forked from dependabot/dependabot-core
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile.updater-core
163 lines (135 loc) · 5.66 KB
/
Dockerfile.updater-core
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
FROM ubuntu:20.04 as builder
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
### SYSTEM DEPENDENCIES
ENV DEBIAN_FRONTEND="noninteractive" \
LC_ALL="en_US.UTF-8" \
LANG="en_US.UTF-8"
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
curl \
zlib1g-dev \
libyaml-dev \
libgdbm-dev \
bison \
tzdata \
zip \
unzip \
locales \
make \
libssl-dev \
libbz2-dev \
libffi-dev \
libreadline-dev \
libncurses5-dev \
xz-utils \
tk-dev \
&& locale-gen en_US.UTF-8
### RUBY
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
ARG RUBY_VERSION=3.1.3
ARG RUBY_INSTALL_VERSION=0.8.5
# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle update --bundler`
# Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
# This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
ARG BUNDLER_V2_VERSION=2.3.26
# Install Ruby, update RubyGems, and install Bundler
RUN mkdir -p /tmp/ruby-install \
&& cd /tmp/ruby-install \
&& curl -fsSL "https://github.com/postmodern/ruby-install/archive/v$RUBY_INSTALL_VERSION.tar.gz" -o ruby-install-$RUBY_INSTALL_VERSION.tar.gz \
&& tar -xzvf ruby-install-$RUBY_INSTALL_VERSION.tar.gz \
&& cd ruby-install-$RUBY_INSTALL_VERSION/ \
&& make \
&& ./bin/ruby-install -j4 --system --cleanup ruby $RUBY_VERSION -- --disable-install-doc \
&& gem install bundler -v $BUNDLER_V2_VERSION --no-document \
&& rm -rf /var/lib/gems/*/cache/* \
&& rm -rf /tmp/ruby-install
ENV HOME="/home/dependabot"
WORKDIR ${HOME}
# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
COPY .rubocop.yml .rubocop.yml
COPY .ruby-version .ruby-version
COPY common common
COPY omnibus omnibus
COPY updater/Gemfile updater/Gemfile.lock dependabot-updater/
COPY bundler/Gemfile bundler/dependabot-bundler.gemspec bundler/
COPY cargo/Gemfile cargo/dependabot-cargo.gemspec cargo/
COPY composer/Gemfile composer/dependabot-composer.gemspec composer/
COPY docker/Gemfile docker/dependabot-docker.gemspec docker/
COPY elm/Gemfile elm/dependabot-elm.gemspec elm/
COPY git_submodules/Gemfile git_submodules/dependabot-git_submodules.gemspec git_submodules/
COPY github_actions/Gemfile github_actions/dependabot-github_actions.gemspec github_actions/
COPY go_modules/Gemfile go_modules/dependabot-go_modules.gemspec go_modules/
COPY gradle/Gemfile gradle/dependabot-gradle.gemspec gradle/
COPY hex/Gemfile hex/dependabot-hex.gemspec hex/
COPY maven/Gemfile maven/dependabot-maven.gemspec maven/
COPY npm_and_yarn/Gemfile npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
COPY nuget/Gemfile nuget/dependabot-nuget.gemspec nuget/
COPY pub/Gemfile pub/dependabot-pub.gemspec pub/
COPY python/Gemfile python/dependabot-python.gemspec python/
COPY terraform/Gemfile terraform/dependabot-terraform.gemspec terraform/
# prevent having all the source in every ecosystem image
RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler; do \
mkdir -p $ecosystem/lib/dependabot; \
touch $ecosystem/lib/dependabot/$ecosystem.rb; \
done
WORKDIR $HOME/dependabot-updater
RUN bundle config set --local path 'vendor' && \
bundle config set --local frozen 'true' && \
bundle config set --local without 'development' && \
bundle install && \
rm -rf ~/.bundle
FROM ubuntu:20.04
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ENV DEBIAN_FRONTEND="noninteractive" \
LC_ALL="en_US.UTF-8" \
LANG="en_US.UTF-8"
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y --no-install-recommends \
# dev dependencies for CI
build-essential \
curl \
zlib1g-dev \
libgmp-dev \
unzip \
# VCS section
git \
git-lfs \
bzr \
mercurial \
# needed to sign commits
gnupg2 \
# Installs certs in dependabot-action and CLI
ca-certificates \
# used to check if a file is binary in the VendorUpdater
file \
# used by Ruby to parse YAML
libyaml-dev \
locales \
&& locale-gen en_US.UTF-8 \
&& rm -rf /var/lib/apt/lists/*
ARG USER_UID=1000
ARG USER_GID=$USER_UID
RUN if ! getent group "$USER_GID"; then groupadd --gid "$USER_GID" dependabot ; \
else GROUP_NAME=$(getent group $USER_GID | awk -F':' '{print $1}'); groupmod -n dependabot "$GROUP_NAME" ; fi \
&& useradd --uid "${USER_UID}" --gid "${USER_GID}" -m dependabot \
&& mkdir -p /opt && chown dependabot:dependabot /opt && chgrp dependabot /etc/ssl/certs && chmod g+w /etc/ssl/certs
# Disable automatic pulling of files stored with Git LFS
# This avoids downloading large files not necessary for the dependabot scripts
ENV GIT_LFS_SKIP_SMUDGE=1
COPY --from=builder /opt /opt
COPY --from=builder --chown=dependabot:dependabot /usr/local /usr/local
COPY --from=builder --chown=dependabot:dependabot /home/dependabot /home/dependabot
ENV DEPENDABOT_HOME /home/dependabot
# Add project
COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME
COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater
ENV PATH="$HOME/bin:$PATH"
ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
WORKDIR $DEPENDABOT_HOME/dependabot-updater
CMD ["bundle", "exec", "ruby", "bin/dependabot_update.rb"]