From e9eea14f29202a96d4f1aac786b5b349f9c752b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 09:23:21 +0000 Subject: [PATCH 01/16] Build(deps): Bump oras-project/setup-oras from 1.2.0 to 1.2.1 Bumps [oras-project/setup-oras](https://github.com/oras-project/setup-oras) from 1.2.0 to 1.2.1. - [Release notes](https://github.com/oras-project/setup-oras/releases) - [Commits](https://github.com/oras-project/setup-oras/compare/v1.2.0...v1.2.1) --- updated-dependencies: - dependency-name: oras-project/setup-oras dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ddcab62d..b9e20322 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -738,7 +738,7 @@ jobs: # Required for running "oras" CLI - name: Setup ORAS - uses: oras-project/setup-oras@v1.2.0 + uses: oras-project/setup-oras@v1.2.1 with: version: ${{ env.ORAS_VERSION }} From 0a9e448dfa928886744aa756bf3a276c34ba3310 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 09:23:25 +0000 Subject: [PATCH 02/16] Build(deps): Bump actions/upload-artifact from 4.4.0 to 4.4.3 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.3) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ddcab62d..f2e3c57c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -183,7 +183,7 @@ jobs: .cr-release-packages/blue-agent-${{ needs.init.outputs.VERSION }}.tgz - name: Upload Helm chart - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@v4.4.3 with: if-no-files-found: error # Fail if no files are uploaded include-hidden-files: true # Folder begins with a dot, if not checked the whole folder is ignored @@ -830,7 +830,7 @@ jobs: --baseURL "${{ steps.pages.outputs.base_url }}/" - name: Upload build artifact - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@v4.4.3 with: if-no-files-found: error # Fail if no files are uploaded name: hugo From 128ba34b72fc8b77d437b5e9c268473fda298b5b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 09:23:27 +0000 Subject: [PATCH 03/16] Build(deps): Bump docker/setup-buildx-action from 3.6.1 to 3.7.1 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.6.1 to 3.7.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3.6.1...v3.7.1) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ddcab62d..7668f0ed 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -334,7 +334,7 @@ jobs: # Required for "docker build" command - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3.6.1 + uses: docker/setup-buildx-action@v3.7.1 with: version: v${{ env.BUILDX_VERSION }} driver-opts: | From c00c7c879cb2e59870b6c11966dc3638ab61fdfc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Oct 2024 14:40:08 +0000 Subject: [PATCH 04/16] Build(deps): Bump sigstore/cosign-installer from 3.6.0 to 3.7.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 342f774e..7846af59 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -148,7 +148,7 @@ jobs: - name: Setup Cosign # Only sign builds on main branch if: github.ref == 'refs/heads/main' - uses: sigstore/cosign-installer@v3.6.0 + uses: sigstore/cosign-installer@v3.7.0 with: cosign-release: v${{ env.COSIGN_VERSION }} @@ -350,7 +350,7 @@ jobs: - name: Setup Cosign # Only sign builds on main branch if: github.ref == 'refs/heads/main' - uses: sigstore/cosign-installer@v3.6.0 + uses: sigstore/cosign-installer@v3.7.0 with: cosign-release: v${{ env.COSIGN_VERSION }} @@ -536,7 +536,7 @@ jobs: - name: Setup Cosign # Only sign builds on main branch if: github.ref == 'refs/heads/main' - uses: sigstore/cosign-installer@v3.6.0 + uses: sigstore/cosign-installer@v3.7.0 with: cosign-release: v${{ env.COSIGN_VERSION }} From edaff0a2752d1fd2daa4d54ff218f9d4fe9bc409 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Nov 2024 10:03:14 +0000 Subject: [PATCH 05/16] Build(deps): Bump ubi8/ubi-minimal in /src/docker Bumps ubi8/ubi-minimal from `7583ca0` to `c12e67a`. --- updated-dependencies: - dependency-name: ubi8/ubi-minimal dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- src/docker/Dockerfile-ubi8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8 index 9441f9ba..56b6a5f3 100644 --- a/src/docker/Dockerfile-ubi8 +++ b/src/docker/Dockerfile-ubi8 @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c AS base +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.10@sha256:c12e67af6a7e15113d76bc72f10bef2045c026c71ec8b7124c8a075458188a83 AS base # Configure local user ENV USER=root From c485e3644a0664ddaac099114e61c1a887afb897 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 09:50:30 +0000 Subject: [PATCH 06/16] Build(deps): Bump ubi9-minimal from 9.4 to 9.5 in /src/docker Bumps ubi9-minimal from 9.4 to 9.5. --- updated-dependencies: - dependency-name: ubi9-minimal dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- src/docker/Dockerfile-ubi9 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/docker/Dockerfile-ubi9 b/src/docker/Dockerfile-ubi9 index fe743737..871ee0d8 100644 --- a/src/docker/Dockerfile-ubi9 +++ b/src/docker/Dockerfile-ubi9 @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM registry.access.redhat.com/ubi9-minimal:9.4@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS base +FROM registry.access.redhat.com/ubi9-minimal:9.5@sha256:6907fbacb294ab6ba988f8bcc6bd5127f589966e5808fcb454de3e104983ae5b AS base # Configure local user ENV USER=root From 28ba380fb0d3787174048481d9e03654f255ec1d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:01:20 +0000 Subject: [PATCH 07/16] Build(deps): Bump docker/build-push-action from 6.7.0 to 6.10.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.7.0 to 6.10.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6.7.0...v6.10.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 98d92f6b..ac409fdd 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -421,7 +421,7 @@ jobs: echo "tag=$tag" >> $GITHUB_OUTPUT - name: Build & push container - uses: docker/build-push-action@v6.7.0 + uses: docker/build-push-action@v6.10.0 with: build-args: | AWS_CLI_VERSION=${{ env.AWS_CLI_VERSION }} From c9f0545832aa82537473dc1518e6fe84941a8676 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Thu, 28 Nov 2024 16:43:20 +0100 Subject: [PATCH 08/16] security: Upgrade base images --- src/docker/Dockerfile-bookworm | 2 +- src/docker/Dockerfile-bullseye | 2 +- src/docker/Dockerfile-focal | 2 +- src/docker/Dockerfile-jammy | 2 +- src/docker/Dockerfile-noble | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm index 059e9fcf..0116f45b 100644 --- a/src/docker/Dockerfile-bookworm +++ b/src/docker/Dockerfile-bookworm @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim@sha256:b3cdb99fb356091b6395f3444d355da8ae5d63572ba777bed95b65848d6e02be AS base +FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim@sha256:d53ebf3481ea8ac8e4fa5c4213ae1f32a33e68e5b8181868edb11d0496a00432 AS base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND=noninteractive diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye index 3ff13cc3..55ce83e8 100644 --- a/src/docker/Dockerfile-bullseye +++ b/src/docker/Dockerfile-bullseye @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:3717ce4bc6e34336ac100762eb766dc9cb739543686d0189001c1cafa57ba29c AS base +FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:f9e1ba6847d4f3854ebdfa367540d9e8090935cae034864284419dee037b2258 AS base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND=noninteractive diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal index a310d4eb..5017c48b 100644 --- a/src/docker/Dockerfile-focal +++ b/src/docker/Dockerfile-focal @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal@sha256:fe64a7f5bf2e300e52ad4eadc8d59c0ec7f096e22107d910c478366ee99c903d AS base +FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal@sha256:eb64d9af3c637a16533d4e510e4ff9dba7397ede73593b13a93dcc332058c182 AS base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND=noninteractive diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy index 25cb6f23..9cb1958c 100644 --- a/src/docker/Dockerfile-jammy +++ b/src/docker/Dockerfile-jammy @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy@sha256:d41af821cc90286d7c0d81c6a25733846ee7eebb2b55479934af909afd36471a AS base +FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy@sha256:440fcf7393169e07526df19360628c424a95c435d1beaf70a53048387398e79f AS base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND=noninteractive diff --git a/src/docker/Dockerfile-noble