Update workflows, fix docker

.github/workflows/docker.yml

@@ -1,32 +1,64 @@
+---
 name: Docker test and publish
 
 on:
   push:
-    branches:
-      - main
+    tags:
+      - '*.*.*'
 
 jobs:
   build-and-publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
-      - uses: actions/checkout@master
-      - name: Set up Ruby 2.6
-        uses: actions/setup-ruby@v1
+      - name: Setup environment
+        run: |
+          if [[ "${{ secrets.DOCKERHUB_USERNAME }}" == '' ]] ; then
+            # defaults to ghcr.io
+            echo "REPOSITORY=${{ vars.REPOSITORY != '' && vars.REPOSITORY || github.repository }}" >> $GITHUB_ENV
+            echo "REGISTRY=${{ vars.REGISTRY != '' && vars.REGISTRY || 'ghcr.io' }}" >> $GITHUB_ENV
+            echo "REGISTRY_USERNAME=${{ vars.REGISTRY_USERNAME != '' && vars.REGISTRY_USERNAME || github.actor }}" >> $GITHUB_ENV
+            echo "REGISTRY_PASSWORD=${{ secrets.REGISTRY_PASSWORD != '' && secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+          else
+            echo "::warning title=deprecated::Project workflow called with deprecated action variables or secrets"
+            # legacy variable/secrets
+            echo "REPOSITORY=puppet/ezbake" >> $GITHUB_ENV
+            echo "REGISTRY=docker.io" >> $GITHUB_ENV
+            echo "REGISTRY_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV
+            echo "REGISTRY_PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }}" >> $GITHUB_ENV
+          fi
+          echo "TAG_LATEST=${{ github.event_name == 'push' && 'true' || 'false' }}" >> $GITHUB_ENV
+
+      - name: Login to ${{ env.REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ env.REGISTRY_USERNAME }}
+          password: ${{ env.REGISTRY_PASSWORD }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 2.6.x
-      - run: gem install bundler
-      - name: Build container
-        env:
-          IS_LATEST: true
+          ruby-version: '3.2'
+
+      - name: Lint
         working-directory: docker
-        run: make lint build test
+        run: make lint
+
+      - name: Build
+        working-directory: docker
+        run: make build source_url=${{ github.server_url }}/${{ github.repository }}
+
+      - name: Test
+        working-directory: docker
+        run: make test
+
       - name: Publish container
-        env:
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
-          IS_LATEST: true
         working-directory: docker
-        run: |
-          docker login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_PASSWORD"
-          make publish
+        run: make publish

.github/workflows/mend.yaml

@@ -4,21 +4,28 @@ on:
   push:
     branches:
       - main
+
+env:
+  MEND_API_KEY: ${{ secrets.MEND_API_KEY }}
+  MEND_TOKEN: ${{ secrets.MEND_TOKEN }}
+  SERVICE_KEY: ${{ secrets.TWINGATE_PUBLIC_REPO_KEY }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository_owner == 'puppetlabs'
     steps:
     - name: connect_twingate
       uses: twingate/github-action@v1
       with:
-        service-key: ${{ secrets.TWINGATE_PUBLIC_REPO_KEY }}
+        service-key: ${{ env.SERVICE_KEY }}
     - name: checkout repo content
-      uses: actions/checkout@v2 # checkout the repository content to github runner.
+      uses: actions/checkout@v4 # checkout the repository content to github runner.
       with:
         fetch-depth: 1
     # install java which is required for mend and clojure
     - name: setup java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: temurin
         java-version: 17
@@ -45,8 +52,8 @@ jobs:
     - name: run mend
       run: env WS_INCLUDES=pom.xml java -jar wss-unified-agent.jar
       env:
-        WS_APIKEY: ${{ secrets.MEND_API_KEY }}
+        WS_APIKEY: ${{ env.MEND_API_KEY }}
         WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent
-        WS_USERKEY: ${{ secrets.MEND_TOKEN }}
+        WS_USERKEY: ${{ env.MEND_TOKEN }}
         WS_PRODUCTNAME: Puppet Enterprise
         WS_PROJECTNAME: ${{ github.event.repository.name }}

.github/workflows/pr.yml

@@ -1,21 +1,21 @@
 name: PR testing
 
-on: [push, pull_request]
+on: [pull_request]
 
 jobs:
   test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [ '8', '11' ]
+        java: [ '8', '11', '17' ]
     env:
       LEIN_HOME: local
 
     name: Java ${{ matrix.java }} tests
     steps:
       - uses: actions/checkout@master
       - name: setup java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}

CHANGELOG.md

@@ -4,6 +4,7 @@ This changelog adheres to [Keep a CHANGELOG](http://keepachangelog.com/).
 
