From cd5c64f184af86d99e7f6d4d2a3083d4a0f051dd Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Sat, 14 Dec 2024 21:03:46 -0500 Subject: [PATCH 1/7] Add dockerfile and GHA to build and publish ct-test-srv container --- .github/workflows/container-build.yml | 31 ++++++++++++++++++++++ .github/workflows/container-release.yml | 35 +++++++++++++++++++++++++ test/ct-test-srv/Dockerfile | 19 ++++++++++++++ 3 files changed, 85 insertions(+) create mode 100644 .github/workflows/container-build.yml create mode 100644 .github/workflows/container-release.yml create mode 100644 test/ct-test-srv/Dockerfile diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml new file mode 100644 index 00000000000..6c7095a34f8 --- /dev/null +++ b/.github/workflows/container-build.yml @@ -0,0 +1,31 @@ +# Build containers on every PR +# See also container-release.yml + +name: Container Build + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + +jobs: + build-container: + runs-on: ubuntu-24.04 + strategy: + fail-fast: false + matrix: + include: + - dockerfile: test/ct-test-srv/Dockerfile + image: ghcr.io/letsencrypt/ct-test-srv + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Build + run: docker buildx build . -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.sha }}" diff --git a/.github/workflows/container-release.yml b/.github/workflows/container-release.yml new file mode 100644 index 00000000000..37f1579cb59 --- /dev/null +++ b/.github/workflows/container-release.yml 
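Review bot: `packages: write` is granted to `build-container`, yet the only step after checkout is a `docker buildx build` that never pushes, and the job also runs on `pull_request`, so the token carries GHCR write access it does not use. Least privilege here is `packages: read` (or dropping the `packages` key entirely) and reserving write for the release job that actually pushes. This file is deleted again in 4/7 of the series, but the same check applies to whichever job ends up hosting the build-only step.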
@@ -0,0 +1,35 @@ +# Build and publish containers for this release +# see also container-build.yml + +name: Container Release + +on: + push: + tags: + - release-* + +jobs: + push-container: + runs-on: ubuntu-24.04 + strategy: + fail-fast: false + matrix: + include: + - dockerfile: test/ct-test-srv/Dockerfile + image: ghcr.io/letsencrypt/ct-test-srv + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Build + run: docker buildx build . -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.ref_name }}" + + - name: login + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + + - name: Push + run: docker push "${{ matrix.image }}:${{ github.ref_name }}" diff --git a/test/ct-test-srv/Dockerfile b/test/ct-test-srv/Dockerfile new file mode 100644 index 00000000000..ac4185b771d --- /dev/null +++ b/test/ct-test-srv/Dockerfile @@ -0,0 +1,19 @@ +FROM golang:1.23.4 AS build + +WORKDIR /app + +COPY go.mod go.sum vendor ./ + +COPY . . + +RUN go build -o /bin/ct-test-srv ./test/ct-test-srv/main.go + +FROM ubuntu:24.04 + +COPY --from=build /bin/ct-test-srv /bin/ct-test-srv + +COPY test/ct-test-srv/ct-test-srv.json /etc/ct-test-srv.json + +ENTRYPOINT ["/bin/ct-test-srv"] + +CMD ["-config", "/etc/ct-test-srv.json"] From 90576a1d7bcb8c7720ca2c8057fe3170664c8823 Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Sat, 14 Dec 2024 23:35:15 -0500 Subject: [PATCH 2/7] Run as non-root user --- test/ct-test-srv/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/ct-test-srv/Dockerfile b/test/ct-test-srv/Dockerfile index ac4185b771d..53d08ae37ea 100644 --- a/test/ct-test-srv/Dockerfile +++ b/test/ct-test-srv/Dockerfile 
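Review bot: `COPY go.mod go.sum vendor ./` copies the contents of `vendor/` straight into `/app` (a directory source is flattened into the destination) and is immediately superseded by `COPY . .`, so it does not provide the manifests-first cache layer it looks like and leaves stray vendor files in the build stage. Either drop that line or keep `COPY go.mod go.sum ./` followed by a dependency step before the full copy. Separately, `go build` runs with cgo enabled by default, so the binary presumably links against the toolchain image's glibc; unless ct-test-srv needs cgo, `RUN CGO_ENABLED=0 go build -o /bin/ct-test-srv ./test/ct-test-srv/main.go` yields a static binary that would let the runtime stage be `scratch` or a distroless image instead of a full `ubuntu:24.04`, shrinking the surface of a published image and removing a mutable base tag from it.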
@@ -10,10 +10,14 @@ RUN go build -o /bin/ct-test-srv ./test/ct-test-srv/main.go FROM ubuntu:24.04 +RUN useradd -r -u 10001 cttest + COPY --from=build /bin/ct-test-srv /bin/ct-test-srv COPY test/ct-test-srv/ct-test-srv.json /etc/ct-test-srv.json ENTRYPOINT ["/bin/ct-test-srv"] +USER cttest + CMD ["-config", "/etc/ct-test-srv.json"] From 388dac12b2b52bfcbf9a32abdd7b4ee1fbe7f597 Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Sun, 15 Dec 2024 16:29:22 -0500 Subject: [PATCH 3/7] Add Go version as a dockerfile ARG, set in GHA --- .github/workflows/container-build.yml | 4 +++- .github/workflows/container-release.yml | 4 +++- test/ct-test-srv/Dockerfile | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index 6c7095a34f8..46211a6d516 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml @@ -16,6 +16,8 @@ jobs: strategy: fail-fast: false matrix: + GO_VERSION: + - "1.23.4" include: - dockerfile: test/ct-test-srv/Dockerfile image: ghcr.io/letsencrypt/ct-test-srv @@ -28,4 +30,4 @@ jobs: persist-credentials: false - name: Build - run: docker buildx build . -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.sha }}" + run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.sha }}" diff --git a/.github/workflows/container-release.yml b/.github/workflows/container-release.yml index 37f1579cb59..39cdc4b51ad 100644 --- a/.github/workflows/container-release.yml +++ b/.github/workflows/container-release.yml @@ -14,6 +14,8 @@ jobs: strategy: fail-fast: false matrix: + GO_VERSION: + - "1.23.4" include: - dockerfile: test/ct-test-srv/Dockerfile image: ghcr.io/letsencrypt/ct-test-srv 
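Review bot: `USER cttest` switches by name even though the preceding `useradd -r -u 10001 cttest` already fixes a stable numeric UID; runtimes that enforce non-root by inspecting the image config (Kubernetes `runAsNonRoot` is the usual one) cannot resolve a name and reject the container with a non-numeric-user error. Using the UID directly keeps the passwd entry for tools that want a name while making the constraint enforceable: `USER 10001`. By convention the `USER` line also sits before `ENTRYPOINT` rather than between `ENTRYPOINT` and `CMD`; behaviour is the same, but readers expect the privilege drop to precede the runtime directives.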
@@ -26,7 +28,7 @@ jobs: persist-credentials: false - name: Build - run: docker buildx build . -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.ref_name }}" + run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.ref_name }}" - name: login run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin diff --git a/test/ct-test-srv/Dockerfile b/test/ct-test-srv/Dockerfile index 53d08ae37ea..91773b90855 100644 --- a/test/ct-test-srv/Dockerfile +++ b/test/ct-test-srv/Dockerfile @@ -1,4 +1,6 @@ -FROM golang:1.23.4 AS build +ARG GO_VERSION + +FROM golang:${GO_VERSION} AS build WORKDIR /app From 1602bf428201507521e67594c960506f639604ac Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Mon, 16 Dec 2024 16:57:58 -0500 Subject: [PATCH 4/7] Move container builds into (try-)release.yml --- .github/workflows/container-build.yml | 33 ---------------------- .github/workflows/container-release.yml | 37 ------------------------- .github/workflows/release.yml | 9 ++++++ .github/workflows/try-release.yml | 3 ++ 4 files changed, 12 insertions(+), 70 deletions(-) delete mode 100644 .github/workflows/container-build.yml delete mode 100644 .github/workflows/container-release.yml diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml deleted file mode 100644 index 46211a6d516..00000000000 --- a/.github/workflows/container-build.yml +++ /dev/null 
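Review bot: `ARG GO_VERSION` is declared with no default, so a plain `docker build -f test/ct-test-srv/Dockerfile .` run outside the workflow expands the base image to `golang:`, which does not resolve to the pinned toolchain the removed line hard-coded. Give the ARG the value the workflow matrix currently passes, `ARG GO_VERSION=1.23.4`, so local and CI builds agree and the pin stays visible in the Dockerfile; a `--build-arg` override still wins when supplied. Since the tag is mutable, recording the resolved base digest in the build log (`docker buildx build --pull` plus `docker image inspect` on the stage) is worth considering if reproducibility of the release image matters.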
@@ -1,33 +0,0 @@ -# Build containers on every PR -# See also container-release.yml - -name: Container Build - -on: - push: - branches: [main] - pull_request: - branches: [main] - workflow_dispatch: - -jobs: - build-container: - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - matrix: - GO_VERSION: - - "1.23.4" - include: - - dockerfile: test/ct-test-srv/Dockerfile - image: ghcr.io/letsencrypt/ct-test-srv - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Build - run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.sha }}" diff --git a/.github/workflows/container-release.yml b/.github/workflows/container-release.yml deleted file mode 100644 index 39cdc4b51ad..00000000000 --- a/.github/workflows/container-release.yml +++ /dev/null @@ -1,37 +0,0 @@ -# Build and publish containers for this release -# see also container-build.yml - -name: Container Release - -on: - push: - tags: - - release-* - -jobs: - push-container: - runs-on: ubuntu-24.04 - strategy: - fail-fast: false - matrix: - GO_VERSION: - - "1.23.4" - include: - - dockerfile: test/ct-test-srv/Dockerfile - image: ghcr.io/letsencrypt/ct-test-srv - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Build - run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.ref_name }}" - - - name: login - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - - - name: Push - run: docker push "${{ matrix.image }}:${{ github.ref_name }}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8e9951a4fb3..c0d3c3a97a1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -48,3 +48,12 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://cli.github.com/manual/gh_release_upload run: gh release upload "${GITHUB_REF_NAME}" boulder*.deb boulder*.tar.gz boulder*.checksums.txt + + - name: Build Container + run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.ref_name }}" + + - name: Login to ghcr.io + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + + - name: Push Container + run: docker push "${{ matrix.image }}:${{ github.ref_name }}" diff --git a/.github/workflows/try-release.yml b/.github/workflows/try-release.yml index c7f8211d4bb..36c8c9e0145 100644 --- a/.github/workflows/try-release.yml +++ b/.github/workflows/try-release.yml @@ -42,3 +42,6 @@ jobs: - name: Show checksums id: check run: cat boulder*.checksums.txt + + - name: Build Container + run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.sha }}" From 5d9b6f9a09e390e7f430f8a6518c7f5a7beba373 Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Mon, 16 Dec 2024 17:03:05 -0500 Subject: [PATCH 5/7] Drop matrix support for container images Just explicitly handle ct-test-srv. We can re-add a matrix if/when we want a second image, but this is a lot simpler for now. --- .github/workflows/release.yml | 8 ++++---- .github/workflows/try-release.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c0d3c3a97a1..a597165a75d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
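Review bot: The new `Push Container` step needs `packages: write` on the job's `GITHUB_TOKEN`, and the workflow deleted in this same patch was the one that granted it; the `permissions:` block of this release.yml job lies outside the hunk, so confirm it already carries `packages: write` (and nothing broader), otherwise the push will fail with a 403 at release time rather than in try-release. Building before logging in is the right ordering, since the build never sees the token. The job these steps extend begins outside the hunk.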
@@ -49,11 +49,11 @@ jobs: # https://cli.github.com/manual/gh_release_upload run: gh release upload "${GITHUB_REF_NAME}" boulder*.deb boulder*.tar.gz boulder*.checksums.txt - - name: Build Container - run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.ref_name }}" + - name: Build ct-test-srv Container + run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}" - name: Login to ghcr.io run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin - - name: Push Container - run: docker push "${{ matrix.image }}:${{ github.ref_name }}" + - name: Push ct-test-srv Container + run: docker push "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}" diff --git a/.github/workflows/try-release.yml b/.github/workflows/try-release.yml index 36c8c9e0145..a40616b31fd 100644 --- a/.github/workflows/try-release.yml +++ b/.github/workflows/try-release.yml @@ -43,5 +43,5 @@ jobs: id: check run: cat boulder*.checksums.txt - - name: Build Container - run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f "${{ matrix.dockerfile }}" -t "${{ matrix.image }}:${{ github.sha }}" + - name: Build ct-test-srv Container + run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${{ github.sha }}" From 54ec2621ac16407ebc58c9e2f6e7946fd09d42db Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Tue, 17 Dec 2024 18:05:28 -0500 Subject: [PATCH 6/7] Don't echo the token --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a597165a75d..db581c2d29a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
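Review bot: The push step publishes only the mutable tag `ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}` and nothing records the resulting image digest, so a consumer wanting to pin by `@sha256:` has to look it up afterwards and no artifact ties the image to the release that uploads `boulder*.checksums.txt` a few lines up. Printing the digest after the push, e.g. `docker image inspect --format '{{index .RepoDigests 0}}' "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}"`, or adding it to the checksums step, gives an immutable reference. The step also still runs under `matrix.GO_VERSION`; if that matrix ever holds more than one entry, every leg builds and pushes the same tag and the last writer wins, so either gate the push on a single Go version or include the version in the tag. The job these steps belong to begins outside the hunk.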
@@ -53,7 +53,9 @@ jobs: run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}" - name: Login to ghcr.io - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + run: printenv "$GITHUB_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Push ct-test-srv Container run: docker push "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}" From ff9773c415c43299571c2063f05e6c38eb236026 Mon Sep 17 00:00:00 2001 From: Matthew McPherrin Date: Tue, 17 Dec 2024 18:11:39 -0500 Subject: [PATCH 7/7] Printenv doesn't need $ --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index db581c2d29a..52fd2495717 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,7 +53,7 @@ jobs: run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${{ github.ref_name }}" - name: Login to ghcr.io - run: printenv "$GITHUB_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin + run: printenv GITHUB_TOKEN | docker login ghcr.io -u "${{ github.actor }}" --password-stdin env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
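Review bot: After `printenv GITHUB_TOKEN | docker login ghcr.io ... --password-stdin` the token sits in plaintext in `~/.docker/config.json` on the runner for the rest of the job, and there is no logout; add a final step `- name: Logout of ghcr.io` / `if: always()` / `run: docker logout ghcr.io` after the push so a later step, or a compromised dependency of one, cannot reuse the credential. Passing the token through `env:` instead of `${{ }}` interpolation is the right fix; for consistency the username could go the same way, `-u "$GITHUB_ACTOR"` (already exported by the runner), so nothing derived from the event payload is spliced into the shell script. The job this hunk modifies begins outside the hunk.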