b/src/docker/Dockerfile-noble index 62d43a7c..0cf4fb9b 100644 --- a/src/docker/Dockerfile-noble +++ b/src/docker/Dockerfile-noble @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # check=skip=UndefinedVar -FROM mcr.microsoft.com/dotnet/aspnet:8.0-noble@sha256:a516b80935ab07dc415244dcdb8c52f4592644282127ecfa37c77561d26d25d5 AS base +FROM mcr.microsoft.com/dotnet/aspnet:8.0-noble@sha256:d1f7c5f0ef897b62d8580f5a51dbc9add024c273d06b67ff28580c882e9ff672 AS base # Force apt-get to not use TTY ENV DEBIAN_FRONTEND=noninteractive From 52028460c2ba97ea56c4554b0b26d875a69872bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Sat, 19 Oct 2024 17:12:42 +0200 Subject: [PATCH 09/16] feat: Add Azure Linux 3 distro --- .github/workflows/pipeline.yaml | 4 +- .../docs/advanced-topics/bicep-deployment.md | 38 +-- .../docs/advanced-topics/docker-in-docker.md | 1 + docs/content/docs/getting-started.md | 1 + docs/content/docs/security.md | 1 + src/bicep/main.bicep | 1 + src/docker/Dockerfile-azurelinux3 | 276 ++++++++++++++++++ test/pipeline/root.yaml | 10 +- 8 files changed, 310 insertions(+), 22 deletions(-) create mode 100644 src/docker/Dockerfile-azurelinux3 diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index a9e26edd..0467b911 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -308,6 +308,8 @@ jobs: fail-fast: false matrix: include: + - os: azurelinux3 + arch: linux/amd64,linux/arm64 - os: bookworm arch: linux/amd64,linux/arm64 - os: bullseye @@ -903,7 +905,7 @@ jobs: # Rate limiting on Azure DevOps SaaS APIs is triggered quickly by integration tests, so we need to limit the number of parallel jobs max-parallel: 3 matrix: - os: [bookworm, bullseye, focal, jammy, noble, ubi8, ubi9] + os: [azurelinux3, bookworm, bullseye, focal, jammy, noble, ubi8, ubi9] steps: - name: Checkout uses: actions/checkout@v4.1.7 diff --git a/docs/content/docs/advanced-topics/bicep-deployment.md b/docs/content/docs/advanced-topics/bicep-deployment.md index e143716c..1e1bc493 100644 --- a/docs/content/docs/advanced-topics/bicep-deployment.md +++ b/docs/content/docs/advanced-topics/bicep-deployment.md @@ -6,22 +6,22 @@ Bicep is a deployment language for Azure, allowing to easily deploy resources on #### Bicep parameters -| Parameter | Description | Default | -| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `autoscalingMaxReplicas` | Maximum number of simultaneous jobs the agent can run | `100` | -| `autoscalingMinReplicas` | Minimum number of replicas the agent should have | `0` | -| `autoscalingPollingInterval` | Minimum number of replicas the agent should have; Warning, a low value will cause rate limiting or throttling, and can cause high load on the Azure DevOps API | `10` | -| `extraEnv` | Extra environment variables to pass to the agent | `[]` | -| `imageFlavor` | Flavor of the container image, represents the Linux distribution. Allowed values: `bookworm`, `bullseye`, `focal`, `jammy`, `noble`, `ubi8`, `ubi9` | `bookworm` | -| `imageName` | Name of the container image | `clemlesne/blue-agent` | -| `imageRegistry` | Registry of the container image. Allowed values: `docker.io`, `ghcr.io` | `ghcr.io` | -| `imageVersion` | Version of the container image, it is recommended to use a specific version like "1.0.0" instead of "latest" | `main` | -| `instance` | Name of the instance, will be used to build the name of the resources | Value from `deployment().name` | -| `location` | Location of resources | `westeurope` | -| `pipelinesCapabilities` | Capabilities of the agent | `['arch_x64']` | -| `pipelinesOrganizationURL` | URL of the Azure DevOps organization | _None_ | -| `pipelinesPersonalAccessToken` | Personal access token allowing the agent to connect to the Azure DevOps organization. This parameter is secure. | _None_ | -| `pipelinesPoolName` | Name of the Azure Pipelines self-hosted pool the agent should be added to | _None_ | -| `pipelinesTimeout` | Timeout in seconds for the agent to run a job before it is automatically terminated | `3600` | -| `resourcesCpu` | Number of CPU cores allocated to the agent | `2` | -| `resourcesMemory` | Amount of memory allocated to the agent | `4Gi` | +| Parameter | Description | Default | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ | +| `autoscalingMaxReplicas` | Maximum number of simultaneous jobs the agent can run | `100` | +| `autoscalingMinReplicas` | Minimum number of replicas the agent should have | `0` | +| `autoscalingPollingInterval` | Minimum number of replicas the agent should have; Warning, a low value will cause rate limiting or throttling, and can cause high load on the Azure DevOps API | `10` | +| `extraEnv` | Extra environment variables to pass to the agent | `[]` | +| `imageFlavor` | Flavor of the container image, represents the Linux distribution. Allowed values: `azurelinux3`, `bookworm`, `bullseye`, `focal`, `jammy`, `noble`, `ubi8`, `ubi9` | `bookworm` | +| `imageName` | Name of the container image | `clemlesne/blue-agent` | +| `imageRegistry` | Registry of the container image. Allowed values: `docker.io`, `ghcr.io` | `ghcr.io` | +| `imageVersion` | Version of the container image, it is recommended to use a specific version like "1.0.0" instead of "latest" | `main` | +| `instance` | Name of the instance, will be used to build the name of the resources | Value from `deployment().name` | +| `location` | Location of resources | `westeurope` | +| `pipelinesCapabilities` | Capabilities of the agent | `['arch_x64']` | +| `pipelinesOrganizationURL` | URL of the Azure DevOps organization | _None_ | +| `pipelinesPersonalAccessToken` | Personal access token allowing the agent to connect to the Azure DevOps organization. This parameter is secure. | _None_ | +| `pipelinesPoolName` | Name of the Azure Pipelines self-hosted pool the agent should be added to | _None_ | +| `pipelinesTimeout` | Timeout in seconds for the agent to run a job before it is automatically terminated | `3600` | +| `resourcesCpu` | Number of CPU cores allocated to the agent | `2` | +| `resourcesMemory` | Amount of memory allocated to the agent | `4Gi` | diff --git a/docs/content/docs/advanced-topics/docker-in-docker.md b/docs/content/docs/advanced-topics/docker-in-docker.md index 056f4c8a..ae658581 100644 --- a/docs/content/docs/advanced-topics/docker-in-docker.md +++ b/docs/content/docs/advanced-topics/docker-in-docker.md @@ -17,6 +17,7 @@ Linux systems are supported, but not Windows: | `Ref` | Container build inside of the agent with BuildKit | | ------------------------------------------------ | ------------------------------------------------- | +| `ghcr.io/clemlesne/blue-agent:azurelinux3-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:bullseye-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:focal-main` | ✅ | diff --git a/docs/content/docs/getting-started.md b/docs/content/docs/getting-started.md index 63e7cdbd..357a0dd9 100644 --- a/docs/content/docs/getting-started.md +++ b/docs/content/docs/getting-started.md @@ -84,6 +84,7 @@ OS support is generally called "flavor" in this documentation. The following tab | `Ref` | OS | `Size` | `Arch` | Support | | ------------------------------------------------ | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | +| `ghcr.io/clemlesne/blue-agent:azurelinux3-main` | [Azure Linux 3](https://github.com/microsoft/azurelinux) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/azurelinux3-main?label=) | `amd64`, `arm64/v8` | [See Microsoft Azure documentation.](https://learn.microsoft.com/en-us/azure/aks/support-policies) | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | [Debian Bookworm (12)](https://www.debian.org/releases/bookworm) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/bookworm-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | | `ghcr.io/clemlesne/blue-agent:bullseye-main` | [Debian Bullseye (11)](https://www.debian.org/releases/bullseye) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/bullseye-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | | `ghcr.io/clemlesne/blue-agent:noble-main` | [Ubuntu Noble (24.04)](https://www.releases.ubuntu.com/noble) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/noble-main?label=) | `amd64` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | diff --git a/docs/content/docs/security.md b/docs/content/docs/security.md index e664b7ed..4a293488 100644 --- a/docs/content/docs/security.md +++ b/docs/content/docs/security.md @@ -14,6 +14,7 @@ Scanned systems: | `Ref` | Vulnerability scans with Snyk | | ------------------------------------------------ | ----------------------------- | +| `ghcr.io/clemlesne/blue-agent:azurelinux3-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:bullseye-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:focal-main` | ✅ | diff --git a/src/bicep/main.bicep b/src/bicep/main.bicep index 8e53fff3..85fd72d9 100644 --- a/src/bicep/main.bicep +++ b/src/bicep/main.bicep @@ -11,6 +11,7 @@ param autoscalingPollingInterval int = 10 param extraEnv array = [] @description('Flavor of the container image, represents the Linux distribution') @allowed([ + 'azurelinux3' 'bookworm' 'bullseye' 'focal' diff --git a/src/docker/Dockerfile-azurelinux3 b/src/docker/Dockerfile-azurelinux3 new file mode 100644 index 00000000..ceb49640 --- /dev/null +++ b/src/docker/Dockerfile-azurelinux3 @@ -0,0 +1,276 @@ +FROM mcr.microsoft.com/dotnet/aspnet:8.0-azurelinux3.0@sha256:e1cddf0093fc04fc5ded6c475abb0205db1279ff3dc2597b34403b4853a5a00c AS base + +# Configure local user +ENV USER=root +ENV HOME=/app-root + +# Allow tdnf to valides TLS connections +ENV GNUPGHOME=/root/.gnupg + +# Avoid Python cache during build +ENV PYTHONDONTWRITEBYTECODE=1 + +# Install: +# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) +# - Azure Pipelines agent system requirements +# - iptables, for BuildKit +# - gzip, make, tar, unzip, wget, zip, zstd, dnsutils, rsync, for developer ease-of-life +# - zsh, for inter-operability +RUN --mount=target=/var/cache/tdnf,type=cache,id=yum-${TARGETPLATFORM},sharing=locked \ + tdnf update -y \ + && tdnf install -y \ + bind-utils \ + build-essential \ + ca-certificates \ + cargo \ + curl \ + findutils \ + gcc \ + gcc-c++ \ + git \ + git-core \ + git-lfs \ + gnupg \ + gzip \ + hostname \ + iptables \ + iputils \ + jq \ + lsb-release \ + make \ + openssl \ + openssl-devel \ + pkg-config \ + rsync \ + shadow-utils \ + sudo \ + tar \ + unzip \ + wget \ + zip \ + zsh \ + zstd \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Copy helper script, then verify installation +COPY arch.sh . +RUN chmod +x arch.sh \ + && bash arch.sh + +# Persist Python version +ARG PYTHON_VERSION_MAJOR_MINOR +ARG PYTHON_VERSION_PATCH +ENV PYTHON_VERSION=${PYTHON_VERSION_MAJOR_MINOR}.${PYTHON_VERSION_PATCH} + +FROM base AS rootlesskit + +# Install Go, then verify installation +ARG GO_VERSION +ENV GO_VERSION=${GO_VERSION} +RUN rm -rf /usr/local/go \ + && curl -LsSf --retry 8 --retry-all-errors https://go.dev/dl/go${GO_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C /usr/local +ENV PATH="${PATH}:/usr/local/go/bin" +RUN go version + +# Install RootlessKit, then verify installation +ARG ROOTLESSKIT_VERSION +ENV ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} +RUN --mount=target=/rootlesskit-${ROOTLESSKIT_VERSION},type=cache,id=rootlesskit-${ROOTLESSKIT_VERSION}-${TARGETPLATFORM},sharing=locked \ + git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/rootless-containers/rootlesskit.git rootlesskit \ + # Ugly but that's work + && cp -r rootlesskit/* rootlesskit-${ROOTLESSKIT_VERSION} \ + && rm -rf rootlesskit \ + && cd rootlesskit-${ROOTLESSKIT_VERSION} \ + && make \ + && make install \ + && cd .. \ + && rootlesskit --version \ + && rootlessctl --version + +FROM base AS python + +# Build Python from source, then verify installation +ARG PYTHON_VERSION +ENV PYTHON_VERSION=${PYTHON_VERSION} +RUN --mount=target=/var/cache/tdnf,type=cache,id=yum-${TARGETPLATFORM},sharing=locked --mount=target=/Python-${PYTHON_VERSION},type=cache,id=python-${PYTHON_VERSION}-${TARGETPLATFORM},sharing=locked \ + tdnf update -y \ + && tdnf install -y \ + bzip2 \ + bzip2-devel \ + expat \ + expat-devel \ + gdb \ + gdbm-devel \ + glibc-devel \ + libffi-devel \ + libstdc++-devel \ + libuuid-devel \ + libxml2-devel \ + ncurses-devel \ + rpm-build \ + sqlite \ + sqlite-devel \ + sqlite-libs \ + xz-devel \ + xz-libs \ + zlib-devel \ + && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ + && tar -xzf python.tgz \ + && rm python.tgz \ + && cd Python-${PYTHON_VERSION} \ + && gnu_arch="$(rpm --eval '%{_target_cpu}')-centos-linux-gnu" \ + && ./configure \ + --build=$gnu_arch \ + --enable-optimizations \ + --with-ensurepip=install \ + --with-lto \ + && make profile-removal \ + && extra_cflags="$(rpm --eval '%{optflags}')" \ + && ldflags="$(rpm --eval '%{__global_ldflags}')" \ + && make -j $(nproc) "EXTRA_CFLAGS=${extra_cflags:-}" "LDFLAGS=${ldflags:-}" \ + && make install \ + && cd .. \ + && python3 --version \ + && python3 -m pip --version \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +FROM base + +# Install Python, then verify installation +COPY --from=python /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} +COPY --from=python /usr/local/lib/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/lib/python${PYTHON_VERSION_MAJOR_MINOR} +RUN ln -s /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python3 \ + && ln -s /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python \ + && python --version \ + && python3 --version \ + && python${PYTHON_VERSION_MAJOR_MINOR} --version \ + && python3 -m pip --version + +# Install Python build tools +RUN --mount=target=/${USER}/.cache/pip,type=cache,id=pip-${PYTHON_VERSION_MAJOR_MINOR}-${TARGETPLATFORM},sharing=locked \ + python3 -m pip \ + --disable-pip-version-check \ + --quiet \ + --retries 8 \ + --timeout 120 \ + install \ + --upgrade \ + pip setuptools wheel \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Install Azure CLI, then verify installation +ARG AZURE_CLI_VERSION +ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} +RUN --mount=target=/${USER}/.cache/pip,type=cache,id=pip-${PYTHON_VERSION_MAJOR_MINOR}-${TARGETPLATFORM},sharing=locked \ + python3 -m pip \ + --disable-pip-version-check \ + --quiet \ + --retries 8 \ + --timeout 120 \ + install \ + azure-cli==${AZURE_CLI_VERSION} \ + && az version \ + && rm -rf ${HOME}/.azure ${HOME}/.cache/pip \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Install AWS CLI, then verify installation +ARG AWS_CLI_VERSION +ENV AWS_CLI_VERSION=${AWS_CLI_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://awscli.amazonaws.com/awscli-exe-linux-$(ARCH_X64=x86_64 ARCH_ARM64=aarch64 bash arch.sh)-${AWS_CLI_VERSION}.zip -o awscli.zip \ + && unzip -q awscli.zip \ + && ./aws/install \ + && rm -rf awscli.zip aws \ + && aws --version + +# Install Google Cloud CLI, then verify installation +ARG GCLOUD_CLI_VERSION +ENV GCLOUD_CLI_VERSION=${GCLOUD_CLI_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_CLI_VERSION}-linux-$(ARCH_X64=x86_64 ARCH_ARM64=arm bash arch.sh).tar.gz | tar -xz -C /usr/local \ + && /usr/local/google-cloud-sdk/install.sh \ + --additional-components beta \ + --quiet \ + && ln -s /usr/local/google-cloud-sdk/bin/gcloud /usr/bin/gcloud \ + && ln -s /usr/local/google-cloud-sdk/bin/gsutil /usr/bin/gsutil \ + && gcloud version \ + && rm -rf /usr/local/google-cloud-sdk/.install ${HOME}/.config/gcloud \ + && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null + +# Install Powershell, then verify installation +ARG POWERSHELL_VERSION +ENV POWERSHELL_VERSION=${POWERSHELL_VERSION} +RUN mkdir -p /opt/microsoft/powershell \ + && curl -LsSf --retry 8 --retry-all-errors https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-$(bash arch.sh).tar.gz | tar -xz -C /opt/microsoft/powershell \ + && chmod +x /opt/microsoft/powershell/pwsh \ + && ln -s /opt/microsoft/powershell/pwsh /usr/bin/pwsh \ + && pwsh -Version \ + && rm -rf ${HOME}/.config/powershell ${HOME}/.cache/powershell + +# Install YQ, then verify installation +ARG YQ_VERSION +ENV YQ_VERSION=${YQ_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_$(ARCH_X64=amd64 bash arch.sh) -o /usr/bin/yq \ + && chmod +x /usr/bin/yq \ + && yq --version + +# Install Tini, then verify installation +ARG TINI_VERSION +ENV TINI_VERSION=${TINI_VERSION} +RUN curl -LsSf --retry 8 --retry-all-errors https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \ + && chmod +x /tini \ + && /tini --version +ENTRYPOINT ["/tini", "--"] + +# Install BuildKit, then verify installation +ARG BUILDKIT_VERSION +ENV BUILDKIT_VERSION=${BUILDKIT_VERSION} +RUN mkdir buildkit \ + && curl -LsSf --retry 8 --retry-all-errors