 ## [Unreleased]
 Bugfix:
+  * Fix docker image build, test, and publish
   * Fix java dependency on SLES 15 when building Puppet Platform 7
 
 ## [2.5.5]

docker/Gemfile

@@ -3,5 +3,5 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org"
 gem 'rspec'
 gem 'pupperware',
     :git => 'https://github.com/puppetlabs/pupperware.git',
-    :branch => 'master',
+    :branch => 'main',
     :glob => 'gem/*.gemspec'

docker/Makefile

@@ -1,62 +1,67 @@
-NAMESPACE ?= puppet
-git_describe = $(shell git describe)
+REGISTRY ?= docker.io
+REPOSITORY ?= puppet/ezbake
+
+source_url := https://github.com/puppetlabs/ezbake
 vcs_ref := $(shell git rev-parse HEAD)
 build_date := $(shell date -u +%FT%T)
 hadolint_available := $(shell hadolint --help > /dev/null 2>&1; echo $$?)
-hadolint_command := hadolint --ignore DL3008 --ignore DL3018 --ignore DL3028 --ignore DL4000 --ignore DL4001
+hadolint_command := hadolint --ignore DL3008 --ignore DL3018 --ignore DL3028 --ignore DL3033 --ignore DL4000 --ignore DL4001
 hadolint_container := hadolint/hadolint:latest
 export BUNDLE_PATH = $(PWD)/.bundle/gems
 export BUNDLE_BIN = $(PWD)/.bundle/bin
 export GEMFILE = $(PWD)/Gemfile
 
-version ?= $(shell echo $(git_describe) | sed 's/-.*//')
+version := $(shell sed -rn 's~.*defproject .*"([^"]+)"~\1~p' ../project.clj)
 dockerfile := Dockerfile
 
-prep:
-	@git fetch --unshallow 2> /dev/null ||:
-	@git fetch origin 'refs/tags/*:refs/tags/*'
-
 lint:
+	$(info -> $@ Dockerfile)
 ifeq ($(hadolint_available),0)
 	@$(hadolint_command) ezbake/$(dockerfile)
 else
-	@docker pull $(hadolint_container)
 	@docker run --rm -v $(PWD)/ezbake/$(dockerfile):/Dockerfile -i $(hadolint_container) $(hadolint_command) Dockerfile
 endif
 
-build: prep
+build:
+	$(info -> $@ verison $(version) [$(build_date) $(source_url) $(vcs_ref)])
 	@docker build \
 		--pull \
 		--build-arg vcs_ref=$(vcs_ref) \
 		--build-arg build_date=$(build_date) \
 		--build-arg version=$(version) \
+		--build-arg source_url=$(source_url) \
 		--file ezbake/$(dockerfile) \
-		--tag $(NAMESPACE)/ezbake:$(version) $(PWD)/..
-ifeq ($(IS_LATEST),true)
-	@docker tag $(NAMESPACE)/ezbake:$(version) $(NAMESPACE)/ezbake:latest
-endif
+		--tag $(REPOSITORY):$(version) \
+		$(if $(findstring true,$(TAG_LATEST)),--tag $(REPOSITORY):latest,) \
+		$(PWD)/..
 
