From e4c65dce41bf7f6504dd68e5f4b5b88f6966e827 Mon Sep 17 00:00:00 2001
From: wass3rw3rk <49894298+wass3rw3rk@users.noreply.github.com>
Date: Tue, 20 Aug 2024 14:13:26 -0500
Subject: [PATCH] enhance(docker): validate checksum + handle version updates

validates gh binary checksum and uses renovate to manage GH CLI version updates
---
 .github/renovate.json | 5 ++++-
 Dockerfile | 17 +++++++++++------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/.github/renovate.json b/.github/renovate.json
index df3d2ef..e267905 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,4 +1,7 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": ["local>go-vela/renovate-config"]
+ "extends": [
+ "local>go-vela/renovate-config",
+ "customManagers:dockerfileVersions"
+ ]
 }
diff --git a/Dockerfile b/Dockerfile
index 9ca3c2b..f4f3d10 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,8 @@
 # set a global Docker argument for the default CLI version
 #
 # https://github.com/moby/moby/issues/37345
-ARG GH_VERSION=2.14.4
+# renovate: datasource=github-tags depName=cli/cli
+ARG GH_VERSION=2.55.0
 ###################################################################################
 ## docker build --no-cache --target binary -t vela-github-release:binary . ## 
@@ -13,13 +14,17 @@ FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef
 ARG GH_VERSION
-ADD https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz /tmp/gh.tar.gz
+ENV GH_RELEASE_URL="https://github.com/cli/cli/releases/download/v${GH_VERSION}"
+ENV GH_FILENAME="gh_${GH_VERSION}_linux_amd64.tar.gz"
+ENV GH_CHECKSUM_FILENAME="gh_${GH_VERSION}_checksums.txt"
-RUN tar -xzf /tmp/gh.tar.gz -C /bin
+RUN wget -q "${GH_RELEASE_URL}/${GH_FILENAME}" -O "${GH_FILENAME}" && \
+ wget -q "${GH_RELEASE_URL}/${GH_CHECKSUM_FILENAME}" -O "${GH_CHECKSUM_FILENAME}" && \
+ grep "${GH_FILENAME}" "${GH_CHECKSUM_FILENAME}" | sha256sum -c && \
+ tar -xf "${GH_FILENAME}" && \
+ mv "${GH_FILENAME%.tar.gz}/bin/gh" /bin/gh && \
+ chmod 0700 /bin/gh
-RUN cp /bin/gh_${GH_VERSION}_linux_amd64/bin/gh /bin/gh
-
-RUN chmod 0700 /bin/gh
 ##################################################################
 ## docker build --no-cache -t vela-github-release:local . ##
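Review bot: The checksum file is fetched from the same release URL as the archive (the two `wget` lines of the new `RUN`), so the `grep … | sha256sum -c` step catches a truncated or corrupted download but not a substituted release, because whoever can replace one artifact at that origin can replace both; pinning the expected digest in this file, e.g. a renovate-managed `ARG GH_SHA256=<expected sha256>` checked with `echo "${GH_SHA256}  ${GH_FILENAME}" | sha256sum -c`, would verify against a value under this repository's control. The pipeline also runs without pipefail, so if `grep` matches nothing, `sha256sum -c` is handed an empty list and the step's outcome depends on how the BusyBox `sha256sum` in this alpine stage treats zero checksum lines; writing the match to a file first — `grep " ${GH_FILENAME}$" "${GH_CHECKSUM_FILENAME}" > gh.sha256 && sha256sum -c gh.sha256` — makes a missing entry abort the chain explicitly. The three new `ENV` lines hold build-time-only values that now persist into this stage's environment; `ARG` would behave identically inside the `RUN` without that, though it matters little if this `binary` stage is only ever a `COPY --from` source. The downloaded archive, checksum file and extracted directory are also left behind in the current directory (no `WORKDIR` is visible in the hunk), which is harmless only as long as later stages copy just `/bin/gh`.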