https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C buildkit \ + && mv buildkit/bin/* /usr/local/bin \ + && rm -rf buildkit \ + && buildctl --version \ + && buildkitd --version + +# Install RootlessKit, then verify installation +COPY --from=rootlesskit /usr/local/bin/rootless* /usr/bin/ +RUN rootlesskit --version \ + && rootlessctl --version + +# Install Azure Pipelines Agent sources, then verify installation +ARG AZP_AGENT_VERSION +ENV AZP_AGENT_VERSION=${AZP_AGENT_VERSION} +ENV AZP_HOME=${HOME}/azp-agent +# Disable agent auto-updates +# See: https://github.com/microsoft/azure-pipelines-agent/blob/b5ff4408239f3e938560f8b2e3848df76489a8d0/src/Agent.Listener/Agent.cs#L354C24-L354C24 +ENV agent.disableupdate="1" +RUN mkdir -p ${AZP_HOME} \ + && curl -LsSf --retry 8 --retry-all-errors https://vstsagentpackage.azureedge.net/agent/${AZP_AGENT_VERSION}/pipelines-agent-linux-$(bash arch.sh)-${AZP_AGENT_VERSION}.tar.gz | tar -xz -C ${AZP_HOME} \ + && cd ${AZP_HOME} \ + && chmod +x run-docker.sh config.sh \ + && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \ + && rm -rf _diag \ + # Allow local user to R/W to agent home + && chmod -R a+w . +ENV AZP_WORK=${HOME}/azp-work +ENV AZP_CUSTOM_CERT_PEM=${HOME}/azp-custom-certs + +# Cleanup helper script +RUN rm arch.sh + +# Reset Python configs to default +ENV PYTHONDONTWRITEBYTECODE= +ENV PIP_BREAK_SYSTEM_PACKAGES= + +# Configure local user +RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \ + && chown -R ${USER} /run/user/0 ${HOME} \ + && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid +USER 0:0 +ENV XDG_RUNTIME_DIR=/run/user/0 +ENV TMPDIR=${HOME}/.local/tmp +ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock + +# Install Azure Pipelines Agent startup script +WORKDIR ${AZP_HOME} +COPY start.sh . +# Run as exec form, so that it can receive signals from Tini +CMD ["bash", "start.sh"] diff --git a/test/pipeline/root.yaml b/test/pipeline/root.yaml index a4f7490d..d0260aa0 100644 --- a/test/pipeline/root.yaml +++ b/test/pipeline/root.yaml @@ -20,10 +20,16 @@ jobs: - bash: | if command -v apt-get &> /dev/null; then + echo "Using apt-get" sudo apt-get update - sudo apt-get install -y python3-pip + sudo apt-get install -y wget elif command -v microdnf &> /dev/null; then - sudo microdnf install -y python3.11-pip + echo "Using microdnf" + sudo microdnf install -y wget + elif command -v tdnf &> /dev/null; then + echo "Using tdnf" + sudo tdnf update -y + sudo tdnf install -y wget else echo "No suported package manager" exit 1 From 6477d5fffdc58c9b670a885c83cc5bc55f98ec1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Tue, 7 Jan 2025 11:55:28 +0100 Subject: [PATCH 10/16] breaking: Upgrade to azure-pipelines-agent v4 --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 0467b911..fcfad8a8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -27,7 +27,7 @@ env: # https://npmjs.com/package/snyk?activeTab=versions SNYK_VERSION: 1.1293.1 # https://github.com/microsoft/azure-pipelines-agent/releases - AZP_AGENT_VERSION: 3.244.1 + AZP_AGENT_VERSION: 4.248.0 # https://github.com/PowerShell/PowerShell/releases POWERSHELL_VERSION: 7.2.23 # https://github.com/krallin/tini/releases From 5df46706cffa05095c069b9d59d21808617c8ce4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Tue, 7 Jan 2025 12:04:26 +0100 Subject: [PATCH 11/16] breaking: Remove Bullseye and Focal as they are not supported anymore Azure Pipelines Agent v4 now requires .NET v8. --- .github/workflows/pipeline.yaml | 6 +- .../docs/advanced-topics/bicep-deployment.md | 38 +-- .../docs/advanced-topics/build-aspnet.md | 5 +- .../docs/advanced-topics/docker-in-docker.md | 2 - .../docs/advanced-topics/helm-deployment.md | 4 +- docs/content/docs/getting-started.md | 2 - docs/content/docs/security.md | 8 +- src/bicep/main.bicep | 2 - src/docker/Dockerfile-bullseye | 278 ------------------ src/docker/Dockerfile-focal | 277 ----------------- 10 files changed, 26 insertions(+), 596 deletions(-) delete mode 100644 src/docker/Dockerfile-bullseye delete mode 100644 src/docker/Dockerfile-focal diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index fcfad8a8..1a603a7d 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -312,10 +312,6 @@ jobs: arch: linux/amd64,linux/arm64 - os: bookworm arch: linux/amd64,linux/arm64 - - os: bullseye - arch: linux/amd64,linux/arm64 - - os: focal - arch: linux/amd64,linux/arm64 - os: jammy arch: linux/amd64,linux/arm64 - os: noble @@ -905,7 +901,7 @@ jobs: # Rate limiting on Azure DevOps SaaS APIs is triggered quickly by integration tests, so we need to limit the number of parallel jobs max-parallel: 3 matrix: - os: [azurelinux3, bookworm, bullseye, focal, jammy, noble, ubi8, ubi9] + os: [azurelinux3, bookworm, jammy, noble, ubi8, ubi9] steps: - name: Checkout uses: actions/checkout@v4.1.7 diff --git a/docs/content/docs/advanced-topics/bicep-deployment.md b/docs/content/docs/advanced-topics/bicep-deployment.md index 1e1bc493..182126b5 100644 --- a/docs/content/docs/advanced-topics/bicep-deployment.md +++ b/docs/content/docs/advanced-topics/bicep-deployment.md @@ -6,22 +6,22 @@ Bicep is a deployment language for Azure, allowing to easily deploy resources on #### Bicep parameters -| Parameter | Description | Default | -| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ | -| `autoscalingMaxReplicas` | Maximum number of simultaneous jobs the agent can run | `100` | -| `autoscalingMinReplicas` | Minimum number of replicas the agent should have | `0` | -| `autoscalingPollingInterval` | Minimum number of replicas the agent should have; Warning, a low value will cause rate limiting or throttling, and can cause high load on the Azure DevOps API | `10` | -| `extraEnv` | Extra environment variables to pass to the agent | `[]` | -| `imageFlavor` | Flavor of the container image, represents the Linux distribution. Allowed values: `azurelinux3`, `bookworm`, `bullseye`, `focal`, `jammy`, `noble`, `ubi8`, `ubi9` | `bookworm` | -| `imageName` | Name of the container image | `clemlesne/blue-agent` | -| `imageRegistry` | Registry of the container image. Allowed values: `docker.io`, `ghcr.io` | `ghcr.io` | -| `imageVersion` | Version of the container image, it is recommended to use a specific version like "1.0.0" instead of "latest" | `main` | -| `instance` | Name of the instance, will be used to build the name of the resources | Value from `deployment().name` | -| `location` | Location of resources | `westeurope` | -| `pipelinesCapabilities` | Capabilities of the agent | `['arch_x64']` | -| `pipelinesOrganizationURL` | URL of the Azure DevOps organization | _None_ | -| `pipelinesPersonalAccessToken` | Personal access token allowing the agent to connect to the Azure DevOps organization. This parameter is secure. | _None_ | -| `pipelinesPoolName` | Name of the Azure Pipelines self-hosted pool the agent should be added to | _None_ | -| `pipelinesTimeout` | Timeout in seconds for the agent to run a job before it is automatically terminated | `3600` | -| `resourcesCpu` | Number of CPU cores allocated to the agent | `2` | -| `resourcesMemory` | Amount of memory allocated to the agent | `4Gi` | +| Parameter | Description | Default | +| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `autoscalingMaxReplicas` | Maximum number of simultaneous jobs the agent can run | `100` | +| `autoscalingMinReplicas` | Minimum number of replicas the agent should have | `0` | +| `autoscalingPollingInterval` | Minimum number of replicas the agent should have; Warning, a low value will cause rate limiting or throttling, and can cause high load on the Azure DevOps API | `10` | +| `extraEnv` | Extra environment variables to pass to the agent | `[]` | +| `imageFlavor` | Flavor of the container image, represents the Linux distribution. Allowed values: `azurelinux3`, `bookworm`, `jammy`, `noble`, `ubi8`, `ubi9` | `bookworm` | +| `imageName` | Name of the container image | `clemlesne/blue-agent` | +| `imageRegistry` | Registry of the container image. Allowed values: `docker.io`, `ghcr.io` | `ghcr.io` | +| `imageVersion` | Version of the container image, it is recommended to use a specific version like "1.0.0" instead of "latest" | `main` | +| `instance` | Name of the instance, will be used to build the name of the resources | Value from `deployment().name` | +| `location` | Location of