Update Dockerfile to better support Renovate and remove unnecessary G…

…HA workflow (#45)
defenseunicorns · May 3, 2023 · f28d791 · f28d791
1 parent efcc103
commit f28d791
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 142 deletions.
diff --git a/.github/workflows/auto-assign-to-project.yml b/.github/workflows/auto-assign-to-project.yml
diff --git a/.tool-versions b/.tool-versions
@@ -0,0 +1,17 @@
+adr-tools 3.0.0
+awscli 2.11.0
+checkov 2.3.3
+flux2 0.41.2
+golang 1.19.5
+golangci-lint 1.50.1
+hadolint 2.12.0
+helm 3.11.2
+kubectl 1.26.3
+make 4.4
+pre-commit 3.0.1
+python 3.11.1
+sops 3.7.3
+terraform 1.4.4
+terraform-docs 0.16.0
+tflint 0.44.1
+tfsec 1.28.1
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,7 @@
 FROM rockylinux:9
 
+# Renovate "style" is used for some versioning. See https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
+
 # Make all shells run in a safer way. Ref: https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
 SHELL [ "/bin/bash", "-euxo", "pipefail", "-c" ]
 
@@ -35,137 +37,28 @@ RUN dnf install -y --refresh \
   && rm -rf /var/cache/yum/
 
 # Install asdf. Get versions from https://github.com/asdf-vm/asdf/releases
-ARG ASDF_VERSION="0.11.1"
-ENV ASDF_VERSION=${ASDF_VERSION}
 # hadolint ignore=SC2016
-RUN git clone --branch v"${ASDF_VERSION}" --depth 1 https://github.com/asdf-vm/asdf.git "${HOME}/.asdf" \
+# renovate: datasource=github-tags depName=asdf-vm/asdf versioning=semver-coerced
+ENV ASDF_VERSION=v0.11.1
+RUN git clone https://github.com/asdf-vm/asdf.git --branch ${ASDF_VERSION} --depth 1 "${HOME}/.asdf" \
   && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.bashrc" \
   && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.profile" \
   && source "${HOME}/.asdf/asdf.sh"
 ENV PATH="/root/.asdf/shims:/root/.asdf/bin:${PATH}"
 
-# Install golang. Get versions using 'asdf list all golang'
-ARG GOLANG_VERSION="1.19.5"
-ENV GOLANG_VERSION=${GOLANG_VERSION}
-RUN asdf plugin add golang \
-  && asdf install golang "${GOLANG_VERSION}" \
-  && asdf global golang "${GOLANG_VERSION}"
-
-# Install golangci-lint. Get versions using 'asdf list all golangci-lint'
-ARG GOLANGCILINT_VERSION="1.50.1"
-ENV GOLANGCILINT_VERSION=${GOLANGCILINT_VERSION}
-RUN asdf plugin add golangci-lint \
-  && asdf install golangci-lint "${GOLANGCILINT_VERSION}" \
-  && asdf global golangci-lint "${GOLANGCILINT_VERSION}"
-
-# Install python. Get versions using 'asdf list all python'
-ARG PYTHON_VERSION="3.11.1"
-ENV PYTHON_VERSION=${PYTHON_VERSION}
-RUN asdf plugin add python \
-  && asdf install python "${PYTHON_VERSION}" \
-  && asdf global python "${PYTHON_VERSION}"
-
-# Install hadolint. Get versions using 'asdf list all hadolint'
-ARG HADOLINT_VERSION="2.12.0"
-ENV HADOLINT_VERSION=${HADOLINT_VERSION}
-RUN asdf plugin add hadolint \
-  && asdf install hadolint "${HADOLINT_VERSION}" \
-  && asdf global hadolint "${HADOLINT_VERSION}"
-
-# Install pre-commit. Get versions using 'asdf list all pre-commit'
-ARG PRE_COMMIT_VERSION="3.0.1"
-ENV PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION}
-RUN asdf plugin add pre-commit \
-  && asdf install pre-commit "${PRE_COMMIT_VERSION}" \
-  && asdf global pre-commit "${PRE_COMMIT_VERSION}"
-
-# Install Terraform. Get versions using 'asdf list all terraform'
-ARG TERRAFORM_VERSION="1.4.4"
-ENV TERRAFORM_VERSION=${TERRAFORM_VERSION}
-RUN asdf plugin add terraform \
-  && asdf install terraform "${TERRAFORM_VERSION}" \
-  && asdf global terraform "${TERRAFORM_VERSION}"
-
-# Install terraform-docs. Get versions using 'asdf list all terraform-docs'
-ARG TERRAFORM_DOCS_VERSION="0.16.0"
-ENV TERRAFORM_DOCS_VERSION=${TERRAFORM_DOCS_VERSION}
-RUN asdf plugin add terraform-docs \
-  && asdf install terraform-docs "${TERRAFORM_DOCS_VERSION}" \
-  && asdf global terraform-docs "${TERRAFORM_DOCS_VERSION}"
-
-# Install tflint. Get versions using 'asdf list all tflint'
-ARG TFLINT_VERSION="0.44.1"
-ENV TFLINT_VERSION=${TFLINT_VERSION}
-RUN asdf plugin add tflint \
-  && asdf install tflint "${TFLINT_VERSION}" \
-  && asdf global tflint "${TFLINT_VERSION}"
-
-# Install tfsec. Get versions using 'asdf list all tfsec'
-ARG TFSEC_VERSION="1.28.1"
-ENV TFSEC_VERSION=${TFSEC_VERSION}
-RUN asdf plugin add tfsec \
-  && asdf install tfsec "${TFSEC_VERSION}" \
-  && asdf global tfsec "${TFSEC_VERSION}"
-
-# Install checkov. Get versions using 'asdf list all checkov'
-ARG CHECKOV_VERSION="2.3.3"
-ENV CHECKOV_VERSION=${CHECKOV_VERSION}
-RUN asdf plugin add checkov \
-  && asdf install checkov "${CHECKOV_VERSION}" \
-  && asdf global checkov "${CHECKOV_VERSION}"
-
-# Install sops. Get versions using 'asdf list all sops'
-ARG SOPS_VERSION="3.7.3"
-ENV SOPS_VERSION=${SOPS_VERSION}
-RUN asdf plugin add sops \
-  && asdf install sops "${SOPS_VERSION}" \
-  && asdf global sops "${SOPS_VERSION}"
-
-# Install make. Get versions using 'asdf list all make'
-ARG MAKE_VERSION="4.4"
-ENV MAKE_VERSION=${MAKE_VERSION}
-RUN asdf plugin add make \
-  && asdf install make "${MAKE_VERSION}" \
-  && asdf global make "${MAKE_VERSION}"
-
-# Install adr-tools. Get versions using 'asdf list all adr-tools'
-ARG ADR_TOOLS_VERSION="3.0.0"
-ENV ADR_TOOLS_VERSION=${ADR_TOOLS_VERSION}
-RUN asdf plugin add adr-tools \
-  && asdf install adr-tools "${ADR_TOOLS_VERSION}" \
-  && asdf global adr-tools "${ADR_TOOLS_VERSION}"
-
-# Install awscli. Get versions using 'asdf list all awscli'
-ARG AWSCLI_VERSION="2.11.0"
-ENV AWSCLI_VERSION=${AWSCLI_VERSION}
-RUN asdf plugin add awscli \
-  && asdf install awscli "${AWSCLI_VERSION}" \
-  && asdf global awscli "${AWSCLI_VERSION}"
-
-# Install kubectl. Get versions using 'asdf list all kubectl'
-ARG KUBECTL_VERSION="1.26.3"
-ENV KUBECTL_VERSION=${KUBECTL_VERSION}
-RUN asdf plugin add kubectl \
-  && asdf install kubectl "${KUBECTL_VERSION}" \
-  && asdf global kubectl "${KUBECTL_VERSION}"
+# Copy our .tool-versions file into the container
+COPY .tool-versions /root/.tool-versions
 
