diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index bb39377..a42693c 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -6,7 +6,8 @@ on: permissions: contents: read packages: write - +env: + UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }} jobs: matrix: runs-on: ubuntu-22.04 diff --git a/.gitignore b/.gitignore index 5f3e5d6..dcee6f0 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ pkg.lock.bak metadata/ .env +.secrets diff --git a/docker-compose.yaml b/docker-compose.yaml index 5ad784b..cf526f5 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -6,6 +6,8 @@ services: context: . dockerfile: ${MAJOR_VERSION}/Dockerfile target: r + secrets: + - ubuntu_pro_token cache_from: # should speed up the build in CI, where we have a cold cache - ghcr.io/opensafely-core/base-docker:${BASE} - ghcr.io/opensafely-core/r:${MAJOR_VERSION} @@ -49,3 +51,7 @@ services: environment: HOSTPLATFORM: ${HOSTPLATFORM} HOSTUID: ${HOSTUID} + +secrets: + ubuntu_pro_token: + file: ${UBUNTU_PRO_TOKEN_FILE:-.secrets/ubuntu_pro_token} diff --git a/justfile b/justfile index e61e0d2..79922a1 100644 --- a/justfile +++ b/justfile @@ -1,11 +1,25 @@ set dotenv-load := true +export UBUNTU_PRO_TOKEN_FILE := env_var_or_default('UBUNTU_PRO_TOKEN_FILE', justfile_directory() + "/.secrets/ubuntu_pro_token") #enable modern docker build features export DOCKER_BUILDKIT := "1" export COMPOSE_DOCKER_CLI_BUILD := "1" + +ensure-pro-token: + #!/bin/bash + set -euo pipefail + token_file="{{ UBUNTU_PRO_TOKEN_FILE }}" + if test -z "${UBUNTU_PRO_TOKEN:-}"; then + echo "UBUNTU_PRO_TOKEN is required to create $token_file" >&2 + exit 1 + fi + mkdir -p "$(dirname "$token_file")" + umask 077 + printf '%s' "$UBUNTU_PRO_TOKEN" > "$token_file" + # build the R image locally -build version: +build version: ensure-pro-token #!/usr/bin/env bash set -euo pipefail 
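Review bot: Declaring `UBUNTU_PRO_TOKEN` in the workflow-level `env:` block exposes the secret to every job and every step in this workflow, including any third-party actions, when only the image build needs it. Scope it to the step that runs the build by putting `UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}` under that step's own `env:`. The job steps and the `on:` triggers are outside this hunk, so the exact step still has to be identified. If the workflow also runs where secrets are withheld (for example pull requests from forks), the value is empty and the new `ensure-pro-token` recipe will exit 1.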
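Review bot: The `secrets:` entry is added only to the build block with `target: r`, but the `rstudio` stage in v1/Dockerfile now mounts the same secret with `required=true`, and `build-rstudio` builds the `rstudio` service. If that service has its own `build:` block (it is outside this hunk), it needs the same `secrets:` list with `- ubuntu_pro_token`; otherwise its build should fail on the missing secret. A comment above the entry such as `# build-time secret, consumed via RUN --mount=type=secret in the Dockerfile` would tell readers this is not a runtime secret.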
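Review bot: Sourcing the secret from `file:` is what forces the justfile to write the token to `.secrets/ubuntu_pro_token`, where it stays on disk after the build. The Compose specification also accepts `environment:` as a secret source, so replacing the `file:` line with `environment: UBUNTU_PRO_TOKEN` would pass the value straight from the environment and make the token file unnecessary. Check that the Compose versions used locally and in CI support this source for build secrets before switching.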
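Review bot: In `ensure-pro-token`, `umask 077` comes after `mkdir -p`, so the `.secrets` directory is created with the caller's default umask, and a token file that already exists keeps its old mode because `>` only truncates it. Move `umask 077` above `mkdir -p "$(dirname "$token_file")"` and add `chmod 600 "$token_file"` after the `printf`. The recipe rewrites the file on every build and never removes it, so a developer machine keeps a plaintext copy of the token; a comment on the recipe should say so. The `build` recipe body continues outside this hunk.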
@@ -42,7 +56,7 @@ add-package-v1 package repos="NULL": bash v1/scripts/add-package.sh {{ package }} {{ repos }} # r image containing rstudio-server -build-rstudio version: +build-rstudio version: ensure-pro-token docker compose --env-file {{ version }}/env build --pull rstudio # test the locally built image diff --git a/v1/Dockerfile b/v1/Dockerfile index 78bace0..9df1af2 100644 --- a/v1/Dockerfile +++ b/v1/Dockerfile @@ -9,6 +9,7 @@ COPY v1/dependencies.txt /root/dependencies.txt # add cran repo for R packages and install RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 \ + --mount=type=secret,id=ubuntu_pro_token,required=true \ echo "deb https://cloud.r-project.org/bin/linux/ubuntu focal-cran40/" > /etc/apt/sources.list.d/cran.list &&\ /usr/lib/apt/apt-helper download-file 'https://cloud.r-project.org/bin/linux/ubuntu/marutter_pubkey.asc' /etc/apt/trusted.gpg.d/cran_ubuntu_key.asc &&\ /root/docker-apt-install.sh /root/dependencies.txt @@ -24,7 +25,9 @@ FROM base-r as builder # install build time dependencies COPY v1/build-dependencies.txt /root/build-dependencies.txt -RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 /root/docker-apt-install.sh /root/build-dependencies.txt +RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 \ + --mount=type=secret,id=ubuntu_pro_token,required=true \ + /root/docker-apt-install.sh /root/build-dependencies.txt RUN mkdir -p /cache /renv/lib 
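Review bot: The secret mount on this `RUN` keeps the token file itself out of the image, but `/root/docker-apt-install.sh` is not part of this diff, and what it does with the token decides whether credentials end up in a layer. If the script attaches the build container to Ubuntu Pro, the attach state and apt credentials it writes (presumably under `/etc/apt/auth.conf.d/` and `/var/lib/ubuntu-advantage/`) must be detached and removed inside the same `RUN`, or they are committed with the layer and shipped in the published image. Please confirm this and add a comment above the `RUN`, e.g. `# token is read from /run/secrets/ubuntu_pro_token; the script must detach before this RUN ends`. The same applies to the `builder` and `rstudio` hunks that follow, which mount the secret the same way.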
@@ -108,7 +111,9 @@ FROM r as rstudio # Install rstudio-server (and a few dependencies) COPY rstudio/rstudio-dependencies.txt /root/rstudio-dependencies.txt -RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 /root/docker-apt-install.sh /root/rstudio-dependencies.txt &&\ +RUN --mount=type=cache,target=/var/cache/apt,id=apt-2004 \ + --mount=type=secret,id=ubuntu_pro_token,required=true \ + /root/docker-apt-install.sh /root/rstudio-dependencies.txt &&\ test -f /var/cache/apt/"${RSTUDIO_DEB}" ||\ /usr/lib/apt/apt-helper download-file "${RSTUDIO_BASE_URL}${RSTUDIO_DEB}" /var/cache/apt/"${RSTUDIO_DEB}" &&\ apt-get install --no-install-recommends -y /var/cache/apt/"${RSTUDIO_DEB}"
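Review bot: A failing `/root/docker-apt-install.sh` does not fail this `RUN`, because `&&` and `||` have equal precedence in sh, so the list carries on at `|| /usr/lib/apt/apt-helper download-file ...` and then `apt-get install`. The chain predates this commit, which only re-wraps it, but now that the step depends on the Pro token, a failed install would pass silently and could produce an image missing the intended packages or updates. Group the cache check so the first failure stops the build: `{ test -f /var/cache/apt/"${RSTUDIO_DEB}" || /usr/lib/apt/apt-helper download-file "${RSTUDIO_BASE_URL}${RSTUDIO_DEB}" /var/cache/apt/"${RSTUDIO_DEB}"; } &&\`.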