resources | `westeurope` | +| `pipelinesCapabilities` | Capabilities of the agent | `['arch_x64']` | +| `pipelinesOrganizationURL` | URL of the Azure DevOps organization | _None_ | +| `pipelinesPersonalAccessToken` | Personal access token allowing the agent to connect to the Azure DevOps organization. This parameter is secure. | _None_ | +| `pipelinesPoolName` | Name of the Azure Pipelines self-hosted pool the agent should be added to | _None_ | +| `pipelinesTimeout` | Timeout in seconds for the agent to run a job before it is automatically terminated | `3600` | +| `resourcesCpu` | Number of CPU cores allocated to the agent | `2` | +| `resourcesMemory` | Amount of memory allocated to the agent | `4Gi` | diff --git a/docs/content/docs/advanced-topics/build-aspnet.md b/docs/content/docs/advanced-topics/build-aspnet.md index 82dcaad3..c9fc5d5e 100644 --- a/docs/content/docs/advanced-topics/build-aspnet.md +++ b/docs/content/docs/advanced-topics/build-aspnet.md @@ -7,10 +7,7 @@ It was chosen arbitrarily to install the LTS non SDK version of ASNP.NET. Becaus - LTS is better supported by Microsoft than STS - The non-SDK is lighter when included in a container, knowing that not everyone will use it for building purposes -Bundled versions installed depends on the image used: - -- Debian Bullseye (11) and Ubuntu Focal (20.04) use the `6.x` version (Microsoft doesn't support any LTS upgrades for these versions) -- Other images use the `8.x` version +All images are bundled with the `8.x` version. It is recommended that development teams to hard-code the framework version you want to use, in your pipeline. With this setup, the developer controls its environment, not the platform. If they decide to upgrade, they update the pipeline, if not, not. This is under the responsibility of the developer. diff --git a/docs/content/docs/advanced-topics/docker-in-docker.md b/docs/content/docs/advanced-topics/docker-in-docker.md index ae658581..82846976 100644 --- a/docs/content/docs/advanced-topics/docker-in-docker.md +++ b/docs/content/docs/advanced-topics/docker-in-docker.md @@ -19,8 +19,6 @@ Linux systems are supported, but not Windows: | ------------------------------------------------ | ------------------------------------------------- | | `ghcr.io/clemlesne/blue-agent:azurelinux3-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | ✅ | -| `ghcr.io/clemlesne/blue-agent:bullseye-main` | ✅ | -| `ghcr.io/clemlesne/blue-agent:focal-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:jammy-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:noble-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:ubi8-main` | ✅ | diff --git a/docs/content/docs/advanced-topics/helm-deployment.md b/docs/content/docs/advanced-topics/helm-deployment.md index 6ac2bd41..721ce5ea 100644 --- a/docs/content/docs/advanced-topics/helm-deployment.md +++ b/docs/content/docs/advanced-topics/helm-deployment.md @@ -23,10 +23,10 @@ Helm is a package manager for Kubernetes, allowing to easily deploy applications | `extraVolumeMounts` | Additional volume mounts for the agent container | `[]` | | `extraVolumes` | Additional volumes for the agent pod | `[]` | | `fullnameOverride` | Overrides release fullname | `""` | -| `image.flavor` | Container image tag, can be `bookworm`, `bullseye`, `focal`, `jammy`, `noble`, `ubi8`, `ubi9`, `win-ltsc2019`, or `win-ltsc2022` | `bookworm` | +| `image.flavor` | Container image tag, can be `bookworm`, `jammy`, `noble`, `ubi8`, `ubi9`, `win-ltsc2019`, or `win-ltsc2022` | `bookworm` | | `image.isWindows` | Turn on is the agent is a Windows-based system | `false` | | `image.pullPolicy` | Container image pull policy | `IfNotPresent` | -| `image.repository` | Container image repository | `ghcr.io/clemlesne/blue-agent:bullseye` | +| `image.repository` | Container image repository | `ghcr.io/clemlesne/blue-agent:bookworm` | | `image.version` | Container image tag | _Version_ | | `imagePullSecrets` | Use secrets to pull the container image | `[]` | | `initContainers` | Init containers for the agent pod | `[]` | diff --git a/docs/content/docs/getting-started.md b/docs/content/docs/getting-started.md index 357a0dd9..97933c45 100644 --- a/docs/content/docs/getting-started.md +++ b/docs/content/docs/getting-started.md @@ -86,10 +86,8 @@ OS support is generally called "flavor" in this documentation. The following tab | ------------------------------------------------ | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | `ghcr.io/clemlesne/blue-agent:azurelinux3-main` | [Azure Linux 3](https://github.com/microsoft/azurelinux) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/azurelinux3-main?label=) | `amd64`, `arm64/v8` | [See Microsoft Azure documentation.](https://learn.microsoft.com/en-us/azure/aks/support-policies) | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | [Debian Bookworm (12)](https://www.debian.org/releases/bookworm) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/bookworm-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | -| `ghcr.io/clemlesne/blue-agent:bullseye-main` | [Debian Bullseye (11)](https://www.debian.org/releases/bullseye) slim | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/bullseye-main?label=) | `amd64`, `arm64/v8` | [See Debian LTS wiki.](https://wiki.debian.org/LTS) | | `ghcr.io/clemlesne/blue-agent:noble-main` | [Ubuntu Noble (24.04)](https://www.releases.ubuntu.com/noble) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/noble-main?label=) | `amd64` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | | `ghcr.io/clemlesne/blue-agent:jammy-main` | [Ubuntu Jammy (22.04)](https://www.releases.ubuntu.com/jammy) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/jammy-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | -| `ghcr.io/clemlesne/blue-agent:focal-main` | [Ubuntu Focal (20.04)](https://www.releases.ubuntu.com/focal) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/focal-main?label=) | `amd64`, `arm64/v8` | [See Ubuntu LTS wiki.](https://wiki.ubuntu.com/Releases) | | `ghcr.io/clemlesne/blue-agent:ubi9-main` | [Red Hat UBI 9](https://developers.redhat.com/articles/ubi-faq) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/ubi9-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | | `ghcr.io/clemlesne/blue-agent:ubi8-main` | [Red Hat UBI 8](https://developers.redhat.com/articles/ubi-faq) minimal | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/ubi8-main?label=) | `amd64`, `arm64/v8` | [See Red Hat product life cycles.](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux) | | `ghcr.io/clemlesne/blue-agent:win-ltsc2022-main` | [Windows Server 2022](https://learn.microsoft.com/en-us/windows-server) Core | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/clemlesne/blue-agent/win-ltsc2022-main?label=) | `amd64` | [See base image servicing lifecycles.](https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle) | diff --git a/docs/content/docs/security.md b/docs/content/docs/security.md index 4a293488..b97207dc 100644 --- a/docs/content/docs/security.md +++ b/docs/content/docs/security.md @@ -16,8 +16,6 @@ Scanned systems: | ------------------------------------------------ | ----------------------------- | | `ghcr.io/clemlesne/blue-agent:azurelinux3-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:bookworm-main` | ✅ | -| `ghcr.io/clemlesne/blue-agent:bullseye-main` | ✅ | -| `ghcr.io/clemlesne/blue-agent:focal-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:jammy-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:noble-main` | ✅ | | `ghcr.io/clemlesne/blue-agent:ubi8-main` | ✅ | @@ -41,8 +39,8 @@ Cosign public key is available in [`/cosign.pub`](cosign.pub). ```bash # Example of verification with Cosign -❯ cosign verify --key cosign.pub ghcr.io/clemlesne/blue-agent:bullseye-main -Verification for ghcr.io/clemlesne/blue-agent:bullseye-main -- +❯ cosign verify --key cosign.pub ghcr.io/clemlesne/blue-agent:bookworm-main +Verification for ghcr.io/clemlesne/blue-agent:bookworm-main -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline @@ -81,4 +79,4 @@ Systems are built every days. Each image is accompanied by a [SBOM (Software Bil Nevertheless it can happen that a package provider (e.g. Debian, Canonical, Red Hat) deploys a system update that introduces a bug. This is difficult to predict. -Each image is pushed