Dockerfile
# Build:  podman build --ulimit nofile=65535:65535 . -t custom-renovate
# Run:    podman run --rm <additional args> custom-renovate renovate

# NOTE(review): the base image carries neither a tag nor a digest, so it
# resolves to whatever `latest` points at when the build runs. Pin it as
# registry.access.redhat.com/ubi9-minimal@sha256:<DIGEST> so rebuilds are
# reproducible and a base change shows up in review.
FROM registry.access.redhat.com/ubi9-minimal

# Image metadata.
# NOTE(review): the maintainer address below reads as an e-mail obfuscation
# placeholder in this copy of the file; restore it from the repository.
LABEL description="Mintmaker - Renovate custom image" \
      summary="Mintmaker basic container image - a Renovate custom image" \
      maintainer="EXD Rebuilds Guild <[email protected] >" \
      io.k8s.description="Mintmaker - Renovate custom image" \
      com.redhat.component="mintmaker-renovate-image" \
      distribution-scope="public" \
      release="0.0.1" \
      url="https://github.com/konflux-ci/mintmaker-renovate-image/" \
      vendor="Red Hat, Inc."
# Renovate version written into package.json later in this file. The number
# follows upstream Renovate; the `-rpm` suffix marks the fork that has rpm
# lockfile support enabled.
ARG RENOVATE_VERSION=38.132.0-rpm

# Tag of the rpm-lockfile-prototype executable to install, taken from
# https://github.com/konflux-ci/rpm-lockfile-prototype/tags
ARG RPM_LOCKFILE_PROTOTYPE_VERSION=0.13.2

# NodeJS release used to run Renovate; it has to satisfy the version range
# declared in Renovate's package.json.
ARG NODEJS_VERSION=20.17.0

# Runtime environment.
# - NODE_OPTIONS=--use-openssl-ca makes Node trust the OpenSSL CA store rather
#   than its bundled list, which is needed for the internal Red Hat cert. The
#   store can be modified externally, so write access to it (or control of
#   SSL_CERT_FILE / SSL_CERT_DIR) decides which TLS peers Renovate accepts.
# - PYENV_ROOT is also exported from ~/.profile, but that file isn't always read.
ENV NODE_OPTIONS=--use-openssl-ca \
    LANG=C.UTF-8 \
    PYENV_ROOT="/home/renovate/.pyenv"
# Refresh the base packages and install the OS-level toolchain in one layer,
# then drop the package-manager cache in that same layer.
# NOTE(review): no package version is pinned and `microdnf update` pulls
# whatever is current at build time, so two builds of the same commit can
# contain different packages. The compilers and -devel headers also stay in the
# final image because this is a single-stage build.
RUN microdnf update -y && \
    microdnf install -y \
        bzip2 \
        bzip2-devel \
        cargo \
        findutils \
        git \
        golang \
        libffi-devel \
        ncurses-devel \
        openssl \
        python3-dnf \
        python3-pip \
        python3.11 \
        python3.11-pip \
        python3.12 \
        python3.12-pip \
        python3.9 \
        readline \
        skopeo \
        sqlite \
        sqlite-devel \
        xz \
        xz-devel \
        zlib-devel && \
    microdnf clean all
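# Install the Tekton CLI (tkn) and yq from their upstream GitHub release assets.
# curl -f turns an HTTP error into a build failure; without it an error page
# would be saved as /usr/bin/yq and marked executable, and the build would
# still succeed.
# --no-same-owner keeps the unpacked tkn binary owned by root: tar run as root
# otherwise restores whatever owner the archive records.
# NOTE(review): neither asset is checked against a pinned digest before it
# lands in /usr/bin. Record the expected SHA-256 next to each version and
# verify it in the same RUN, e.g.
#   echo "<EXPECTED_SHA256>  /tmp/tkn.tar.gz" | sha256sum -c -
# NOTE(review): both assets are the x86_64 / amd64 builds, so the image cannot
# be built for another architecture as written.
RUN curl -fsSL -o /tmp/tkn.tar.gz https://github.com/tektoncd/cli/releases/download/v0.38.1/tkn_0.38.1_Linux_x86_64.tar.gz && \
    tar xvzf /tmp/tkn.tar.gz --no-same-owner -C /usr/bin/ tkn && \
    rm -f /tmp/tkn.tar.gz
RUN curl -fsSL https://github.com/mikefarah/yq/releases/download/v4.45.1/yq_linux_amd64 -o /usr/bin/yq && \
    chmod +x /usr/bin/yq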
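# Install nodejs
# Download, verify, unpack and clean up in a single RUN: a tarball fetched in
# its own RUN stays in that layer even when a later layer deletes it.
# The archive is checked against the release's SHASUMS256.txt before it is
# unpacked; --ignore-missing limits the check to the one file present and the
# command still fails if that file is not listed. SHASUMS256.txt comes from the
# same host, so this catches a corrupted or truncated download, not a
# compromised origin. For that, verify the signature in SHASUMS256.txt.asc
# against the Node.js release keys or pin the digest in this file.
# --no-same-owner makes the unpacked files root-owned instead of carrying over
# the UID recorded in the archive.
RUN curl -fsSL -o node-v${NODEJS_VERSION}-linux-x64.tar.xz https://nodejs.org/dist/v${NODEJS_VERSION}/node-v${NODEJS_VERSION}-linux-x64.tar.xz && \
    curl -fsSL -o SHASUMS256.txt https://nodejs.org/dist/v${NODEJS_VERSION}/SHASUMS256.txt && \
    sha256sum -c --ignore-missing SHASUMS256.txt && \
    tar xf node-v${NODEJS_VERSION}-linux-x64.tar.xz --no-same-owner && \
    mv node-v${NODEJS_VERSION}-linux-x64/bin/* /bin/ && \
    mv node-v${NODEJS_VERSION}-linux-x64/include/* /include/ && \
    mv node-v${NODEJS_VERSION}-linux-x64/lib/* /lib/ && \
    rm -fr node-v${NODEJS_VERSION}-linux-x64 && \
    rm -f node-v${NODEJS_VERSION}-linux-x64.tar.xz SHASUMS256.txt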
# Create the unprivileged renovate account (UID 1001, primary group 0, bash
# shell, home directory created), open its home and ~/.cache to group 0, then
# make that account the default user for the rest of the build.
# NOTE(review): mode 6775 is rwxrwxr-x plus the setuid and setgid bits, and the
# first chmod is recursive, so the skeleton files that `useradd -m` copies into
# the home directory become setuid/setgid executables as well. Presumably the
# aim is group-0 write access for a run-time UID chosen by the platform -
# confirm; if so, setgid on the directories alone (2775) would cover it and
# the files need no special bits.
RUN useradd -lms /bin/bash -u 1001 -g 0 renovate && \
    chmod -R 6775 /home/renovate && \
    chown :0 /home/renovate && \
    mkdir -p /home/renovate/.cache && \
    chown :0 /home/renovate/.cache && \
    chmod 6775 /home/renovate/.cache
WORKDIR /home/renovate
USER 1001
# Enable renovate user's bin dirs,
# ~/.local/bin for Python executables
# ~/node_modules/.bin for renovate
# NOTE(review): every entry is placed in front of the inherited ${PATH}, so
# these user-writable directories (one of them under /tmp) are searched before
# the system ones. Whatever can write there at run time shadows system binaries
# such as git. Where overriding system tools is not the intent, append the
# entries after ${PATH} or keep the directories read-only for the run-time UID.
ENV PATH="/home/renovate/.local/bin:/home/renovate/node_modules/.bin:/home/renovate/go/bin:/home/renovate/.pyenv/bin:/tmp/renovate/cache/others/go/bin:${PATH}"
# Install package managers
# NOTE(review): the package spec on the next line reads as an e-mail
# obfuscation placeholder in this copy of the file. `pnpm` is invoked later in
# the file, so it is presumably a pinned pnpm@<VERSION> - restore it from the
# repository.
RUN npm install [email protected] && npm cache clean --force
# Use virtualenv isolation to avoid dependency issues with other global packages
RUN pip3.12 install --user pipx && pip3.12 cache purge
# NOTE(review): pipx and the tools below are installed without version pins,
# and pipeline-migration-tool is taken from the repository's default branch, so
# each rebuild can pull different code. Pin versions (ideally with hashes) and
# a commit ref for the git source.
RUN pipx install --python python3.12 poetry pdm pipenv hashin uv hatch pip-tools \
git+https://github.com/konflux-ci/pipeline-migration-tool.git && \
rm -fr ~/.cache/pipx && pip3.12 cache purge
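# Install pyenv
# The installer is saved to a file and run as a separate step. Piped straight
# into sh, a failed download hands the shell empty input, the shell exits 0 and
# the build carries on without pyenv. curl -f also turns an HTTP error into a
# build failure instead of executing the error page.
# NOTE(review): the installer and the pyenv checkout it performs are not pinned
# to a release or digest, so this step runs whatever the remote serves at build
# time. The installer honours PYENV_GIT_TAG (for example
# PYENV_GIT_TAG=<PYENV_TAG>); consider setting it and checking the installer
# against a recorded SHA-256 before running it.
RUN curl -fsSL -o /tmp/pyenv-installer.sh https://pyenv.run && \
    sh /tmp/pyenv-installer.sh && \
    rm -f /tmp/pyenv-installer.sh
# Make login shells initialise pyenv as well.
RUN echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.profile && \
    echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.profile && \
    echo 'eval "$(pyenv init -)"' >> ~/.profile
# Install additional Python versions
# `pyenv latest -f -k <series>` resolves the patch release when the image is
# built, so the exact interpreter version can change between rebuilds.
RUN "$PYENV_ROOT/plugins/python-build/bin/python-build" "$(pyenv latest -f -k 3.10)" "$HOME/python3.10"
ENV PATH="${PATH}:/home/renovate/python3.10/bin"
RUN "$PYENV_ROOT/plugins/python-build/bin/python-build" "$(pyenv latest -f -k 3.13)" "$HOME/python3.13"
ENV PATH="${PATH}:/home/renovate/python3.13/bin"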
WORKDIR /home/renovate/renovate

# Fetch the Renovate fork that carries the RPM lockfile support.
# NOTE(review): `rpm-lockfiles-new` is a branch, so the code that gets built is
# whatever that branch points at when the image is built. Check out a recorded
# commit SHA after cloning if the build has to be reproducible and reviewable.
RUN git clone --depth=1 --branch rpm-lockfiles-new https://github.com/redhat-exd-rebuilds/renovate.git .

# Stamp this build's version over the placeholder in package.json.
RUN sed -i "s/0.0.0-semantic-release/${RENOVATE_VERSION}/g" package.json

# Install the project dependencies, build Renovate, install it under
# /home/renovate, then trim the pnpm store and the npm cache in the same layer.
# NOTE(review): `pnpm install` is run without --frozen-lockfile; confirm the
# lockfile is enforced here, otherwise dependency versions can drift from what
# the repository records.
RUN pnpm install && \
    pnpm build && \
    npm install --prefix /home/renovate . && \
    pnpm store prune && \
    npm cache clean --force
WORKDIR /home/renovate/rpm-lockfile-prototype

# Fetch rpm-lockfile-prototype at the tag chosen by
# RPM_LOCKFILE_PROTOTYPE_VERSION.
# NOTE(review): a tag can be moved upstream; recording the commit SHA it should
# resolve to makes a change visible.
RUN git clone --depth=1 --branch v${RPM_LOCKFILE_PROTOTYPE_VERSION} https://github.com/konflux-ci/rpm-lockfile-prototype.git .

# The install below runs as root, then the build drops back to UID 1001.
# The project itself is installed with --no-dependencies because pip would
# otherwise try to fetch dnf from PyPI, which is just a dummy package; the
# dependencies it does need are listed by hand.
# NOTE(review): those four PyPI packages are unpinned and installed as root, so
# their install-time code runs with root privileges during the build. Pin
# versions, ideally with hashes.
USER root
RUN pip3 install jsonschema PyYaml productmd requests && \
    pip3 install --no-dependencies . && \
    pip3 cache purge
USER 1001

WORKDIR /workspace