From b78a7d461d33bb77a5d0b1abb7463eb80ea8e047 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 18 Aug 2024 22:06:28 +0200
Subject: [PATCH] build image from scratch
---
 .dictionary | 1 +
 .gitignore | 1 +
 .gitsv/config.yml | 47 ++++++++++++++++++++++
 .markdownlint.yml | 6 +++
 .prettierignore | 2 +
 .woodpecker/build-container.yml | 69 +++++++++++++++++++++++++++++++++
 .woodpecker/build-package.yml | 25 ++++++++++++
 .woodpecker/docs.yml | 60 ++++++++++++++++++++++++++++
 .woodpecker/notify.yml | 26 +++++++++++++
 Containerfile.multiarch | 46 ++++++++++++++++++++++
 LICENSE | 21 ++++++++++
 README.md | 25 ++++++++++++
 overlay/.keep | 0
 renovate.json | 4 ++
 trivy-secret.yaml | 6 +++
 trivy.yaml | 4 ++
 16 files changed, 343 insertions(+)
 create mode 100644 .dictionary
 create mode 100644 .gitignore
 create mode 100644 .gitsv/config.yml
 create mode 100644 .markdownlint.yml
 create mode 100644 .prettierignore
 create mode 100644 .woodpecker/build-container.yml
 create mode 100644 .woodpecker/build-package.yml
 create mode 100644 .woodpecker/docs.yml
 create mode 100644 .woodpecker/notify.yml
 create mode 100644 Containerfile.multiarch
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 overlay/.keep
 create mode 100644 renovate.json
 create mode 100644 trivy-secret.yaml
 create mode 100644 trivy.yaml
diff --git a/.dictionary b/.dictionary
new file mode 100644
index 0000000..64b0f22
--- /dev/null
+++ b/.dictionary
@@ -0,0 +1 @@
+Ansible
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1b763b1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+CHANGELOG.md
diff --git a/.gitsv/config.yml b/.gitsv/config.yml
new file mode 100644
index 0000000..acaf506
--- /dev/null
+++ b/.gitsv/config.yml
@@ -0,0 +1,47 @@ +--- +version: "1.1" + +versioning: + update-major: [] + update-minor: [feat] + update-patch: [fix, perf, refactor, chore, test, ci, docs] + +tag: + pattern: "v%d.%d.%d" + +release-notes: + sections: + - name: Features + commit-types: [feat] + section-type: commits + - name: Bug Fixes + commit-types: [fix] + section-type: commits + - name: Performance Improvements + commit-types: [perf] + section-type: commits + - name: Code Refactoring + commit-types: [refactor] + section-type: commits + - name: Others + commit-types: [chore] + section-type: commits + - name: Testing + commit-types: [test] + section-type: commits + - name: CI Pipeline + commit-types: [ci] + section-type: commits + - name: Documentation + commit-types: [docs] + section-type: commits + - name: BREAKING CHANGES + section-type: breaking-changes + +commit-message: + footer: + issue: + key: issue + add-value-prefix: "#" + issue: + regex: "#?[0-9]+" diff --git a/.markdownlint.yml b/.markdownlint.yml new file mode 100644 index 0000000..b59a114 --- /dev/null +++ b/.markdownlint.yml @@ -0,0 +1,6 @@ +--- +default: True +MD013: False +MD041: False +MD004: + style: dash diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..135c35d --- /dev/null +++ b/.prettierignore @@ -0,0 +1,2 @@ +*.tpl.md +LICENSE diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml new file mode 100644 index 0000000..2d55377 --- /dev/null +++ b/.woodpecker/build-container.yml 
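Review bot: `default: True`, `MD013: False` and `MD041: False` in `.markdownlint.yml` use capitalised booleans, while every other YAML file in this commit (`provenance: false`, `auto_tag: true`) uses the lowercase form; markdownlint accepts both, but the lowercase spelling is the canonical one and the one yamllint's `truthy` rule expects. Write `default: true`, `MD013: false`, `MD041: false` for consistency with the rest of the repository.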
@@ -0,0 +1,69 @@ +--- +when: + - event: [pull_request, tag] + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + +steps: + - name: security-build + image: quay.io/thegeeklab/wp-docker-buildx:5 + settings: + containerfile: Containerfile.multiarch + output: type=oci,dest=oci/${CI_REPO_NAME},tar=false + repo: thegeeklab/${CI_REPO_NAME} + + - name: security-scan + image: ghcr.io/aquasecurity/trivy + commands: + - trivy -v + - trivy image --input oci/${CI_REPO_NAME} + environment: + TRIVY_EXIT_CODE: "1" + TRIVY_IGNORE_UNFIXED: "true" + TRIVY_NO_PROGRESS: "true" + TRIVY_SEVERITY: HIGH,CRITICAL + TRIVY_TIMEOUT: 1m + + - name: publish-dockerhub + image: quay.io/thegeeklab/wp-docker-buildx:5 + group: container + settings: + auto_tag: true + containerfile: Containerfile.multiarch + password: + from_secret: docker_password + platforms: + - linux/amd64 + - linux/arm64 + provenance: false + repo: thegeeklab/${CI_REPO_NAME} + username: + from_secret: docker_username + when: + - event: [tag] + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + + - name: publish-quay + image: quay.io/thegeeklab/wp-docker-buildx:5 + group: container + settings: + auto_tag: true + containerfile: Containerfile.multiarch + password: + from_secret: quay_password + platforms: + - linux/amd64 + - linux/arm64 + provenance: false + registry: quay.io + repo: quay.io/thegeeklab/${CI_REPO_NAME} + username: + from_secret: quay_username + when: + - event: [tag] + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} diff --git a/.woodpecker/build-package.yml b/.woodpecker/build-package.yml new file mode 100644 index 0000000..44951b2 --- /dev/null +++ b/.woodpecker/build-package.yml 
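Review bot: `image: ghcr.io/aquasecurity/trivy` in the `security-scan` step carries no tag, so the scanner that acts as the publish gate resolves to a floating `latest` while the buildx steps are pinned to `wp-docker-buildx:5`; pin it (`image: ghcr.io/aquasecurity/trivy:<version>`) so a scanner upgrade cannot silently change what the gate accepts or break the pipeline. The same applies to the untagged `quay.io/thegeeklab/git-sv` and `quay.io/thegeeklab/wp-gitea-release` images in `.woodpecker/build-package.yml` and to `markdownlint-cli`, `alpine-tools`, `lycheeverse/lychee` and `wp-matrix` in `docs.yml` and `notify.yml`. Note also that `security-build` writes a single OCI archive with no `platforms` setting (presumably the runner's native architecture), while `publish-dockerhub` and `publish-quay` rebuild for `linux/amd64` and `linux/arm64`, so the artifact that is scanned is not the artifact that is pushed and the arm64 variant is never scanned; if that matters, scan the pushed image by reference after publishing, or build once with `platforms` and scan each output.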
@@ -0,0 +1,25 @@ +--- +when: + - event: [pull_request, tag] + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + +steps: + - name: changelog + image: quay.io/thegeeklab/git-sv + commands: + - git sv current-version + - git sv release-notes -t ${CI_COMMIT_TAG:-next} -o CHANGELOG.md + - cat CHANGELOG.md + + - name: publish-gitea + image: quay.io/thegeeklab/wp-gitea-release + settings: + api_key: + from_secret: gitea_token + base_url: https://gitea.rknet.org + note: CHANGELOG.md + title: ${CI_COMMIT_TAG} + when: + - event: [tag] diff --git a/.woodpecker/docs.yml b/.woodpecker/docs.yml new file mode 100644 index 0000000..e3a7351 --- /dev/null +++ b/.woodpecker/docs.yml 
@@ -0,0 +1,60 @@ +--- +when: + - event: [pull_request, tag] + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + +steps: + - name: markdownlint + image: quay.io/thegeeklab/markdownlint-cli + group: test + commands: + - markdownlint 'README.md' + + - name: spellcheck + image: quay.io/thegeeklab/alpine-tools + group: test + commands: + - spellchecker --files '_docs/**/*.md' 'README.md' -d .dictionary -p spell indefinite-article syntax-urls + environment: + FORCE_COLOR: "true" + + - name: link-validation + image: docker.io/lycheeverse/lychee + group: test + commands: + - lychee --no-progress --format detailed README.md + + - name: pushrm-dockerhub + image: docker.io/chko/docker-pushrm:1 + environment: + DOCKER_USER: + from_secret: docker_username + DOCKER_PASS: + from_secret: docker_password + PUSHRM_FILE: README.md + PUSHRM_SHORT: Ansible dev tools collection + PUSHRM_TARGET: thegeeklab/${CI_REPO_NAME} + when: + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + status: [success] + + - name: pushrm-quay + image: docker.io/chko/docker-pushrm:1 + environment: + APIKEY__QUAY_IO: + from_secret: quay_token + PUSHRM_FILE: README.md + PUSHRM_TARGET: quay.io/thegeeklab/${CI_REPO_NAME} + when: + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + status: [success] + +depends_on: + - build-package + - build-container diff --git a/.woodpecker/notify.yml b/.woodpecker/notify.yml new file mode 100644 index 0000000..374a96a --- /dev/null +++ b/.woodpecker/notify.yml @@ -0,0 +1,26 @@ +--- +when: + - event: [tag] + - event: [push, manual] + branch: + - ${CI_REPO_DEFAULT_BRANCH} + +runs_on: [success, failure] + +steps: + - name: matrix + image: quay.io/thegeeklab/wp-matrix + settings: + homeserver: + from_secret: matrix_homeserver + room_id: + from_secret: matrix_room_id + user_id: + from_secret: matrix_user_id + access_token: + from_secret: matrix_access_token + when: + - status: [success, failure] + +depends_on: + - docs 
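Review bot: The `pushrm-dockerhub` step hands `docker_password` — the same secret the publish steps use to push images — to the third-party `docker.io/chko/docker-pushrm:1` image only to update a README; if that secret is an account password rather than a scoped access token, a dedicated token with the narrowest scope Docker Hub offers would limit what a compromise of that image or step log could do. The `spellcheck` command also lists `'_docs/**/*.md'`, but this commit creates no `_docs` directory (the diffstat shows only `README.md`), so the glob is presumably dead until such files exist; either drop it or confirm the tool tolerates a pattern that matches nothing.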
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
new file mode 100644
index 0000000..9c7cf2d
--- /dev/null
+++ b/Containerfile.multiarch
@@ -0,0 +1,46 @@ +FROM docker.io/python:3.12-alpine@sha256:c2f41e6a5a67bc39b95be3988dd19fbd05d1b82375c46d9826c592cca014d4de + +LABEL maintainer="Robert Kaussow " +LABEL org.opencontainers.image.authors="Robert Kaussow " +LABEL org.opencontainers.image.title="ansible-dev-tools" +LABEL org.opencontainers.image.url="https://gitea.rknet.org/container/ansible-dev-tools" +LABEL org.opencontainers.image.source="https://gitea.rknet.org/container/ansible-dev-tools" +LABEL org.opencontainers.image.documentation="https://gitea.rknet.org/container/ansible-dev-tools" + +ARG ANSIBLE_VERSION +ARG MOLECULE_VERSION + +# renovate: datasource=pypi depName=molecule +ENV MOLECULE_VERSION="${MOLECULE_VERSION:-24.7.0}" +# renovate: datasource=pypi depName=ansible +ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-10.2.0}" +# renovate: datasource=pypi depName=ansible +ENV ANSIBLE_LINT_VERSION="${ANSIBLE_LINT_VERSION:-24.7.0}" + +ENV PY_COLORS=1 +ENV ANSIBLE_FORCE_COLOR=true + +COPY overlay/ / + +RUN apk add --update --no-cache --virtual .build-deps build-base libffi-dev musl-dev openssl-dev python3-dev cargo && \ + apk add --update --no-cache git openssh-client && \ + apk upgrade --no-cache libexpat && \ + export CARGO_NET_GIT_FETCH_WITH_CLI=true && \ + export USER=root && \ + echo "Installing requirements ..." && \ + pip install -qq --no-cache-dir --upgrade pip && \ + pip install -qq --no-cache-dir boto boto3 botocore apache-libcloud hcloud \ + flaky passlib pytest pytest-testinfra && \ + echo "Installing ansible 'v$ANSIBLE_VERSION' ..." && \ + pip install -qq --no-cache-dir ansible=="$ANSIBLE_VERSION" && \ + echo "Installing molecule 'v$MOLECULE_VERSION' ..." && \ + pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker] molecule_hetznercloud && \ + echo "Installing ansible-lint 'v$ANSIBLE_LINT_VERSION' ..." 
&& \ + pip install -qq --no-cache-dir ansible-lint=="$ANSIBLE_LINT_VERSION" && \ + apk del .build-deps && \ + rm -rf /var/cache/apk/* && \ + rm -rf /tmp/* && \ + rm -rf /root/.cache/ + +USER root +CMD ["/bin/sh"] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..3812eb4 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2022 Robert Kaussow + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is furnished +to do so, subject to the following conditions: + +The above copyright notice and this permission notice (including the next +paragraph) shall be included in all copies or substantial portions of the +Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS +OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF +OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..0061540 --- /dev/null +++ b/README.md 
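Review bot: The Renovate annotation above `ENV ANSIBLE_LINT_VERSION` names the wrong package — `# renovate: datasource=pypi depName=ansible` would make Renovate track ansible releases for the ansible-lint pin — and should read `# renovate: datasource=pypi depName=ansible-lint`. `ANSIBLE_LINT_VERSION` is also expanded with a `${ANSIBLE_LINT_VERSION:-24.7.0}` default but, unlike `ANSIBLE_VERSION` and `MOLECULE_VERSION`, has no `ARG` declaration, so a `--build-arg ANSIBLE_LINT_VERSION=...` is silently ignored and the default always wins; add `ARG ANSIBLE_LINT_VERSION` next to the other two. The base image is digest-pinned, but the first `pip install` pulls boto/boto3/botocore/apache-libcloud/hcloud/flaky/passlib/pytest/pytest-testinfra and the molecule plugins without any version constraint, so the image contents are not reproducible between builds and the trivy result depends on whatever PyPI served that day; a pinned requirements file (ideally with hashes) would make the scanned artifact reproducible. `rm -rf /var/cache/apk/*` is redundant given every `apk` call already passes `--no-cache`.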
@@ -0,0 +1,25 @@ +# ansible-dev-tools + +Ansible dev tools collection + + + +[![Build Status](https://ci.rknet.org/api/badges/container/ansible-dev-tools/status.svg)](https://ci.rknet.org/repos/container/ansible-dev-tools) +[![Docker Hub](https://img.shields.io/badge/dockerhub-latest-blue.svg?logo=docker&logoColor=white)](https://hub.docker.com/r/thegeeklab/ansible-dev-tools) +[![Quay.io](https://img.shields.io/badge/quay-latest-blue.svg?logo=docker&logoColor=white)](https://quay.io/repository/thegeeklab/ansible-dev-tools) +[![Source: Gitea](https://img.shields.io/badge/source-gitea-blue.svg?logo=gitea&logoColor=white)](https://gitea.rknet.org/container/ansible-dev-tools) +[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/container/ansible-dev-tools/src/branch/main/LICENSE) + + + +Ansible dev tools collection + +## Tools + +- [ansible](https://github.com/ansible/ansible) +- [ansible-lint](https://github.com/ansible/ansible-lint) +- [molecule](https://github.com/ansible/molecule) + +## License + +This project is licensed under the MIT License - see the [LICENSE](https://gitea.rknet.org/container/molecule/src/branch/main/LICENSE) file for details. diff --git a/overlay/.keep b/overlay/.keep new file mode 100644 index 0000000..e69de29 diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..5f02575 --- /dev/null +++ b/renovate.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["github>thegeeklab/renovate-presets:docker"] +} diff --git a/trivy-secret.yaml b/trivy-secret.yaml new file mode 100644 index 0000000..abca175 --- /dev/null +++ b/trivy-secret.yaml @@ -0,0 +1,6 @@ +--- +allow-rules: + - id: private-key + path: .*/ansible/.*/site-packages/ansible_collections/(community|google|netapp)/.*\.py + - id: aws-secret-access-key + path: .*/ansible/.*/site-packages/ansible_collections/amazon/.*\.py 
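Review bot: The `path` regexes in `allow-rules` require a literal `/ansible/` directory component before `site-packages` (`.*/ansible/.*/site-packages/ansible_collections/...`), but `Containerfile.multiarch` in this commit installs with plain `pip install` into the `python:3.12-alpine` base, which presumably lands in `/usr/local/lib/python3.12/site-packages/ansible_collections/...` with no `/ansible/` segment; if so, these rules never match and the collections' fixture keys will still be reported by the CI scan. Verify against real `trivy image` output and adjust the paths to the actual install location, e.g. `path: .*/site-packages/ansible_collections/(community|google|netapp)/.*\.py`, keeping the collection-name restriction so the allow rule does not silence `private-key` or `aws-secret-access-key` findings elsewhere in the image.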
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..e74b43b
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,4 @@
+---
+scan:
+ skip-files:
+ - /usr/local/bin/gomplate
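Review bot: `skip-files` excludes `/usr/local/bin/gomplate`, but nothing in this commit installs gomplate — `Containerfile.multiarch` adds only git, openssh-client and pip packages — so the entry looks carried over from another image. A skip that matches nothing is harmless today, but it will silently hide findings in that path if the binary is ever added; either remove the entry or add a comment stating why it is excluded, e.g. `# <reason gomplate is excluded from the scan>`.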