with a unique tag, which corresponds to the date of the last update (example: `bullseye-20230313` for a build on March 13, 2023). It is therefore possible to fix the download of a version by modifying the `image.version` property to `20230313`. +Each image is pushed with a unique tag, which corresponds to the date of the last update (example: `bookworm-20230313` for a build on March 13, 2023). It is therefore possible to fix the download of a version by modifying the `image.version` property to `20230313`. diff --git a/src/bicep/main.bicep b/src/bicep/main.bicep index 85fd72d9..1d71a9eb 100644 --- a/src/bicep/main.bicep +++ b/src/bicep/main.bicep @@ -13,8 +13,6 @@ param extraEnv array = [] @allowed([ 'azurelinux3' 'bookworm' - 'bullseye' - 'focal' 'jammy' 'noble' 'ubi8' diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye deleted file mode 100644 index 55ce83e8..00000000 --- a/src/docker/Dockerfile-bullseye +++ /dev/null @@ -1,278 +0,0 @@ -# syntax=docker/dockerfile:1 -# check=skip=UndefinedVar - -FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim@sha256:f9e1ba6847d4f3854ebdfa367540d9e8090935cae034864284419dee037b2258 AS base - -# Force apt-get to not use TTY -ENV DEBIAN_FRONTEND=noninteractive - -# Configure local user -ENV USER=root -ENV HOME=/app-root - -# Avoid Python cache during build -ENV PYTHONDONTWRITEBYTECODE=1 - -# Install: -# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) -# - Azure Pipelines agent system requirements -# - dbus-user-session, fuse-overlayfs, iptables, for BuildKit -# - gzip, make, tar, unzip, wget, zip, zstd, dnsutils, rsync, for developer ease-of-life -# - zsh, for inter-operability -RUN rm -f /etc/apt/apt.conf.d/docker-clean \ - && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache -RUN --mount=target=/var/lib/apt/lists,type=cache,id=apt-lists-${TARGETPLATFORM},sharing=locked --mount=target=/var/cache,type=cache,id=var-cache-${TARGETPLATFORM},sharing=locked \ - apt-get update -q \ - && apt-get install -y -q --no-install-recommends \ - build-essential \ - ca-certificates \ - cargo \ - curl \ - dbus-user-session \ - dnsutils \ - fuse-overlayfs \ - git \ - git-lfs \ - gnupg \ - gzip \ - iptables \ - iputils-ping \ - jq \ - libffi-dev \ - libssl-dev \ - lsb-release \ - make \ - pkg-config \ - rsync \ - software-properties-common \ - sudo \ - tar \ - uidmap \ - unzip \ - wget \ - zip \ - zsh \ - zstd \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Copy helper script, then verify installation -COPY arch.sh . -RUN chmod +x arch.sh \ - && bash arch.sh - -# Persist Python version -ARG PYTHON_VERSION_MAJOR_MINOR -ARG PYTHON_VERSION_PATCH -ENV PYTHON_VERSION=${PYTHON_VERSION_MAJOR_MINOR}.${PYTHON_VERSION_PATCH} - -FROM base AS rootlesskit - -# Install Go, then verify installation -ARG GO_VERSION -ENV GO_VERSION=${GO_VERSION} -RUN rm -rf /usr/local/go \ - && curl -LsSf --retry 8 --retry-all-errors https://go.dev/dl/go${GO_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C /usr/local -ENV PATH="${PATH}:/usr/local/go/bin" -RUN go version - -# Install RootlessKit, then verify installation -ARG ROOTLESSKIT_VERSION -ENV ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} -RUN --mount=target=/rootlesskit-${ROOTLESSKIT_VERSION},type=cache,id=rootlesskit-${ROOTLESSKIT_VERSION}-${TARGETPLATFORM},sharing=locked \ - git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/rootless-containers/rootlesskit.git rootlesskit \ - # Ugly but that's work - && cp -r rootlesskit/* rootlesskit-${ROOTLESSKIT_VERSION} \ - && rm -rf rootlesskit \ - && cd rootlesskit-${ROOTLESSKIT_VERSION} \ - && make \ - && make install \ - && cd .. \ - && rootlesskit --version \ - && rootlessctl --version - -FROM base AS python - -# Build Python from source, then verify installation -ARG PYTHON_VERSION -ENV PYTHON_VERSION=${PYTHON_VERSION} -RUN --mount=target=/var/lib/apt/lists,type=cache,id=apt-lists-${TARGETPLATFORM},sharing=locked --mount=target=/var/cache,type=cache,id=var-cache-${TARGETPLATFORM},sharing=locked --mount=target=/Python-${PYTHON_VERSION},type=cache,id=python-${PYTHON_VERSION}-${TARGETPLATFORM},sharing=locked \ - apt-get update -q \ - && apt-get install -y -q --no-install-recommends \ - g++ \ - lcov \ - libbz2-dev \ - libgdbm-compat-dev \ - libgdbm-dev \ - liblzma-dev \ - libmpdec-dev \ - libncurses5-dev \ - libncursesw5-dev \ - libreadline-dev \ - libreadline6-dev \ - libsqlite3-dev \ - libxml2-dev \ - libxmlsec1-dev \ - lzma \ - lzma-dev \ - uuid-dev \ - xz-utils \ - zlib1g-dev \ - && curl -LsSf --retry 8 --retry-all-errors https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ - && tar -xzf python.tgz \ - && rm python.tgz \ - && cd Python-${PYTHON_VERSION} \ - && gnu_arch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - && ./configure \ - --build=$gnu_arch \ - --enable-optimizations \ - --with-ensurepip=install \ - --with-lto \ - && make profile-removal \ - && extra_cflags="$(dpkg-buildflags --get CFLAGS)" \ - && ldflags="$(dpkg-buildflags --get LDFLAGS)" \ - && make -j $(nproc) "EXTRA_CFLAGS=${extra_cflags:-}" "LDFLAGS=${ldflags:-}" \ - && make install \ - && cd .. \ - && python3 --version \ - && python3 -m pip --version \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -FROM base - -# Install Python, then verify installation -COPY --from=python /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} -COPY --from=python /usr/local/lib/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/lib/python${PYTHON_VERSION_MAJOR_MINOR} -RUN ln -s /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python3 \ - && ln -s /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python \ - && python --version \ - && python3 --version \ - && python${PYTHON_VERSION_MAJOR_MINOR} --version \ - && python3 -m pip --version - -# Install Python build tools -RUN --mount=target=/${USER}/.cache/pip,type=cache,id=pip-${PYTHON_VERSION_MAJOR_MINOR}-${TARGETPLATFORM},sharing=locked \ - python3 -m pip \ - --disable-pip-version-check \ - --quiet \ - --retries 8 \ - --timeout 120 \ - install \ - --upgrade \ - pip setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Install Azure CLI, then verify installation -ARG AZURE_CLI_VERSION -ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} -RUN --mount=target=/${USER}/.cache/pip,type=cache,id=pip-${PYTHON_VERSION_MAJOR_MINOR}-${TARGETPLATFORM},sharing=locked \ - python3 -m pip \ - --disable-pip-version-check \ - --quiet \ - --retries 8 \ - --timeout 120 \ - install \ - azure-cli==${AZURE_CLI_VERSION} \ - && az version \ - && rm -rf ${HOME}/.azure ${HOME}/.cache/pip \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Install AWS CLI, then verify installation -ARG AWS_CLI_VERSION -ENV AWS_CLI_VERSION=${AWS_CLI_VERSION} -RUN curl -LsSf --retry 8 --retry-all-errors https://awscli.amazonaws.com/awscli-exe-linux-$(ARCH_X64=x86_64 ARCH_ARM64=aarch64 bash arch.sh)-${AWS_CLI_VERSION}.zip -o awscli.zip \ - && unzip -q awscli.zip \ - && ./aws/install \ - && rm -rf awscli.zip aws \ - && aws --version - -# Install Google Cloud CLI, then verify installation -ARG GCLOUD_CLI_VERSION -ENV GCLOUD_CLI_VERSION=${GCLOUD_CLI_VERSION} -RUN curl -LsSf --retry 8 --retry-all-errors https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_CLI_VERSION}-linux-$(ARCH_X64=x86_64 ARCH_ARM64=arm bash arch.sh).tar.gz | tar -xz -C /usr/local \ - && /usr/local/google-cloud-sdk/install.sh \ - --additional-components beta \ - --quiet \ - && ln -s /usr/local/google-cloud-sdk/bin/gcloud /usr/bin/gcloud \ - && ln -s /usr/local/google-cloud-sdk/bin/gsutil /usr/bin/gsutil \ - && gcloud version \ - && rm -rf /usr/local/google-cloud-sdk/.install ${HOME}/.config/gcloud \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Install Powershell, then verify installation -ARG POWERSHELL_VERSION -ENV POWERSHELL_VERSION=${POWERSHELL_VERSION} -RUN mkdir -p /opt/microsoft/powershell \ - && curl -LsSf --retry 8 --retry-all-errors https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-$(bash arch.sh).tar.gz | tar -xz -C /opt/microsoft/powershell \ - && chmod +x /opt/microsoft/powershell/pwsh \ - && ln -s /opt/microsoft/powershell/pwsh /usr/bin/pwsh \ - && pwsh -Version \ - && rm -rf ${HOME}/.config/powershell ${HOME}/.cache/powershell - -# Install YQ, then verify installation -ARG YQ_VERSION -ENV YQ_VERSION=${YQ_VERSION} -RUN curl -LsSf --retry 8 --retry-all-errors