[nc] test new build and release capabilities

Signed-off-by: Nic Cheneweth <[email protected]>

.github/actions/before-publish/action.yaml

@@ -39,3 +39,10 @@ runs:
       with:
         op-value: empc-lab/svc-cosign-private-key/notesPlain
         out-file: cosign.key
+
+    - name: generate release notess
+      shell: bash
+      run: |
+        cat tpl/release-notes.tpl > release-notes.md
+        cat ${{ inputs.instance }} >> release-notes.md
+        echo "</details>" >> release-notes.md

.github/workflows/development-build.yaml

@@ -12,22 +12,22 @@ on:
 
 jobs:
 
-  alpine-dev-release:
-    name: development build and release of alpine image
-    uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/job-container-dev-release.yaml@main
-    secrets:
-      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-    with:
-      image: twdps/gha-container-base-image
-      opencontainer-labels: true
-      before-static-analysis: true
-      snyk-scan: true
-      snyk-severity-threshold: medium
-      snyk-organization: twdps
-      bats-test: true
-      bats-run-container-name: gha-container-base-image
-      bats-entry-point: /bin/ash
-      bats-test-path: test/gha-container-base-image.bats
+  # alpine-dev-release:
+  #   name: development build and release of alpine image
+  #   uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/job-container-dev-release.yaml@main
+  #   secrets:
+  #     OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+  #   with:
+  #     image: twdps/gha-container-base-image
+  #     opencontainer-labels: true
+  #     before-static-analysis: true
+  #     snyk-scan: true
+  #     snyk-severity-threshold: medium
+  #     snyk-organization: twdps
+  #     bats-test: true
+  #     bats-run-container-name: gha-container-base-image
+  #     bats-entry-point: /bin/ash
+  #     bats-test-path: test/gha-container-base-image.bats
 
   ubuntu-22-dev-release:
     name: development build and release of ubuntu.2204 image
@@ -37,7 +37,7 @@ jobs:
     with:
       dockerfile: Dockerfile.ubuntu.22
       image: twdps/gha-container-base-image
-      tag-annotation: ubuntu-22.
+      tag-annotation: 22.04-
       opencontainer-labels: true
       before-static-analysis: true
       snyk-scan: true
@@ -48,21 +48,21 @@ jobs:
       bats-entry-point: /bin/bash
       bats-test-path: test/gha-container-base-image-ubuntu-22.bats
 
-  ubuntu-24-dev-release:
-    name: development build and release of ubuntu.2404 image
-    uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/job-container-dev-release.yaml@main
-    secrets:
-      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-    with:
-      dockerfile: Dockerfile.ubuntu.24
-      image: twdps/gha-container-base-image
-      tag-annotation: ubuntu-24.
-      opencontainer-labels: true
-      before-static-analysis: true
-      snyk-scan: true
-      snyk-severity-threshold: medium
-      snyk-organization: twdps
-      bats-test: true
-      bats-run-container-name: gha-container-base-image
-      bats-entry-point: /bin/bash
-      bats-test-path: test/gha-container-base-image-ubuntu-24.bats
+  # ubuntu-24-dev-release:
+  #   name: development build and release of ubuntu.2404 image
+  #   uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/job-container-dev-release.yaml@main
+  #   secrets:
+  #     OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+  #   with:
+  #     dockerfile: Dockerfile.ubuntu.24
+  #     image: twdps/gha-container-base-image
+  #     tag-annotation: ubuntu-24.
+  #     opencontainer-labels: true
+  #     before-static-analysis: true
+  #     snyk-scan: true
+  #     snyk-severity-threshold: medium
+  #     snyk-organization: twdps
+  #     bats-test: true
+  #     bats-run-container-name: gha-container-base-image
+  #     bats-entry-point: /bin/bash
+  #     bats-test-path: test/gha-container-base-image-ubuntu-24.bats

.github/workflows/publish.yaml

@@ -12,18 +12,18 @@ on:
 
 jobs:
 
-  alpine-publish:
-    name: publish alpine image
-    uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/publish-container.yaml@main
-    secrets:
-      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-    with:
-      image: twdps/gha-container-base-image
-      sign-image: true
-      sbom: true
-      release-notes: true
-      release-message: New release Alpine ThoughtWorks-DPS/gha-container-base-image
-      before-publish: true
+  # alpine-publish:
+  #   name: publish alpine image
+  #   uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/publish-container.yaml@main
+  #   secrets:
+  #     OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+  #   with:
+  #     image: twdps/gha-container-base-image
+  #     sign-image: true
+  #     sbom: true
+  #     release-notes: true
+  #     release-message: New release Alpine ThoughtWorks-DPS/gha-container-base-image
+  #     before-publish: true
 
   ubuntu-22-publish:
     name: publish ubuntu.22 image
@@ -32,23 +32,25 @@ jobs:
       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
     with:
       image: twdps/gha-container-base-image
-      tag-annotation: ubuntu-22.
+      tag-annotation: 22.04-
+      release-tag: 22.04
       sign-image: true
       sbom: true
       release-notes: true
-      release-message: New release Ubuntu.2204 ThoughtWorks-DPS/gha-container-base-image
+      release-body-path: release-notes.md
+      release-message: New release Ubuntu 22.04 ThoughtWorks-DPS/gha-container-base-image
       before-publish: true
 
