migrate base-image build for cc-job-image to github actions

gardener · Jan 27, 2025 · a162b39 · a162b39
1 parent e221efa
commit a162b39
Show file tree

Hide file tree

Showing 5 changed files with 249 additions and 0 deletions.
diff --git a/.github/actions/setup-git-identity/action.yaml b/.github/actions/setup-git-identity/action.yaml
@@ -0,0 +1,20 @@
+name: Setup Git Identity
+description: Configures the Git user identity for commits
+inputs:
+  user_name:
+    description: The Git user name
+    required: false
+    default: Gardener-CICD Bot
+  user_email:
+    description: The Git user email
+    required: false
+    default: [email protected]
+runs:
+  using: composite
+  steps:
+    - name: Set Git user identity
+      shell: bash
+      run: |
+        git config --global --add safe.directory $PWD
+        git config --global user.name "${{ inputs.user_name }}"
+        git config --global user.email "${{ inputs.user_email }}"
diff --git a/.github/workflows/cc-job-image-base.yaml b/.github/workflows/cc-job-image-base.yaml
@@ -0,0 +1,160 @@
+name: Build CC-Job-Image-Base
+run-name: Building CC-Job-Image-Base
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    environment: build
+    permissions:
+      contents: read
+      packages: write
+    env:
+      platforms: linux/amd64,linux/arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Docker-Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ env.platforms }}
+
+      - name: docker-auth
+        uses: docker/login-action@v3
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+
+      - name: Read Version
+        id: read_version
+        run: |
+          version=$(cat JOB_IMAGE_BASE_VERSION)
+          echo "version=$version" >> $GITHUB_OUTPUT
+
+      - name: Build and Push Base Image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ghcr.io/${{ github.repository_owner }}/cc-utils/job-image-base:${{ steps.read_version.outputs.version }}
+          file: Dockerfile.job-image-base
+
+  update-dockerfile:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      docker_version: ${{ steps.get_docker_version.outputs.docker_version }}
+      buildx_version: ${{ steps.get_buildx_version.outputs.buildx_version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Git Identity
+        uses: ./.github/actions/setup-git-identity
+
+      - name: Get latest Docker version
+        id: get_docker_version
+        run: |
+          greatest_version=$(curl -sL https://download.docker.com/linux/static/stable/x86_64/ \
+            | cut -d\" -f2 \
+            | grep "docker-[[:digit:]]" \
+            | cut -d- -f2 \
+            | cut -d. -f1,2,3 \
+            | sort -Vr \
+            | head -1)
+          echo "docker_version=$greatest_version" >> $GITHUB_OUTPUT
+
+      - name: Get latest Buildx version
+        id: get_buildx_version
+        run: |
+          greatest_version=$(curl -sL https://api.github.com/repos/docker/buildx/releases \
+            -H 'Accept: application/json' \
+            | jq -r '.[].tag_name' \
+            | sort -Vr \
+            | head -1)
+          echo "buildx_version=$greatest_version" >> $GITHUB_OUTPUT
+
+      - name: Update Dockerfile with latest Versions
+        run: |
+          sed -i "s/DOCKER_VERSION=.*/DOCKER_VERSION=\
+          ${{ steps.get_docker_version.outputs.docker_version }}/" Dockerfile.job-image-base
+          sed -i "s/DOCKER_BUILDX_VERSION=.*/DOCKER_BUILDX_VERSION=\
+          ${{ steps.get_buildx_version.outputs.buildx_version }}/" \
+          Dockerfile.job-image-base
+
+      - name: Commit and Push Changes
+        run: |
+          git add Dockerfile.job-image-base
+          git commit -m "Update Dockerfile to use Docker \
+          ${{ steps.get_docker_version.outputs.docker_version }} and Buildx \
+          ${{ steps.get_buildx_version.outputs.buildx_version }}"
+          git checkout -b update-dockerfile
+          git push origin update-dockerfile --force
+
+      - name: Create Pull Request
+        run: |
+          gh pr create \
+            -B master \
+            -H update-dockerfile \
+            --title "Update Dockerfile with latest Docker and Buildx versions" \
+            --body "Updates the Dockerfile to use the latest versions:
+              - Docker: ${{ steps.get_docker_version.outputs.docker_version }}
+              - Buildx: ${{ steps.get_buildx_version.outputs.buildx_version }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  update-base-image-version:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      new_version: ${{ steps.update_version.outputs.new_version }}
