Merge pull request #128 from voxpupuli/updates

feat: switch to Containerfile and update CI workflows to use it, update gemset to eliminate duplicates

Author: rwaffen

.github/workflows/build_container.yml

@@ -58,6 +58,7 @@ jobs:
             RUBYGEM_VOXPUPULI_RELEASE=${{ matrix.rubygem_voxpupuli-release }}
             RUBYGEM_VOXPUPULI_TEST=${{ matrix.rubygem_voxpupuli-test }}
           build_arch: linux/${{ matrix.platform }}
+          buildfile: Containerfile
           docker_username: voxpupulibot
           docker_password: ${{ secrets.DOCKERHUB_BOT_ADMIN_TOKEN }}
           tags: |

.github/workflows/ci.yaml

@@ -41,6 +41,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           tags: 'ci/voxbox:${{ matrix.rubygem_puppet }}'
+          file: Containerfile
           push: false
           platforms: linux/${{ matrix.platform }}
           build-args: |

.github/workflows/security_scanning.yml

@@ -43,6 +43,7 @@ jobs:
         with:
           tags: 'ci/voxbox:${{ matrix.rubygem_puppet }}'
           push: false
+          file: Containerfile
           platforms: linux/${{ matrix.platform }}
           build-args: |
             BASE_IMAGE=${{ matrix.base_image }}

Dockerfile renamed to Containerfile

@@ -56,17 +56,24 @@ RUN apk update \
     && bundle config set path.system true \
     && bundle config set jobs $(nproc) \
     && bundle install --gemfile=/Gemfile \
+    && bundle clean --force \
     && rm -rf /usr/local/lib/ruby/gems/*/cache/* \
     && rm -rf /usr/local/lib/ruby/gems/*/gems/cgi-* \
     && rm -rf /usr/local/lib/ruby/gems/*/specifications/default/cgi-*.gemspec \
     && rm -rf /usr/local/lib/ruby/gems/*/gems/stringio-* \
     && rm -rf /usr/local/lib/ruby/gems/*/specifications/default/stringio-*.gemspec \
     && rm -rf /usr/local/lib/ruby/gems/*/gems/rdoc-* \
     && rm -rf /usr/local/lib/ruby/gems/*/specifications/default/rdoc-*.gemspec \
-    && rm -rf /usr/local/lib/ruby/gems/2.7.0/gems/default/rexml-* \
-    && rm -rf /usr/local/lib/ruby/gems/2.7.0/specifications/default/rexml-*.gemspec \
     && rm -rf /usr/local/lib/ruby/gems/*/gems/rexml-* \
-    && rm -rf /usr/local/lib/ruby/gems/*/specifications/rexml-*.gemspec
+    && rm -rf /usr/local/lib/ruby/gems/*/specifications/rexml-*.gemspec \
+    && rm -rf /usr/local/lib/ruby/gems/*/gems/racc-* \
+    && rm -rf /usr/local/lib/ruby/gems/*/specifications/default/racc-*.gemspec \
+    && rm -rf /usr/local/lib/ruby/gems/*/gems/drb-* \
+    && rm -rf /usr/local/lib/ruby/gems/*/specifications/default/drb-*.gemspec \
+    && rm -rf /usr/local/lib/ruby/gems/*/gems/csv-* \
+    && rm -rf /usr/local/lib/ruby/gems/*/specifications/default/csv-*.gemspec \
+    && rm -rf /usr/local/lib/ruby/gems/*/gems/minitest-* \
+    && rm -rf /usr/local/lib/ruby/gems/*/specifications/minitest-*.gemspec
 
 ###############################################################################
 
@@ -79,7 +86,7 @@ LABEL org.label-schema.maintainer="Voxpupuli Team <[email protected]>" \
       org.label-schema.license="AGPL-3.0-or-later" \
       org.label-schema.vcs-url="https://github.com/voxpupuli/container-voxbox" \
       org.label-schema.schema-version="1.0" \
-      org.label-schema.dockerfile="/Dockerfile"
+      org.label-schema.dockerfile="/Containerfile"
 
