From d5b4910951c96b8db2bc3a9b4668933bd682dea8 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Fri, 12 Jan 2024 12:25:28 -0700
Subject: [PATCH] core/ci: check docker base images (#4906)
* check docker base images
* test bad image
* debugging
* fix missing gcr image
* restore hash
* fix docker tag
* improved check
* fix variable
* fix check
---
 .github/workflows/test.yaml | 7 +++
 Dockerfile.debug | 2 +-
 scripts/check-docker-images | 88 +++++++++++++++++++++++++++++++++++++
 3 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100755 scripts/check-docker-images
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 910de7905..c0fe838fd 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -140,3 +140,10 @@ jobs:
 github.event.pull_request.head.sha }}
 env:
 SKIP: lint
+
+ check-docker-images:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request'
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - run: ./scripts/check-docker-images
diff --git a/Dockerfile.debug b/Dockerfile.debug
index 9d14dd593..9f63eac06 100644
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -30,7 +30,7 @@ RUN make build-debug NAME=pomerium
 RUN touch /config.yaml
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
-FROM debian:bookworm@sha256:22cc4de537485807b7efe6f4c942d7460c4482852f49434f9c022c044c545a90
+FROM debian:bookworm@sha256:b16cef8cbcb20935c0f052e37fc3d38dc92bfec0bcfb894c328547f81e932d67
 ENV AUTOCERT_DIR /data/autocert
 WORKDIR /pomerium
 COPY --from=build /go/src/github.com/pomerium/pomerium/bin/* /bin/
diff --git a/scripts/check-docker-images b/scripts/check-docker-images
new file mode 100755
index 000000000..d5bebf299
--- /dev/null
+++ b/scripts/check-docker-images
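Review bot: The new check-docker-images job sets no `timeout-minutes`, yet the script it runs does one `docker buildx imagetools inspect` registry round-trip per matched FROM line, so a stalled registry would hold the runner until the default job timeout; adding `timeout-minutes: 10` (a constructed value, tune to the number of Dockerfiles) under `runs-on` bounds that. The `if: github.event_name == 'pull_request'` gate also means a Dockerfile change that lands without a pull request is never inspected; if that is intended, a one-line comment such as `# runs on pull requests only; direct pushes are not checked` would save the next reader the question. The indentation of this hunk was lost in the collapsed rendering, so the job's nesting under `jobs:` is inferred rather than visible.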
@@ -0,0 +1,88 @@
+#!/usr/bin/bash
+set -euo pipefail
+
+inspect-manifest() {
+ local _image
+ _image="${1?"image is required"}"
+
+ local _temp_dir
+ _temp_dir="${TMPDIR-/tmp}"
+ local _image_hash
+ _image_hash="$(echo -n "$_image" | shasum | cut -f1 -d' ')"
+ local _temp_file
+ _temp_file="${_temp_dir}/check-docker-image-${_image_hash}.json"
+
+ if [ ! -f "$_temp_file" ]; then
+ docker buildx imagetools inspect \
+ --format='{{json .}}' \
+ "$_image" >"$_temp_file"
+ fi
+
+ cat "$_temp_file"
+}
+
+check-image() {
+ local _image
+ _image="${1?"image is required"}"
+
+ echo "checking image=$_image"
+
+ local _manifest
+ _manifest="$(inspect-manifest "$_image")"
+
+ local _has_arm64
+ _has_arm64="$(echo "$_manifest" | jq '
+ .manifest.manifests
+ | map(select(.platform.architecture == "arm64" and .platform.os == "linux"))
+ | length >= 1
+ ')"
+
+ if [[ "$_has_arm64" != "true" ]]; then
+ echo "- missing ARM64 in $_manifest"
+ exit 1
+ fi
+
+ local _has_amd64
+ _has_amd64="$(echo "$_manifest" | jq '
+ .manifest.manifests
+ | map(select(.platform.architecture == "amd64" and .platform.os == "linux"))
+ | length >= 1
+ ')"
+
+ if [[ "$_has_amd64" != "true" ]]; then
+ echo "- missing AMD64 in $_manifest"
+ exit 1
+ fi
+}
+
+check-dockerfile() {
+ local _file
+ _file="${1?"file is required"}"
+
+ echo "checking dockerfile=$_file"
+
+ while IFS= read -r _image; do
+ check-image "$_image"
+ done < <(sed -n -r -e 's/^FROM ([^:]*)(:[^@]*)(@sha256[^ ]*).*$/\1\2\3/p' "$_file")
+}
+
+check-directory() {
+ local _directory
+ _directory="${1?"directory is required"}"
+
+ echo "checking directory=$_directory"
+
+ local _file
+ while IFS= read -r -d '' _file; do
+ check-dockerfile "$_file"
+ done < <(find "$_directory" -name "*Dockerfile*" -print0)
+}
+
+main() {
+ local _project_root
+ _project_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
+
+ check-directory "$_project_root"
+}
+
+main
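Review bot: The sed pattern in check-dockerfile, `s/^FROM ([^:]*)(:[^@]*)(@sha256[^ ]*).*$/\1\2\3/p`, only emits FROM lines that carry both a `:tag` and an `@sha256:` digest, so a base image written as `FROM image:tag` or `FROM image@sha256:...` is silently never inspected and the check passes; since the whole point of the job is to vet base images, a second `sed -n` pass that prints FROM lines lacking `@sha256` and fails (or at least warns) on them would close that gap, with stage references such as `FROM build` filtered out by matching only names containing `/` or `:`. Separately, in inspect-manifest the redirect `"$_image" >"$_temp_file"` creates the cache file before docker runs, and because bash clears `-e` inside `$(...)` unless `shopt -s inherit_errexit` is set, a failed inspect leaves an empty cache file that every later run reuses via the `[ ! -f "$_temp_file" ]` guard; writing to `"$_temp_file.tmp"` and then `mv "$_temp_file.tmp" "$_temp_file"` only on success, plus `shopt -s inherit_errexit` after `set -euo pipefail`, keeps a transient registry error from poisoning the cache. The `missing ARM64 in $_manifest` message will then report an empty manifest for that failure, so echoing the image name there instead would make the cause visible in CI logs.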