+      current_version: ${{ steps.update_version.outputs.current_version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Git Identity
+        uses: ./.github/actions/setup-git-identity
+
+      - name: Update Base Image and Increment Version
+        id: update_version
+        run: |
+          current_version=$(cat JOB_IMAGE_BASE_VERSION)
+          sed -i "s|^ARG BASE_IMAGE=.*|ARG BASE_IMAGE=ghcr.io/${{ github.repository_owner }}\
+          /cc-utils/job-image-base:$current_version|" Dockerfile
+
+          new_version=$(echo $current_version | awk -F. '{printf "%d.%d.%d", $1, $2+1, $3}')
+          echo "new_version=$new_version" >> $GITHUB_OUTPUT
+          echo "current_version=$current_version" >> $GITHUB_OUTPUT
+          echo "$new_version" > JOB_IMAGE_BASE_VERSION
+
+      - name: Commit and Push Changes
+        run: |
+          git add Dockerfile JOB_IMAGE_BASE_VERSION
+          git commit -m "Update job-image to use job-image-base \
+          version ${{ steps.update_version.outputs.current_version }} \
+          and prepare for ${{ steps.update_version.outputs.new_version }}"
+          git checkout -b update-base-image
+          git push origin update-base-image --force
+
+      - name: Create Pull Request
+        run: |
+          gh pr create \
+            -B master \
+            -H update-base-image \
+            --title "Update job-image to use version ${{ steps.update_version.outputs.current_version }}" \
+            --body "Updates the job-image to use the latest job-image-base version:
+              - Base Image Version: ${{ steps.update_version.outputs.current_version }}.
+              - Also increments the version to ${{ steps.update_version.outputs.new_version }}."
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Dockerfile.job-image-base b/Dockerfile.job-image-base
@@ -0,0 +1,63 @@
+FROM alpine:3 AS builder
+
+COPY gardener-cicd-libs.apk-packages .
+COPY requirements.txt .
+
+RUN apk add --no-cache \
+  curl \
+&& cat gardener-cicd-libs.apk-packages | xargs apk add --no-cache \
+&& mkdir -p $HOME/.config/pip \
+&& echo -e "[global]\nbreak-system-packages = true" >> $HOME/.config/pip/pip.conf \
+&& pip3 install --upgrade --no-cache-dir \
+   pip \
+&& pip3 install --root /pkgs --upgrade --no-cache-dir \
+   $(grep -v '#' requirements.txt | grep -v 'gardener' | tr '\n' ' ')
+
+FROM alpine:3
+
+
+ARG DOCKER_CHANNEL=stable
+ARG DOCKER_VERSION=27.4.1
+ARG PATH=$PATH:/opt/docker
+ARG TARGETARCH
+
+ARG DOCKER_BUILDX_VERSION=v0.19.3
+
+COPY apk-packages.blacklist .
+COPY --from=builder /pkgs/usr /usr
+
+RUN if [ -z "${TARGETARCH}" ]; then TARGETARCH="amd64"; fi \
+&&  if [ "${TARGETARCH}" == "arm64" ]; then DOCKER_ARCH="aarch64"; \
+      elif [ "${TARGETARCH}" == "amd64" ]; then DOCKER_ARCH="x86_64"; fi \
+&& apk add --no-cache \
+  py3-pip \
+  curl \
+&& curl -L https://github.com/gardener/cc-utils/raw/master/gardener-cicd-libs.apk-packages \
+    | grep -v -f apk-packages.blacklist \
+    | xargs apk add --no-cache \
+&& mkdir -p $HOME/.config/pip \
+&& echo -e "[global]\nbreak-system-packages = true" >> $HOME/.config/pip/pip.conf \
+&& pip3 install --upgrade --no-cache-dir \
+   pip \
+&& echo "before docker" \
+&& curl -Lf \
+ "https://download.docker.com/linux/static/${DOCKER_CHANNEL}/${DOCKER_ARCH}/docker-${DOCKER_VERSION}.tgz" \
+ | tar zx -C /opt \
+&& mkdir -p /usr/lib/docker/cli-plugins \
+&& echo "before docker-buildx" \
+&& curl -Lo /usr/lib/docker/cli-plugins/docker-buildx \
+ https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-${TARGETARCH} \
+&& chmod +x /usr/lib/docker/cli-plugins/docker-buildx \
+&& echo "before first aia" \
+&&  curl http://aia.pki.co.sap.com/aia/SAP%20Global%20Root%20CA.crt -o \
+  /usr/local/share/ca-certificates/SAP_Global_Root_CA.crt \
+&& echo "before second aia" \
+&& curl http://aia.pki.co.sap.com/aia/SAPNetCA_G2.crt -o \
+    /usr/local/share/ca-certificates/SAPNetCA_G2.crt \
+&& curl -Lo /usr/local/share/ca-certificates/SAPNetCA_G2_2.crt \
+    http://aia.pki.co.sap.com/aia/SAPNetCA_G2_2.crt \
+&& update-ca-certificates \
+&& dos2unix /etc/ssl/certs/ca-certificates.crt \
+&& ln -sf /etc/ssl/certs/ca-certificates.crt "$(python3 -m certifi)" \
+&&  mkdir -p ~/.ssh \
+&& ssh-keyscan -H github.wdf.sap.corp github.com >> ~/.ssh/known_hosts
diff --git a/JOB_IMAGE_BASE_VERSION b/JOB_IMAGE_BASE_VERSION
@@ -0,0 +1 @@
+0.105.0
diff --git a/apk-packages.blacklist b/apk-packages.blacklist
@@ -0,0 +1,5 @@
+gcc
+libc-dev
+libffi-dev
+openssl-dev
+python3-dev