 RUN apk update \
     && apk upgrade \
@@ -94,7 +101,7 @@ RUN apk update \
 
 COPY --from=builder /usr/local/lib/ruby/gems /usr/local/lib/ruby/gems
 COPY --from=builder /usr/local/bundle /usr/local/bundle
-COPY Dockerfile /
+COPY Containerfile /
 COPY voxbox/Rakefile /
 
 WORKDIR /repo

voxbox/Gemfile

@@ -4,27 +4,24 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org'
 
 gem 'facter',                ENV['RUBYGEM_FACTER']
 gem 'modulesync',            ENV['RUBYGEM_MODULESYNC']
-gem 'puppet',                ENV['RUBYGEM_PUPPET']
+gem 'onceover',              ENV['RUBYGEM_ONCEOVER']
 gem 'puppet_metadata',       ENV['RUBYGEM_PUPPET_METADATA']
+gem 'puppet-ghostbuster',    ENV['RUBYGEM_PUPPET_GHOSTBUSTER']
+gem 'puppet',                ENV['RUBYGEM_PUPPET']
 gem 'r10k',                  ENV['RUBYGEM_R10K']
 gem 'ra10ke',                ENV['RUBYGEM_RA10KE']
+gem 'rspec_junit_formatter', ENV['RUBYGEM_RSPEC_JUNIT_FORMATTER']
+gem 'rubocop-performance',   ENV['RUBYGEM_RUBOCOP_PERFORMANCE']
 gem 'voxpupuli-acceptance',  ENV['RUBYGEM_VOXPUPULI_ACCEPTANCE']
 gem 'voxpupuli-release',     ENV['RUBYGEM_VOXPUPULI_RELEASE']
 gem 'voxpupuli-test',        ENV['RUBYGEM_VOXPUPULI_TEST']
-gem 'rubocop-performance',   ENV['RUBYGEM_RUBOCOP_PERFORMANCE']
-gem 'onceover',              ENV['RUBYGEM_ONCEOVER']
-gem 'rspec_junit_formatter', ENV['RUBYGEM_RSPEC_JUNIT_FORMATTER']
-gem 'puppet-ghostbuster',    ENV['RUBYGEM_PUPPET_GHOSTBUSTER']
 
 # CVE fixes
-gem 'cgi', '~> 0.4.1'             # cgi 0.1.0 has CVEs - remove default and install upstream replacement
-gem 'stringio', '~> 3.1'          # stringio 0.1.0 has CVEs - remove default and install upstream replacement
-gem 'rexml', '~> 3.3', '>= 3.3.6' # rexml < 3.3 has CVEs - remove default and install upstream replacement
-gem 'rdoc', '~> 6.7'              # rdoc 6.2.1 has CVEs - remove default and install upstream replacement
-
-# Pin dependencies to avoid installing duplicate versions
-# see https://github.com/voxpupuli/container-voxbox/issues/97
-gem 'racc',     '1.8.1'
-gem 'minitest', '5.16.3'
-gem 'drb',      '2.1.1'
-gem 'csv',      '3.2.6'
+gem 'cgi',      '~> 0.5'  # cgi 0.1.0 has CVEs - remove default and install upstream replacement
+gem 'csv',      '~> 3.2'  # csv 3.1.2 has CVEs - remove default and install upstream replacement
+gem 'drb',      '~> 2.2'  # drb 2.1.1 has CVEs - remove default and install upstream replacement
+gem 'minitest', '~> 5.25' # minitest 5.16.3 has CVEs - remove default and install upstream replacement
+gem 'racc',     '~> 1.8'  # racc 1.6.2 has CVEs - remove default and install upstream replacement
+gem 'rdoc',     '~> 6.14' # rdoc 6.2.1 has CVEs - remove default and install upstream replacement
+gem 'rexml',    '~> 3.4'  # rexml < 3.3 has CVEs - remove default and install upstream replacement
+gem 'stringio', '~> 3.1'  # stringio 0.1.0 has CVEs - remove default and install upstream replacement