-  ubuntu-24-publish:
-    name: publish ubuntu.24 image
-    uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/publish-container.yaml@main
-    secrets:
-      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
-    with:
-      image: twdps/gha-container-base-image
-      tag-annotation: ubuntu-24.
-      sign-image: true
-      sbom: true
-      release-notes: true
-      release-message: New release Ubuntu.2404 ThoughtWorks-DPS/gha-container-base-image
-      before-publish: true
+  # ubuntu-24-publish:
+  #   name: publish ubuntu.24 image
+  #   uses: ThoughtWorks-DPS/gha-tools-action/.github/workflows/publish-container.yaml@main
+  #   secrets:
+  #     OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+  #   with:
+  #     image: twdps/gha-container-base-image
+  #     tag-annotation: ubuntu-24.
+  #     sign-image: true
+  #     sbom: true
+  #     release-notes: true
+  #     release-message: New release Ubuntu.2404 ThoughtWorks-DPS/gha-container-base-image
+  #     before-publish: true

Dockerfile.ubuntu.22

@@ -11,82 +11,99 @@ LABEL org.opencontainers.image.title="gha-container-base-image" \
       org.opencontainers.image.created="CREATED" \
       org.opencontainers.image.version="VERSION"
 
-ENV DOCKER_VERSION=5:27.3.1-1~ubuntu.22.04~jammy
-ENV DOCKER_BUILDX_VERSION=0.17.1-1~ubuntu.22.04~jammy
-ENV DOCKER_COMPOSE_VERSION=2.29.7-1~ubuntu.22.04~jammy
-ENV CONTAINERD_VERSION=1.7.22-1
-ENV ONEPASSWORD_VERSION=2.30.0
-ENV VAULT_VERSION=1.18.0
-ENV TELLER_VERSION=1.5.6
-ENV BUILDEVENTS_VERSION=0.16.0
-ENV DEBIAN_FRONTEND=noninteractive
-
-ENV PATH=/home/circleci/bin:/home/circleci/.local/bin:$PATH \
-	  LANG=en_US.UTF-8 \
-	  LANGUAGE=en_US:en \
-	  LC_ALL=en_US.UTF-8
-
 SHELL ["/bin/bash", "-exo", "pipefail", "-c"]
 
