# Core updater image; the per-ecosystem updater images are presumably built on
# top of it (see the "every ecosystem image" note further down).
FROM ubuntu:22.04
# bash with pipefail: a failing upstream command in a `RUN a | b` chain fails the
# build instead of being hidden behind the last command's exit status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"
# UTF-8 locale for Ruby and the tooling; the locale itself is generated by
# locale-gen in the apt step below.
# NOTE(review): DEBIAN_FRONTEND is baked into the runtime environment, not just
# the build; presumably derived images rely on it for their own apt-get steps -
# confirm before moving it inline onto the RUN line.
ENV DEBIAN_FRONTEND=noninteractive \
    LC_ALL=en_US.UTF-8 \
    LANG=en_US.UTF-8
# System packages. `update` and `install` share one layer so the index can never
# be stale relative to the install, and the lists are removed in that same layer
# so they never reach the image. Packages are unpinned (hadolint DL3008); the
# `upgrade` pulls current fixes but is flagged by hadolint DL3005, which prefers
# bumping the base tag/digest instead.
RUN apt-get update \
  && apt-get upgrade -y \
  && apt-get install -y --no-install-recommends \
    # build toolchain and headers (dev dependencies for CI)
    build-essential \
    curl \
    libgmp-dev \
    # compression libraries and tools
    unzip \
    zlib1g-dev \
    zstd \
    # VCS clients
    bzr \
    git \
    git-lfs \
    mercurial \
    # commit signing
    gnupg2 \
    # CA bundle; dependabot-action and the CLI install extra certs into it
    ca-certificates \
    # binary-file detection in the VendorUpdater
    file \
    # libyaml headers, used by Ruby to parse YAML
    libyaml-dev \
    locales \
  && locale-gen en_US.UTF-8 \
  && rm -rf /var/lib/apt/lists/*
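# Unprivileged user the updater runs as. UID/GID are build args (presumably so
# development containers can line them up with the host user).
ARG USER_UID=1000
ARG USER_GID=$USER_UID
# If the requested GID already exists in the base image, rename that group to
# "dependabot" rather than failing on a duplicate GID. $USER_GID is quoted on
# every use (the original left one unquoted - SC2086).
# /opt is handed to dependabot because native helpers are installed there
# (DEPENDABOT_NATIVE_HELPERS_PATH below).
# NOTE(review): making /etc/ssl/certs group-writable is what lets the
# unprivileged user install additional CA certificates (dependabot-action and the
# CLI do this). It also means any code running as dependabot can add a trusted
# CA, so that directory is effectively part of the image's trust boundary.
RUN if ! getent group "$USER_GID"; then \
      groupadd --gid "$USER_GID" dependabot; \
    else \
      GROUP_NAME="$(getent group "$USER_GID" | cut -d: -f1)"; \
      groupmod -n dependabot "$GROUP_NAME"; \
    fi \
  && useradd --uid "$USER_UID" --gid "$USER_GID" -m dependabot \
  && mkdir -p /opt \
  && chown dependabot:dependabot /opt \
  && chgrp dependabot /etc/ssl/certs \
  && chmod g+w /etc/ssl/certs
USER dependabot
ENV DEPENDABOT_HOME="/home/dependabot"
WORKDIR $DEPENDABOT_HOME
COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME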
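# Ruby comes from the official Docker image rather than Ubuntu's packages.
# When bumping the Ruby minor version, also add the previous version to
# `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`.
# NOTE(review): these binaries were built on Debian bookworm and run against
# Ubuntu 22.04's libc; re-check ABI compatibility whenever either tag is bumped.
COPY --from=ruby:3.1.4-bookworm --chown=dependabot:dependabot /usr/local /usr/local
# libyaml source for building Ruby's psych gem. Ubuntu 22.04 bundles 0.2.2,
# which has a bug, so a newer release is fetched explicitly. Once the base image
# ships a new enough libyaml this may no longer be needed; before pulling it out,
# see everything that had to change in
# https://github.com/dependabot/dependabot-core/pull/7112
ARG LIBYAML_VERSION=0.2.5
# --fail makes curl exit non-zero on an HTTP error instead of saving the error
# page as the tarball; --show-error keeps the error message despite --silent.
# TODO(review): the archive is protected by TLS only - pin its SHA-256 and check
# it with `sha256sum -c` before extracting.
RUN curl -fsSL "https://pyyaml.org/download/libyaml/yaml-$LIBYAML_VERSION.tar.gz" -o libyaml.tar.gz \
  && mkdir -p "$DEPENDABOT_HOME/src/libyaml" \
  && tar -xf libyaml.tar.gz -C "$DEPENDABOT_HOME/src/libyaml" \
  && rm libyaml.tar.gz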
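# Lets scripts running in the container detect that they are under dependabot.
ENV DEPENDABOT=true
# Disable automatic pulling of files stored with Git LFS; this avoids downloading
# large files that the dependabot scripts do not need.
ENV GIT_LFS_SKIP_SMUDGE=1
# git-shim is placed ahead of git on PATH and rewrites git arguments to use
# HTTPS. It is extracted into $DEPENDABOT_HOME/bin (the user's home, since
# USER dependabot is active), which is prepended to PATH further down.
# NOTE(review): the release asset is hard-coded to linux-amd64, so this step is
# not multi-arch. TODO(review): it is fetched over TLS with no checksum - pin a
# SHA-256 and verify before extracting.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
# --fail so an HTTP error is not silently saved as the tarball.
RUN curl -fsSL "$SHIM" -o git-shim.tar.gz \
  && mkdir -p "$DEPENDABOT_HOME/bin" \
  && tar -xf git-shim.tar.gz -C "$DEPENDABOT_HOME/bin" \
  && rm git-shim.tar.gz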
# Only the Gemfiles and gemspecs are copied here: the bundle below is resolved
# from them, so this layer stays cached until a manifest changes, and the
# ecosystem source trees are not baked into every ecosystem image.
COPY --chown=dependabot:dependabot omnibus omnibus
COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
COPY --chown=dependabot:dependabot common/Gemfile common/dependabot-common.gemspec common/
COPY --chown=dependabot:dependabot common/lib/dependabot.rb common/lib/dependabot.rb
COPY --chown=dependabot:dependabot bundler/Gemfile bundler/dependabot-bundler.gemspec bundler/
COPY --chown=dependabot:dependabot cargo/Gemfile cargo/dependabot-cargo.gemspec cargo/
COPY --chown=dependabot:dependabot composer/Gemfile composer/dependabot-composer.gemspec composer/
COPY --chown=dependabot:dependabot docker/Gemfile docker/dependabot-docker.gemspec docker/
COPY --chown=dependabot:dependabot elm/Gemfile elm/dependabot-elm.gemspec elm/
COPY --chown=dependabot:dependabot git_submodules/Gemfile git_submodules/dependabot-git_submodules.gemspec git_submodules/
COPY --chown=dependabot:dependabot github_actions/Gemfile github_actions/dependabot-github_actions.gemspec github_actions/
COPY --chown=dependabot:dependabot go_modules/Gemfile go_modules/dependabot-go_modules.gemspec go_modules/
COPY --chown=dependabot:dependabot gradle/Gemfile gradle/dependabot-gradle.gemspec gradle/
COPY --chown=dependabot:dependabot hex/Gemfile hex/dependabot-hex.gemspec hex/
COPY --chown=dependabot:dependabot maven/Gemfile maven/dependabot-maven.gemspec maven/
COPY --chown=dependabot:dependabot npm_and_yarn/Gemfile npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
COPY --chown=dependabot:dependabot nuget/Gemfile nuget/dependabot-nuget.gemspec nuget/
COPY --chown=dependabot:dependabot pub/Gemfile pub/dependabot-pub.gemspec pub/
COPY --chown=dependabot:dependabot python/Gemfile python/dependabot-python.gemspec python/
COPY --chown=dependabot:dependabot swift/Gemfile swift/dependabot-swift.gemspec swift/
COPY --chown=dependabot:dependabot terraform/Gemfile terraform/dependabot-terraform.gemspec terraform/
# Stub `lib/dependabot/<ecosystem>.rb` for every ecosystem copied above so the
# gemspecs can be loaded by `bundle install` without shipping each ecosystem's
# full source in every image (presumably the gemspecs reference that file).
# The list is kept in the same alphabetical order as the COPY lines.
RUN for ecosystem in bundler cargo composer docker elm git_submodules github_actions \
      go_modules gradle hex maven npm_and_yarn nuget pub python swift terraform; do \
      mkdir -p "$ecosystem/lib/dependabot"; \
      touch "$ecosystem/lib/dependabot/$ecosystem.rb"; \
    done
WORKDIR $DEPENDABOT_HOME/dependabot-updater
# Bundler version. Generally simplest to match the version that ships with the
# installed Ruby, so projects importing this library do not have to install an
# unexpected bundler. When bumping it, regenerate `updater/Gemfile.lock` via
# `bundle update --lock --bundler`.
ARG BUNDLER_V2_VERSION=2.4.17
# Resolve the updater bundle from the manifests copied above. psych is built
# against the libyaml source fetched earlier instead of Ubuntu's buggy 0.2.2.
# The --local settings land in .bundle/config under the WORKDIR set just above.
# NOTE(review): Ruby lives under /usr/local here, so the /var/lib/gems cleanup
# most likely matches nothing; it is harmless and kept as-is.
RUN gem install bundler -v "$BUNDLER_V2_VERSION" --no-document \
  && rm -rf /var/lib/gems/*/cache/* \
  && bundle config set --global build.psych --with-libyaml-source-dir="$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION" \
  && bundle config set --local frozen 'true' \
  && bundle config set --local path 'vendor' \
  && bundle config set --local without 'development' \
  && bundle install \
  && rm -rf ~/.bundle/cache
# $DEPENDABOT_HOME/bin (holding git-shim) goes ahead of the system git on PATH;
# native helpers live under /opt, which the dependabot user owns.
ENV PATH="$DEPENDABOT_HOME/bin:$PATH" \
    DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
# NOTE(review): the image deliberately ends as root - presumably so derived
# ecosystem images can install system packages - which also means `bin/run` is
# launched as root unless a derived image switches back to `USER dependabot`.
USER root
CMD ["bin/run"]