Merge pull request #37 from LaurentGoderre/version-auto-detect

Make the notary version detectable
docker · Aug 23, 2024 · 4fc4c25 · 4fc4c25
2 parents d1a94cf + cf64d96
commit 4fc4c25
Show file tree

Hide file tree

Showing 8 changed files with 89 additions and 93 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,10 +10,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - run: |
-          docker build notary-builder --tag notary:builder
-          tag="$(docker run --rm notary:builder sh -c 'echo $TAG' | awk '{gsub(/^v/, ""); print}')"
-          docker tag notary:builder "notary:${tag}-builder"
       - run: docker build notary-server --tag notary:server
       - run: docker build notary-signer --tag notary:signer
       - uses: actions/checkout@v3 # clone Notary upstream repo (used for generating necessary certificates to test against)

diff --git a/.gitignore b/.gitignore
@@ -1,2 +1 @@
 .jq-template.awk
-.template-helper-functions.jq
diff --git a/Dockerfile-builder.template b/Dockerfile-builder.template
diff --git a/Dockerfile.template b/Dockerfile.template
@@ -1,3 +1,31 @@
+FROM golang:1.19-alpine{{ .alpine }} AS build
+
+RUN apk add --no-cache git make
+
+ENV NOTARYPKG github.com/theupdateframework/notary
+ENV TAG v{{ .version }}
+
+ENV GOFLAGS -mod=vendor
+
+WORKDIR /go/src/$NOTARYPKG
+RUN set -eux; \
+	git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+	echo "${TAG//v/}" > NOTARY_VERSION; \
+# https://github.com/notaryproject/notary/pull/1635
+	git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
+	git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
+# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
+	go get github.com/dvsekhvalnov/[email protected]; \
+	go mod vendor; \
+# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+	sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
+	make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
+	cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
+	/notary-server --version; \
+	/notary-signer --version;
+
 FROM alpine:{{ .alpine }}
 
 RUN adduser -D -H -g "" notary
@@ -12,7 +40,7 @@ ENV INSTALLDIR /notary/{{ env.variant }}
 ENV PATH=$PATH:${INSTALLDIR}
 WORKDIR ${INSTALLDIR}
 
-COPY --from=notary:{{ .version }}-builder /notary-{{ env.variant }} /notary.spdx.json ./
+COPY --from=build /notary-{{ env.variant }} ./
 RUN ./notary-{{ env.variant }} --version
 
 COPY ./{{ env.variant }}-config.json .

diff --git a/apply-templates.sh b/apply-templates.sh
@@ -13,14 +13,6 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
 	wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
 fi
 
-jqf='.template-helper-functions.jq'
-if [ -n "${BASHBREW_SCRIPTS:-}" ]; then
-	jqf="$BASHBREW_SCRIPTS/template-helper-functions.jq"
-elif [ "$BASH_SOURCE" -nt "$jqf" ]; then
-	wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'
-fi
-
-
 generated_warning() {
 	cat <<-EOH
 		#
@@ -34,21 +26,15 @@ generated_warning() {
 
 export version=latest
 
-for variant in builder signer server; do
+for variant in signer server; do
 	export variant
 
 	dockerfile=
 	dest="notary-$variant/Dockerfile"
 
 	rm "$dest"
 
-	case "$variant" in
-		builder)
-			dockerfile="Dockerfile-$variant.template"
-			;;
-		*)
-			dockerfile="Dockerfile.template"
-	esac
+	dockerfile="Dockerfile.template"
 
 	{
 		generated_warning

diff --git a/notary-builder/Dockerfile b/notary-builder/Dockerfile
diff --git a/notary-server/Dockerfile b/notary-server/Dockerfile
@@ -4,6 +4,34 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+FROM golang:1.19-alpine3.16 AS build
+
+RUN apk add --no-cache git make
+
+ENV NOTARYPKG github.com/theupdateframework/notary
+ENV TAG v0.7.0
+
+ENV GOFLAGS -mod=vendor
+
+WORKDIR /go/src/$NOTARYPKG
+RUN set -eux; \
+	git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+	echo "${TAG//v/}" > NOTARY_VERSION; \
+# https://github.com/notaryproject/notary/pull/1635
+	git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
+	git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
+# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
+	go get github.com/dvsekhvalnov/[email protected]; \
+	go mod vendor; \
+# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+	sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
+	make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
+	cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
+	/notary-server --version; \
+	/notary-signer --version;
+
 FROM alpine:3.16
 
 RUN adduser -D -H -g "" notary
@@ -13,7 +41,7 @@ ENV INSTALLDIR /notary/server
 ENV PATH=$PATH:${INSTALLDIR}
 WORKDIR ${INSTALLDIR}
 
-COPY --from=notary:0.7.0-builder /notary-server /notary.spdx.json ./
+COPY --from=build /notary-server ./
 RUN ./notary-server --version
 
 COPY ./server-config.json .

diff --git a/notary-signer/Dockerfile b/notary-signer/Dockerfile
@@ -4,6 +4,34 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
+FROM golang:1.19-alpine3.16 AS build
+
+RUN apk add --no-cache git make
+
+ENV NOTARYPKG github.com/theupdateframework/notary
+ENV TAG v0.7.0
+
+ENV GOFLAGS -mod=vendor
+
+WORKDIR /go/src/$NOTARYPKG
+RUN set -eux; \
+	git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+	echo "${TAG//v/}" > NOTARY_VERSION; \
+# https://github.com/notaryproject/notary/pull/1635
+	git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
+	git -c user.name=foo -c [email protected] cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
+# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
+	go get github.com/dvsekhvalnov/[email protected]; \
+	go mod vendor; \
+# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+	sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
+	make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
+	cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
+	/notary-server --version; \
+	/notary-signer --version;
+
 FROM alpine:3.16
 
 RUN adduser -D -H -g "" notary
@@ -14,7 +42,7 @@ ENV INSTALLDIR /notary/signer
 ENV PATH=$PATH:${INSTALLDIR}
 WORKDIR ${INSTALLDIR}
 
-COPY --from=notary:0.7.0-builder /notary-signer /notary.spdx.json ./
+COPY --from=build /notary-signer ./
 RUN ./notary-signer --version
 
 COPY ./signer-config.json .