-
Notifications
You must be signed in to change notification settings - Fork 1k
/
Dockerfile.updater-core
142 lines (117 loc) · 6.58 KB
/
Dockerfile.updater-core
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
FROM docker.io/library/ubuntu:22.04
ARG TARGETARCH
LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ENV DEBIAN_FRONTEND="noninteractive" \
LC_ALL="en_US.UTF-8" \
LANG="en_US.UTF-8"
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
# dev dependencies for CI
build-essential \
curl \
libgmp-dev \
# Compression libs
zlib1g-dev \
unzip \
zstd \
# VCS section
git \
git-lfs \
bzr \
mercurial \
# needed to sign commits
gnupg2 \
# Installs certs in dependabot-action and CLI
ca-certificates \
# used to check if a file is binary in the VendorUpdater
file \
# used by Ruby to parse YAML
libyaml-dev \
locales \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
ARG USER_UID=1000
ARG USER_GID=$USER_UID
RUN if ! getent group "$USER_GID"; then groupadd --gid "$USER_GID" dependabot ; \
else GROUP_NAME=$(getent group $USER_GID | awk -F':' '{print $1}'); groupmod -n dependabot "$GROUP_NAME" ; fi \
&& useradd --uid "${USER_UID}" --gid "${USER_GID}" -m dependabot \
&& mkdir -p /opt && chown dependabot:dependabot /opt && chgrp dependabot /etc/ssl/certs && chmod g+w /etc/ssl/certs
USER dependabot
ENV DEPENDABOT_HOME="/home/dependabot"
WORKDIR $DEPENDABOT_HOME
COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME
# Install Ruby from official Docker image
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
COPY --from=docker.io/library/ruby:3.3.1-bookworm --chown=dependabot:dependabot /usr/local /usr/local
# We had to explicitly bump this as the bundled version `0.2.2` in ubuntu 22.04 has a bug.
# Once Ubuntu base image pulls in a new enough yaml version, we may not need to
# explicitly manage this. However, if we do opt to pull it back out, see all changes
# required in https://github.com/dependabot/dependabot-core/pull/7112
ARG LIBYAML_VERSION=0.2.5
RUN curl -sL https://pyyaml.org/download/libyaml/yaml-$LIBYAML_VERSION.tar.gz -o libyaml.tar.gz && \
mkdir -p $DEPENDABOT_HOME/src/libyaml && \
tar -xvf libyaml.tar.gz -C $DEPENDABOT_HOME/src/libyaml && \
rm libyaml.tar.gz
# For users to determine if dependabot is running
ENV DEPENDABOT=true
# Disable automatic pulling of files stored with Git LFS
# This avoids downloading large files not necessary for the dependabot scripts
ENV GIT_LFS_SKIP_SMUDGE=1
# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-${TARGETARCH}.tar.gz"
RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
COPY --chown=dependabot:dependabot omnibus omnibus
COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
COPY --chown=dependabot:dependabot common/.bundle common/dependabot-common.gemspec common/
COPY --chown=dependabot:dependabot common/lib/dependabot.rb common/lib/dependabot.rb
COPY --chown=dependabot:dependabot bundler/.bundle bundler/dependabot-bundler.gemspec bundler/
COPY --chown=dependabot:dependabot cargo/.bundle cargo/dependabot-cargo.gemspec cargo/
COPY --chown=dependabot:dependabot composer/.bundle composer/dependabot-composer.gemspec composer/
COPY --chown=dependabot:dependabot devcontainers/.bundle devcontainers/dependabot-devcontainers.gemspec devcontainers/
COPY --chown=dependabot:dependabot docker/.bundle docker/dependabot-docker.gemspec docker/
COPY --chown=dependabot:dependabot dotnet_sdk/.bundle dotnet_sdk/dependabot-dotnet_sdk.gemspec dotnet_sdk/
COPY --chown=dependabot:dependabot elm/.bundle elm/dependabot-elm.gemspec elm/
COPY --chown=dependabot:dependabot git_submodules/.bundle git_submodules/dependabot-git_submodules.gemspec git_submodules/
COPY --chown=dependabot:dependabot github_actions/.bundle github_actions/dependabot-github_actions.gemspec github_actions/
COPY --chown=dependabot:dependabot go_modules/.bundle go_modules/dependabot-go_modules.gemspec go_modules/
COPY --chown=dependabot:dependabot gradle/.bundle gradle/dependabot-gradle.gemspec gradle/
COPY --chown=dependabot:dependabot hex/.bundle hex/dependabot-hex.gemspec hex/
COPY --chown=dependabot:dependabot maven/.bundle maven/dependabot-maven.gemspec maven/
COPY --chown=dependabot:dependabot npm_and_yarn/.bundle npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
COPY --chown=dependabot:dependabot nuget/.bundle nuget/dependabot-nuget.gemspec nuget/
COPY --chown=dependabot:dependabot pub/.bundle pub/dependabot-pub.gemspec pub/
COPY --chown=dependabot:dependabot python/.bundle python/dependabot-python.gemspec python/
COPY --chown=dependabot:dependabot silent/.bundle silent/dependabot-silent.gemspec silent/
COPY --chown=dependabot:dependabot swift/.bundle swift/dependabot-swift.gemspec swift/
COPY --chown=dependabot:dependabot terraform/.bundle terraform/dependabot-terraform.gemspec terraform/
# prevent having all the source in every ecosystem image
RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler silent swift devcontainers dotnet_sdk; do \
mkdir -p $ecosystem/lib/dependabot; \
touch $ecosystem/lib/dependabot/$ecosystem.rb; \
done
WORKDIR $DEPENDABOT_HOME/dependabot-updater
# RubyGems & Bundler should be bumped together following these steps:
# * Bump RubyGems version below. That will also automatically update the default Bundler version.
# * Regenerate `updater/Gemfile.lock` via `BUNDLE_GEMFILE=updater/Gemfile bundle lock --update --bundler`.
# * Regenerate `Gemfile.lock` via `bundle lock --update --bundler`.
#
# Note that RubyGems & Bundler versions are currently released in sync, but
# RubyGems version is one major ahead. So when bumping to RubyGems 3.y.z, Bundler
# version will jump to 2.y.z
ARG RUBYGEMS_VERSION=3.5.16
RUN gem update --system $RUBYGEMS_VERSION
RUN bundle config set --global build.psych --with-libyaml-source-dir=$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION && \
bundle config set --local path 'vendor' && \
bundle config set --local frozen 'true' && \
bundle config set --local without 'development' && \
bundle install && \
rm -rf ~/.bundle/cache
ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
# Make the build arg available inside the Dependabot container
ARG DEPENDABOT_UPDATER_VERSION=development
ENV DEPENDABOT_UPDATER_VERSION=$DEPENDABOT_UPDATER_VERSION
USER root
CMD ["bin/run"]