.1.0@sha256:f323e0b1133f71f6712e93753dfb2d6c0fb5ec1e41d8b99b1cb2ffeadfc15fd5 pull: true settings: platforms: linux/amd64 diff --git a/Dockerfile b/Dockerfile index f0d5c09..8891c57 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,13 @@ -FROM python:3.12.4-alpine3.20@sha256:63094abdaf49e046da9f6529ecd6ce4d853d9bfbf00a25c52bbbb68b3223b490 +FROM python:3.13.1-alpine3.20@sha256:9ab3b6ef4afb7582afaa84e97d40a36f192595bb0578561c282cecc22a45de49 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" # renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose ENV GCC_VERSION="13.2.1_git20240309-r0" # renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose -ENV RUBY_VERSION="3.3.3-r0" +ENV RUBY_VERSION="3.3.6-r0" # renovate: datasource=repology depName=alpine_3_20/git versioning=loose -ENV GIT_VERSION="2.45.2-r0" +ENV GIT_VERSION="2.45.3-r0" # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4" # renovate: datasource=pypi depName=pre-commit versioning=pep440 From aefada942048e7f51b7846324c09c7bbf8cdd218 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 13 May 2025 09:08:22 +0000 Subject: [PATCH 29/31] Renovate: Update all non-major dependencies --- .pre-commit-config.yaml | 2 +- Dockerfile | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ab2b957..04a1635 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: hooks: - id: shellcheck - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.1 + rev: v8.26.0 hooks: - id: gitleaks - repo: local 
diff --git a/Dockerfile b/Dockerfile index 8891c57..c9c2201 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,17 @@ -FROM python:3.13.1-alpine3.20@sha256:9ab3b6ef4afb7582afaa84e97d40a36f192595bb0578561c282cecc22a45de49 +FROM python:3.13.3-alpine3.20@sha256:40a4559d3d6b2117b1fbe426f17d55b9100fa40609733a1d0c3f39e2151d4b33 # renovate: datasource=repology depName=alpine_3_20/build-base versioning=loose ENV BUILD_BASE_VERSION="0.5-r3" # renovate: datasource=repology depName=alpine_3_20/gcc versioning=loose -ENV GCC_VERSION="13.2.1_git20240309-r0" +ENV GCC_VERSION="13.2.1_git20240309-r1" # renovate: datasource=repology depName=alpine_3_20/ruby versioning=loose -ENV RUBY_VERSION="3.3.6-r0" +ENV RUBY_VERSION="3.3.8-r0" # renovate: datasource=repology depName=alpine_3_20/git versioning=loose ENV GIT_VERSION="2.45.3-r0" # renovate: datasource=repology depName=alpine_3_20/openssh-keygen versioning=loose -ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r4" +ENV OPENSSH_KEYGEN_VERSION="9.7_p1-r5" # renovate: datasource=pypi depName=pre-commit versioning=pep440 -ENV PRE_COMMIT_VERSION="4.0.1" +ENV PRE_COMMIT_VERSION="4.2.0" RUN mkdir /data /tmp/pre-commit COPY .pre-commit-config.yaml /tmp/pre-commit From 7149c415c2368a64782006b59a70186b2ed4b9d9 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 28 May 2025 13:53:39 +0000 Subject: [PATCH 30/31] Renovate: migrate config renovate.json --- renovate.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 546cc45..f0fc161 100644 --- a/renovate.json +++ b/renovate.json @@ -15,7 +15,7 @@ "customManagers": [ { "customType": "regex", - "fileMatch": ["^Dockerfile$"], + "managerFilePatterns": ["/^Dockerfile$/"], "matchStrings": [ "#\\s*renovate:\\s*datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\sENV .*?_VERSION=\"(?.*)\"\\s" ], From e93d2c4166cf092cdf63c8a3c81761f089e1eca5 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Wed, 28 May 2025 14:01:49 +0000 Subject: [PATCH 31/31] Renovate: Update all dependencies --- .woodpecker/.build.yaml | 4 ++-- .woodpecker/.test.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.woodpecker/.build.yaml b/.woodpecker/.build.yaml index 4596864..d8ed153 100644 --- a/.woodpecker/.build.yaml +++ b/.woodpecker/.build.yaml @@ -3,7 +3,7 @@ steps: when: - event: push branch: main - image: woodpeckerci/plugin-docker-buildx:5.1.0@sha256:f323e0b1133f71f6712e93753dfb2d6c0fb5ec1e41d8b99b1cb2ffeadfc15fd5 + image: woodpeckerci/plugin-docker-buildx:6.0.1@sha256:d75734dc72e21033eb539a7e983acbfea5b84c260b78c07247b74d3067d66742 pull: true settings: platforms: linux/amd64 @@ -21,7 +21,7 @@ steps: - event: push branch: exclude: ['main'] - image: woodpeckerci/plugin-docker-buildx:5.1.0@sha256:f323e0b1133f71f6712e93753dfb2d6c0fb5ec1e41d8b99b1cb2ffeadfc15fd5 + image: woodpeckerci/plugin-docker-buildx:6.0.1@sha256:d75734dc72e21033eb539a7e983acbfea5b84c260b78c07247b74d3067d66742 pull: true settings: platforms: linux/amd64 diff --git a/.woodpecker/.test.yaml b/.woodpecker/.test.yaml index 313991d..083eaf9 100644 --- a/.woodpecker/.test.yaml +++ b/.woodpecker/.test.yaml @@ -7,7 +7,7 @@ variables: - &image 'git.verdigado.com/verdigado-images/container-pre-commit:${CI_COMMIT_SHA}' steps: await-image: - image: alpine@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 + image: alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c environment: IMAGE: *image commands: @@ -16,7 +16,7 @@ steps: - echo 'found.' clone salt: - image: woodpeckerci/plugin-git@sha256:b6d40eaba0ee4274d11c96cc0e053557e6cb024fa56d26c25419c2b4dd6fbfe8 + image: woodpeckerci/plugin-git@sha256:d619f364acd546134a9ba06d29a9cb55156eddfc21f60307f1fdcf4e0b2aafa6 settings: remote: https://git.verdigado.com/verdigado-Privileged/Salt.git path: salt 
@@ -36,7 +36,7 @@ steps: - pre-commit run --all-files clone rocketchat2matrix: - image: woodpeckerci/plugin-git@sha256:b6d40eaba0ee4274d11c96cc0e053557e6cb024fa56d26c25419c2b4dd6fbfe8 + image: woodpeckerci/plugin-git@sha256:d619f364acd546134a9ba06d29a9cb55156eddfc21f60307f1fdcf4e0b2aafa6 settings: remote: https://git.verdigado.com/NB-Public/rocketchat2matrix.git path: rocketchat2matrix