Merge pull request #7 from k7hpn/release/1.2.0

k7hpn · web-flow · commit 369f5c2d6eea · 2022-12-13T12:58:20.000-07:00
Update to support docker-lock
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.0] - 2022-12-13
+
+### Added
+
+- Ability to use docker-lock for Dockerfile pinning
+
 ## [1.1.0] - 2021-12-02
 
 ### Added
@@ -30,7 +36,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `azure-pipelines-yml` to show how to call the script from Azure
 - GitHub workflow `build.yml` to show how to call the script as a GitHub Action
 
-[unreleased]: https://github.com/mcld/buildscript/compare/v1.1.0...HEAD
+[unreleased]: https://github.com/mcld/buildscript/compare/v1.2.0...HEAD
+[1.2.0]: https://github.com/mcld/buildscript/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/mcld/buildscript/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/mcld/buildscript/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/mcld/buildscript/releases/tag/v1.0.0
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,9 @@
 # prepare base image
-FROM mcr.microsoft.com/dotnet/runtime:7.0@sha256:bc86158b6c02a0983e3377be0a71b17982ca5ccb00840b0c44abc4184f6326a7 AS base
+FROM mcr.microsoft.com/dotnet/runtime:7.0 AS base
 WORKDIR /app
 
 # get build image
-FROM mcr.microsoft.com/dotnet/sdk:7.0@sha256:a320a69c64e425e7eb42f8841d034fc3a4bb7a925ebb834c13680925c85e282c AS build
+FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build
 WORKDIR /src
 
 # run dotnet restore
@@ -31,21 +31,21 @@ ARG IMAGE_VERSION=unknown
 
 # Configure image labels
 LABEL branch=$branch \
-    maintainer="Maricopa County Library District developers <development@mcldaz.org>" \
-    org.opencontainers.image.authors="Maricopa County Library District developers <development@mcldaz.org>" \
-    org.opencontainers.image.created=$IMAGE_CREATED \
-    org.opencontainers.image.description="Build script test project" \
-    org.opencontainers.image.licenses="MIT" \
-    org.opencontainers.image.revision=$IMAGE_REVISION \
-    org.opencontainers.image.source="https://github.com/MCLD/buildscript" \
-    org.opencontainers.image.title="Build script test project" \
-    org.opencontainers.image.vendor="Maricopa County Library District" \
-    org.opencontainers.image.version=$IMAGE_VERSION
+maintainer="Maricopa County Library District developers <development@mcldaz.org>" \
+org.opencontainers.image.authors="Maricopa County Library District developers <development@mcldaz.org>" \
+org.opencontainers.image.created=$IMAGE_CREATED \
+org.opencontainers.image.description="Build script test project" \
+org.opencontainers.image.licenses="MIT" \
+org.opencontainers.image.revision=$IMAGE_REVISION \
+org.opencontainers.image.source="https://github.com/MCLD/buildscript" \
+org.opencontainers.image.title="Build script test project" \
+org.opencontainers.image.vendor="Maricopa County Library District" \
+org.opencontainers.image.version=$IMAGE_VERSION
 
 # Default image environment variable settings
 ENV org.opencontainers.image.created=$IMAGE_CREATED \
-    org.opencontainers.image.revision=$IMAGE_REVISION \
-    org.opencontainers.image.version=$IMAGE_VERSION
+org.opencontainers.image.revision=$IMAGE_REVISION \
+org.opencontainers.image.version=$IMAGE_VERSION
 
 COPY --from=publish /app/publish .
 ENTRYPOINT ["dotnet", "buildscript.dll"]
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ The `build.bash` script helps build Docker images and upload them to container r
 - Other branches go through the `build` stage in the `Dockerfile` but not further (and no image is uploaded).
 - Build environment information is brought in as container labels (Git commit id, build date, version) and you can easily add more.
 - Can push to a configured container registry (Docker Hub by default) as well as the GitHub Container registry.
+- Can utilize [docker-lock](https://github.com/safe-waters/docker-lock) to handle pinning of images in each `Dockerfile`
 