-test: prep
+test:
+	$(info -> $@ image with rspec)
 	@bundle install --path $$BUNDLE_PATH --gemfile $$GEMFILE
-	@PUPPET_TEST_DOCKER_IMAGE=$(NAMESPACE)/ezbake:$(version) \
-		bundle exec --gemfile $$GEMFILE rspec spec
+	@PUPPET_TEST_DOCKER_IMAGE=$(REPOSITORY):$(version) \
+		bundle exec --gemfile $$GEMFILE rspec --format documentation spec
 
-push-image: prep
-	@docker push $(NAMESPACE)/ezbake:$(version)
-ifeq ($(IS_LATEST),true)
-	@docker push $(NAMESPACE)/ezbake:latest
+push-image:
+	$(info -> $@ to $(REGISTRY)/$(REPOSITORY))
+	@docker tag $(REPOSITORY):$(version) $(REGISTRY)/$(REPOSITORY):$(version)
+	@docker push $(REGISTRY)/$(REPOSITORY):$(version)
+ifeq ($(TAG_LATEST),true)
+	@docker tag $(REPOSITORY):latest $(REGISTRY)/$(REPOSITORY):latest
+	@docker push $(REGISTRY)/$(REPOSITORY):latest
 endif
 
 push-readme:
-	@docker pull sheogorath/readme-to-dockerhub
-	@docker run --rm \
-		-v $(PWD)/README.md:/data/README.md \
-		-e DOCKERHUB_USERNAME="$(DOCKERHUB_USERNAME)" \
-		-e DOCKERHUB_PASSWORD="$(DOCKERHUB_PASSWORD)" \
-		-e DOCKERHUB_REPO_PREFIX=puppet \
-		-e DOCKERHUB_REPO_NAME=ezbake \
-		sheogorath/readme-to-dockerhub
+ifeq ($(REGISTRY),docker.io)
+	$(info -> $@ to $(REGISTRY)/$(REPOSITORY))
+	@docker run -v $(PWD):/workspace \
+		-e DOCKERHUB_USERNAME="$(REGISTRY_USERNAME)" \
+		-e DOCKERHUB_PASSWORD="$(REGISTRY_PASSWORD)" \
+		-e DOCKERHUB_REPOSITORY=$(REPOSITORY) \
+		-e README_FILEPATH='/workspace/README.md' \
+		peterevans/dockerhub-description:3
+endif
 
 publish: push-image push-readme
+	$(info -> $@ to $(REGISTRY))
 
-.PHONY: prep lint build test publish push-image push-readme
+.PHONY: lint build test publish push-image push-readme

docker/README.md

@@ -95,6 +95,9 @@ This container assumes that the code you're building will be in `/workspace`. Th
 will be copied into `/output` before the container terminates, and if you're building a
 custom ezbake that will be cloned into `/ezbake`.
 
+If `/repo` is volume mapped, lein will automatically be configured to it as the local-repo.
+Useful for saving the maven repository cache between builds.
+
 1. Run from a remotely accessible repo (github, gitlab, etc)
 
 This is by far the fastest build option, but does require the extra step of committing and pushing your code
@@ -133,4 +136,4 @@ working directory), but it still takes significantly more than the builds from r
     docker run --rm --volume $(PWD)/output:/output --volume $(PWD)/src:/workspace/src --volume $(PWD)/project.clj:/workspace/project.clj --volume $(PWD)/resources:/workspace/resources --volume $(PWD)/.git:/workspace/.git puppet/ezbake
     ```
 
-[1]: https://github.com/puppetlabs/ezbake/blob/master/docker/ezbake/Dockerfile
+[1]: https://github.com/puppetlabs/ezbake/blob/main/docker/ezbake/Dockerfile

docker/ezbake/Dockerfile

@@ -1,61 +1,46 @@
-FROM centos:7 as build
-ARG ruby_major_ver=2.6
-ARG ruby_patch_ver=2
-ENV ruby_ver="$ruby_major_ver.$ruby_patch_ver"
+FROM ruby:3.2-slim-bookworm
 
-RUN yum -y groupinstall "Development Tools" && \
-    yum -y install wget openssl-devel
-
-RUN wget "http://cache.ruby-lang.org/pub/ruby/$ruby_major_ver/ruby-$ruby_ver.tar.gz" && \
-    tar xf "ruby-$ruby_ver.tar.gz"
-
-WORKDIR /ruby-$ruby_ver
-RUN ./configure && \
-    make && \
-    make install
-
-FROM centos:7
-
-ARG sles_12_mirror=http://osmirror.delivery.puppetlabs.net/sles-12-sp2-x86_64/RPMS.os
-ARG version="2.0.4"
+ARG version
 ARG vcs_ref
 ARG build_date
+ARG source_url
 
