# Build with: podman build --ulimit nofile=65535:65535 . -t custom-renovate
# Run with: podman run --rm <additional args> custom-renovate renovate

# NOTE(review): the base image reference has neither a tag nor a digest, so
# each rebuild resolves whatever the registry serves as the default tag at
# that moment. Pin a tag, and a digest where reproducible builds matter.
FROM registry.access.redhat.com/ubi9-minimal

# Image metadata, keys in alphabetical order.
# NOTE(review): the maintainer address looks replaced by the hosting page's
# e-mail obfuscation; restore the real value from the repository.
LABEL com.redhat.component="mintmaker-renovate-image" \
      description="Mintmaker - Renovate custom image" \
      distribution-scope="public" \
      io.k8s.description="Mintmaker - Renovate custom image" \
      maintainer="EXD Rebuilds Guild <[email protected] >" \
      release="0.0.1" \
      summary="Mintmaker basic container image - a Renovate custom image" \
      url="https://github.com/konflux-ci/mintmaker-renovate-image/" \
      vendor="Red Hat, Inc."
# Version string written into Renovate's package.json further down. The number
# follows upstream Renovate; the `-rpm` suffix marks the fork that has RPM
# lockfile support enabled.
ARG RENOVATE_VERSION=38.132.0-rpm

# Release of the rpm-lockfile-prototype executable (used below as the git tag
# `v<version>`), taken from
# https://github.com/konflux-ci/rpm-lockfile-prototype/tags
ARG RPM_LOCKFILE_PROTOTYPE_VERSION=0.13.1

# NodeJS release that runs Renovate; it has to satisfy the version specified
# in Renovate's package.json.
ARG NODEJS_VERSION=20.17.0

# NODE_OPTIONS: use the OpenSSL certificate store, which can be modified
# externally; this is needed for the internal Red Hat cert.
# LANG: UTF-8 locale for the tools running in the image.
ENV NODE_OPTIONS=--use-openssl-ca \
    LANG=C.UTF-8
# Update the base packages, install the toolchain and clean the package
# manager cache in the same layer. Packages are listed alphabetically.
# NOTE(review): `microdnf update` together with unversioned package names
# makes the image contents depend on the build date.
# NOTE(review): the -devel packages are presumably here so pyenv can compile
# Python interpreters at runtime; confirm, since they enlarge the runtime image.
RUN microdnf update -y && \
    microdnf install -y \
        bzip2 \
        bzip2-devel \
        cargo \
        findutils \
        git \
        golang \
        libffi-devel \
        ncurses-devel \
        openssl \
        python3-dnf \
        python3-pip \
        python3.9 \
        python3.11 \
        python3.11-pip \
        python3.12 \
        python3.12-pip \
        readline \
        skopeo \
        sqlite \
        sqlite-devel \
        xz \
        xz-devel \
        zlib-devel && \
    microdnf clean all
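# Install the Tekton CLI (tkn) from the upstream release archive.
# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page; -sS keeps the build log quiet but still prints failures.
# --no-same-owner: tar runs as root here and would otherwise keep the uid/gid
# recorded in the archive on a binary placed in /usr/bin.
# NOTE(review): the archive is unpacked without being checked against a known
# digest. Record the release's SHA-256 next to the version and verify it
# before extraction, e.g.
#   echo "<TKN_SHA256_PLACEHOLDER>  /tmp/tkn.tar.gz" | sha256sum -c -
RUN curl -fsSL -o /tmp/tkn.tar.gz https://github.com/tektoncd/cli/releases/download/v0.38.1/tkn_0.38.1_Linux_x86_64.tar.gz && \
    tar xvzf /tmp/tkn.tar.gz --no-same-owner -C /usr/bin/ tkn && \
    rm -f /tmp/tkn.tar.gz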
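# Install nodejs from the official binary tarball.
# Download, verification, unpacking and cleanup share one layer, so the
# tarball does not stay behind in an earlier layer of the image.
# -f makes curl fail on an HTTP error instead of saving the error page.
# The tarball is checked against the release's SHASUMS256.txt;
# --ignore-missing skips the entries for files that were not downloaded, and
# sha256sum still fails when no file at all was verified.
# NOTE(review): the checksum list comes from the same origin as the tarball,
# so this catches a truncated or corrupted download, not a tampered origin.
# For that, verify SHASUMS256.txt.asc against the Node.js release keys or pin
# the expected digest in this file.
# --no-same-owner: tar runs as root and would otherwise keep the uid/gid
# recorded in the archive on files that end up in /bin and /lib.
RUN curl -fsSLO https://nodejs.org/dist/v${NODEJS_VERSION}/node-v${NODEJS_VERSION}-linux-x64.tar.xz && \
    curl -fsSLO https://nodejs.org/dist/v${NODEJS_VERSION}/SHASUMS256.txt && \
    sha256sum -c --ignore-missing SHASUMS256.txt && \
    tar xf node-v${NODEJS_VERSION}-linux-x64.tar.xz --no-same-owner && \
    mv node-v${NODEJS_VERSION}-linux-x64/bin/* /bin/ && \
    mv node-v${NODEJS_VERSION}-linux-x64/include/* /include/ && \
    mv node-v${NODEJS_VERSION}-linux-x64/lib/* /lib/ && \
    rm -fr node-v${NODEJS_VERSION}-linux-x64 && \
    rm -f node-v${NODEJS_VERSION}-linux-x64.tar.xz SHASUMS256.txt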
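# Add renovate user and switch to it.
# The user gets uid 1001 and primary group 0, and its home is made
# group-writable; presumably this lets the image run under an arbitrary uid
# that is a member of group 0 (confirm against the target platform).
# The directories get mode 2775 (setgid, group-writable) instead of the former
# recursive 6775: the setuid bit is not needed for group access, and applying
# it recursively also marked every skeleton file setuid/setgid-executable.
# Files only get group read/write added (X keeps execute limited to
# directories and files that are already executable).
RUN useradd -lms /bin/bash -u 1001 -g 0 renovate && \
    mkdir -p /home/renovate/.cache && \
    chown :0 /home/renovate /home/renovate/.cache && \
    chmod -R g+rwX /home/renovate && \
    chmod 2775 /home/renovate /home/renovate/.cache
WORKDIR /home/renovate
# Numeric uid so a runtime can verify the container does not run as root.
USER 1001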
# Enable renovate user's bin dirs,
# ~/.local/bin for Python executables
# ~/node_modules/.bin for renovate
# The remaining entries cover Go binaries (~/go/bin), pyenv (~/.pyenv/bin) and
# a Go bin directory under /tmp/renovate/cache.
# NOTE(review): every added directory is writable by the renovate user and is
# searched before the system directories, and one of them lives under /tmp.
# A file dropped into any of them shadows the system binary of the same name.
# Confirm each entry is needed, and consider listing them after ${PATH}.
ENV PATH="/home/renovate/.local/bin:/home/renovate/node_modules/.bin:/home/renovate/go/bin:/home/renovate/.pyenv/bin:/tmp/renovate/cache/others/go/bin:${PATH}"
# Install package managers
# NOTE(review): the package spec on the next line appears mangled by the
# hosting page's e-mail obfuscation. The later `pnpm install` step suggests it
# was a version-pinned pnpm; restore the exact spec from the repository.
RUN npm install [email protected] && npm cache clean --force
# pipx installs each Python tool into its own virtualenv, which avoids
# dependency issues with other global packages.
RUN pip3.12 install --user pipx && \
    pip3.12 cache purge

# Python package managers, one per line; the pipx and pip caches are removed
# in the same layer.
# NOTE(review): none of these tools, nor pipx itself, is version-pinned, so
# each build installs whatever PyPI currently publishes. Pin versions to keep
# builds reproducible and to review upgrades before they land.
RUN pipx install --python python3.12 \
        poetry \
        pdm \
        pipenv \
        hashin \
        uv \
        hatch \
        pip-tools && \
    rm -fr ~/.cache/pipx && \
    pip3.12 cache purge
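# Install pyenv.
# The installer is saved to a file and then executed, rather than piped into
# the shell: with `curl | sh` a failed download hands the shell an empty
# script, the pipeline still exits 0 and the build continues without pyenv.
# -f makes curl fail on an HTTP error instead of saving the error page.
# NOTE(review): the installer script itself is fetched unpinned and
# unverified. pyenv-installer appears to honour PYENV_GIT_TAG for selecting a
# pyenv release; consider setting it to a reviewed tag (confirm upstream).
RUN curl -fsSL -o /tmp/pyenv-installer.sh https://pyenv.run && \
    sh /tmp/pyenv-installer.sh && \
    rm -f /tmp/pyenv-installer.sh
# Append pyenv's shell setup to the user's ~/.profile.
RUN echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.profile && \
    echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.profile && \
    echo 'eval "$(pyenv init -)"' >> ~/.profile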
WORKDIR /home/renovate/renovate

# Shallow-clone the Renovate fork that includes the RPM lockfile support.
# NOTE(review): `rpm-lockfiles-new` is a branch, so the build takes whatever
# commit the branch points at when the image is built. Check out a specific
# commit or tag if the built source has to be reviewable and repeatable.
RUN git clone \
        --depth=1 \
        --branch rpm-lockfiles-new \
        https://github.com/redhat-exd-rebuilds/renovate.git \
        .

# Stamp this build's version over the placeholder in package.json.
RUN sed -i "s/0.0.0-semantic-release/${RENOVATE_VERSION}/g" package.json

# Install the project dependencies, build Renovate, install it into
# /home/renovate, then drop the pnpm store leftovers and the npm cache in the
# same layer.
# NOTE(review): `pnpm install` runs without --frozen-lockfile; confirm whether
# the build should fail when pnpm-lock.yaml and package.json disagree.
RUN pnpm install && \
    pnpm build && \
    npm install --prefix /home/renovate . && \
    pnpm store prune && \
    npm cache clean --force
WORKDIR /home/renovate/rpm-lockfile-prototype

# Shallow-clone rpm-lockfile-prototype at the release tag selected by
# RPM_LOCKFILE_PROTOTYPE_VERSION.
RUN git clone \
        --depth=1 \
        --branch v${RPM_LOCKFILE_PROTOTYPE_VERSION} \
        https://github.com/konflux-ci/rpm-lockfile-prototype.git \
        .

# The install below runs as root.
# The runtime dependencies are installed explicitly and the project itself
# with --no-dependencies; otherwise pip would try to fetch dnf from PyPI,
# which is just a dummy package.
# NOTE(review): jsonschema, PyYaml, productmd and requests are unpinned and
# installed as root; pin their versions so an upstream release cannot change
# the image unreviewed.
USER root
RUN pip3 install jsonschema PyYaml productmd requests && \
    pip3 install --no-dependencies . && \
    pip3 cache purge

# Drop back to the unprivileged renovate user for runtime.
USER 1001
WORKDIR /workspace