core/ci: check docker base images (#4906)

* check docker base images * test bad image * debugging * fix missing gcr image * restore hash * fix docker tag * improved check * fix variable * fix check
2025-04-28 09:56:31 +02:00 · 2024-01-12 12:25:28 -07:00 · 2024-01-12 12:25:28 -07:00 · d5b4910951
commit d5b4910951
parent c7c2087483
3 changed files with 96 additions and 1 deletions
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@ -140,3 +140,10 @@ jobs:
            github.event.pull_request.head.sha }}
        env:
          SKIP: lint
+
+  check-docker-images:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - run: ./scripts/check-docker-images
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@ -30,7 +30,7 @@ RUN make build-debug NAME=pomerium
 RUN touch /config.yaml
 RUN go install github.com/go-delve/delve/cmd/dlv@latest

-FROM debian:bookworm@sha256:22cc4de537485807b7efe6f4c942d7460c4482852f49434f9c022c044c545a90
+FROM debian:bookworm@sha256:b16cef8cbcb20935c0f052e37fc3d38dc92bfec0bcfb894c328547f81e932d67
 ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
--- a/scripts/check-docker-images
+++ b/scripts/check-docker-images
@ -0,0 +1,88 @@
+#!/usr/bin/bash
+set -euo pipefail
+
+inspect-manifest() {
+    local _image
+    _image="${1?"image is required"}"
+
+    local _temp_dir
+    _temp_dir="${TMPDIR-/tmp}"
+    local _image_hash
+    _image_hash="$(echo -n "$_image" | shasum | cut -f1 -d' ')"
+    local _temp_file
+    _temp_file="${_temp_dir}/check-docker-image-${_image_hash}.json"
+
+    if [ ! -f "$_temp_file" ]; then
+        docker buildx imagetools inspect \
+            --format='{{json .}}' \
+            "$_image" >"$_temp_file"
+    fi
+
+    cat "$_temp_file"
+}
+
+check-image() {
+    local _image
+    _image="${1?"image is required"}"
+
+    echo "checking image=$_image"
+
+    local _manifest
+    _manifest="$(inspect-manifest "$_image")"
+
+    local _has_arm64
+    _has_arm64="$(echo "$_manifest" | jq '
+        .manifest.manifests
+        | map(select(.platform.architecture == "arm64" and .platform.os == "linux"))
+        | length >= 1
+    ')"
+
+    if [[ "$_has_arm64" != "true" ]]; then
+        echo "- missing ARM64 in $_manifest"
+        exit 1
+    fi
+
+    local _has_amd64
+    _has_amd64="$(echo "$_manifest" | jq '
+        .manifest.manifests
+        | map(select(.platform.architecture == "amd64" and .platform.os == "linux"))
+        | length >= 1
+    ')"
+
+    if [[ "$_has_amd64" != "true" ]]; then
+        echo "- missing AMD64 in $_manifest"
+        exit 1
+    fi
+}
+
+check-dockerfile() {
+    local _file
+    _file="${1?"file is required"}"
+
+    echo "checking dockerfile=$_file"
+
+    while IFS= read -r _image; do
+        check-image "$_image"
+    done < <(sed -n -r -e 's/^FROM ([^:]*)(:[^@]*)(@sha256[^ ]*).*$/\1\2\3/p' "$_file")
+}
+
+check-directory() {
+    local _directory
+    _directory="${1?"directory is required"}"
+
+    echo "checking directory=$_directory"
+
+    local _file
+    while IFS= read -r -d '' _file; do
+        check-dockerfile "$_file"
+    done < <(find "$_directory" -name "*Dockerfile*" -print0)
+}
+
+main() {
+    local _project_root
+    _project_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
+
+    check-directory "$_project_root"
+}
+
+main