 ENV LANG="en_US.utf8"
 ENV EZBAKE_ALLOW_UNREPRODUCIBLE_BUILDS=true
 ENV EZBAKE_NODEPLOY=true
-ENV EZBAKE_VERSION="$version"
 ENV GEM_SOURCE=https://rubygems.org
 ENV LEIN_PROFILES=ezbake
 
-LABEL org.label-schema.maintainer="Puppet Release Team <release@puppet.com>" \
-      org.label-schema.vendor="Puppet" \
-      org.label-schema.url="https://github.com/puppetlabs/ezbake" \
-      org.label-schema.name="ezbake" \
-      org.label-schema.license="Apache-2.0" \
-      org.label-schema.version="$EZBAKE_VERSION" \
-      org.label-schema.vcs-url="https://github.com/puppetlabs/ezbake" \
-      org.label-schema.vcs-ref="$vcs_ref" \
-      org.label-schema.build-date="$build_date" \
-      org.label-schema.schema-version="1.0" \
-      org.label-schema.dockerfile="/Dockerfile"
+LABEL org.opencontainers.image.title="ezbake" \
+      org.opencontainers.image.vendor="Puppet" \
+      org.opencontainers.image.url="$source_url" \
+      org.opencontainers.image.version="$version" \
+      org.opencontainers.image.source="$source_url" \
+      org.opencontainers.image.revision="$vcs_ref" \
+      org.opencontainers.image.created="$build_date" \
+      org.opencontainers.image.documentation="$source_url/docker/README.md" \
+      org.opencontainers.image.description="Build custom packages for projects using ezbake, including PuppetServer and PuppetDB" \
+      org.opencontainers.image.authors="Puppet Release Team <release@puppet.com>" \
+      org.opencontainers.image.licenses="Apache-2.0"
+
+RUN apt-get update -q && \
+    apt-get -y install --no-install-recommends build-essential rpm openjdk-17-jdk-headless git curl rsync && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
-COPY --from=build /usr/local/bin /usr/local/bin
-COPY --from=build /usr/local/include /usr/local/include
-COPY --from=build /usr/local/lib /usr/local/lib
-COPY --from=build /usr/local/share /usr/local/share
+RUN git config --global user.name "Puppet Release Team" && \
+    git config --global user.email "release@puppet.com" && \
+    git config --global advice.detachedHead false && \
+    git config --global --add safe.directory /workspace && \
+    git config --global --add safe.directory /ezbak
 
-RUN yum clean all && \
-    yum install --assumeyes rpm-build java-1.8.0-openjdk-devel git curl ruby ruby-devel gcc-c++ make zlib-devel && \
-    yum localinstall --assumeyes $sles_12_mirror/systemd-rpm-macros-3-8.374.noarch.rpm && \
-    git config --global user.name "Puppet Release Team" && \
-    git config --global user.email "release@puppet.com"
 RUN curl --output /usr/local/bin/lein https://raw.githubusercontent.com/technomancy/leiningen/stable/bin/lein && \
     chmod 0755 /usr/local/bin/lein && \
     /usr/local/bin/lein
+
 RUN gem install --no-doc bundler fpm && \
-    mkdir /workspace && \
-    mkdir /ezbake_src
+    mkdir /workspace /ezbake_src
+
 COPY docker/ezbake/docker-entrypoint.sh /
 RUN chmod +x /docker-entrypoint.sh
 
@@ -65,7 +50,15 @@ WORKDIR /ezbake_src
 RUN lein clean && lein install
 
 WORKDIR /
-
-ENTRYPOINT ["/docker-entrypoint.sh"] 
-
 COPY docker/ezbake/Dockerfile /
+RUN <<EOF
+{
+    echo "version=$version" ;
+    echo "vcs_ref=$vcs_ref" ;
+    echo "build_date=$build_date" ;
+    echo "source_url=$source_url" ;
+} > .docker_build_args
+rm -rf /ezbake_src
+EOF
+
+ENTRYPOINT ["/docker-entrypoint.sh"]