chore(docker): update docker.io/python:3.12-alpine docker digest to 5365725

Reviewed-on: #373
Co-authored-by: Renovator Bot <renovator@rknet.org>
Co-committed-by: Renovator Bot <renovator@rknet.org>

.woodpecker/build-container.yml

@@ -6,14 +6,14 @@ when:
       - ${CI_REPO_DEFAULT_BRANCH}
 
 steps:
-  security-build:
+  - name: security-build
-    image: quay.io/thegeeklab/wp-docker-buildx:1
+    image: quay.io/thegeeklab/wp-docker-buildx:4
     settings:
       containerfile: Containerfile.multiarch
       output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
       repo: thegeeklab/${CI_REPO_NAME}
 
-  security-scan:
+  - name: security-scan
     image: ghcr.io/aquasecurity/trivy
     commands:
       - trivy -v
@@ -24,11 +24,10 @@ steps:
       TRIVY_NO_PROGRESS: "true"
       TRIVY_SEVERITY: HIGH,CRITICAL
       TRIVY_TIMEOUT: 1m
-      TRIVY_SKIP_FILES: /usr/local/bin/gomplate
 
-  publish-dockerhub:
+  - name: publish-dockerhub
+    image: quay.io/thegeeklab/wp-docker-buildx:4
     group: container
-    image: quay.io/thegeeklab/wp-docker-buildx:1
     settings:
       auto_tag: true
       containerfile: Containerfile.multiarch
@@ -47,9 +46,9 @@ steps:
         branch:
           - ${CI_REPO_DEFAULT_BRANCH}
 
-  publish-quay:
+  - name: publish-quay
+    image: quay.io/thegeeklab/wp-docker-buildx:4
     group: container
-    image: quay.io/thegeeklab/wp-docker-buildx:1
     settings:
       auto_tag: true
       containerfile: Containerfile.multiarch

.woodpecker/build-package.yml

@@ -6,22 +6,20 @@ when:
       - ${CI_REPO_DEFAULT_BRANCH}
 
 steps:
-  changelog:
+  - name: changelog
     image: quay.io/thegeeklab/git-sv
     commands:
-      - git fetch --depth=2147483647
       - git sv current-version
       - git sv release-notes -t ${CI_COMMIT_TAG:-next} -o CHANGELOG.md
       - cat CHANGELOG.md
 
-  publish-gitea:
+  - name: publish-gitea
-    image: plugins/gitea-release
+    image: quay.io/thegeeklab/wp-gitea-release
     settings:
       api_key:
         from_secret: gitea_token
       base_url: https://gitea.rknet.org
       note: CHANGELOG.md
-      overwrite: true
       title: ${CI_COMMIT_TAG}
     when:
       - event: [tag]

.woodpecker/docs.yml

@@ -6,26 +6,27 @@ when:
       - ${CI_REPO_DEFAULT_BRANCH}
 
 steps:
-  markdownlint:
+  - name: markdownlint
     image: quay.io/thegeeklab/markdownlint-cli
+    group: test
     commands:
       - markdownlint 'README.md'
 
-  spellcheck:
+  - name: spellcheck
     image: quay.io/thegeeklab/alpine-tools
+    group: test
     commands:
       - spellchecker --files '_docs/**/*.md' 'README.md' -d .dictionary -p spell indefinite-article syntax-urls
     environment:
       FORCE_COLOR: "true"
-      NPM_CONFIG_LOGLEVEL: "error"
 
-  link-validation:
+  - name: link-validation
     image: docker.io/lycheeverse/lychee
     group: test
     commands:
       - lychee --no-progress --format detailed README.md
 
-  pushrm-dockerhub:
+  - name: pushrm-dockerhub
     image: docker.io/chko/docker-pushrm:1
     secrets:
       - source: docker_password
@@ -42,7 +43,7 @@ steps:
           - ${CI_REPO_DEFAULT_BRANCH}
         status: [success]
 
-  pushrm-quay:
+  - name: pushrm-quay
     image: docker.io/chko/docker-pushrm:1
     secrets:
       - source: quay_token

.woodpecker/notify.yml

@@ -8,7 +8,7 @@ when:
 runs_on: [success, failure]
 
 steps:
-  matrix:
+  - name: matrix
     image: quay.io/thegeeklab/wp-matrix
     settings:
       homeserver:

Containerfile.multiarch

@@ -1,4 +1,4 @@
-FROM docker.io/python:3.12-alpine@sha256:09f18c1f8ca777f63934b415af9a781a0e5aaba5e005ba0475cba71bb3e8e609
+FROM docker.io/python:3.12-alpine@sha256:5365725a6cd59b72a927628fdda9965103e3dc671676c89ef3ed8b8b0e22e812
 
 LABEL maintainer="Robert Kaussow <mail@thegeeklab.de>"
 LABEL org.opencontainers.image.authors="Robert Kaussow <mail@thegeeklab.de>"
@@ -11,34 +11,28 @@ ARG ANSIBLE_VERSION
 ARG MOLECULE_VERSION
 
