fix: bump default superchain images (#1799)
* fix: bump default superchain images

delivlib has some places where it defaults to a particular superchain
image, which may grow outdated over time. This came up specifically
in the context of ECR mirroring recently.

Bump the Superchain image we're using to a recent one everywhere
(`bookworm` instead of `bullseye`, a more recent Node because Node 18
is about to be deprecated).

Also make sure that all CodeBuild projects have reasonable descriptions,
because we have hundreds in our account now and we need some way
to tell them apart.

* chore: self mutation

Signed-off-by: github-actions <[email protected]>

* Duplicate superchain information into tests

* Unused import

---------

Signed-off-by: github-actions <[email protected]>
Co-authored-by: github-actions <[email protected]>
rix0rrr and github-actions authored Dec 11, 2024
1 parent eb413b2 commit a4c9cb6
Showing 9 changed files with 116 additions and 7 deletions.
2 changes: 1 addition & 1 deletion lib/__tests__/registry-sync/ecr-mirror.test.ts
Expand Up @@ -36,7 +36,7 @@ describe('EcrMirror', () => {
Value: '123aass:password-key:AWSCURRENT',
},
],
Image: 'public.ecr.aws/jsii/superchain:1-bullseye-slim-node18',
Image: 'public.ecr.aws/jsii/superchain:1-bookworm-slim-node22',
},
Source: {
BuildSpec: {
2 changes: 1 addition & 1 deletion lib/__tests__/signing.test.ts
Expand Up @@ -103,7 +103,7 @@ describe('with standard pipeline', () => {
},
},
],
Image: 'public.ecr.aws/jsii/superchain:1-bullseye-slim-node18',
Image: 'public.ecr.aws/jsii/superchain:1-bookworm-slim-node22',
ImagePullCredentialsType: 'SERVICE_ROLE',
PrivilegedMode: false,
Type: 'LINUX_CONTAINER',
3 changes: 2 additions & 1 deletion lib/build-env.ts
@@ -1,4 +1,5 @@
import { aws_codebuild as cbuild } from 'aws-cdk-lib';
import { DEFAULT_SUPERCHAIN_IMAGE } from './constants';

export interface BuildEnvironmentProps {
computeType?: cbuild.ComputeType;
Expand All @@ -14,7 +15,7 @@ export function createBuildEnvironment(props: BuildEnvironmentProps) {
computeType: props.computeType || cbuild.ComputeType.SMALL,
privileged: props.privileged,
environmentVariables: renderEnvironmentVariables({ ...props.environment, ...props.env }),
buildImage: props.buildImage || cbuild.LinuxBuildImage.fromDockerRegistry('public.ecr.aws/jsii/superchain:1-bullseye-slim-node18'),
buildImage: props.buildImage || cbuild.LinuxBuildImage.fromDockerRegistry(DEFAULT_SUPERCHAIN_IMAGE),
};

return environment;
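Review bot: The `buildImage` fallback on the changed line uses `||` while the rest of this commit uses `??` for the same kind of default (for example `props.pipelineName ?? this.node.path` in pipeline.ts); for an `IBuildImage` object both behave the same, but `??` states the intent (substitute only for null/undefined) and keeps the file consistent: `buildImage: props.buildImage ?? cbuild.LinuxBuildImage.fromDockerRegistry(DEFAULT_SUPERCHAIN_IMAGE),`. The `computeType` line just above has the same shape and would read better with `??` too. createBuildEnvironment starts before this hunk and its return is the last line shown, so the change is local to the object literal.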
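--- a/lib/constants.ts
+++ b/lib/constants.ts
@@ -0,0 +1,4 @@
+/**
+ * The default superchain image that will be used all across delivlib if no override is supplied.
+ */
+export const DEFAULT_SUPERCHAIN_IMAGE = 'public.ecr.aws/jsii/superchain:1-bookworm-slim-node22';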
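Review bot: The new constant references the image by a mutable tag (`1-bookworm-slim-node22`), so every CodeBuild project that falls back to it — including the privileged ECR mirror job — will run whatever the registry serves under that tag at build time, and a change there is invisible in this repository's history. That is acceptable for a "latest maintained" default, but the doc comment should say so and point consumers who need reproducible or auditable builds at pinning: `* Note: this is a mutable tag, not a digest; supply your own buildImage (ideally pinned by digest, image@sha256:<digest>) where build reproducibility matters.` Since this file now centralises the choice, it is also the natural place to record why this particular tag was picked (bookworm, Node 22), which the commit message explains but the code does not.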
14 changes: 14 additions & 0 deletions lib/pipeline.ts
Expand Up @@ -217,6 +217,7 @@ export class Pipeline extends Construct {
private readonly buildEnvironment: cbuild.BuildEnvironment;
private readonly buildSpec?: cbuild.BuildSpec;
private firstPublishStageName?: string;
private readonly descrPipelineName: string;

constructor(parent: Construct, name: string, props: PipelineProps) {
super(parent, name);
Expand All @@ -229,6 +230,9 @@ export class Pipeline extends Construct {
pipelineName: props.pipelineName,
restartExecutionOnUpdate: props.restartExecutionOnUpdate === undefined ? true : props.restartExecutionOnUpdate,
});
// We will use the pipeline name if given, but we can't use the Ref if not given
// because that would create cyclic references. Fall back to construct path if anonymous.
this.descrPipelineName = props.pipelineName ?? this.node.path;

this.branch = props.branch || 'master';
this.sourceArtifact = props.repo.createSourceStage(this.pipeline, this.branch);
Expand All @@ -241,6 +245,7 @@ export class Pipeline extends Construct {
buildProjectName = `${props.pipelineName}-Build`;
}
this.buildProject = new cbuild.PipelineProject(this, 'BuildProject', {
description: `Pipeline ${this.descrPipelineName}: build step`,
projectName: buildProjectName,
environment: this.buildEnvironment,
buildSpec: this.buildSpec,
Expand Down Expand Up @@ -388,48 +393,55 @@ export class Pipeline extends Construct {

public publishToNpm(options: publishing.PublishToNpmProjectProps & AddPublishOptions) {
this.addPublish(new publishing.PublishToNpmProject(this, 'Npm', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to NPM`,
dryRun: this.dryRun,
...options,
}), options);
}

public publishToMaven(options: publishing.PublishToMavenProjectProps & AddPublishOptions) {
this.addPublish(new publishing.PublishToMavenProject(this, 'Maven', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to Maven`,
dryRun: this.dryRun,
...options,
}), options);
}

public publishToNuGet(options: publishing.PublishToNuGetProjectProps & AddPublishOptions) {
this.addPublish(new publishing.PublishToNuGetProject(this, 'NuGet', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to NuGet`,
dryRun: this.dryRun,
...options,
}), options);
}

public publishToGitHubPages(options: publishing.PublishDocsToGitHubProjectProps & AddPublishOptions) {
this.addPublish(new publishing.PublishDocsToGitHubProject(this, 'GitHubPages', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to GitHub Pages`,
dryRun: this.dryRun,
...options,
}), options);
}

public publishToGitHub(options: publishing.PublishToGitHubProps & AddPublishOptions) {
this.addPublish(new publishing.PublishToGitHub(this, 'GitHub', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to GitHub`,
dryRun: this.dryRun,
...options,
}), options);
}

public publishToPyPI(options: publishing.PublishToPyPiProps & AddPublishOptions) {
this.addPublish(new publishing.PublishToPyPi(this, 'PyPI', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to PyPI`,
dryRun: this.dryRun,
...options,
}), options);
}

public publishToS3(id: string, options: publishing.PublishToS3Props & AddPublishOptions) {
this.addPublish(new publishing.PublishToS3(this, id, {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish to S3 (${options.bucket.bucketName})`,
dryRun: this.dryRun,
...options,
}), options);
Expand All @@ -440,6 +452,7 @@ export class Pipeline extends Construct {
*/
public publishToGolang(options: publishing.PublishToGolangProps) {
this.addPublish(new publishing.PublishToGolang(this, 'Golang', {
description: options.description ?? `Pipeline ${this.descrPipelineName}: publish Golang`,
dryRun: this.dryRun,
...options,
}));
Expand Down Expand Up @@ -474,6 +487,7 @@ export class Pipeline extends Construct {
const mergeBack = new AutoMergeBack(this, 'MergeBack', {
repo: this.repo,
...options,
projectDescription: options?.projectDescription ?? `Pipeline ${this.descrPipelineName}: merge-back step`,
});

if (options?.stage) {
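Review bot: In publishToNpm the new `description: options.description ?? ...` line sits before `...options`, so a caller that passes `description: undefined` as an explicit property will overwrite the computed default with `undefined` and the project ends up with no description after all; the same ordering is used in publishToMaven, publishToNuGet, publishToGitHubPages, publishToGitHub, publishToPyPI, publishToS3 and publishToGolang in this section. The merge-back hunk at the bottom already does it the safe way by placing `projectDescription` after `...options`; the publish methods should match, e.g. for NPM `...options, description: options.description ?? \`Pipeline ${this.descrPipelineName}: publish to NPM\`,`. One more thing worth a comment on `descrPipelineName`: when no pipelineName is given the fallback is `this.node.path`, which can be long for deeply nested constructs — I believe CodeBuild caps project descriptions, so a length guard or truncation may be needed there (verify against the service limit before adding one). The enclosing class continues beyond the last hunk shown.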
69 changes: 67 additions & 2 deletions lib/publishing.ts
Expand Up @@ -9,6 +9,7 @@ import {
} from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { ICodeSigningCertificate } from './code-signing';
import { DEFAULT_SUPERCHAIN_IMAGE } from './constants';
import { OpenPGPKeyPair } from './open-pgp-key-pair';
import * as permissions from './permissions';
import { AddToPipelineOptions, IPublisher } from './pipeline';
Expand Down Expand Up @@ -77,6 +78,13 @@ export interface PublishToMavenProjectProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

/**
Expand All @@ -92,7 +100,8 @@ export class PublishToMavenProject extends Construct implements IPublisher {
const forReal = props.dryRun === undefined ? 'false' : (!props.dryRun).toString();

const shellable = new Shellable(this, 'Default', {
platform: new LinuxPlatform(props.buildImage ?? cbuild.LinuxBuildImage.fromDockerRegistry('public.ecr.aws/jsii/superchain:1-bookworm-slim-node20')),
description: props.description,
platform: new LinuxPlatform(props.buildImage ?? cbuild.LinuxBuildImage.fromDockerRegistry(DEFAULT_SUPERCHAIN_IMAGE)),
scriptDirectory: path.join(__dirname, 'publishing', 'maven'),
entrypoint: 'publish.sh',
environment: noUndefined({
Expand Down Expand Up @@ -165,6 +174,13 @@ export interface PublishToNpmProjectProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

/**
Expand All @@ -182,6 +198,7 @@ export class PublishToNpmProject extends Construct implements IPublisher {
const access = props.access ?? NpmAccess.PUBLIC;

const shellable = new Shellable(this, 'Default', {
description: props.description,
platform: new LinuxPlatform(cbuild.LinuxBuildImage.STANDARD_7_0),
scriptDirectory: path.join(__dirname, 'publishing', 'npm'),
entrypoint: 'publish.sh',
Expand Down Expand Up @@ -249,6 +266,13 @@ export interface PublishToNuGetProjectProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

/**
Expand Down Expand Up @@ -281,7 +305,8 @@ export class PublishToNuGetProject extends Construct implements IPublisher {
}

const shellable = new Shellable(this, 'Default', {
platform: new LinuxPlatform(props.buildImage ?? cbuild.LinuxBuildImage.fromDockerRegistry('public.ecr.aws/jsii/superchain:1-bookworm-slim-node20')),
description: props.description,
platform: new LinuxPlatform(props.buildImage ?? cbuild.LinuxBuildImage.fromDockerRegistry(DEFAULT_SUPERCHAIN_IMAGE)),
scriptDirectory: path.join(__dirname, 'publishing', 'nuget'),
entrypoint: 'publish.sh',
environment,
Expand Down Expand Up @@ -353,6 +378,13 @@ export interface PublishDocsToGitHubProjectProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

/**
Expand All @@ -368,6 +400,7 @@ export class PublishDocsToGitHubProject extends Construct implements IPublisher
const forReal = props.dryRun === undefined ? 'false' : (!props.dryRun).toString();

const shellable = new Shellable(this, 'Default', {
description: props.description,
platform: new LinuxPlatform(cbuild.LinuxBuildImage.STANDARD_7_0),
scriptDirectory: path.join(__dirname, 'publishing', 'docs'),
entrypoint: 'publish.sh',
Expand Down Expand Up @@ -466,6 +499,13 @@ export interface PublishToGitHubProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

export class PublishToGitHub extends Construct implements IPublisher {
Expand All @@ -485,6 +525,7 @@ export class PublishToGitHub extends Construct implements IPublisher {
}

const shellable = new Shellable(this, 'Default', {
description: props.description,
platform: new LinuxPlatform(cbuild.LinuxBuildImage.STANDARD_7_0),
scriptDirectory: path.join(__dirname, 'publishing', 'github'),
entrypoint: 'publish.sh',
Expand Down Expand Up @@ -542,6 +583,13 @@ export interface PublishToS3Props {
* @default true
*/
dryRun?: boolean;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

export class PublishToS3 extends Construct implements IPublisher {
Expand All @@ -554,6 +602,7 @@ export class PublishToS3 extends Construct implements IPublisher {
const forReal = props.dryRun === undefined ? 'false' : (!props.dryRun).toString();

const shellable = new Shellable(this, 'Default', {
description: props.description,
platform: new LinuxPlatform(cbuild.LinuxBuildImage.STANDARD_7_0),
scriptDirectory: path.join(__dirname, 'publishing', 's3'),
entrypoint: 'publish.sh',
Expand Down Expand Up @@ -604,6 +653,13 @@ export interface PublishToPyPiProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

export class PublishToPyPi extends Construct {
Expand All @@ -617,6 +673,7 @@ export class PublishToPyPi extends Construct {
const forReal = props.dryRun === undefined ? 'false' : (!props.dryRun).toString();

const shellable = new Shellable(this, 'Default', {
description: props.description,
platform: new LinuxPlatform(cbuild.LinuxBuildImage.STANDARD_7_0),
scriptDirectory: path.join(__dirname, 'publishing', 'pypi'),
entrypoint: 'publish.sh',
Expand Down Expand Up @@ -705,6 +762,13 @@ export interface PublishToGolangProps {
* @default - no SSM parameters
*/
ssmPrefix?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
description?: string;
}

/**
Expand All @@ -720,6 +784,7 @@ export class PublishToGolang extends Construct {
const dryRun = props.dryRun ?? false;

const shellable = new Shellable(this, 'Default', {
description: props.description,
platform: new LinuxPlatform(cbuild.LinuxBuildImage.STANDARD_7_0),
scriptDirectory: path.join(__dirname, 'publishing', 'golang'),
entrypoint: 'publish.sh',
7 changes: 7 additions & 0 deletions lib/pull-request/merge-back.ts
Expand Up @@ -81,6 +81,13 @@ export interface AutoMergeBackOptions extends pr.AutoPullRequestOptions {
* @default - no condition
*/
condition?: string;

/**
* Description for the CodeBuild project
*
* @default - No description
*/
projectDescription?: string;
}

export interface AutoMergeBackPipelineOptions extends AutoMergeBackOptions {
19 changes: 18 additions & 1 deletion lib/registry-sync/ecr-mirror.ts
Expand Up @@ -8,9 +8,11 @@ import {
aws_s3_assets as s3Assets,
aws_secretsmanager as sm,
custom_resources as cr,
Annotations,
} from 'aws-cdk-lib';
import { Construct, IConstruct } from 'constructs';
import { MirrorSource } from './mirror-source';
import { DEFAULT_SUPERCHAIN_IMAGE } from '../constants';

/**
* Authentication details for DockerHub.
Expand Down Expand Up @@ -56,6 +58,15 @@ export interface EcrMirrorProps {
*/
readonly dockerHubCredentials: DockerHubCredentials;

/**
* The image used to run the mirror step itself.
*
* Prefer to supply the image yourself here.
*
* @default - Some superchain image that may grow outdated.
*/
readonly buildImage?: codebuild.IBuildImage;

/**
* Sync job runs on a schedule.
* Throws an error if neither this nor `autoStart` are specified.
Expand Down Expand Up @@ -101,10 +112,15 @@ export class EcrMirror extends Construct {
const username = codeBuildSecretValue(props.dockerHubCredentials.usernameKey, props.dockerHubCredentials);
const password = codeBuildSecretValue(props.dockerHubCredentials.passwordKey, props.dockerHubCredentials);

if (!props.buildImage) {
Annotations.of(this).addWarningV2('aws-delivlib:EcrMirror.missingBuildImage', 'Prefer supplying an explicit build image to relying on the default superchain.');
}

this.project = new codebuild.Project(this, 'EcrPushImages', {
description: Lazy.string({ produce: () => `Synchronize ${props.sources.length} images from DockerHub to local ECR` }),
environment: {
privileged: true,
buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('public.ecr.aws/jsii/superchain:1-bullseye-slim-node18'),
buildImage: props.buildImage ?? codebuild.LinuxBuildImage.fromDockerRegistry(DEFAULT_SUPERCHAIN_IMAGE),
},
environmentVariables: {
// DockerHub credentials to avoid throttling
Expand Down Expand Up @@ -204,6 +220,7 @@ export class EcrMirror extends Construct {

if (props.schedule) {
new events.Rule(this, 'ScheduledTrigger', {
description: 'Trigger ECR mirror job',
schedule: props.schedule,
targets: [new targets.CodeBuildProject(this.project)],
});
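Review bot: The new `buildImage` prop is documented with `@default - Some superchain image that may grow outdated.`, which tells a consumer neither which image they get nor where it is defined; now that the value is a named constant the doc should say `@default - DEFAULT_SUPERCHAIN_IMAGE from lib/constants.ts (a mutable tag on public.ecr.aws)`, so that someone reading the warning emitted by the new `Annotations.of(this).addWarningV2(...)` call can find what they are relying on. The warning itself is a good addition given this project runs with `privileged: true` and pulls its own base image from a public registry before mirroring anything; consider extending its message to name the tag it is falling back to, so the synth output is actionable without opening the source. Minor: the added `import { DEFAULT_SUPERCHAIN_IMAGE } from '../constants';` is placed after the `./mirror-source` import, which most import-order lint rules will want moved before the sibling-directory import. The EcrMirror constructor continues past both hunks shown here.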