From 4c2bf161b00f3a68726754401c0552f7aea53399 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9s=20Zacchino?=
Date: Mon, 13 Jan 2025 14:50:00 -0300
Subject: [PATCH] [ADD] Secrets

---
 .github/workflows/build.yaml | 37 +++++++++++++++++++-----------------
 Dockerfile | 34 ++++++++++++++++++++++-----------
 2 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index fb31a59..a28a7b2 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -3,11 +3,12 @@ name: build
 on:
 workflow_dispatch:
 inputs:
+ # TODO: skip geoIP check
 odoo_target:
 description: "Odoo Version"
 required: true
 type: choice
- options:
+ options:
 - "18.0"
 default: "18.0"
 odoo_build_force:
@@ -44,7 +45,7 @@ jobs:
 steps:
 - name: Check if GeoIP has any update
 id: get-last-modified
- run: |
+ run: |
 MAXMIND_UPDATE=$(curl -I -sL -u ${MAXMIND_LICENSE_USR}:${MAXMIND_LICENSE_KEY} 'https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz' | grep -i 'Last-Modified')
 MAXMIND_UPDATE=${MAXMIND_UPDATE#*: }
 MAXMIND_UPDATE=$(date -d "$MAXMIND_UPDATE" +"%Y%m%d%H%M%S")
@@ -92,18 +93,20 @@ jobs:
 cache-to: type=gha,mode=max
 context: .
 push: true
- build-args: |
- MAXMIND_LICENSE_USER=${{ secrets.MAXMIND_LICENSE_USR }}
+ secrets: |
+ MAXMIND_LICENSE_USR=${{ secrets.MAXMIND_LICENSE_USR }}
 MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }}
- MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
- ODOO_VERSION=${{ env.ODOO_TARGET }}
- ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}.${{ env.ODOO_BUILD }}
+ # SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
+ # SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
+ # GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
+ build-args: |
 SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
 SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
 GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
+ MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
+ ODOO_VERSION=${{ env.ODOO_TARGET }}
+ ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}.${{ env.ODOO_BUILD }}
 ODOO_BY_ADHOC_BUILD=${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}.${{ env.ODOO_BY_ADHOC_BUILD }}
- # Force to recreate this layer (this is no longer needed due the ODOO_BY_ADHOC_BUILD)
- # no-cache-filters: aggregate-source
 target: dev
 tags: |
 docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next.${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}.dev
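Review bot: `SAAS_PROVIDER_TOKEN` and `GITHUB_BOT_TOKEN` are still passed under `build-args:` in this dev step, and the prod step hunk (`@@ -117,15 +120,18 @@`) repeats the same block, so only the MaxMind credentials actually move to `secrets:`. Build arguments are not a confidential channel: they can be recovered from image history and build metadata for the stages that consume them, and both steps run with `push: true` and `cache-to: type=gha,mode=max`. When the Dockerfile is ready to mount them, uncomment the three `# SAAS_PROVIDER_URL=…`, `# SAAS_PROVIDER_TOKEN=…`, `# GITHUB_BOT_TOKEN=…` entries under `secrets:` and delete the matching lines from `build-args:` in the same change, so the values never travel both ways. Until then I would add a comment above `build-args:` stating that these two tokens are knowingly exposed to the build and should be narrowly scoped. Both step definitions start and end outside their hunks.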
@@ -117,15 +120,18 @@ jobs:
 cache-to: type=gha,mode=max
 context: .
 push: true
- build-args: |
- MAXMIND_LICENSE_USER=${{ secrets.MAXMIND_LICENSE_USR }}
+ secrets: |
+ MAXMIND_LICENSE_USR=${{ secrets.MAXMIND_LICENSE_USR }}
 MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }}
- MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
- ODOO_VERSION=${{ env.ODOO_TARGET }}
- ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}
+ # SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
+ # SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
+ # GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
+ build-args: |
 SAAS_PROVIDER_URL=${{ secrets.SAAS_PROVIDER_URL }}
 SAAS_PROVIDER_TOKEN=${{ secrets.SAAS_PROVIDER_TOKEN }}
 GITHUB_BOT_TOKEN=${{ secrets.BOT_TOKEN_GITHUB }}
+ MAXMIND_UPDATE=${{ env.MAXMIND_UPDATE }}
+ ODOO_VERSION=${{ env.ODOO_TARGET }}
 ODOO_BUILD=${{ steps.get-odoo-build.outputs.date }}.${{ env.ODOO_BUILD }}
 ODOO_BY_ADHOC_BUILD=${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}.${{ env.ODOO_BY_ADHOC_BUILD }}
 target: prod
@@ -133,6 +139,3 @@ jobs:
 docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next.${{ steps.get-odoo-adhoc-build.outputs.date }}.${{ github.run_number }}
 docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next.${{ steps.get-odoo-adhoc-build.outputs.date }}
 docker.io/adhoc/odoo-adhoc:${{ env.ODOO_TARGET }}.next
-
-
-
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 295e264..efcc347 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@ -# GeoIP db from MaxMind (need to be refreshed TODO: refresh ¿on update/daily?) +# GeoIP db from MaxMind FROM debian:12-slim AS geo-ip -ARG MAXMIND_LICENSE_KEY=default \ - MAXMIND_LICENSE_USR=1011117 \ - MAXMIND_UPDATE=default -RUN mkdir -p /GeoIP \ +ARG MAXMIND_UPDATE=default +RUN --mount=type=secret,id=MAXMIND_LICENSE_KEY,env=MAXMIND_LICENSE_KEY \ + --mount=type=secret,id=MAXMIND_LICENSE_USR,env=MAXMIND_LICENSE_USR \ + mkdir -p /GeoIP \ && cd /GeoIP \ && apt-get -qq update \ && apt-get install -yqq --no-install-recommends curl ca-certificates \ @@ -11,7 +11,6 @@ RUN mkdir -p /GeoIP \ && tar -xzf /GeoIP/GeoLite2-City.tar.gz -C /GeoIP \ && find /GeoIP/GeoLite2-City_* | grep "GeoLite2-City.mmdb" | xargs -I{} mv {} /GeoIP \ && rm /GeoIP/GeoLite2-City.tar.gz \ - && chown -R $ODOO_USER:$ODOO_USER /GeoIP \ && apt-get purge -yqq curl ca-certificates \ && rm -Rf /var/lib/apt/lists/* /tmp/* @@ -180,9 +179,7 @@ USER odoo ## ---------------------------------------------------------------- SO FROM os-base AS os-base-updated -ARG ODOO_BY_ADHOC_MINOR_VERSION="" \ - ODOO_BY_ADHOC_BUILD=0 -ENV ODOO_BY_ADHOC_MINOR_VERSION="$ODOO_BY_ADHOC_MINOR_VERSION" +ARG ODOO_BY_ADHOC_BUILD=0 USER root RUN export NEEDRESTART_MODE=a \ && export DEBIAN_FRONTEND=noninteractive \ 
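Review bot: The two `--mount=type=secret` lines on the geo-ip `RUN` do not set `required=true`, so a missing or misnamed secret id just leaves `MAXMIND_LICENSE_KEY` / `MAXMIND_LICENSE_USR` unset and the failure surfaces, if at all, somewhere in the download step. The workflow carried exactly that kind of mismatch before this commit (`MAXMIND_LICENSE_USER` against `MAXMIND_LICENSE_USR`), so failing fast is worth the extra option: `RUN --mount=type=secret,id=MAXMIND_LICENSE_KEY,env=MAXMIND_LICENSE_KEY,required=true \`, and the same on the `MAXMIND_LICENSE_USR` line. The `env=` form of a secret mount also needs a recent Dockerfile frontend, and the new line 1 is an ordinary comment, so no `# syntax=docker/dockerfile:1` directive pins one; adding that as the first line would stop the build depending on whichever BuildKit the runner bundles. The `RUN` continues past this hunk, and the command that consumes the two variables is not visible here.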
@@ -198,10 +195,17 @@ RUN export NEEDRESTART_MODE=a \ USER $ODOO_USER FROM os-base-updated AS aggregate-source +ARG DOCKER_IMAGE="adhoc/odoo-adhoc" +# TODO: Change this when gitagrregate on entry point is disabled ARG SAAS_PROVIDER_TOKEN=default \ SAAS_PROVIDER_URL="" \ - DOCKER_IMAGE="adhoc/odoo-adhoc" \ GITHUB_BOT_TOKEN="" +ENV SAAS_PROVIDER_TOKEN=$SAAS_PROVIDER_TOKEN \ + SAAS_PROVIDER_URL=$SAAS_PROVIDER_URL \ + GITHUB_BOT_TOKEN=$GITHUB_BOT_TOKEN + # --mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN \ + # --mount=type=secret,id=SAAS_PROVIDER_URL,env=SAAS_PROVIDER_URL \ + # --mount=type=secret,id=GITHUB_BOT_TOKEN,env=GITHUB_BOT_TOKEN \ RUN git config --global init.defaultBranch main \ && git config --global pull.rebase true \ && git config --global user.name "John Doe" \ @@ -227,6 +231,10 @@ RUN find $SOURCES \( -path $SOURCES/openupgradelib -o -path $SOURCES/upgrade-uti FROM os-base-updated AS prod COPY --from=aggregate-source-without-git --chown=$ODOO_USER:$ODOO_USER $SOURCES $SOURCES COPY --from=aggregate-source --chown=$ODOO_USER:$ODOO_USER $RESOURCES/saas-odoo_project_repos.yml $RESOURCES/saas-odoo_project_version_repos.yml $RESOURCES +# TODO: Change this when gitagrregate on entry point is disabled +# --mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN \ +# --mount=type=secret,id=SAAS_PROVIDER_URL,env=SAAS_PROVIDER_URL \ +# --mount=type=secret,id=GITHUB_BOT_TOKEN,env=GITHUB_BOT_TOKEN \ RUN pip install --user --no-cache-dir -e $SOURCES/odoo \ && autoaggregate_pip --config "$RESOURCES/saas-odoo_project_repos.yml" --output "$SOURCES/repositories" \ && autoaggregate_pip --config "$RESOURCES/saas-odoo_project_version_repos.yml" --output "$SOURCES/repositories" \ 
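Review bot: The added `ENV SAAS_PROVIDER_TOKEN=$SAAS_PROVIDER_TOKEN \ … GITHUB_BOT_TOKEN=$GITHUB_BOT_TOKEN` writes the token values into the `aggregate-source` stage's image configuration, where they persist for every later instruction and for any stage built `FROM` it; that is wider than the `ARG` declaration alone. The `prod` and `dev` stages shown in this patch start `FROM os-base-updated`, so the variables probably do not reach the pushed images, but that cannot be confirmed from these hunks and the stage can still land in the exported build cache. If only the following `RUN git config …` needs the values, drop the `ENV` and move the three commented `--mount=type=secret,id=…,env=…` options onto that `RUN` instead of leaving them as indented comments between two instructions. The TODO above the `ARG` should also name the blocking condition precisely and spell `gitaggregate` correctly so it can be found by search. The `RUN` that follows continues outside the hunk.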
@@ -236,6 +244,10 @@ FROM os-base-updated AS dev COPY --from=aggregate-source --chown=$ODOO_USER:$ODOO_USER $SOURCES $SOURCES COPY --from=aggregate-source --chown=$ODOO_USER:$ODOO_USER $RESOURCES/saas-odoo_project_repos.yml $RESOURCES/saas-odoo_project_version_repos.yml $RESOURCES USER root + +# --mount=type=secret,id=SAAS_PROVIDER_TOKEN,env=SAAS_PROVIDER_TOKEN \ +# --mount=type=secret,id=SAAS_PROVIDER_URL,env=SAAS_PROVIDER_URL \ +# --mount=type=secret,id=GITHUB_BOT_TOKEN,env=GITHUB_BOT_TOKEN \ RUN --mount=type=bind,src=requirements/tools/dev/dev.packages,dst=/home/odoo/tools.dev.dev.packages \ --mount=type=bind,src=requirements/tools/test/test.packages,dst=/home/odoo/tools.test.test.packages \ --mount=type=bind,src=requirements/tools/test/requirements.txt,dst=/home/odoo/tools.test.requirements.txt \ @@ -251,5 +263,5 @@ RUN --mount=type=bind,src=requirements/tools/dev/dev.packages,dst=/home/odoo/too && su - $ODOO_USER -c "autoaggregate_pip --config \"$RESOURCES/saas-odoo_project_repos.yml\" --output \"$SOURCES/repositories\"" \ && su - $ODOO_USER -c "autoaggregate_pip --config \"$RESOURCES/saas-odoo_project_version_repos.yml\" --output \"$SOURCES/repositories\"" \ && rm $RESOURCES/saas-odoo_project_repos.yml $RESOURCES/saas-odoo_project_version_repos.yml \ - && chsh -s /bin/false $ODOO_USER + && chsh -s /bin/false $ODOO_USER USER $ODOO_USER