 # renovate: datasource=pypi depName=molecule
-ENV MOLECULE_VERSION="${MOLECULE_VERSION:-6.0.2}"
+ENV MOLECULE_VERSION="${MOLECULE_VERSION:-24.2.1}"
 # renovate: datasource=pypi depName=ansible
-ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-9.1.0}"
+ENV ANSIBLE_VERSION="${ANSIBLE_VERSION:-9.5.1}"
 
 ENV PY_COLORS=1
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
 ENV ANSIBLE_FORCE_COLOR=true
 ENV USER=root
-ENV PATH=/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
 
 COPY overlay/ /
 
 RUN apk add --update --no-cache --virtual .build-deps build-base libffi-dev musl-dev openssl-dev python3-dev cargo && \
     apk add --update --no-cache git openssh-client && \
+    apk upgrade --no-cache libexpat && \
     echo "Installing requirements ..." && \
-    pip install -qq --upgrade --no-cache-dir pip && \
+    pip install -qq --no-cache-dir --upgrade pip && \
-    pip install -qq --no-cache-dir -r /root/requirements.txt && \
+    pip install -qq --no-cache-dir boto boto3 botocore apache-libcloud hcloud \
+        flaky passlib pytest pytest-testinfra && \
     echo "Installing ansible 'v$ANSIBLE_VERSION' ..." && \
     pip install -qq --no-cache-dir ansible=="$ANSIBLE_VERSION" && \
-    MOLECULE_VERSION="${MOLECULE_VERSION##v}" && \
+    echo "Installing molecule version 'v$MOLECULE_VERSION' ..." && \
-    MOLECULE_MAJOR="${MOLECULE_VERSION%%.*}" && \
+    pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker] molecule_hetznercloud; \
-    if [ -z "${MOLECULE_MAJOR//[0-9]}" ] && [ -n "$MOLECULE_MAJOR" ]; then \
-        echo "Installing molecule version '$MOLECULE_VERSION' ..." && \
-        pip install -qq --no-cache-dir molecule=="$MOLECULE_VERSION" molecule-plugins[docker]; \
-    else \
-        echo "Installing latest molecule ..." && \
-        pip install -qq --no-cache-dir molecule molecule-plugins[docker]; \
-    fi && \
     apk del .build-deps && \
     rm -rf /var/cache/apk/* && \
     rm -rf /tmp/* && \

overlay/bin/molecule

@@ -1,5 +1,5 @@
 #!/usr/bin/env sh
-# shellcheck disable=2039
+# shellcheck disable=2039,3040
 set -eo pipefail
 
 DIR=$(pwd)
@@ -11,7 +11,7 @@ if [ -n "${MOLECULE_CUSTOM_MODULES_REPO}" ]; then
     WORKDIR="${MOLECULE_LIBRARY_DIR}"
     [ -d "$WORKDIR" ] && rm -rf "$WORKDIR"
     mkdir -p "$WORKDIR"
-    git clone "$MOLECULE_CUSTOM_MODULES_REPO" "$WORKDIR" 2> /dev/null
+    git clone "$MOLECULE_CUSTOM_MODULES_REPO" "$WORKDIR" 2>/dev/null
 fi
 
 if [ -n "${MOLECULE_CUSTOM_FILTERS_REPO}" ]; then
@@ -19,13 +19,13 @@ if [ -n "${MOLECULE_CUSTOM_FILTERS_REPO}" ]; then
     printf "Cloning custom filters ...\n"
     [ -d "$WORKDIR" ] && rm -rf "$WORKDIR"
     mkdir -p "$WORKDIR"
-    git clone "$MOLECULE_CUSTOM_FILTERS_REPO" "$WORKDIR" 2> /dev/null
+    git clone "$MOLECULE_CUSTOM_FILTERS_REPO" "$WORKDIR" 2>/dev/null
 fi
 
 if [ -n "${MOLECULE_ANSIBLE_VAULT_PASSWORD}" ]; then
     printf "Write vault password file ...\n"
     MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE=/root/.vaultpasswd
-    echo "${MOLECULE_ANSIBLE_VAULT_PASSWORD}" > $MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE
+    echo "${MOLECULE_ANSIBLE_VAULT_PASSWORD}" >$MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE
     exec env ANSIBLE_VAULT_PASSWORD_FILE=$MOLECULE_ANSIBLE_VAULT_PASSWORD_FILE /usr/local/bin/molecule "$@"
 else
     exec /usr/local/bin/molecule "$@"

overlay/root/requirements.txt

@@ -1,14 +0,0 @@
-# cloud provider deps
-boto
-boto3
-botocore
-apache-libcloud
-hcloud
-molecule_hetznercloud
-
-# misc
-pycrypto
-flaky
-passlib
-pytest
-pytest-testinfra

trivy-secret.yaml

@@ -0,0 +1,6 @@
+---
+allow-rules:
+  - id: private-key
+    path: .*/ansible/.*/site-packages/ansible_collections/(community|google|netapp)/.*\.py
+  - id: aws-secret-access-key
+    path: .*/ansible/.*/site-packages/ansible_collections/amazon/.*\.py

trivy.yaml

@@ -0,0 +1,4 @@
+---
+scan:
+  skip-files:
+    - /usr/local/bin/gomplate