diff --git a/README.md b/README.md index 7d8e6d0..ff340cb 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ Images are published to `ghcr.io/rancher/ci-image/`, each tagged independe | `node22` | none | CI image with Node 22 toolchain | | `node24` | none | CI image with Node 24 toolchain | | `charts` | none | Rancher charts build environment | +| `nix` | none | Nix environment | ## Changelog diff --git a/deps.yaml b/deps.yaml index f2e5d8d..63d431d 100644 --- a/deps.yaml +++ b/deps.yaml @@ -64,6 +64,16 @@ images: - ob-charts-tool - oras + - name: nix + description: "Nix environment" + base: "registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea" + packages: + - sudo + - vim + tools: + - nix + - goreleaser + packages: - gettext-runtime - ca-certificates @@ -200,3 +210,15 @@ tools: release: download_template: "ob-charts-tool_{os}_{arch}" checksum_template: "ob-charts-tool_{version|trimprefix:v}_checksums.txt" + + - name: nix + source: "https://releases.nixos.org/nix" + mode: static + version: 2.34.7 + checksums: + linux/amd64: "eafe5042404e818505e28c5ca3d0885f3ec45c31f955489a25bb38258f87560e" + linux/arm64: "f1cee64ae7a02330c6421924c28f597c41813f2214ff108622087d8056378b08" + release: + download_template: "{source}/nix-{version}/nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}.tar.xz" + extract: "nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}/install" + install_to_path: false diff --git a/dockerfiles/Dockerfile.charts b/dockerfiles/Dockerfile.charts index f30e05c..c36f873 100644 --- a/dockerfiles/Dockerfile.charts +++ b/dockerfiles/Dockerfile.charts @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ 
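Review bot: The new `nix` image entry adds `vim` to `packages:`, an interactive editor that no build step in this change uses and that only widens the package set the CI image has to keep patched. `sudo` is there to back the `NOPASSWD:ALL` rule written by the nix setup templates, yet the installer is run as `suse` with `--no-daemon` into a `/nix` already chowned to that user, so it is not obvious that sudo is needed either. Drop `vim`, and if `sudo` must stay, record why with a short YAML comment on the entry, e.g. `# sudo: required by tmpl/nix-pre.tmpl for <reason>`.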
@@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -114,6 +118,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ @@ -150,6 +155,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # golangci-lint v2.11.4 +ENV golangci-lint_version="v2.11.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="200c5b7503f67b59a6743ccf32133026c174e272b930ee79aa2aa6f37aca7ef1" ;; \ arm64) CHECKSUM="3bcfa2e6f3d32b2bf5cd75eaa876447507025e0303698633f722a05331988db4" ;; \ @@ -169,6 +175,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ 
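Review bot: `ENV golangci-lint_version="v2.11.4"` in the `@@ -150` hunk defines an environment variable whose name contains a hyphen, which is not a valid shell identifier, so a later `RUN` or a workflow script cannot read it: the shell parses `${golangci-lint_version}` as `${golangci-word}` default substitution and yields the literal `lint_version`. The same applies to `charts-build-scripts_version` and `ob-charts-tool_version` in the `@@ -188` and `@@ -205` hunks of this file and to `golangci-lint_version` in Dockerfile.go1.25 and Dockerfile.go1.26; all of them come from `ENV {{.Name}}_version="{{.Version}}"` in `internal/dockerfile/tmpl/dockerfile.tmpl`. The template should emit a sanitized key computed on the Go side, e.g. a constructed field `.EnvName` set from `strings.ReplaceAll(name, "-", "_")`, so the generated line reads `ENV golangci_lint_version="v2.11.4"`.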
@@ -188,6 +195,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # charts-build-scripts v1.9.20 +ENV charts-build-scripts_version="v1.9.20" RUN case "${ARCH}" in \ amd64) CHECKSUM="4935603ca72fff6599bc02a7d251f8bc030d6bf9681e5dccea2c7a3ae2d51b01" ;; \ arm64) CHECKSUM="99670273988d91932b3c2f4fc97a55657d518929e8d80d9e164d2ce5bfa23f73" ;; \ @@ -205,6 +213,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # ob-charts-tool v0.5.0 +ENV ob-charts-tool_version="v0.5.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="7387439e73e5f48a13f8f1f0800023d255f086562293bc17affb7535a093887d" ;; \ arm64) CHECKSUM="892163556c58e2349d7209f51b9fbe44745bd99d5dec086fdb0888d6095228f0" ;; \ @@ -222,6 +231,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # oras v1.3.1 +ENV oras_version="v1.3.1" RUN case "${ARCH}" in \ amd64) CHECKSUM="d52c4af76ce6a3ceb8579e51fb751a43ac051cca67f965f973a0b0e897a2bb86" ;; \ arm64) CHECKSUM="79946ad57d732836f9242f903f476b6fa484c451d659f121bce54d931ab2a044" ;; \ diff --git a/dockerfiles/Dockerfile.go1.25 b/dockerfiles/Dockerfile.go1.25 index 2b1aaa6..25bd2c4 100644 --- a/dockerfiles/Dockerfile.go1.25 +++ b/dockerfiles/Dockerfile.go1.25 @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ 
@@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -114,6 +118,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ @@ -150,6 +155,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # golangci-lint v2.11.4 +ENV golangci-lint_version="v2.11.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="200c5b7503f67b59a6743ccf32133026c174e272b930ee79aa2aa6f37aca7ef1" ;; \ arm64) CHECKSUM="3bcfa2e6f3d32b2bf5cd75eaa876447507025e0303698633f722a05331988db4" ;; \ @@ -169,6 +175,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ 
@@ -188,9 +195,11 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # govulncheck v1.2.0 +ENV govulncheck_version="v1.2.0" RUN go install golang.org/x/vuln/cmd/govulncheck@a8075323febce35764797d66a61fa9e19a8d9797 # oras v1.3.1 +ENV oras_version="v1.3.1" RUN case "${ARCH}" in \ amd64) CHECKSUM="d52c4af76ce6a3ceb8579e51fb751a43ac051cca67f965f973a0b0e897a2bb86" ;; \ arm64) CHECKSUM="79946ad57d732836f9242f903f476b6fa484c451d659f121bce54d931ab2a044" ;; \ diff --git a/dockerfiles/Dockerfile.go1.26 b/dockerfiles/Dockerfile.go1.26 index 91da42e..4718673 100644 --- a/dockerfiles/Dockerfile.go1.26 +++ b/dockerfiles/Dockerfile.go1.26 @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -114,6 +118,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ @@ -150,6 +155,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # golangci-lint v2.11.4 +ENV golangci-lint_version="v2.11.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="200c5b7503f67b59a6743ccf32133026c174e272b930ee79aa2aa6f37aca7ef1" ;; \ arm64) CHECKSUM="3bcfa2e6f3d32b2bf5cd75eaa876447507025e0303698633f722a05331988db4" ;; \ @@ -169,6 +175,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ @@ -188,9 +195,11 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # govulncheck v1.2.0 +ENV govulncheck_version="v1.2.0" RUN go install golang.org/x/vuln/cmd/govulncheck@a8075323febce35764797d66a61fa9e19a8d9797 # oras v1.3.1 +ENV oras_version="v1.3.1" RUN case "${ARCH}" in \ amd64) CHECKSUM="d52c4af76ce6a3ceb8579e51fb751a43ac051cca67f965f973a0b0e897a2bb86" ;; \ arm64) CHECKSUM="79946ad57d732836f9242f903f476b6fa484c451d659f121bce54d931ab2a044" ;; \ diff --git a/dockerfiles/Dockerfile.nix b/dockerfiles/Dockerfile.nix new file mode 100644 index 0000000..dd3e390 --- /dev/null +++ b/dockerfiles/Dockerfile.nix 
@@ -0,0 +1,242 @@ +FROM registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea + +LABEL org.opencontainers.image.source="https://github.com/rancher/ci-image" \ + org.opencontainers.image.title="Rancher nix CI image" \ + org.opencontainers.image.description="Nix environment" + +ARG TARGETARCH +ENV ARCH=$TARGETARCH +ENV GH_TELEMETRY=false +ENV DO_NOT_TRACK=true +ENV PATH="/var/ci-tools/active:${PATH}" + +RUN zypper -n refresh && \ + zypper -n install \ + gettext-runtime \ + ca-certificates \ + docker \ + gawk \ + git-core \ + gzip \ + jq \ + make \ + tar \ + unzip \ + zstd \ + wget \ + sudo \ + vim \ + && \ + zypper -n clean -a && \ + rm -rf /var/log/{lastlog,tallylog,zypper.log,zypp/history,YaST2} + +# Create runner group (GID 121) and user (UID 1001) early for use in tool installations. +# /var/ci-tools/ is set up with setgid (2755) so subdirectories inherit the runner group. +# This allows any user added to the runner group to access tools extracted to /var/ci-tools/. 
+RUN groupadd -g 121 runner && \ + useradd -u 1001 -g 121 -m runner && \ + mkdir -p /var/ci-tools && \ + chown root:runner /var/ci-tools && \ + chmod 2755 /var/ci-tools + +# cosign v3.0.6 +ENV cosign_version="v3.0.6" +RUN case "${ARCH}" in \ + amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ + arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/sigstore/cosign/releases/download/v3.0.6/cosign-linux-amd64" ;; \ + arm64) DOWNLOAD_URL="https://github.com/sigstore/cosign/releases/download/v3.0.6/cosign-linux-arm64" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_DIR}/cosign" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_DIR}/cosign" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + install "${TMP_DIR}/cosign" "/usr/local/bin/cosign" && \ + rm -rf "${TMP_DIR}" + +# gh v2.89.0 +ENV gh_version="v2.89.0" +RUN case "${ARCH}" in \ + amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ + arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/gh.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/cli/cli/releases/download/v2.89.0/gh_2.89.0_linux_amd64.tar.gz"; EXTRACT="gh_2.89.0_linux_amd64/bin/gh" ;; \ + arm64) DOWNLOAD_URL="https://github.com/cli/cli/releases/download/v2.89.0/gh_2.89.0_linux_arm64.tar.gz"; EXTRACT="gh_2.89.0_linux_arm64/bin/gh" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + 
sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/gh" && \ + rm -rf "${TMP_DIR}" + +# helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" +RUN case "${ARCH}" in \ + amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ + arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/helmv3.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://get.helm.sh/helm-v3.20.2-linux-amd64.tar.gz"; EXTRACT="linux-amd64/helm" ;; \ + arm64) DOWNLOAD_URL="https://get.helm.sh/helm-v3.20.2-linux-arm64.tar.gz"; EXTRACT="linux-arm64/helm" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/helmv3" && \ + rm -rf "${TMP_DIR}" + +# helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" +RUN case "${ARCH}" in \ + amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ + arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/helmv4.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://get.helm.sh/helm-v4.1.4-linux-amd64.tar.gz"; EXTRACT="linux-amd64/helm" ;; \ + arm64) DOWNLOAD_URL="https://get.helm.sh/helm-v4.1.4-linux-arm64.tar.gz"; EXTRACT="linux-arm64/helm" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > 
"${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/helmv4" && \ + rm -rf "${TMP_DIR}" + +# slsactl v0.1.30 +ENV slsactl_version="v0.1.30" +RUN case "${ARCH}" in \ + amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ + arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/slsactl.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/rancherlabs/slsactl/releases/download/v0.1.30/slsactl_0.1.30_linux_amd64.tar.gz"; EXTRACT="slsactl" ;; \ + arm64) DOWNLOAD_URL="https://github.com/rancherlabs/slsactl/releases/download/v0.1.30/slsactl_0.1.30_linux_arm64.tar.gz"; EXTRACT="slsactl" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/slsactl" && \ + rm -rf "${TMP_DIR}" + +# nix 2.34.7 +ENV nix_version="2.34.7" + +# Pre-install setup for nix +# Create unprivileged user for Nix installation +RUN useradd -m suse && \ + if [ ! 
-f /etc/sudoers ]; then touch /etc/sudoers; fi && \ + echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Add suse user to runner group and create /etc/nix directory and configuration +RUN usermod -a -G runner suse && \ + sudo mkdir -p /etc/nix && \ + printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ + sudo chown -R suse:runner /etc/nix && \ + sudo mkdir -p /nix && \ + sudo chown -R suse:runner /nix && \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh && \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local + +RUN case "${ARCH}" in \ + amd64) CHECKSUM="eafe5042404e818505e28c5ca3d0885f3ec45c31f955489a25bb38258f87560e" ;; \ + arm64) CHECKSUM="f1cee64ae7a02330c6421924c28f597c41813f2214ff108622087d8056378b08" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export INSTALL_DIR="/var/ci-tools/nix" && \ + mkdir -p "${INSTALL_DIR}" && \ + export TMP_FILE="${INSTALL_DIR}/nix.tar.xz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.7/nix-2.34.7-x86_64-linux.tar.xz"; EXTRACT="nix-2.34.7-x86_64-linux/install" ;; \ + arm64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.7/nix-2.34.7-aarch64-linux.tar.xz"; EXTRACT="nix-2.34.7-aarch64-linux/install" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${INSTALL_DIR}/checksum.sha256" && \ + sha256sum -c "${INSTALL_DIR}/checksum.sha256" && \ + cd "${INSTALL_DIR}" && \ + tar xf "${TMP_FILE}" && \ + chmod -R a+rX . 
&& \ + rm "${TMP_FILE}" "${INSTALL_DIR}/checksum.sha256" + +# Post-install setup for nix +# Fix ownership and run Nix installer from the extracted archive +RUN set -e; \ + sudo chown -R suse:runner /var/ci-tools/nix + +# Switch to unprivileged user for installation +USER suse +WORKDIR /home/suse +ENV USER=suse + +RUN set -e; \ + case "${ARCH}" in \ + amd64) extract="nix-${nix_version}-x86_64-linux/install" ;; \ + arm64) extract="nix-${nix_version}-aarch64-linux/install" ;; \ + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + cd /var/ci-tools/nix && \ + ./${extract} --no-daemon + +# Restore root user for remaining Dockerfile operations +USER root +ENV USER=root + +# goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" +RUN case "${ARCH}" in \ + amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ + arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/goreleaser.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/goreleaser/goreleaser/releases/download/v2.15.2/goreleaser_Linux_x86_64.tar.gz"; EXTRACT="goreleaser" ;; \ + arm64) DOWNLOAD_URL="https://github.com/goreleaser/goreleaser/releases/download/v2.15.2/goreleaser_Linux_arm64.tar.gz"; EXTRACT="goreleaser" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/goreleaser" && \ + rm -rf "${TMP_DIR}" + +# Family selectors — copy scripts and set up manifest + active symlinks. 
+# /var/ci-tools/active is on PATH ahead of /usr/local/bin; runner can update +# the active symlink with: ci-select or select- +COPY dockerfiles/scripts/select-helm.sh /usr/local/bin/select-helm +COPY dockerfiles/scripts/ci-select.sh /usr/local/bin/ci-select +RUN chmod +x /usr/local/bin/select-helm && chmod +x /usr/local/bin/ci-select + + +# Set up CI tool family infrastructure (runner user and group created earlier). +RUN mkdir -p /var/ci-tools/active \ + && mkdir -p /usr/local/share/ci-tools/families/helm \ + && touch /usr/local/share/ci-tools/families/helm/helmv3 \ + && touch /usr/local/share/ci-tools/families/helm/helmv4 \ + && ln -sf helmv4 /usr/local/share/ci-tools/families/helm/default \ + && ln -sf /usr/local/bin/helmv4 /var/ci-tools/active/helm \ + && chown -R root:runner /var/ci-tools \ + && chmod 2775 /var/ci-tools/active + +# We trust our base image and the repos that are pulled in workflows. Otherwise +# each workflow that uses our base images would have to add the step below. +RUN git config --system --add safe.directory '*' diff --git a/dockerfiles/Dockerfile.node22 b/dockerfiles/Dockerfile.node22 index 24e94a8..a96982a 100644 --- a/dockerfiles/Dockerfile.node22 +++ b/dockerfiles/Dockerfile.node22 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ 
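Review bot: The `suse` account created for the single-user Nix install is granted `suse ALL=(ALL) NOPASSWD:ALL`, and that rule remains in the final image, so anything that later runs as `suse`, or can write `/home/suse/.nix-profile/etc/profile.d/nix.sh` (which `/etc/profile.d/nix.sh` sources into every login shell, root's included), is root-equivalent; these lines are generated from `internal/dockerfile/tmpl/nix-pre.tmpl`. The installer is invoked as `suse` with `--no-daemon` into a `/nix` that is already owned by `suse:runner`, and the `sudo mkdir`/`sudo chown` calls execute while the stage is still root, so sudo does not appear to be needed at all. The `touch /etc/sudoers` fallback would also not help, since sudo normally refuses a sudoers file that is not mode 0440. If the grant must stay, write it as a validated drop-in, `echo 'suse ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/suse && chmod 0440 /etc/sudoers.d/suse && visudo -cf /etc/sudoers.d/suse`, and remove it once the nix-post step has run; otherwise delete the rule and the `sudo` prefixes.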
@@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/dockerfiles/Dockerfile.node24 b/dockerfiles/Dockerfile.node24 index bda4676..6e0f123 100644 --- a/dockerfiles/Dockerfile.node24 +++ b/dockerfiles/Dockerfile.node24 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ 
@@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/dockerfiles/Dockerfile.python3.11 b/dockerfiles/Dockerfile.python3.11 index 4e98c4f..b1993e9 100644 --- a/dockerfiles/Dockerfile.python3.11 +++ b/dockerfiles/Dockerfile.python3.11 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ 
@@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/dockerfiles/Dockerfile.python3.13 b/dockerfiles/Dockerfile.python3.13 index 9e533cd..2a7f6b0 100644 --- a/dockerfiles/Dockerfile.python3.13 +++ b/dockerfiles/Dockerfile.python3.13 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ 
@@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/images-lock.yaml b/images-lock.yaml index bea1419..ad33f15 100644 --- a/images-lock.yaml +++ b/images-lock.yaml @@ -10,6 +10,7 @@ images: - node22 - node24 - charts + - nix packages: - gettext-runtime - ca-certificates @@ -32,6 +33,7 @@ tools: govulncheck: v1.2.0 helmv3: v3.20.2 helmv4: v4.1.4 + nix: 2.34.7 ob-charts-tool: v0.5.0 oras: v1.3.1 slsactl: v0.1.30 @@ -112,6 +114,25 @@ configs: helm: helmv4 go_version: 1.26.2 description: CI image with Go 1.26 toolchain + nix: + base: registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea + platforms: + - linux/amd64 + - linux/arm64 + packages: + - sudo + - vim + tools: + - cosign + - gh + - goreleaser + - helmv3 + - helmv4 + - nix + - slsactl + family_selectors: + helm: helmv4 + description: Nix environment node22: base: registry.suse.com/bci/nodejs:22.22.2@sha256:b81c6b8ffd79f8007c621b6ad21d8aa195fb3c6c8024ac6a04923227d9a18a81 platforms: diff --git a/internal/dockerfile/install.go b/internal/dockerfile/install.go index 912a8be..1619379 100644 
--- a/internal/dockerfile/install.go +++ b/internal/dockerfile/install.go @@ -45,3 +45,4 @@ func isGzipBinaryURL(url string) bool { u := urlExt(url) return strings.HasSuffix(u, ".gz") && !strings.HasSuffix(u, ".tar.gz") } + diff --git a/internal/dockerfile/tmpl/dockerfile.tmpl b/internal/dockerfile/tmpl/dockerfile.tmpl index 4e9d620..9f34324 100644 --- a/internal/dockerfile/tmpl/dockerfile.tmpl +++ b/internal/dockerfile/tmpl/dockerfile.tmpl @@ -22,6 +22,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools {{range .Tools}}# {{.Name}} {{.Version}} +ENV {{.Name}}_version="{{.Version}}" {{.Setup.RenderPre}}{{.Install.Render}}{{.Setup.RenderPost}} {{end}}{{if .Selectors}}# Family selectors — copy scripts and set up manifest + active symlinks. @@ -45,4 +46,4 @@ RUN {{.SelectorSetupCmd}} {{if .HasAnyOfPackages "git" "git-core"}}# We trust our base image and the repos that are pulled in workflows. Otherwise # each workflow that uses our base images would have to add the step below. -RUN git config --system --add safe.directory '*'{{end}} \ No newline at end of file +RUN git config --system --add safe.directory '*'{{end}} diff --git a/internal/dockerfile/tmpl/nix-post.tmpl b/internal/dockerfile/tmpl/nix-post.tmpl new file mode 100644 index 0000000..d6ec376 --- /dev/null +++ b/internal/dockerfile/tmpl/nix-post.tmpl @@ -0,0 +1,21 @@ +# Fix ownership and run Nix installer from the extracted archive +RUN set -e; \ + sudo chown -R suse:runner /var/ci-tools/nix + +# Switch to unprivileged user for installation +USER suse +WORKDIR /home/suse +ENV USER=suse + +RUN set -e; \ + case "${ARCH}" in \ + amd64) extract="nix-${nix_version}-x86_64-linux/install" ;; \ + arm64) extract="nix-${nix_version}-aarch64-linux/install" ;; \ + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + cd /var/ci-tools/nix && \ + ./${extract} --no-daemon + +# Restore root user for remaining Dockerfile operations +USER root +ENV USER=root 
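Review bot: `WORKDIR /home/suse`, set for the installer run in nix-post.tmpl, is never restored after `USER root`, so every instruction the enclosing template emits after this block, and the final image, start in the unprivileged user's home directory instead of the previous working directory (Dockerfile.nix has no earlier `WORKDIR`, so that was `/`); `ENV USER=root` is likewise baked into the runtime environment. Add `WORKDIR /` next to `USER root`, or carry the previous directory through the template data. The `sudo chown -R suse:runner /var/ci-tools/nix` in the first `RUN` executes while the stage is still root, so `sudo` does nothing there and the step can be just `RUN chown -R suse:runner /var/ci-tools/nix`.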
diff --git a/internal/dockerfile/tmpl/nix-pre.tmpl b/internal/dockerfile/tmpl/nix-pre.tmpl
new file mode 100644
index 0000000..a423c92
--- /dev/null
+++ b/internal/dockerfile/tmpl/nix-pre.tmpl
@@ -0,0 +1,14 @@
+# Create unprivileged user for Nix installation
+RUN useradd -m suse && \
+ if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi && \
+ echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# Add suse user to runner group and create /etc/nix directory and configuration
+RUN usermod -a -G runner suse && \
+ sudo mkdir -p /etc/nix && \
+ printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \
+ sudo chown -R suse:runner /etc/nix && \
+ sudo mkdir -p /nix && \
+ sudo chown -R suse:runner /nix && \
+ echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh && \
+ echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local
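Review bot: The `nix.conf` written by the `printf` sets `sandbox = false` and `filter-syscalls = false`, which turns off the build sandbox and the seccomp filter for every Nix build performed in this image, so derivations see the full image filesystem and network; nothing in the hunk records why, and `/etc/nix` is then chowned to `suse:runner`, leaving that configuration writable by the unprivileged account. Presumably the sandbox cannot be used because the CI container has no user namespaces — if so, state it above the `printf`, e.g. `# sandbox/filter-syscalls disabled: the CI container has no user namespaces, so Nix builds are not isolated from the image`. Keep `/etc/nix` root-owned (group-readable by `runner` is enough) unless the single-user installer is confirmed to write there; it should only need `/nix`. The same lines appear in the generated `dockerfiles/Dockerfile.nix`.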