 **You only need `build.bash`, the rest of this project is testing and examples.**
 
@@ -33,6 +34,7 @@ Environment variables (all are optional):
 - `CR_OWNER` - owner of the container registry
 - `CR_PASSWORD` - password to log into the container registry
 - `CR_USER` - username to log in to the container registry
+- `DOCKER_LOCK_VERSION` - a version of docker-lock to use (e.g. 0.8.10), can also be specified in `docker-lock-version.txt`
 - `GHCR_OWNER` - owner of the GitHub Container Registry (defaults to `GHCR_USER`)
 - `GHCR_PAT` - GitHub Container Registry Personal Access Token
 - `GHCR_USER` - username to log in to the GitHub Container Registry
@@ -64,6 +66,7 @@ See [this sample Dockerfile](https://github.com/mcld/buildscript/blob/main/Docke
   - `CR_OWNER` - container registry repository (username or organization).
   - `CR_PASSWORD` - container registration password or Personal Access Token.
   - `CR_USER` - container registry username for authentication.
+  - `DOCKER_LOCK_VERSION` - a version of docker-lock to use (e.g. 0.8.10), can also be specified in `docker-lock-version.txt`
   - `GHCR_OWNER` - GitHub Container Registry repository (username or organization name).
   - `GHCR_PAT` - GitHub Personal Access Token.
   - `GHCR_USER` - username associated with the GitHub Personal Access Token (for authentication).
diff --git a/build.bash b/build.bash
@@ -12,8 +12,6 @@
 set -Eeuo pipefail
 trap cleanup SIGINT SIGTERM ERR EXIT
 
-script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd -P)
-
 usage() {
   cat <<EOF
 Usage: $(basename "${BASH_SOURCE[0]}") [-h] [-v] [-df Dockerfile] [-p] [Docker tag]
@@ -34,11 +32,13 @@ Environment variables:
 - CR_OWNER - optional - owner of the container registry
 - CR_PASSWORD - optional - password to log into the container registry
 - CR_USER - optional - username to log in to the container registry
+- DOCKER_LOCK_VERSION - optional - a version of docker-lock to use (e.g. 0.8.10), can also be
+                                   specified in docker-lock-version.txt
 - GHCR_OWNER - optional - owner of the GitHub Container Registry (defaults to GHCR_USER)
 - GHCR_PAT - optional - GitHub Container Registry Personal Access Token
 - GHCR_USER - optional - username to log in to the GitHub Container Registry
 
-Version 1.1.0 released 2021-12-02
+Version 1.2.0 released 2022-12-13
 EOF
   exit
 }
@@ -70,27 +70,27 @@ die() {
 parse_params() {
   dockerfile=''
   publish=0
-
+  
   while :; do
     case "${1-}" in
-    -h | --help) usage ;;
-    -v | --verbose) set -x ;;
-    --no-color) NO_COLOR=1 ;;
-    -df | --dockerfile)
-      dockerfile="${2-}"
-      shift
+      -h | --help) usage ;;
+      -v | --verbose) set -x ;;
+      --no-color) NO_COLOR=1 ;;
+      -df | --dockerfile)
+        dockerfile="${2-}"
+        shift
       ;;
-    -p | --publish)
-      publish=1
+      -p | --publish)
+        publish=1
       ;;
-    -?*) die "Unknown option: $1" ;;
-    *) break ;;
+      -?*) die "Unknown option: $1" ;;
+      *) break ;;
     esac
     shift
   done
-
+  
   readonly dockertag="${1-}"
-
+  
   return 0
 }
 
@@ -110,6 +110,37 @@ BLD_RELEASE_VERSION=''
 
 readonly BLD_STARTAT=$SECONDS
 
+SYSARCH=$(arch)
+readonly SYSARCH
+
+if [[ ${SYSARCH} = "i386" ]]; then
+  readonly ARCH="x86_32"
+  elif [[ ${SYSARCH} = "aarch64" ]]; then
+  readonly ARCH="armv7"
+else
+  readonly ARCH=${SYSARCH}
+fi
+
+OS=$(uname -s)
+readonly OS
+
+if [[ -z ${DOCKER_LOCK_VERSION-} && -f "docker-lock-version.txt" ]]; then
+  BLD_DOCKER_LOCK_VERSION=$(cat docker-lock-version.txt)
+  readonly BLD_DOCKER_LOCK_VERSION
+else
+  BLD_DOCKER_LOCK_VERSION=${DOCKER_LOCK_VERSION-}
+  readonly BLD_DOCKER_LOCK_VERSION
+fi
+
+if [[ -n ${BLD_DOCKER_LOCK_VERSION-} && -f "docker-lock.json" ]]; then
+  readonly DOCKER_LOCK_URL="https://github.com/safe-waters/docker-lock/releases/download/v${BLD_DOCKER_LOCK_VERSION}/docker-lock_${BLD_DOCKER_LOCK_VERSION}_${OS}_${ARCH}.tar.gz"
+  msg "${BLUE}===${NOFORMAT} Using docker-lock.json version ${BLD_DOCKER_LOCK_VERSION} to pin Dockerfile(s)"
+  mkdir -p ".docker/cli-plugins"
+  curl -fsSL "${DOCKER_LOCK_URL}" | tar -xz -C ".docker/cli-plugins" "docker-lock"
+  chmod +x ".docker/cli-plugins/docker-lock"
+  .docker/cli-plugins/docker-lock lock rewrite
+fi
+
 # Try getting branch from Azure DevOps
 readonly AZURE_BRANCH=${BUILD_SOURCEBRANCH-}
 BLD_BRANCH=''
@@ -128,13 +159,13 @@ if [[ -z ${BLD_BRANCH} ]]; then
 fi
 
