Merged
4 changes: 0 additions & 4 deletions .github/workflows/ci.yml
@@ -10,10 +10,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: |
docker build notary-builder --tag notary:builder
tag="$(docker run --rm notary:builder sh -c 'echo $TAG' | awk '{gsub(/^v/, ""); print}')"
docker tag notary:builder "notary:${tag}-builder"
Why is the builder variant being removed?

- run: docker build notary-server --tag notary:server
- run: docker build notary-signer --tag notary:signer
- uses: actions/checkout@v3 # clone Notary upstream repo (used for generating necessary certificates to test against)
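Review bot: with the `notary:builder` image gone, the server and signer builds each run the full Go build stage that Dockerfile.template now inlines (clone, cherry-pick, `go mod vendor`, `make`), so CI compiles Notary twice and no longer produces a shared artifact; if that duplication is acceptable for a two-image repo, a one-line comment here saying the builder was folded into each Dockerfile would answer the question raised above for the next reader. The second `actions/checkout@v3` step's `with:` block (repository and ref) falls below this hunk; since the certificates it generates are what the tests trust, it is worth confirming that it pins a tag or commit rather than a default branch.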
1 change: 0 additions & 1 deletion .gitignore
@@ -1,2 +1 @@
.jq-template.awk
.template-helper-functions.jq
38 changes: 0 additions & 38 deletions Dockerfile-builder.template

This file was deleted.

30 changes: 29 additions & 1 deletion Dockerfile.template
@@ -1,3 +1,31 @@
FROM golang:1.19-alpine{{ .alpine }} AS build

Perhaps #36 should just be closed and its changes included in this PR?


RUN apk add --no-cache git make

ENV NOTARYPKG github.com/theupdateframework/notary

Suggested change
ENV NOTARYPKG github.com/theupdateframework/notary
ENV NOTARYPKG github.com/notaryproject/notary

Member Author

This must match what is in the Go manifest, which in version 0.7.0 is still that one, as per:

https://github.com/notaryproject/notary/blob/b0b6bfdd4933081e8d5ae026b24e8337311dd598/go.mod#L1

They are the same repo, theupdateframework/notary redirects to notaryproject/notary, as your link shows.

Member

Right, but this is used in the Go modules, so it has to match what Go thinks the module name is 🙃

Member Author

Exactly! It's confusing, I know.

Member

Careful; the module wasn't renamed yet in the current release though (still uses github.com/theupdateframework/notary); https://github.com/notaryproject/notary/blob/v0.7.0/go.mod#L1

i.e. github.com/notaryproject/notary did not yet do a release

ENV TAG v{{ .version }}

ENV GOFLAGS -mod=vendor

WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
# In case the version in file doens't match the tag (like in 0.7.0)

Suggested change
# In case the version in file doens't match the tag (like in 0.7.0)
# In case the version in file doesn't match the tag (like in 0.7.0)

What does this mean?

Member Author

When version 0.7.0 was released, the main file used in the code to determine the version wasn't bumped.

This is the 0.7.0 commit where the version is wrong.

https://github.com/notaryproject/notary/blob/b0b6bfdd4933081e8d5ae026b24e8337311dd598/NOTARY_VERSION

echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
# Make the version detectable by scanners
sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \

Suggested change
sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
sed -i -E 's,(version\.NotaryVersion=\$\(NOTARY_VERSION\)),\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION),' Makefile; \

-r and -E are redundant, -E is more common.

I'd avoid using a regular expression special character, | in this case, as the substitution delimiter.

Member Author

Why not the special character? I've seen it done like this many times.

How would you use the special character? How would you escape it?

Member

I usually use -r, but -E is POSIX:

       -E, -r, --regexp-extended

              use  extended regular expressions in the script (for portability
              use POSIX -E).

Perhaps you meant -e, which is otherwise implied?

           [-e script] [--expression=script]
...
           [script-if-no-other-script]
...
       -e script, --expression=script

              add the script to the commands to be executed

Member

I usually use @ or ! as my "non-/ delimiter", but I don't think the exact choice matters that much here, right? If we want to use | in our regex in the future, it's pretty easy to swap then. 🤷

make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
/notary-signer --version;

FROM alpine:{{ .alpine }}

RUN adduser -D -H -g "" notary
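Review bot: the `git clone -b "$TAG"` line pins the source only to a tag name, which upstream can move, while the two fixes below it are pinned to full commit hashes; since the discussion already identifies b0b6bfdd4933081e8d5ae026b24e8337311dd598 as the v0.7.0 commit, consider checking out that hash (or comparing `git rev-parse HEAD` against it right after the clone) so the image is reproducible and a retagged upstream fails the build instead of silently changing what gets shipped. A smaller point in the same RUN: `"${TAG//v/}"` strips every `v` in the tag rather than only the leading one (the removed CI step used `gsub(/^v/, "")` for this); `"${TAG#v}"` expresses the intent and is POSIX.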
@@ -12,7 +40,7 @@ ENV INSTALLDIR /notary/{{ env.variant }}
ENV PATH=$PATH:${INSTALLDIR}
WORKDIR ${INSTALLDIR}

COPY --from=notary:{{ .version }}-builder /notary-{{ env.variant }} /notary.spdx.json ./
COPY --from=build /notary-{{ env.variant }} ./
RUN ./notary-{{ env.variant }} --version

COPY ./{{ env.variant }}-config.json .
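Review bot: the replaced COPY line drops `/notary.spdx.json` from the final image, so the SBOM the builder image used to ship next to the binary is no longer present; if consumers or scanners relied on that file, either regenerate it in the new `build` stage or call the removal out in the PR description. The comment on the `sed` line above says the `-X .../version.Version` flag exists to make the version detectable by scanners, so losing the SPDX document at the same time deserves a deliberate decision rather than a side effect of removing the builder.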
18 changes: 2 additions & 16 deletions apply-templates.sh
@@ -13,14 +13,6 @@ elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
fi

jqf='.template-helper-functions.jq'
if [ -n "${BASHBREW_SCRIPTS:-}" ]; then
jqf="$BASHBREW_SCRIPTS/template-helper-functions.jq"
elif [ "$BASH_SOURCE" -nt "$jqf" ]; then
wget -qO "$jqf" 'https://github.com/docker-library/bashbrew/raw/master/scripts/template-helper-functions.jq'
fi


generated_warning() {
cat <<-EOH
#
@@ -34,21 +26,15 @@ generated_warning() {

export version=latest

for variant in builder signer server; do
for variant in signer server; do
export variant

dockerfile=
dest="notary-$variant/Dockerfile"

rm "$dest"

case "$variant" in
builder)
dockerfile="Dockerfile-$variant.template"
;;
*)
dockerfile="Dockerfile.template"
esac
dockerfile="Dockerfile.template"

{
generated_warning
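Review bot: with the `case` removed, the `dockerfile=` initialisation a few lines above is dead; `dockerfile="Dockerfile.template"` could take its place directly, which also makes it obvious at a glance that every remaining variant renders from the same template.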
31 changes: 0 additions & 31 deletions notary-builder/Dockerfile

This file was deleted.

30 changes: 29 additions & 1 deletion notary-server/Dockerfile
@@ -4,6 +4,34 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#

FROM golang:1.19-alpine3.16 AS build

RUN apk add --no-cache git make

ENV NOTARYPKG github.com/theupdateframework/notary
ENV TAG v0.7.0

ENV GOFLAGS -mod=vendor

WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
# In case the version in file doens't match the tag (like in 0.7.0)
echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
# Make the version detectable by scanners
sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
/notary-signer --version;

FROM alpine:3.16

RUN adduser -D -H -g "" notary
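Review bot: this file is generated (`PLEASE DO NOT EDIT IT DIRECTLY` at the top), so the `doens't` typo and the redundant `-r -E` on the `sed` line that were raised against Dockerfile.template should be fixed there and regenerated with apply-templates.sh rather than here; reviewing this hunk only confirms that `{{ .alpine }}` rendered to 3.16 and `{{ .version }}` to 0.7.0 as expected.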
@@ -13,7 +41,7 @@ ENV INSTALLDIR /notary/server
ENV PATH=$PATH:${INSTALLDIR}
WORKDIR ${INSTALLDIR}

COPY --from=notary:0.7.0-builder /notary-server /notary.spdx.json ./
COPY --from=build /notary-server ./
RUN ./notary-server --version

COPY ./server-config.json .
30 changes: 29 additions & 1 deletion notary-signer/Dockerfile
@@ -4,6 +4,34 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#

FROM golang:1.19-alpine3.16 AS build

RUN apk add --no-cache git make

ENV NOTARYPKG github.com/theupdateframework/notary
ENV TAG v0.7.0

ENV GOFLAGS -mod=vendor

WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
# In case the version in file doens't match the tag (like in 0.7.0)
echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
# https://github.com/notaryproject/notary/issues/1602 (rough cherry-pick of ca095023296d2d710ad9c6dec019397d46bf8576)
go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
# Make the version detectable by scanners
sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
/notary-signer --version;

FROM alpine:3.16

RUN adduser -D -H -g "" notary
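Review bot: the build stage here compiles both `./bin/static/notary-server` and `./bin/static/notary-signer` and runs `--version` on both, while only `/notary-signer` is copied into the final stage below; the identical stage runs again in notary-server/Dockerfile, so each image does twice the build work. If that is a deliberate trade for dropping the builder image, fine; otherwise the template could build only `./bin/static/notary-{{ env.variant }}` and copy that one binary.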
@@ -14,7 +42,7 @@ ENV INSTALLDIR /notary/signer
ENV PATH=$PATH:${INSTALLDIR}
WORKDIR ${INSTALLDIR}

COPY --from=notary:0.7.0-builder /notary-signer /notary.spdx.json ./
COPY --from=build /notary-signer ./
RUN ./notary-signer --version

COPY ./signer-config.json .