From e2e73190fb61f950334eb0c467d26b779f9200f2 Mon Sep 17 00:00:00 2001 From: matttrach Date: Mon, 11 May 2026 15:05:37 -0500 Subject: [PATCH 1/4] feat: add and install nix as tool Signed-off-by: matttrach --- README.md | 1 + deps.yaml | 22 ++ dockerfiles/Dockerfile.nix | 230 ++++++++++++++++++ images-lock.yaml | 20 ++ internal/dockerfile/build.go | 12 +- internal/dockerfile/install.go | 6 + .../dockerfile/tmpl/curl_archive_script.tmpl | 56 +++++ 7 files changed, 344 insertions(+), 3 deletions(-) create mode 100644 dockerfiles/Dockerfile.nix create mode 100644 internal/dockerfile/tmpl/curl_archive_script.tmpl diff --git a/README.md b/README.md index 60629ce..4d8c1c7 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ Images are published to `ghcr.io/rancher/ci-image/`, each tagged independe | `node22` | none | CI image with Node 22 toolchain | | `node24` | none | CI image with Node 24 toolchain | | `charts` | none | Rancher charts build environment | +| `nix` | none | Nix environment | ## Changelog diff --git a/deps.yaml b/deps.yaml index 1cdbfbe..5cfa199 100644 --- a/deps.yaml +++ b/deps.yaml @@ -64,6 +64,15 @@ images: - ob-charts-tool - oras + - name: nix + description: "Nix environment" + base: "registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea" + packages: + - sudo + tools: + - nix + - goreleaser + packages: - gettext-runtime - ca-certificates 
@@ -191,3 +200,16 @@ tools: release: download_template: "ob-charts-tool_{os}_{arch}" checksum_template: "ob-charts-tool_{version|trimprefix:v}_checksums.txt" + + - name: nix + source: "https://releases.nixos.org/nix" + mode: static + version: 2.34.5 + checksums: + linux/amd64: "0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1" + linux/arm64: "771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57" + release: + download_template: "{source}/nix-{version}/nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}.tar.xz" + extract: "nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}/install" + install: + method: curl diff --git a/dockerfiles/Dockerfile.nix b/dockerfiles/Dockerfile.nix new file mode 100644 index 0000000..d20933d --- /dev/null +++ b/dockerfiles/Dockerfile.nix 
@@ -0,0 +1,230 @@ +FROM registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea + +LABEL org.opencontainers.image.source="https://github.com/rancher/ci-image" \ + org.opencontainers.image.title="Rancher nix CI image" \ + org.opencontainers.image.description="Nix environment" + +ARG TARGETARCH +ENV ARCH=$TARGETARCH +ENV GH_TELEMETRY=false +ENV DO_NOT_TRACK=true +ENV PATH="/var/ci-tools/active:${PATH}" + +RUN zypper -n refresh && \ + zypper -n install \ + gettext-runtime \ + ca-certificates \ + docker \ + gawk \ + git-core \ + gzip \ + jq \ + make \ + tar \ + unzip \ + zstd \ + wget \ + sudo \ + && \ + zypper -n clean -a && \ + rm -rf /var/log/{lastlog,tallylog,zypper.log,zypp/history,YaST2} + +# cosign v3.0.6 +RUN case "${ARCH}" in \ + amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ + arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/sigstore/cosign/releases/download/v3.0.6/cosign-linux-amd64" ;; \ + arm64) DOWNLOAD_URL="https://github.com/sigstore/cosign/releases/download/v3.0.6/cosign-linux-arm64" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_DIR}/cosign" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_DIR}/cosign" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + install "${TMP_DIR}/cosign" "/usr/local/bin/cosign" && \ + rm -rf "${TMP_DIR}" + +# gh v2.89.0 +RUN case "${ARCH}" in \ + amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ + arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/gh.tar.gz" && \ 
+ case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/cli/cli/releases/download/v2.89.0/gh_2.89.0_linux_amd64.tar.gz"; EXTRACT="gh_2.89.0_linux_amd64/bin/gh" ;; \ + arm64) DOWNLOAD_URL="https://github.com/cli/cli/releases/download/v2.89.0/gh_2.89.0_linux_arm64.tar.gz"; EXTRACT="gh_2.89.0_linux_arm64/bin/gh" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/gh" && \ + rm -rf "${TMP_DIR}" + +# helmv3 v3.20.2 +RUN case "${ARCH}" in \ + amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ + arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/helmv3.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://get.helm.sh/helm-v3.20.2-linux-amd64.tar.gz"; EXTRACT="linux-amd64/helm" ;; \ + arm64) DOWNLOAD_URL="https://get.helm.sh/helm-v3.20.2-linux-arm64.tar.gz"; EXTRACT="linux-arm64/helm" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/helmv3" && \ + rm -rf "${TMP_DIR}" + +# helmv4 v4.1.4 +RUN case "${ARCH}" in \ + amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ + arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export 
TMP_FILE="${TMP_DIR}/helmv4.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://get.helm.sh/helm-v4.1.4-linux-amd64.tar.gz"; EXTRACT="linux-amd64/helm" ;; \ + arm64) DOWNLOAD_URL="https://get.helm.sh/helm-v4.1.4-linux-arm64.tar.gz"; EXTRACT="linux-arm64/helm" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/helmv4" && \ + rm -rf "${TMP_DIR}" + +# slsactl v0.1.30 +RUN case "${ARCH}" in \ + amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ + arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/slsactl.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/rancherlabs/slsactl/releases/download/v0.1.30/slsactl_0.1.30_linux_amd64.tar.gz"; EXTRACT="slsactl" ;; \ + arm64) DOWNLOAD_URL="https://github.com/rancherlabs/slsactl/releases/download/v0.1.30/slsactl_0.1.30_linux_arm64.tar.gz"; EXTRACT="slsactl" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/slsactl" && \ + rm -rf "${TMP_DIR}" + +# nix 2.34.5 +RUN set -e; \ + case "${ARCH}" in \ + amd64) \ + url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-x86_64-linux.tar.xz"; \ + sha256="0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1"; \ + extract="nix-2.34.5-x86_64-linux/install" \ + ;; \ + arm64) \ 
+ url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-aarch64-linux.tar.xz"; \ + sha256="771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57"; \ + extract="nix-2.34.5-aarch64-linux/install" \ + ;; \ + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + export TMP_DIR="/tmp/extract_nix"; \ + export TMP_FILE="${TMP_DIR}/nix.tar.xz"; \ + mkdir -p "${TMP_DIR}"; \ + echo "Downloading nix archive from ${url}..."; \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${url}" > "${TMP_FILE}"; \ + printf "%s %s\n" "${sha256}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256"; \ + sha256sum -c "${TMP_DIR}/checksum.sha256"; \ + tar xJf "${TMP_FILE}" -C "${TMP_DIR}"; +RUN useradd -m suse; \ + if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi; \ + echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers; +RUN if [ "nix" = "nix" ]; then \ + TMP_DIR="/tmp/extract_nix"; \ + sudo mkdir -p /etc/nix && \ + printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ + sudo chown -R suse:users /etc/nix; \ + sudo chown -R suse:users "${TMP_DIR}"; \ + sudo mkdir -p /nix && \ + sudo chown -R suse:users /nix; \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh; \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local; \ + fi; +USER suse +WORKDIR /home/suse +ENV USER=suse +RUN set -e; \ + case "${ARCH}" in \ + amd64) \ + url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-x86_64-linux.tar.xz"; \ + sha256="0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1"; \ + extract="nix-2.34.5-x86_64-linux/install" \ + ;; \ + arm64) \ + url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-aarch64-linux.tar.xz"; \ + sha256="771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57"; \ + extract="nix-2.34.5-aarch64-linux/install" \ + ;; \ + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + if [ "nix" = "nix" 
]; then \ + TMP_DIR="/tmp/extract_nix"; \ + ${TMP_DIR}/${extract} --no-daemon; \ + else \ + TMP_DIR="/tmp/extract_nix"; \ + ${TMP_DIR}/${extract}; \ + fi; +USER root +ENV USER=root + +# goreleaser v2.15.2 +RUN case "${ARCH}" in \ + amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ + arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export TMP_DIR=$(mktemp -d) && \ + export TMP_FILE="${TMP_DIR}/goreleaser.tar.gz" && \ + case "${ARCH}" in \ + amd64) DOWNLOAD_URL="https://github.com/goreleaser/goreleaser/releases/download/v2.15.2/goreleaser_Linux_x86_64.tar.gz"; EXTRACT="goreleaser" ;; \ + arm64) DOWNLOAD_URL="https://github.com/goreleaser/goreleaser/releases/download/v2.15.2/goreleaser_Linux_arm64.tar.gz"; EXTRACT="goreleaser" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256" && \ + sha256sum -c "${TMP_DIR}/checksum.sha256" && \ + tar xzf "${TMP_FILE}" -C "${TMP_DIR}" && \ + install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/goreleaser" && \ + rm -rf "${TMP_DIR}" + +# Family selectors — copy scripts and set up manifest + active symlinks. +# /var/ci-tools/active is on PATH ahead of /usr/local/bin; runner can update +# the active symlink with: ci-select or select- +COPY dockerfiles/scripts/select-helm.sh /usr/local/bin/select-helm +COPY dockerfiles/scripts/ci-select.sh /usr/local/bin/ci-select +RUN chmod +x /usr/local/bin/select-helm && chmod +x /usr/local/bin/ci-select + +# Create a new group with GID 121 and a new user with UID 1001, add the user +# to the group, create a home directory for the user. +# Also set up CI tool family infrastructure (requires runner group to exist). 
+RUN groupadd -g 121 runner && useradd -u 1001 -g 121 -m runner \ + && mkdir -p /var/ci-tools/active \ + && mkdir -p /usr/local/share/ci-tools/families/helm \ + && touch /usr/local/share/ci-tools/families/helm/helmv3 \ + && touch /usr/local/share/ci-tools/families/helm/helmv4 \ + && ln -sf helmv4 /usr/local/share/ci-tools/families/helm/default \ + && ln -sf /usr/local/bin/helmv4 /var/ci-tools/active/helm \ + && chown -R root:runner /var/ci-tools \ + && chmod 2775 /var/ci-tools/active + +# We trust our base image and the repos that are pulled in workflows. Otherwise +# each workflow that uses our base images would have to add the step below. +RUN git config --system --add safe.directory '*' diff --git a/images-lock.yaml b/images-lock.yaml index cea6dbf..cf85e7d 100644 --- a/images-lock.yaml +++ b/images-lock.yaml @@ -10,6 +10,7 @@ images: - node22 - node24 - charts + - nix packages: - gettext-runtime - ca-certificates @@ -32,6 +33,7 @@ tools: govulncheck: v1.2.0 helmv3: v3.20.2 helmv4: v4.1.4 + nix: 2.34.5 ob-charts-tool: v0.4.1 oras: v1.3.1 slsactl: v0.1.30 @@ -108,6 +110,24 @@ configs: helm: helmv4 go_version: 1.26.2 description: CI image with Go 1.26 toolchain + nix: + base: registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea + platforms: + - linux/amd64 + - linux/arm64 + packages: + - sudo + tools: + - cosign + - gh + - goreleaser + - helmv3 + - helmv4 + - nix + - slsactl + family_selectors: + helm: helmv4 + description: Nix environment node22: base: registry.suse.com/bci/nodejs:22.22.2@sha256:b81c6b8ffd79f8007c621b6ad21d8aa195fb3c6c8024ac6a04923227d9a18a81 platforms: diff --git a/internal/dockerfile/build.go b/internal/dockerfile/build.go index 2d481b3..89893a6 100644 --- a/internal/dockerfile/build.go +++ b/internal/dockerfile/build.go 
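Review bot: `echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers` leaves the `suse` account with unrestricted passwordless root in the published image, and the preceding `touch /etc/sudoers` fallback creates the file with the umask's default mode rather than the root-owned 0440 sudo expects, so on a base that lacks the file sudo would likely refuse it anyway; appending also bypasses visudo's syntax check. The same three lines recur in the patch-2 version of this file and in `nix-pre.tmpl`. A validated drop-in is the safer form, `printf 'suse ALL=(ALL) NOPASSWD:ALL\n' > /etc/sudoers.d/suse && chmod 0440 /etc/sudoers.d/suse && visudo -cf /etc/sudoers.d/suse`, assuming the packaged sudoers includes `/etc/sudoers.d`. Since every root-only step here runs before `USER suse` and `/nix` is chowned to `suse` first, it is worth confirming whether the single-user installer needs sudo at all; if it does not, the rule can go, or the drop-in can be removed once `USER root` is restored.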
@@ -166,7 +166,7 @@ func buildCurlInstall(t config.Tool, imgPlatforms map[string]bool) (CurlInstall, } // Format is uniform across platforms — derive from the first rendered URL. - format, ext := detectFormat(platforms[0].DownloadURL) + format, ext := detectFormat(platforms[0].DownloadURL, platforms[0].Extract) return CurlInstall{ Name: t.Name, @@ -190,14 +190,20 @@ func buildGoInstall(t config.Tool) (GoInstall, error) { return GoInstall{Package: pkg}, nil } -// detectFormat classifies a rendered download URL as "archive", "gzip", or "binary", +// detectFormat classifies a rendered download URL as "archive", "archive_script", "gzip", "script", or "binary", // and returns the archive extension (non-empty only for "archive"). -func detectFormat(url string) (format, ext string) { +func detectFormat(url, extract string) (format, ext string) { if ext = archiveExt(url); ext != "" { + if strings.HasSuffix(extract, "install") || strings.HasSuffix(extract, ".sh") { + return "archive_script", ext + } return "archive", ext } if isGzipBinaryURL(url) { return "gzip", "" } + if isScriptURL(url) { + return "script", "" + } return "binary", "" } diff --git a/internal/dockerfile/install.go b/internal/dockerfile/install.go index 912a8be..d9a6832 100644 --- a/internal/dockerfile/install.go +++ b/internal/dockerfile/install.go @@ -45,3 +45,9 @@ func isGzipBinaryURL(url string) bool { u := urlExt(url) return strings.HasSuffix(u, ".gz") && !strings.HasSuffix(u, ".tar.gz") } + +// isScriptURL reports whether url is an installation script. +func isScriptURL(url string) bool { + u := urlExt(url) + return strings.HasSuffix(u, ".sh") || strings.HasSuffix(u, "/install") +} diff --git a/internal/dockerfile/tmpl/curl_archive_script.tmpl b/internal/dockerfile/tmpl/curl_archive_script.tmpl new file mode 100644 index 0000000..1318203 --- /dev/null +++ b/internal/dockerfile/tmpl/curl_archive_script.tmpl 
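Review bot: `strings.HasSuffix(extract, "install")` in the new detectFormat branch matches any extract path whose last letters happen to be those, for example one ending in `uninstall` or `reinstall`, so a plain binary would be classified as `archive_script`; compare the final path component instead, `path.Base(extract) == "install" || strings.HasSuffix(extract, ".sh")`. The same suffix test drives `isScriptURL` in the install.go hunk of this patch, where it is applied to `urlExt(url)`; whether `/install` can ever match depends on what that helper returns, which is not visible here. Patches 2 and 3 of this series drop the second argument at the call site and delete `isScriptURL`, so this applies only if the `script` format is reintroduced. The first hunk sits inside buildCurlInstall, whose body starts outside it.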
@@ -0,0 +1,56 @@ +RUN set -e; \ + case "${ARCH}" in \ +{{- range .Platforms}} + {{.Arch}}) \ + url="{{.DownloadURL}}"; \ + sha256="{{.Checksum}}"; \ + extract="{{.Extract}}" \ + ;; \ +{{- end}} + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + export TMP_DIR="/tmp/extract_{{.Name}}"; \ + export TMP_FILE="${TMP_DIR}/{{.Name}}{{.ArchiveExt}}"; \ + mkdir -p "${TMP_DIR}"; \ + echo "Downloading {{.Name}} archive from ${url}..."; \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${url}" > "${TMP_FILE}"; \ + printf "%s %s\n" "${sha256}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256"; \ + sha256sum -c "${TMP_DIR}/checksum.sha256"; \ + {{extractCmd .ArchiveExt}}; +RUN useradd -m suse; \ + if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi; \ + echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers; +RUN if [ "{{.Name}}" = "nix" ]; then \ + TMP_DIR="/tmp/extract_{{.Name}}"; \ + sudo mkdir -p /etc/nix && \ + printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ + sudo chown -R suse:users /etc/nix; \ + sudo chown -R suse:users "${TMP_DIR}"; \ + sudo mkdir -p /nix && \ + sudo chown -R suse:users /nix; \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh; \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local; \ + fi; +USER suse +WORKDIR /home/suse +ENV USER=suse +RUN set -e; \ + case "${ARCH}" in \ +{{- range .Platforms}} + {{.Arch}}) \ + url="{{.DownloadURL}}"; \ + sha256="{{.Checksum}}"; \ + extract="{{.Extract}}" \ + ;; \ +{{- end}} + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + if [ "{{.Name}}" = "nix" ]; then \ + TMP_DIR="/tmp/extract_{{.Name}}"; \ + ${TMP_DIR}/${extract} --no-daemon; \ + else \ + TMP_DIR="/tmp/extract_{{.Name}}"; \ + ${TMP_DIR}/${extract}; \ + fi; +USER root +ENV USER=root From 1f830f608791b11dcc0064db8d664151d89c0bb7 Mon Sep 17 00:00:00 2001 
From: matttrach Date: Tue, 12 May 2026 16:41:43 -0500 Subject: [PATCH 2/4] fix: adjust to new hook system Signed-off-by: matttrach --- deps.yaml | 4 +- dockerfiles/Dockerfile.nix | 119 +++++++++--------- images-lock.yaml | 2 + internal/dockerfile/build.go | 2 +- .../dockerfile/tmpl/curl_archive_script.tmpl | 56 --------- internal/dockerfile/tmpl/nix-post.tmpl | 21 ++++ internal/dockerfile/tmpl/nix-pre.tmpl | 14 +++ 7 files changed, 102 insertions(+), 116 deletions(-) delete mode 100644 internal/dockerfile/tmpl/curl_archive_script.tmpl create mode 100644 internal/dockerfile/tmpl/nix-post.tmpl create mode 100644 internal/dockerfile/tmpl/nix-pre.tmpl diff --git a/deps.yaml b/deps.yaml index 5cfa199..3d31ecc 100644 --- a/deps.yaml +++ b/deps.yaml @@ -69,6 +69,7 @@ images: base: "registry.suse.com/bci/bci-base:15.7@sha256:3292c81fb9e40b60903e6c88fac34e955b6d5b3acd3eb055d02d5c1538a72aea" packages: - sudo + - vim tools: - nix - goreleaser @@ -211,5 +212,4 @@ tools: release: download_template: "{source}/nix-{version}/nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}.tar.xz" extract: "nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}/install" - install: - method: curl + install_to_path: false diff --git a/dockerfiles/Dockerfile.nix b/dockerfiles/Dockerfile.nix index d20933d..c7abfd6 100644 --- a/dockerfiles/Dockerfile.nix +++ b/dockerfiles/Dockerfile.nix 
@@ -25,10 +25,20 @@ RUN zypper -n refresh && \ zstd \ wget \ sudo \ + vim \ && \ zypper -n clean -a && \ rm -rf /var/log/{lastlog,tallylog,zypper.log,zypp/history,YaST2} +# Create runner group (GID 121) and user (UID 1001) early for use in tool installations. +# /var/ci-tools/ is set up with setgid (2755) so subdirectories inherit the runner group. +# This allows any user added to the runner group to access tools extracted to /var/ci-tools/. +RUN groupadd -g 121 runner && \ + useradd -u 1001 -g 121 -m runner && \ + mkdir -p /var/ci-tools && \ + chown root:runner /var/ci-tools && \ + chmod 2755 /var/ci-tools + # cosign v3.0.6 RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ 
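Review bot: `vim` is added to the image's package set (here and in the deps.yaml hunk of this patch) without a stated reason; an interactive editor in a CI image is extra surface and download weight that non-interactive workflows cannot use. If some nix step requires it, a one-line comment next to the package list, `# vim: required by <step> — TODO name it`, would stop the next reviewer from removing it; otherwise drop it from both files. The new runner-group block reads fine, though the `2755` mode on `/var/ci-tools` means the comment's "access" is read and traverse only, which is worth saying explicitly.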
@@ -123,66 +133,63 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # nix 2.34.5 -RUN set -e; \ + +# Pre-install setup for nix +# Create unprivileged user for Nix installation +RUN useradd -m suse && \ + if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi && \ + echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Add suse user to runner group and create /etc/nix directory and configuration +RUN usermod -a -G runner suse && \ + sudo mkdir -p /etc/nix && \ + printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ + sudo chown -R suse:runner /etc/nix && \ + sudo mkdir -p /nix && \ + sudo chown -R suse:runner /nix && \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh && \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local + +RUN case "${ARCH}" in \ + amd64) CHECKSUM="0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1" ;; \ + arm64) CHECKSUM="771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57" ;; \ + *) echo "Unsupported: ${ARCH}"; exit 1 ;; \ + esac && \ + export INSTALL_DIR="/var/ci-tools/nix" && \ + mkdir -p "${INSTALL_DIR}" && \ + export TMP_FILE="${INSTALL_DIR}/nix.tar.xz" && \ case "${ARCH}" in \ - amd64) \ - url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-x86_64-linux.tar.xz"; \ - sha256="0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1"; \ - extract="nix-2.34.5-x86_64-linux/install" \ - ;; \ - arm64) \ - url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-aarch64-linux.tar.xz"; \ - sha256="771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57"; \ - extract="nix-2.34.5-aarch64-linux/install" \ - ;; \ - *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ - esac; \ - export TMP_DIR="/tmp/extract_nix"; \ - export TMP_FILE="${TMP_DIR}/nix.tar.xz"; \ - mkdir -p "${TMP_DIR}"; \ - echo "Downloading nix archive from ${url}..."; \ - curl -fsSL --retry 3 --retry-delay 5 
--retry-all-errors "${url}" > "${TMP_FILE}"; \ - printf "%s %s\n" "${sha256}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256"; \ - sha256sum -c "${TMP_DIR}/checksum.sha256"; \ - tar xJf "${TMP_FILE}" -C "${TMP_DIR}"; -RUN useradd -m suse; \ - if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi; \ - echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers; -RUN if [ "nix" = "nix" ]; then \ - TMP_DIR="/tmp/extract_nix"; \ - sudo mkdir -p /etc/nix && \ - printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ - sudo chown -R suse:users /etc/nix; \ - sudo chown -R suse:users "${TMP_DIR}"; \ - sudo mkdir -p /nix && \ - sudo chown -R suse:users /nix; \ - echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh; \ - echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local; \ - fi; + amd64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-x86_64-linux.tar.xz"; EXTRACT="nix-2.34.5-x86_64-linux/install" ;; \ + arm64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-aarch64-linux.tar.xz"; EXTRACT="nix-2.34.5-aarch64-linux/install" ;; \ + esac && \ + curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \ + printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${INSTALL_DIR}/checksum.sha256" && \ + sha256sum -c "${INSTALL_DIR}/checksum.sha256" && \ + cd "${INSTALL_DIR}" && \ + tar xf "${TMP_FILE}" && \ + chmod -R a+rX . 
&& \ + rm "${TMP_FILE}" "${INSTALL_DIR}/checksum.sha256" + +# Post-install setup for nix +# Fix ownership and run Nix installer from the extracted archive +RUN set -e; \ + sudo chown -R suse:runner /var/ci-tools/nix + +# Switch to unprivileged user for installation USER suse WORKDIR /home/suse ENV USER=suse + RUN set -e; \ case "${ARCH}" in \ - amd64) \ - url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-x86_64-linux.tar.xz"; \ - sha256="0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1"; \ - extract="nix-2.34.5-x86_64-linux/install" \ - ;; \ - arm64) \ - url="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-aarch64-linux.tar.xz"; \ - sha256="771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57"; \ - extract="nix-2.34.5-aarch64-linux/install" \ - ;; \ + amd64) extract="nix-2.34.5-x86_64-linux/install" ;; \ + arm64) extract="nix-2.34.5-aarch64-linux/install" ;; \ *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ esac; \ - if [ "nix" = "nix" ]; then \ - TMP_DIR="/tmp/extract_nix"; \ - ${TMP_DIR}/${extract} --no-daemon; \ - else \ - TMP_DIR="/tmp/extract_nix"; \ - ${TMP_DIR}/${extract}; \ - fi; + cd /var/ci-tools/nix && \ + ./${extract} --no-daemon + +# Restore root user for remaining Dockerfile operations USER root ENV USER=root 
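Review bot: The installer is run out of `/var/ci-tools/nix` but nothing removes that directory afterwards, so the final image appears to carry the unpacked `nix-2.34.5-*-linux` tree alongside the `/nix` store the installer populates from it; `rm -rf /var/ci-tools/nix` at the end of the post-install block, after `USER root`, would drop it, unless the extracted tree is meant to be reachable under `/var/ci-tools` at runtime, which nothing in the hunk says. The `sudo mkdir`/`sudo chown` calls run while the build is still root, so `sudo` adds nothing there except a dependency on a valid sudoers. `/etc/profile.d/nix.sh` makes every login user, `runner` included, source a file under `/home/suse`; whether `runner` can traverse that directory depends on the mode `useradd -m` applies on this base, which is not visible, so verify that a `runner` login shell does not print an error. The same steps are rendered from `nix-pre.tmpl` and `nix-post.tmpl`.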
@@ -212,11 +219,9 @@ COPY dockerfiles/scripts/select-helm.sh /usr/local/bin/select-helm COPY dockerfiles/scripts/ci-select.sh /usr/local/bin/ci-select RUN chmod +x /usr/local/bin/select-helm && chmod +x /usr/local/bin/ci-select -# Create a new group with GID 121 and a new user with UID 1001, add the user -# to the group, create a home directory for the user. -# Also set up CI tool family infrastructure (requires runner group to exist). -RUN groupadd -g 121 runner && useradd -u 1001 -g 121 -m runner \ - && mkdir -p /var/ci-tools/active \ + +# Set up CI tool family infrastructure (runner user and group created earlier). +RUN mkdir -p /var/ci-tools/active \ && mkdir -p /usr/local/share/ci-tools/families/helm \ && touch /usr/local/share/ci-tools/families/helm/helmv3 \ && touch /usr/local/share/ci-tools/families/helm/helmv4 \ diff --git a/images-lock.yaml b/images-lock.yaml index 7b43b30..f7061bf 100644 --- a/images-lock.yaml +++ b/images-lock.yaml @@ -33,6 +33,7 @@ tools: govulncheck: v1.2.0 helmv3: v3.20.2 helmv4: v4.1.4 + nix: 2.34.5 ob-charts-tool: v0.5.0 oras: v1.3.1 slsactl: v0.1.30 @@ -116,6 +117,7 @@ configs: - linux/arm64 packages: - sudo + - vim tools: - cosign - gh diff --git a/internal/dockerfile/build.go b/internal/dockerfile/build.go index 0e033d3..6fd9901 100644 --- a/internal/dockerfile/build.go +++ b/internal/dockerfile/build.go @@ -198,7 +198,7 @@ func buildCurlInstall(t config.Tool, imgPlatforms map[string]bool) (CurlInstall, } // Format is uniform across platforms — derive from the first rendered URL. - format, ext := detectFormat(platforms[0].DownloadURL, platforms[0].Extract) + format, ext := detectFormat(platforms[0].DownloadURL) return CurlInstall{ Name: t.Name, diff --git a/internal/dockerfile/tmpl/curl_archive_script.tmpl b/internal/dockerfile/tmpl/curl_archive_script.tmpl deleted file mode 100644 index 1318203..0000000 --- a/internal/dockerfile/tmpl/curl_archive_script.tmpl +++ /dev/null 
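Review bot: The RUN this hunk trims still ends, outside the hunk and as far as the patch-1 version of the file shows, with `chown -R root:runner /var/ci-tools`, which re-owns `/var/ci-tools/nix` that `nix-post` had just handed to `suse:runner`. That is harmless if the directory is only installer staging, but then it should be deleted after the installer runs rather than re-owned; if the extracted tree is meant to stay, narrow the chown to what this step creates, `chown root:runner /var/ci-tools /var/ci-tools/active`, so the two steps stop fighting over ownership. The tail of this RUN is not in the hunk.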
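Review bot: The call site goes back to `detectFormat(platforms[0].DownloadURL)` while no hunk in this patch restores the one-parameter signature that patch 1 changed to `detectFormat(url, extract string)`; the file indexes differ from patch 1, so the intermediate tree may already have reverted it, but if not this does not compile. Either include the signature and the `archive_script` branch removal in this patch or note in the message that the revert landed separately. The enclosing function starts outside the hunk.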
@@ -1,56 +0,0 @@ -RUN set -e; \ - case "${ARCH}" in \ -{{- range .Platforms}} - {{.Arch}}) \ - url="{{.DownloadURL}}"; \ - sha256="{{.Checksum}}"; \ - extract="{{.Extract}}" \ - ;; \ -{{- end}} - *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ - esac; \ - export TMP_DIR="/tmp/extract_{{.Name}}"; \ - export TMP_FILE="${TMP_DIR}/{{.Name}}{{.ArchiveExt}}"; \ - mkdir -p "${TMP_DIR}"; \ - echo "Downloading {{.Name}} archive from ${url}..."; \ - curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${url}" > "${TMP_FILE}"; \ - printf "%s %s\n" "${sha256}" "${TMP_FILE}" > "${TMP_DIR}/checksum.sha256"; \ - sha256sum -c "${TMP_DIR}/checksum.sha256"; \ - {{extractCmd .ArchiveExt}}; -RUN useradd -m suse; \ - if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi; \ - echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers; -RUN if [ "{{.Name}}" = "nix" ]; then \ - TMP_DIR="/tmp/extract_{{.Name}}"; \ - sudo mkdir -p /etc/nix && \ - printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ - sudo chown -R suse:users /etc/nix; \ - sudo chown -R suse:users "${TMP_DIR}"; \ - sudo mkdir -p /nix && \ - sudo chown -R suse:users /nix; \ - echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh; \ - echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local; \ - fi; -USER suse -WORKDIR /home/suse -ENV USER=suse -RUN set -e; \ - case "${ARCH}" in \ -{{- range .Platforms}} - {{.Arch}}) \ - url="{{.DownloadURL}}"; \ - sha256="{{.Checksum}}"; \ - extract="{{.Extract}}" \ - ;; \ -{{- end}} - *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ - esac; \ - if [ "{{.Name}}" = "nix" ]; then \ - TMP_DIR="/tmp/extract_{{.Name}}"; \ - ${TMP_DIR}/${extract} --no-daemon; \ - else \ - TMP_DIR="/tmp/extract_{{.Name}}"; \ - ${TMP_DIR}/${extract}; \ - fi; -USER root -ENV USER=root 
diff --git a/internal/dockerfile/tmpl/nix-post.tmpl b/internal/dockerfile/tmpl/nix-post.tmpl new file mode 100644 index 0000000..14b2073 --- /dev/null +++ b/internal/dockerfile/tmpl/nix-post.tmpl @@ -0,0 +1,21 @@ +# Fix ownership and run Nix installer from the extracted archive +RUN set -e; \ + sudo chown -R suse:runner /var/ci-tools/nix + +# Switch to unprivileged user for installation +USER suse +WORKDIR /home/suse +ENV USER=suse + +RUN set -e; \ + case "${ARCH}" in \ + amd64) extract="nix-2.34.5-x86_64-linux/install" ;; \ + arm64) extract="nix-2.34.5-aarch64-linux/install" ;; \ + *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \ + esac; \ + cd /var/ci-tools/nix && \ + ./${extract} --no-daemon + +# Restore root user for remaining Dockerfile operations +USER root +ENV USER=root diff --git a/internal/dockerfile/tmpl/nix-pre.tmpl b/internal/dockerfile/tmpl/nix-pre.tmpl new file mode 100644 index 0000000..a423c92 --- /dev/null +++ b/internal/dockerfile/tmpl/nix-pre.tmpl @@ -0,0 +1,14 @@ +# Create unprivileged user for Nix installation +RUN useradd -m suse && \ + if [ ! -f /etc/sudoers ]; then touch /etc/sudoers; fi && \ + echo "suse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Add suse user to runner group and create /etc/nix directory and configuration +RUN usermod -a -G runner suse && \ + sudo mkdir -p /etc/nix && \ + printf "build-users-group =\nsandbox = false\nfilter-syscalls = false\n" > /etc/nix/nix.conf && \ + sudo chown -R suse:runner /etc/nix && \ + sudo mkdir -p /nix && \ + sudo chown -R suse:runner /nix && \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/profile.d/nix.sh && \ + echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local From e6891fd40c347ab7f04434b98238069d62f652d4 Mon Sep 17 00:00:00 2001 From: matttrach Date: Tue, 12 May 2026 16:48:08 -0500 Subject: [PATCH 3/4] fix: remove is script url function 
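Review bot: The nix.conf written by `nix-pre.tmpl` turns off three of Nix's isolation layers at once (`sandbox = false`, `filter-syscalls = false`, and an empty `build-users-group`) with no comment saying why, which makes it look like a leftover rather than a decision. A comment above the `printf`, `# Builds in this image run unsandboxed as the invoking user: sandbox, seccomp filtering and build-user separation are disabled because <reason — TODO fill in>`, records the trade-off for whoever later hardens the image. The same `/etc/sudoers` append discussed on the patch-1 Dockerfile applies to this template.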
Signed-off-by: matttrach --- internal/dockerfile/install.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/internal/dockerfile/install.go b/internal/dockerfile/install.go index d9a6832..1619379 100644 --- a/internal/dockerfile/install.go +++ b/internal/dockerfile/install.go @@ -46,8 +46,3 @@ func isGzipBinaryURL(url string) bool { return strings.HasSuffix(u, ".gz") && !strings.HasSuffix(u, ".tar.gz") } -// isScriptURL reports whether url is an installation script. -func isScriptURL(url string) bool { - u := urlExt(url) - return strings.HasSuffix(u, ".sh") || strings.HasSuffix(u, "/install") -} From 56552010d43672b638ad769830a574471aa7c23c Mon Sep 17 00:00:00 2001 From: matttrach Date: Tue, 12 May 2026 17:57:58 -0500 Subject: [PATCH 4/4] fix: add version variable in docker template Signed-off-by: matttrach --- deps.yaml | 6 +++--- dockerfiles/Dockerfile.charts | 10 ++++++++++ dockerfiles/Dockerfile.go1.25 | 9 +++++++++ dockerfiles/Dockerfile.go1.26 | 9 +++++++++ dockerfiles/Dockerfile.nix | 21 ++++++++++++++------- dockerfiles/Dockerfile.node22 | 5 +++++ dockerfiles/Dockerfile.node24 | 5 +++++ dockerfiles/Dockerfile.python3.11 | 5 +++++ dockerfiles/Dockerfile.python3.13 | 5 +++++ images-lock.yaml | 2 +- internal/dockerfile/tmpl/dockerfile.tmpl | 3 ++- internal/dockerfile/tmpl/nix-post.tmpl | 4 ++-- 12 files changed, 70 insertions(+), 14 deletions(-) diff --git a/deps.yaml b/deps.yaml index 3d31ecc..d384f1f 100644 --- a/deps.yaml +++ b/deps.yaml 
@@ -205,10 +205,10 @@ tools: - name: nix source: "https://releases.nixos.org/nix" mode: static - version: 2.34.5 + version: 2.34.7 checksums: - linux/amd64: "0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1" - linux/arm64: "771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57" + linux/amd64: "eafe5042404e818505e28c5ca3d0885f3ec45c31f955489a25bb38258f87560e" + linux/arm64: "f1cee64ae7a02330c6421924c28f597c41813f2214ff108622087d8056378b08" release: download_template: "{source}/nix-{version}/nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}.tar.xz" extract: "nix-{version}-{arch|replace:amd64=x86_64|replace:arm64=aarch64}-{os}/install" diff --git a/dockerfiles/Dockerfile.charts b/dockerfiles/Dockerfile.charts index 5513b10..7fa599c 100644 --- a/dockerfiles/Dockerfile.charts +++ b/dockerfiles/Dockerfile.charts @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ 
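Review bot: `ENV cosign_version="v3.0.6"` bakes a build-time constant into the runtime environment of every container started from the image, and the same holds for each `<tool>_version` line in the following hunks and in the Dockerfile.go1.25 hunks. If the value only feeds the RUN steps the templates render, `ARG cosign_version="v3.0.6"` keeps it out of the runtime env; if it is intended as a runtime contract for workflows, the conventional spelling is upper-case, `ENV COSIGN_VERSION="v3.0.6"`, and the README should list it. The `# cosign v3.0.6` comment directly above still carries the literal version, so the variable currently duplicates rather than replaces it. The `dockerfile.tmpl` change that generates these lines is in the diffstat but not visible here.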
@@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -114,6 +118,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ @@ -133,6 +138,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # golangci-lint v2.11.4 +ENV golangci-lint_version="v2.11.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="200c5b7503f67b59a6743ccf32133026c174e272b930ee79aa2aa6f37aca7ef1" ;; \ arm64) CHECKSUM="3bcfa2e6f3d32b2bf5cd75eaa876447507025e0303698633f722a05331988db4" ;; \ @@ -152,6 +158,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ @@ -171,6 +178,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # charts-build-scripts v1.9.20 +ENV charts-build-scripts_version="v1.9.20" RUN case "${ARCH}" in \ amd64) CHECKSUM="4935603ca72fff6599bc02a7d251f8bc030d6bf9681e5dccea2c7a3ae2d51b01" ;; \ arm64) CHECKSUM="99670273988d91932b3c2f4fc97a55657d518929e8d80d9e164d2ce5bfa23f73" ;; \ @@ -188,6 +196,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # ob-charts-tool v0.5.0 +ENV ob-charts-tool_version="v0.5.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="7387439e73e5f48a13f8f1f0800023d255f086562293bc17affb7535a093887d" ;; \ arm64) CHECKSUM="892163556c58e2349d7209f51b9fbe44745bd99d5dec086fdb0888d6095228f0" ;; \ 
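Review bot: `ENV golangci-lint_version="v2.11.4"` in the golangci-lint hunk (and `charts-build-scripts_version` and `ob-charts-tool_version` further along this line, plus the matching golangci-lint hunks in Dockerfile.go1.25 and Dockerfile.go1.26) defines a variable whose name contains `-`, which is not a valid shell parameter name: `${golangci-lint_version}` in a later RUN is a "bad substitution", and as far as I recall Docker's own `${...}` expansion in subsequent instructions also stops at the `-`, so the value is exported into every container but cannot be read by name. The names are produced by `ENV {{.Name}}_version="{{.Version}}"` in the dockerfile.tmpl hunk near the end of the page, so the fix belongs there: normalise the name to `[A-Za-z0-9_]` before emitting it (e.g. `golangci_lint_version`), either through a string-replace helper if the template engine exposes one, which is not visible here, or by adding an env-safe name next to `.Name` on the tool data. Names without a hyphen, such as `helmv4_version` in the first hunk on this line, are unaffected.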
@@ -205,6 +214,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # oras v1.3.1 +ENV oras_version="v1.3.1" RUN case "${ARCH}" in \ amd64) CHECKSUM="d52c4af76ce6a3ceb8579e51fb751a43ac051cca67f965f973a0b0e897a2bb86" ;; \ arm64) CHECKSUM="79946ad57d732836f9242f903f476b6fa484c451d659f121bce54d931ab2a044" ;; \ diff --git a/dockerfiles/Dockerfile.go1.25 b/dockerfiles/Dockerfile.go1.25 index dfd9c77..26a174f 100644 --- a/dockerfiles/Dockerfile.go1.25 +++ b/dockerfiles/Dockerfile.go1.25 @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -114,6 +118,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ @@ -133,6 +138,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # golangci-lint v2.11.4 +ENV golangci-lint_version="v2.11.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="200c5b7503f67b59a6743ccf32133026c174e272b930ee79aa2aa6f37aca7ef1" ;; \ arm64) CHECKSUM="3bcfa2e6f3d32b2bf5cd75eaa876447507025e0303698633f722a05331988db4" ;; \ @@ -152,6 +158,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ @@ -171,9 +178,11 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # govulncheck v1.2.0 +ENV govulncheck_version="v1.2.0" RUN go install golang.org/x/vuln/cmd/govulncheck@a8075323febce35764797d66a61fa9e19a8d9797 # oras v1.3.1 +ENV oras_version="v1.3.1" RUN case "${ARCH}" in \ amd64) CHECKSUM="d52c4af76ce6a3ceb8579e51fb751a43ac051cca67f965f973a0b0e897a2bb86" ;; \ arm64) CHECKSUM="79946ad57d732836f9242f903f476b6fa484c451d659f121bce54d931ab2a044" ;; \ diff --git a/dockerfiles/Dockerfile.go1.26 b/dockerfiles/Dockerfile.go1.26 index 246cb83..136be4e 100644 --- a/dockerfiles/Dockerfile.go1.26 +++ b/dockerfiles/Dockerfile.go1.26 @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ 
@@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ @@ -114,6 +118,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ @@ -133,6 +138,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # golangci-lint v2.11.4 +ENV golangci-lint_version="v2.11.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="200c5b7503f67b59a6743ccf32133026c174e272b930ee79aa2aa6f37aca7ef1" ;; \ arm64) CHECKSUM="3bcfa2e6f3d32b2bf5cd75eaa876447507025e0303698633f722a05331988db4" ;; \ @@ -152,6 +158,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ 
@@ -171,9 +178,11 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # govulncheck v1.2.0 +ENV govulncheck_version="v1.2.0" RUN go install golang.org/x/vuln/cmd/govulncheck@a8075323febce35764797d66a61fa9e19a8d9797 # oras v1.3.1 +ENV oras_version="v1.3.1" RUN case "${ARCH}" in \ amd64) CHECKSUM="d52c4af76ce6a3ceb8579e51fb751a43ac051cca67f965f973a0b0e897a2bb86" ;; \ arm64) CHECKSUM="79946ad57d732836f9242f903f476b6fa484c451d659f121bce54d931ab2a044" ;; \ diff --git a/dockerfiles/Dockerfile.nix b/dockerfiles/Dockerfile.nix index c7abfd6..dd3e390 100644 --- a/dockerfiles/Dockerfile.nix +++ b/dockerfiles/Dockerfile.nix @@ -40,6 +40,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -57,6 +58,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -76,6 +78,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -95,6 +98,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -114,6 +118,7 @@ RUN case "${ARCH}" in \
 rm -rf "${TMP_DIR}"
 # slsactl v0.1.30
+ENV slsactl_version="v0.1.30"
 RUN case "${ARCH}" in \
 amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \
 arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \
@@ -132,7 +137,8 @@ RUN case "${ARCH}" in \
 install "${TMP_DIR}/${EXTRACT}" "/usr/local/bin/slsactl" && \
 rm -rf "${TMP_DIR}"
-# nix 2.34.5
+# nix 2.34.7
+ENV nix_version="2.34.7"
 # Pre-install setup for nix
 # Create unprivileged user for Nix installation
@@ -151,16 +157,16 @@ RUN usermod -a -G runner suse && \
 echo 'source /home/suse/.nix-profile/etc/profile.d/nix.sh' > /etc/bash.bashrc.local
 RUN case "${ARCH}" in \
- amd64) CHECKSUM="0a0462692a10ff1eb8a608f713f38d1f25a208ad55963a9c00b239da398de5a1" ;; \
- arm64) CHECKSUM="771e4b6f719243b9481f19eaedfbbbacc2f4a0282d6e043df4f33bb449ea3c57" ;; \
+ amd64) CHECKSUM="eafe5042404e818505e28c5ca3d0885f3ec45c31f955489a25bb38258f87560e" ;; \
+ arm64) CHECKSUM="f1cee64ae7a02330c6421924c28f597c41813f2214ff108622087d8056378b08" ;; \
 *) echo "Unsupported: ${ARCH}"; exit 1 ;; \
 esac && \
 export INSTALL_DIR="/var/ci-tools/nix" && \
 mkdir -p "${INSTALL_DIR}" && \
 export TMP_FILE="${INSTALL_DIR}/nix.tar.xz" && \
 case "${ARCH}" in \
- amd64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-x86_64-linux.tar.xz"; EXTRACT="nix-2.34.5-x86_64-linux/install" ;; \
- arm64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.5/nix-2.34.5-aarch64-linux.tar.xz"; EXTRACT="nix-2.34.5-aarch64-linux/install" ;; \
+ amd64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.7/nix-2.34.7-x86_64-linux.tar.xz"; EXTRACT="nix-2.34.7-x86_64-linux/install" ;; \
+ arm64) DOWNLOAD_URL="https://releases.nixos.org/nix/nix-2.34.7/nix-2.34.7-aarch64-linux.tar.xz"; EXTRACT="nix-2.34.7-aarch64-linux/install" ;; \
 esac && \
 curl -fsSL --retry 3 --retry-delay 5 --retry-all-errors "${DOWNLOAD_URL}" > "${TMP_FILE}" && \
 printf "%s %s\n" "${CHECKSUM}" "${TMP_FILE}" > "${INSTALL_DIR}/checksum.sha256" && \
@@ -182,8 +188,8 @@ ENV USER=suse
 RUN set -e; \
 case "${ARCH}" in \
- amd64) extract="nix-2.34.5-x86_64-linux/install" ;; \
- arm64) extract="nix-2.34.5-aarch64-linux/install" ;; \
+ amd64) extract="nix-${nix_version}-x86_64-linux/install" ;; \
+ arm64) extract="nix-${nix_version}-aarch64-linux/install" ;; \
 *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \
 esac; \
 cd /var/ci-tools/nix && \
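Review bot: `extract="nix-${nix_version}-x86_64-linux/install"` in the second hunk expands to `nix--x86_64-linux/install` when `nix_version` is unset, and `set -e` does not catch an empty expansion, so a Dockerfile rendered or hand-edited without the new `ENV nix_version=` line only fails later at whatever consumes `${extract}`; add `: "${nix_version:?nix_version is not set}"; \` before the `case`. The same lines appear in the nix-post.tmpl hunk at the end of the page, which is where this block is rendered from, so the guard belongs in the template. Note also that the download step in the first hunk still embeds the literal `2.34.7` in `DOWNLOAD_URL` and `EXTRACT` while the post-install step reads `${nix_version}`; both are derived from deps.yaml today, but having the download renderer use the same variable would remove the chance of the two drifting. The RUN continues past the hunk (`cd /var/ci-tools/nix && \`).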
@@ -194,6 +200,7 @@ USER root ENV USER=root # goreleaser v2.15.2 +ENV goreleaser_version="v2.15.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc" ;; \ arm64) CHECKSUM="5db66761a98f6693161e49e1a95d28d2673a892ba60cb4a5e16736cafd41c4c9" ;; \ diff --git a/dockerfiles/Dockerfile.node22 b/dockerfiles/Dockerfile.node22 index 9055365..5c71db0 100644 --- a/dockerfiles/Dockerfile.node22 +++ b/dockerfiles/Dockerfile.node22 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/dockerfiles/Dockerfile.node24 b/dockerfiles/Dockerfile.node24 index 78cd1f5..63f2e72 100644 --- a/dockerfiles/Dockerfile.node24 +++ b/dockerfiles/Dockerfile.node24 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/dockerfiles/Dockerfile.python3.11 b/dockerfiles/Dockerfile.python3.11 index b0ba50e..f0a4b88 100644 --- a/dockerfiles/Dockerfile.python3.11 +++ b/dockerfiles/Dockerfile.python3.11 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -112,6 +116,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # slsactl v0.1.30 +ENV slsactl_version="v0.1.30" RUN case "${ARCH}" in \ amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \ arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \ diff --git a/dockerfiles/Dockerfile.python3.13 b/dockerfiles/Dockerfile.python3.13 index d5fa8ad..8a6b94d 100644 --- a/dockerfiles/Dockerfile.python3.13 +++ b/dockerfiles/Dockerfile.python3.13 @@ -38,6 +38,7 @@ RUN groupadd -g 121 runner && \ chmod 2755 /var/ci-tools # cosign v3.0.6 +ENV cosign_version="v3.0.6" RUN case "${ARCH}" in \ amd64) CHECKSUM="c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74" ;; \ arm64) CHECKSUM="bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8" ;; \ @@ -55,6 +56,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # gh v2.89.0 +ENV gh_version="v2.89.0" RUN case "${ARCH}" in \ amd64) CHECKSUM="d0422caade520530e76c1c558da47daebaa8e1203d6b7ff10ad7d6faba3490d8" ;; \ arm64) CHECKSUM="9e64a623dfc242990aa5d9b3f507111149c4282f66b68eaad1dc79eeb13b9ce5" ;; \ @@ -74,6 +76,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv3 v3.20.2 +ENV helmv3_version="v3.20.2" RUN case "${ARCH}" in \ amd64) CHECKSUM="258e830a9e613c8a7a302d6059b4bb3b9758f2f3e1bb8ea0d707ce10a9a72fea" ;; \ arm64) CHECKSUM="5ea2d6bc2cda3f8edf985e028809f5a9278f404fb8ab24044de9b7cb9b79a691" ;; \ @@ -93,6 +96,7 @@ RUN case "${ARCH}" in \ rm -rf "${TMP_DIR}" # helmv4 v4.1.4 +ENV helmv4_version="v4.1.4" RUN case "${ARCH}" in \ amd64) CHECKSUM="70b2c30a19da4db264dfd68c8a3664e05093a361cefd89572ffb36f8abfa3d09" ;; \ arm64) CHECKSUM="13d03672be289045d2ff00e4e345d61de1c6f21c1257a45955a30e8ae036d8f1" ;; \ 
@@ -112,6 +116,7 @@ RUN case "${ARCH}" in \
 rm -rf "${TMP_DIR}"
 # slsactl v0.1.30
+ENV slsactl_version="v0.1.30"
 RUN case "${ARCH}" in \
 amd64) CHECKSUM="7ed4750766c135ddcae788d194d7ff59a57c6debdc722fd1e52c06460218f10a" ;; \
 arm64) CHECKSUM="bbbe66089135c82526677177c080f5ca4911ad1989712596338c5acdae4bb383" ;; \
diff --git a/images-lock.yaml b/images-lock.yaml
index f7061bf..c0d99ae 100644
--- a/images-lock.yaml
+++ b/images-lock.yaml
@@ -33,7 +33,7 @@ tools:
 govulncheck: v1.2.0
 helmv3: v3.20.2
 helmv4: v4.1.4
- nix: 2.34.5
+ nix: 2.34.7
 ob-charts-tool: v0.5.0
 oras: v1.3.1
 slsactl: v0.1.30
diff --git a/internal/dockerfile/tmpl/dockerfile.tmpl b/internal/dockerfile/tmpl/dockerfile.tmpl
index 4e9d620..9f34324 100644
--- a/internal/dockerfile/tmpl/dockerfile.tmpl
+++ b/internal/dockerfile/tmpl/dockerfile.tmpl
@@ -22,6 +22,7 @@ RUN groupadd -g 121 runner && \
 chmod 2755 /var/ci-tools
 {{range .Tools}}# {{.Name}} {{.Version}}
+ENV {{.Name}}_version="{{.Version}}"
 {{.Setup.RenderPre}}{{.Install.Render}}{{.Setup.RenderPost}}
 {{end}}{{if .Selectors}}# Family selectors — copy scripts and set up manifest + active symlinks.
@@ -45,4 +46,4 @@ RUN {{.SelectorSetupCmd}}
 {{if .HasAnyOfPackages "git" "git-core"}}# We trust our base image and the repos that are pulled in workflows. Otherwise
 # each workflow that uses our base images would have to add the step below.
-RUN git config --system --add safe.directory '*'{{end}}
\ No newline at end of file
+RUN git config --system --add safe.directory '*'{{end}}
diff --git a/internal/dockerfile/tmpl/nix-post.tmpl b/internal/dockerfile/tmpl/nix-post.tmpl
index 14b2073..d6ec376 100644
--- a/internal/dockerfile/tmpl/nix-post.tmpl
+++ b/internal/dockerfile/tmpl/nix-post.tmpl
@@ -9,8 +9,8 @@ ENV USER=suse
 RUN set -e; \
 case "${ARCH}" in \
- amd64) extract="nix-2.34.5-x86_64-linux/install" ;; \
- arm64) extract="nix-2.34.5-aarch64-linux/install" ;; \
+ amd64) extract="nix-${nix_version}-x86_64-linux/install" ;; \
+ arm64) extract="nix-${nix_version}-aarch64-linux/install" ;; \
 *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \
 esac; \
 cd /var/ci-tools/nix && \