 if [[ $BLD_BRANCH = "develop"
-      || $BLD_BRANCH = "main"
-      || $BLD_BRANCH = "master"
-      || $BLD_BRANCH = "test" ]]; then
+    || $BLD_BRANCH = "main"
+    || $BLD_BRANCH = "master"
+  || $BLD_BRANCH = "test" ]]; then
   BLD_DOCKER_TAG=$BLD_BRANCH
   BLD_VERSION=${BLD_BRANCH}-${BLD_VERSION_DATE}
   BLD_PUSH=true
-elif [[ "$BLD_BRANCH" =~ release/([0-9]+\.[0-9]+\.[0-9]+.*) ]]; then
+  elif [[ "$BLD_BRANCH" =~ release/([0-9]+\.[0-9]+\.[0-9]+.*) ]]; then
   BLD_RELEASE_VERSION=${BASH_REMATCH[1]}
   BLD_DOCKER_TAG=v${BLD_RELEASE_VERSION}
   BLD_VERSION=v${BLD_RELEASE_VERSION}
@@ -201,12 +232,12 @@ if [[ $BLD_PUSH = true ]]; then
   --build-arg IMAGE_CREATED="$BLD_VERSION_DATE" \
   --build-arg IMAGE_REVISION="$BLD_COMMIT" \
   --build-arg IMAGE_VERSION="$BLD_VERSION" .
-
+  
   msg "${GREEN}===${NOFORMAT} Docker image built"
-
+  
   dockeruser=${CR_USER-}
   dockerpass=${CR_PASSWORD-}
-
+  
   if [[ -z $dockeruser || -z $dockerpass ]]; then
     msg "${ORANGE}===${NOFORMAT} Not pushing Docker image: username or password not specified"
   else
@@ -218,28 +249,28 @@ if [[ $BLD_PUSH = true ]]; then
       echo "$dockerpass" | \
       docker login -u "$dockeruser" --password-stdin "${CR_HOST-}" || exit $?
     fi
-
+    
     msg "${BLUE}===${NOFORMAT} Pushing image $BLD_FULL_DOCKER_IMAGE"
     docker push "$BLD_FULL_DOCKER_IMAGE"
-
+    
     if [[ $BLD_RELEASE = "true" ]]; then
       msg "${BLUE}===${NOFORMAT} Tagging and pushing $BLD_FULL_DOCKER_LATEST"
       docker tag "$BLD_FULL_DOCKER_IMAGE" "$BLD_FULL_DOCKER_LATEST"
       docker push "$BLD_FULL_DOCKER_LATEST"
     fi
-
+    
     msg "${GREEN}===${NOFORMAT} Docker image pushed"
-
+    
     msg "${BLUE}===${NOFORMAT} Executing logout"
     if [[ -z ${CR_HOST-} ]]; then
       docker logout
     else
       docker logout "${CR_HOST-}"
     fi
   fi
-
+  
   ghcruser=${GHCR_USER-}
-
+  
   if [[ -n $ghcruser ]]; then
     ghcrowner=${GHCR_OWNER-}
     if [[ -z $ghcrowner ]]; then
@@ -250,20 +281,20 @@ if [[ $BLD_PUSH = true ]]; then
     echo "$GHCR_PAT" | \
     docker login ghcr.io -u "${ghcruser}" --password-stdin || exit $?
     docker push "ghcr.io/${ghcrowner}/${BLD_DOCKER_IMAGE}"
-
+    
     if [[ $BLD_RELEASE = "true" ]]; then
       msg "${BLUE}===${NOFORMAT} Tagging and pushing ghcr.io/${ghcrowner}/${BLD_DOCKER_LATEST}"
       docker tag "${BLD_FULL_DOCKER_IMAGE}" "ghcr.io/${ghcrowner}/${BLD_DOCKER_LATEST}"
       docker push "ghcr.io/${ghcrowner}/${BLD_DOCKER_LATEST}"
     fi
-
+    
     docker logout ghcr.io
-
+    
     msg "${GREEN}===${NOFORMAT} Docker image pushed to ghcr.io"
   fi
-
+  
   # Perform release publish in the Docker machine if configuration is present
-
+  
   if [[ $BLD_RELEASE = "true" && -f "release-publish.bash" && publish -eq 1 ]]; then
     msg "${BLUE}===${NOFORMAT} Publishing release package for $BLD_RELEASE_VERSION"
     mkdir -p publish