-# Install Flux CLI. Get versions using 'asdf list all flux2'
-ARG FLUX_VERSION="0.41.2"
-ENV FLUX_VERSION=${FLUX_VERSION}
-RUN asdf plugin add flux2 \
-  && asdf install flux2 "${FLUX_VERSION}" \
-  && asdf global flux2 "${FLUX_VERSION}"
+# Install all ASDF plugins that are present in the .tool-versions file
+RUN cat /root/.tool-versions | cut -d' ' -f1 | grep "^[^\#]" | xargs -i asdf plugin add {}
 
-# Install Helm. Get versions using 'asdf list all helm'
-ARG HELM_VERSION="3.11.2"
-ENV HELM_VERSION=${HELM_VERSION}
-RUN asdf plugin add helm \
-  && asdf install helm "${HELM_VERSION}" \
-  && asdf global helm "${HELM_VERSION}"
+# Install all ASDF versions that are present in the .tool-versions file
+# Checkov requires python to be installed so we have to make sure that gets installed first
+RUN asdf install python && asdf install
 
 # Install sshuttle. Get versions by running `pip index versions sshuttle`
-ARG SSHUTTLE_VERSION="1.1.1"
-ENV SSHUTTLE_VERSION=${SSHUTTLE_VERSION}
+# renovate: datasource=pypi depName=sshuttle
+ENV SSHUTTLE_VERSION=1.1.1
 RUN pip install --force-reinstall -v "sshuttle==${SSHUTTLE_VERSION}"
 
 # Support tools installed as root when running as any other user

diff --git a/renovate.json b/renovate.json
diff --git a/renovate.json5 b/renovate.json5
@@ -0,0 +1,42 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard
+    ":dependencyDashboard",
+    // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers
+    ":semanticPrefixFixDepsChoreOthers",
+    // Ignore node_modules, bower_components, vendor and various test/tests directories. See https://docs.renovatebot.com/presets-default/#ignoremodulesandtests
+    ":ignoreModulesAndTests",
+    // Group all updates together. See https://docs.renovatebot.com/presets-group/#groupall
+    // Other less drastic groupings that may be of interest include: group:allNonMajor, group:recommended, group:monorepos
+    "group:all",
+    // Apply crowd-sourced package replacement rules. See https://docs.renovatebot.com/presets-replacements/#replacementsall
+    "replacements:all",
+    // Apply crowd-sourced workarounds for known problems with packages. See https://docs.renovatebot.com/presets-workarounds/#workaroundsall
+    "workarounds:all",
+    // Only run outside of office hours. See https://docs.renovatebot.com/presets-schedule/#schedulenonofficehours
+    "schedule:nonOfficeHours"
+  ],
+  // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels
+  labels: [
+    "renovate"
+  ],
+  // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit
+  prHourlyLimit: 0,
+  // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
+  prConcurrentLimit: 0,
+  // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/
+  "pre-commit": {
+    enabled: true
+  },
+  "regexManagers": [
+    // Custom regex manager that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
+    {
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=(?<currentValue>.*)\\s"
+      ],
+      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+    }
+  ]
+}