-# hadolint ignore=DL4001,DL3004,DL3047,DL3027,DL3008,SC1091,SC2174
-RUN echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/90forceyes && \
-    echo 'DPkg::Options "--force-confnew";' >> /etc/apt/apt.conf.d/90forceyes && apt update && \
+ENV TELLER_VERSION=1.5.6
+ENV DEBIAN_FRONTEND=noninteractive \
+    TERM=dumb \
+    PAGER=cat \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US:en \
+    LC_ALL=en_US.UTF-8
+
+RUN echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/90circleci && \
+    echo 'DPkg::Options "--force-confnew";' >> /etc/apt/apt.conf.d/90circleci && apt-get update && \
+    apt-get install -y \
+            curl \
+            locales && \
+    locale-gen en_US.UTF-8 && \
+    rm -rf /var/lib/apt/lists/* && \
+    \
+    dockerizeArch=x86_64 && \
+    if uname -p | grep "arm64"; then \
+      dockerizeArch=arm64; \
+    fi && \
+    curl -sSL --fail --retry 3 --output /usr/local/bin/dockerize "https://github.com/powerman/dockerize/releases/download/v0.8.0/dockerize-linux-${dockerizeArch}" && \
+    chmod +x /usr/local/bin/dockerize && apt-get update && \
     apt-get install --no-install-recommends -y \
-            ca-certificates=20240203~22.04.1 \
-            locales=2.35-0ubuntu3.8 \
-            build-essential=12.9ubuntu3 \
-            software-properties-common=0.99.22.9 \
-            apt-transport-https=2.4.13 \
-            tzdata=2024a-0ubuntu0.22.04.1 \
-            lsb-release=11.1.0ubuntu4 \
-            gettext-base=0.21-4ubuntu4 \
-            gcc=4:11.2.0-1ubuntu1 \
-            g++=4:11.2.0-1ubuntu1 \
-            cmake=3.22.1-1ubuntu1.22.04.2 \
-            make=4.3-4.1build1 \
-            git=1:2.34.1-1ubuntu1.11 \
-            git-lfs=3.0.2-1ubuntu0.2 \
-            curl=7.81.0-1ubuntu1.18 \
-            libcurl4-openssl-dev=7.81.0-1ubuntu1.18 \
-            tar=1.34+dfsg-1ubuntu0.1.22.04.2 \
-            wget=1.21.2-2ubuntu1.1 \
-            unzip=6.0-26ubuntu3.2 \
-            gzip=1.10-4ubuntu4.1 \
-            zip=3.0-12build2 \
-            bzip2=1.0.8-5build1 \
-            jq=1.6-2.1ubuntu3 \
-            gnupg=2.2.27-3ubuntu2.1 \
-            gnupg-agent=2.2.27-3ubuntu2.1 && \
+            autoconf \
+            build-essential \
+            ca-certificates \
+            gettext-base \
+            apt-transport-https \
+            lsb-release \
+            libcurl4-openssl-dev \
+            libssl-dev \
+            software-properties-common \
+            gcc \
+            g++ \
+            cmake \
+            make \
+            lsof \
+            pkg-config \
+            retry \
+            file \
+            gnupg \
+            gnupg-agent \
+            jq \
+            tar \
+            tzdata \
+            unzip \
+            wget \
+            gzip \
+            bzip2 \
+            zip && \
+    add-apt-repository ppa:git-core/ppa && \
+    curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash && \
     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg && \
     echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
     mkdir -p -m 755 /etc/apt/keyrings && \
     wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null && \
     chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && \
     echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
-    apt-get update && \
+    wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg && \
+    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list && apt-get update && \
     apt-get install --no-install-recommends -y \
-            gh=2.59.0 \
-            docker-ce=${DOCKER_VERSION} \
-            docker-ce-cli=${DOCKER_VERSION} \
-            containerd.io=${CONTAINERD_VERSION} \
-            docker-buildx-plugin=${DOCKER_BUILDX_VERSION} \
-            docker-compose-plugin=${DOCKER_COMPOSE_VERSION} && \
+            git \
+            git-lfs \
+            gh \
+            vault \
+            docker-ce \
+            docker-ce-cli \
+            containerd.io \
+            docker-buildx-plugin && \
+    setcap -r /usr/bin/vault && \
+    ONEPASSWORD_VERSION="$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')" && \
     curl -L https://cache.agilebits.com/dist/1P/op2/pkg/v${ONEPASSWORD_VERSION}/op_linux_amd64_v${ONEPASSWORD_VERSION}.zip -o op.zip && \
     unzip -o op.zip && mv op /usr/local/bin/op && \
     rm op.zip && rm op.sig && \
-    curl -SLO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" > "vault_${VAULT_VERSION}_linux_amd64.zip" && \
-    unzip "vault_${VAULT_VERSION}_linux_amd64.zip" -d /usr/local/bin && \
-    rm "vault_${VAULT_VERSION}_linux_amd64.zip" && \
     curl -L https://github.com/tellerops/teller/releases/download/v${TELLER_VERSION}/teller_${TELLER_VERSION}_Linux_x86_64.tar.gz --output teller_${TELLER_VERSION}_Linux_x86_64.tar.gz && \
     tar -xzf teller_${TELLER_VERSION}_Linux_x86_64.tar.gz && \
     mv teller /usr/local/bin/teller && \
     rm teller_${TELLER_VERSION}_Linux_x86_64.tar.gz && \
-    curl -L -o buildevents https://github.com/honeycombio/buildevents/releases/download/v${BUILDEVENTS_VERSION}/buildevents-linux-amd64 && \
+    curl -L -o buildevents https://github.com/honeycombio/buildevents/releases/latest/download/buildevents-linux-amd64 && \
     chmod +x buildevents && \
     mv buildevents /usr/local/bin/buildevents && \
-    sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen && locale-gen && \
     mkdir /root/.gnupg && \
     bash -c "echo 'allow-loopback-pinentry' > /root/.gnupg/gpg-agent.conf" && \
     bash -c "echo 'pinentry-mode loopback' > /root/.gnupg/gpg.conf" && \
     chmod 700 /root/.gnupg && chmod 600 /root/.gnupg/* && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# easier view of key tool versions by outputing at end of build log
+RUN docker --version && \
+    gh --version && \
+    op --version && \
+    vault --version && \
+    teller version && \
+    buildevents -v