https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_$(ARCH_X64=amd64 bash arch.sh) -o /usr/bin/yq \ - && chmod +x /usr/bin/yq \ - && yq --version - -# Install Tini, then verify installation -ARG TINI_VERSION -ENV TINI_VERSION=${TINI_VERSION} -RUN curl -LsSf --retry 8 --retry-all-errors https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \ - && chmod +x /tini \ - && /tini --version -ENTRYPOINT ["/tini", "--"] - -# Install BuildKit, then verify installation -ARG BUILDKIT_VERSION -ENV BUILDKIT_VERSION=${BUILDKIT_VERSION} -RUN mkdir buildkit \ - && curl -LsSf --retry 8 --retry-all-errors https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C buildkit \ - && mv buildkit/bin/* /usr/local/bin \ - && rm -rf buildkit \ - && buildctl --version \ - && buildkitd --version - -# Install RootlessKit, then verify installation -COPY --from=rootlesskit /usr/local/bin/rootless* /usr/bin/ -RUN rootlesskit --version \ - && rootlessctl --version - -# Install Azure Pipelines Agent sources, then verify installation -ARG AZP_AGENT_VERSION -ENV AZP_AGENT_VERSION=${AZP_AGENT_VERSION} -ENV AZP_HOME=${HOME}/azp-agent -# Disable agent auto-updates -# See: https://github.com/microsoft/azure-pipelines-agent/blob/b5ff4408239f3e938560f8b2e3848df76489a8d0/src/Agent.Listener/Agent.cs#L354C24-L354C24 -ENV agent.disableupdate="1" -RUN mkdir -p ${AZP_HOME} \ - && curl -LsSf --retry 8 --retry-all-errors https://vstsagentpackage.azureedge.net/agent/${AZP_AGENT_VERSION}/pipelines-agent-linux-$(bash arch.sh)-${AZP_AGENT_VERSION}.tar.gz | tar -xz -C ${AZP_HOME} \ - && cd ${AZP_HOME} \ - && chmod +x run-docker.sh config.sh \ - && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \ - && rm -rf _diag \ - # Allow local user to R/W to agent home - && chmod -R a+w . -ENV AZP_WORK=${HOME}/azp-work -ENV AZP_CUSTOM_CERT_PEM=${HOME}/azp-custom-certs - -# Cleanup helper script -RUN rm arch.sh - -# Reset Python configs to default -ENV PYTHONDONTWRITEBYTECODE= - -# Configure local user -RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \ - && chown -R ${USER} /run/user/0 ${HOME} \ - && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid -USER 0:0 -ENV XDG_RUNTIME_DIR=/run/user/0 -ENV TMPDIR=${HOME}/.local/tmp -ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock - -# Install Azure Pipelines Agent startup script -WORKDIR ${AZP_HOME} -COPY start.sh . -# Run as exec form, so that it can receive signals from Tini -CMD ["bash", "start.sh"] diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal deleted file mode 100644 index 5017c48b..00000000 --- a/src/docker/Dockerfile-focal +++ /dev/null @@ -1,277 +0,0 @@ -# syntax=docker/dockerfile:1 -# check=skip=UndefinedVar - -FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal@sha256:eb64d9af3c637a16533d4e510e4ff9dba7397ede73593b13a93dcc332058c182 AS base - -# Force apt-get to not use TTY -ENV DEBIAN_FRONTEND=noninteractive - -# Configure local user -ENV USER=root -ENV HOME=/app-root - -# Avoid Python cache during build -ENV PYTHONDONTWRITEBYTECODE=1 - -# Install: -# - Azure CLI system requirements (C/Rust build tools for libs non pre-built on this platform) -# - Azure Pipelines agent system requirements -# - dbus-user-session, iptables, uidmap, for BuildKit -# - gzip, make, tar, unzip, wget, zip, zstd, dnsutils, rsync, for developer ease-of-life -# - zsh, for inter-operability -RUN rm -f /etc/apt/apt.conf.d/docker-clean \ - && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache -RUN --mount=target=/var/lib/apt/lists,type=cache,id=apt-lists-${TARGETPLATFORM},sharing=locked --mount=target=/var/cache,type=cache,id=var-cache-${TARGETPLATFORM},sharing=locked \ - apt-get update -q \ - && apt-get install -y -q --no-install-recommends \ - build-essential \ - ca-certificates \ - cargo \ - curl \ - dbus-user-session \ - dnsutils \ - git \ - git-lfs \ - gnupg \ - gzip \ - iptables \ - iputils-ping \ - jq \ - libffi-dev \ - libssl-dev \ - lsb-release \ - make \ - pkg-config \ - rsync \ - software-properties-common \ - sudo \ - tar \ - uidmap \ - unzip \ - wget \ - zip \ - zsh \ - zstd \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Copy helper script, then verify installation -COPY arch.sh . -RUN chmod +x arch.sh \ - && bash arch.sh - -# Persist Python version -ARG PYTHON_VERSION_MAJOR_MINOR -ARG PYTHON_VERSION_PATCH -ENV PYTHON_VERSION=${PYTHON_VERSION_MAJOR_MINOR}.${PYTHON_VERSION_PATCH} - -FROM base AS rootlesskit - -# Install Go, then verify installation -ARG GO_VERSION -ENV GO_VERSION=${GO_VERSION} -RUN rm -rf /usr/local/go \ - && curl -LsSf --retry 8 https://go.dev/dl/go${GO_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C /usr/local -ENV PATH="${PATH}:/usr/local/go/bin" -RUN go version - -# Install RootlessKit, then verify installation -ARG ROOTLESSKIT_VERSION -ENV ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION} -RUN --mount=target=/rootlesskit-${ROOTLESSKIT_VERSION},type=cache,id=rootlesskit-${ROOTLESSKIT_VERSION}-${TARGETPLATFORM},sharing=locked \ - git clone --depth 1 --branch v${ROOTLESSKIT_VERSION} https://github.com/rootless-containers/rootlesskit.git rootlesskit \ - # Ugly but that's work - && cp -r rootlesskit/* rootlesskit-${ROOTLESSKIT_VERSION} \ - && rm -rf rootlesskit \ - && cd rootlesskit-${ROOTLESSKIT_VERSION} \ - && make \ - && make install \ - && cd .. \ - && rootlesskit --version \ - && rootlessctl --version - -FROM base AS python - -# Build Python from source, then verify installation -ARG PYTHON_VERSION -ENV PYTHON_VERSION=${PYTHON_VERSION} -RUN --mount=target=/var/lib/apt/lists,type=cache,id=apt-lists-${TARGETPLATFORM},sharing=locked --mount=target=/var/cache,type=cache,id=var-cache-${TARGETPLATFORM},sharing=locked --mount=target=/Python-${PYTHON_VERSION},type=cache,id=python-${PYTHON_VERSION}-${TARGETPLATFORM},sharing=locked \ - apt-get update -q \ - && apt-get install -y -q --no-install-recommends \ - g++ \ - lcov \ - libbz2-dev \ - libgdbm-compat-dev \ - libgdbm-dev \ - liblzma-dev \ - libmpdec-dev \ - libncurses5-dev \ - libncursesw5-dev \ - libreadline-dev \ - libreadline6-dev \ - libsqlite3-dev \ - libxml2-dev \ - libxmlsec1-dev \ - lzma \ - lzma-dev \ - uuid-dev \ - xz-utils \ - zlib1g-dev \ - && curl -LsSf --retry 8 https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz -o python.tgz \ - && tar -xzf python.tgz \ - && rm python.tgz \ - && cd Python-${PYTHON_VERSION} \ - && gnu_arch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ - && ./configure \ - --build=$gnu_arch \ - --enable-optimizations \ - --with-ensurepip=install \ - --with-lto \ - && make profile-removal \ - && extra_cflags="$(dpkg-buildflags --get CFLAGS)" \ - && ldflags="$(dpkg-buildflags --get LDFLAGS)" \ - && make -j $(nproc) "EXTRA_CFLAGS=${extra_cflags:-}" "LDFLAGS=${ldflags:-}" \ - && make install \ - && cd .. \ - && python3 --version \ - && python3 -m pip --version \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -FROM base - -# Install Python, then verify installation -COPY --from=python /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} -COPY --from=python /usr/local/lib/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/lib/python${PYTHON_VERSION_MAJOR_MINOR} -RUN ln -s /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python3 \ - && ln -s /usr/local/bin/python${PYTHON_VERSION_MAJOR_MINOR} /usr/local/bin/python \ - && python --version \ - && python3 --version \ - && python${PYTHON_VERSION_MAJOR_MINOR} --version \ - && python3 -m pip --version - -# Install Python build tools -RUN --mount=target=/${USER}/.cache/pip,type=cache,id=pip-${PYTHON_VERSION_MAJOR_MINOR}-${TARGETPLATFORM},sharing=locked \ - python3 -m pip \ - --disable-pip-version-check \ - --quiet \ - --retries 8 \ - --timeout 120 \ - install \ - --upgrade \ - pip setuptools wheel \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Install Azure CLI, then verify installation -ARG AZURE_CLI_VERSION -ENV AZURE_CLI_VERSION=${AZURE_CLI_VERSION} -RUN --mount=target=/${USER}/.cache/pip,type=cache,id=pip-${PYTHON_VERSION_MAJOR_MINOR}-${TARGETPLATFORM},sharing=locked \ - python3 -m pip \ - --disable-pip-version-check \ - --quiet \ - --retries 8 \ - --timeout 120 \ - install \ - azure-cli==${AZURE_CLI_VERSION} \ - && az version \ - && rm -rf ${HOME}/.azure ${HOME}/.cache/pip \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Install AWS CLI, then verify installation -ARG AWS_CLI_VERSION -ENV AWS_CLI_VERSION=${AWS_CLI_VERSION} -RUN curl -LsSf --retry 8 https://awscli.amazonaws.com/awscli-exe-linux-$(ARCH_X64=x86_64 ARCH_ARM64=aarch64 bash arch.sh)-${AWS_CLI_VERSION}.zip -o awscli.zip \ - && unzip -q awscli.zip \ - && ./aws/install \ - && rm -rf awscli.zip aws \ - && aws --version - -# Install Google Cloud CLI, then verify installation -ARG GCLOUD_CLI_VERSION -ENV GCLOUD_CLI_VERSION=${GCLOUD_CLI_VERSION} -RUN curl -LsSf --retry 8 https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_CLI_VERSION}-linux-$(ARCH_X64=x86_64 ARCH_ARM64=arm bash arch.sh).tar.gz | tar -xz -C /usr/local \ - && /usr/local/google-cloud-sdk/install.sh \ - --additional-components beta \ - --quiet \ - && ln -s /usr/local/google-cloud-sdk/bin/gcloud /usr/bin/gcloud \ - && ln -s /usr/local/google-cloud-sdk/bin/gsutil /usr/bin/gsutil \ - && gcloud version \ - && rm -rf /usr/local/google-cloud-sdk/.install ${HOME}/.config/gcloud \ - && find / -depth -type d -name __pycache__ -exec rm -rf {} \; 2> /dev/null - -# Install Powershell, then verify installation -ARG POWERSHELL_VERSION -ENV POWERSHELL_VERSION=${POWERSHELL_VERSION} -RUN mkdir -p /opt/microsoft/powershell \ - && curl -LsSf --retry 8 https://github.com/PowerShell/PowerShell/releases/download/v${POWERSHELL_VERSION}/powershell-${POWERSHELL_VERSION}-linux-$(bash arch.sh).tar.gz | tar -xz -C /opt/microsoft/powershell \ - && chmod +x /opt/microsoft/powershell/pwsh \ - && ln -s /opt/microsoft/powershell/pwsh /usr/bin/pwsh \ - && pwsh -Version \ - && rm -rf ${HOME}/.config/powershell ${HOME}/.cache/powershell - -# Install YQ, then verify installation -ARG YQ_VERSION -ENV YQ_VERSION=${YQ_VERSION} -RUN curl -LsSf --retry 8 https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_$(ARCH_X64=amd64 bash arch.sh) -o /usr/bin/yq \ - && chmod +x /usr/bin/yq \ - && yq --version - -# Install Tini, then verify installation -ARG TINI_VERSION -ENV TINI_VERSION=${TINI_VERSION} -RUN curl -LsSf --retry 8 https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \ - && chmod +x /tini \ - && /tini --version -ENTRYPOINT ["/tini", "--"] - -# Install BuildKit, then verify installation -ARG BUILDKIT_VERSION -ENV BUILDKIT_VERSION=${BUILDKIT_VERSION} -RUN mkdir buildkit \ - && curl -LsSf --retry 8 https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-$(ARCH_X64=amd64 bash arch.sh).tar.gz | tar -xz -C buildkit \ - && mv buildkit/bin/* /usr/local/bin \ - && rm -rf buildkit \ - && buildctl --version \ - && buildkitd --version - -# Install RootlessKit, then verify installation -COPY --from=rootlesskit /usr/local/bin/rootless* /usr/bin/ -RUN rootlesskit --version \ - && rootlessctl --version - -# Install Azure Pipelines Agent sources, then verify installation -ARG AZP_AGENT_VERSION -ENV AZP_AGENT_VERSION=${AZP_AGENT_VERSION} -ENV AZP_HOME=${HOME}/azp-agent -# Disable agent auto-updates -# See: https://github.com/microsoft/azure-pipelines-agent/blob/b5ff4408239f3e938560f8b2e3848df76489a8d0/src/Agent.Listener/Agent.cs#L354C24-L354C24 -ENV agent.disableupdate="1" -RUN mkdir -p ${AZP_HOME} \ - && curl -LsSf --retry 8 https://vstsagentpackage.azureedge.net/agent/${AZP_AGENT_VERSION}/pipelines-agent-linux-$(bash arch.sh)-${AZP_AGENT_VERSION}.tar.gz | tar -xz -C ${AZP_HOME} \ - && cd ${AZP_HOME} \ - && chmod +x run-docker.sh config.sh \ - && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \ - && rm -rf _diag \ - # Allow local user to R/W to agent home - && chmod -R a+w . -ENV AZP_WORK=${HOME}/azp-work -ENV AZP_CUSTOM_CERT_PEM=${HOME}/azp-custom-certs - -# Cleanup helper script -RUN rm arch.sh - -# Reset Python configs to default -ENV PYTHONDONTWRITEBYTECODE= - -# Configure local user -RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \ - && chown -R ${USER} /run/user/0 ${HOME} \ - && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid -USER 0:0 -ENV XDG_RUNTIME_DIR=/run/user/0 -ENV TMPDIR=${HOME}/.local/tmp -ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock - -# Install Azure Pipelines Agent startup script -WORKDIR ${AZP_HOME} -COPY start.sh . -# Run as exec form, so that it can receive signals from Tini -CMD ["bash", "start.sh"] From e31c31fbce34184618325c0faabe103baa9b066e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Tue, 7 Jan 2025 12:13:59 +0100 Subject: [PATCH 12/16] doc: Fix "image.repository" Helm default value --- docs/content/docs/advanced-topics/helm-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/docs/advanced-topics/helm-deployment.md b/docs/content/docs/advanced-topics/helm-deployment.md index 721ce5ea..bb5064cd 100644 --- a/docs/content/docs/advanced-topics/helm-deployment.md +++ b/docs/content/docs/advanced-topics/helm-deployment.md @@ -26,7 +26,7 @@ Helm is a package manager for Kubernetes, allowing to easily deploy applications | `image.flavor` | Container image tag, can be `bookworm`, `jammy`, `noble`, `ubi8`, `ubi9`, `win-ltsc2019`, or `win-ltsc2022` | `bookworm` | | `image.isWindows` | Turn on is the agent is a Windows-based system | `false` | | `image.pullPolicy` | Container image pull policy | `IfNotPresent` | -| `image.repository` | Container image repository | `ghcr.io/clemlesne/blue-agent:bookworm` | +| `image.repository` | Container image repository | `ghcr.io/clemlesne/blue-agent` | | `image.version` | Container image tag | _Version_ | | `imagePullSecrets` | Use secrets to pull the container image | `[]` | | `initContainers` | Init containers for the agent pod | `[]` | From 8db4672742a7362995aa4d62023801966ede709b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Tue, 7 Jan 2025 11:55:51 +0100 Subject: [PATCH 13/16] security: Upgrade deps --- .github/workflows/pipeline.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1a603a7d..d32668b4 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -25,53 +25,53 @@ env: # https://npmjs.com/package/@microsoft/sarif-multitool?activeTab=versions SARIF_MULTITOOL_VERSION: 4.5.4 # https://npmjs.com/package/snyk?activeTab=versions - SNYK_VERSION: 1.1293.1 + SNYK_VERSION: 1.1294.3 # https://github.com/microsoft/azure-pipelines-agent/releases AZP_AGENT_VERSION: 4.248.0 # https://github.com/PowerShell/PowerShell/releases - POWERSHELL_VERSION: 7.2.23 + POWERSHELL_VERSION: 7.2.24 # https://github.com/krallin/tini/releases TINI_VERSION: 0.19.0 # https://github.com/mikefarah/yq/releases - YQ_VERSION: 4.44.3 + YQ_VERSION: 4.44.6 # https://go.dev/dl - GO_VERSION: 1.23.2 + GO_VERSION: 1.23.4 # https://github.com/rootless-containers/rootlesskit/releases ROOTLESSKIT_VERSION: 2.3.1 # https://github.com/moby/buildkit/releases - BUILDKIT_VERSION: 0.16.0 + BUILDKIT_VERSION: 0.18.2 # https://github.com/Azure/azure-cli/releases - AZURE_CLI_VERSION: 2.65.0 + AZURE_CLI_VERSION: 2.67.0 # https://github.com/stedolan/jq/releases JQ_WIN_VERSION: 1.7.1 # https://github.com/aws/aws-cli/tags - AWS_CLI_VERSION: 2.18.4 + AWS_CLI_VERSION: 2.22.29 # https://console.cloud.google.com/artifacts/docker/google.com:cloudsdktool/us/gcr.io/google-cloud-cli # Note: To get thhe version number, spot the version tag on the latest pushed container - GCLOUD_CLI_VERSION: 490.0.0 + GCLOUD_CLI_VERSION: 497.0.0 # https://github.com/git-for-windows/git/releases - GIT_WIN_VERSION: 2.47.0 + GIT_WIN_VERSION: 2.47.1 # https://github.com/facebook/zstd/releases ZSTD_WIN_VERSION: 1.5.6 # https://www.python.org/downloads PYTHON_VERSION_MAJOR_MINOR: 3.12 - PYTHON_VERSION_PATCH: 7 + PYTHON_VERSION_PATCH: 8 # https://nodejs.org/en/download/releases - NODE_VERSION: 20.18.0 + NODE_VERSION: 22.12.0 # https://github.com/helm/helm/releases - HELM_VERSION: 3.16.2 + HELM_VERSION: 3.16.4 # https://github.com/oras-project/oras/releases ORAS_VERSION: 1.2.0 # https://github.com/docker/buildx/releases - BUILDX_VERSION: 0.17.1 + BUILDX_VERSION: 0.19.3 # https://github.com/hadolint/hadolint/releases HADOLINT_VERSION: 2.12.0 # https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-history#fixed-version-bootstrappers - VS_BUILDTOOLS_WIN_VERSION: 80c57218-b55f-4260-af46-a64ffd76e7a6/7fee719abc3ba9eced84ea258ccae39a7b0cc953b539c2ea3a98c3ff588b7870 + VS_BUILDTOOLS_WIN_VERSION: f2819554-a618-400d-bced-774bb5379965/cc7231dc668ec1fb92f694c66b5d67cba1a9e21127a6e0b31c190f772bd442f2 # https://github.com/gohugoio/hugo/releases - HUGO_VERSION: 0.135.0 + HUGO_VERSION: 0.140.2 # See: https://github.com/getsops/sops/releases - SOPS_VERSION: 3.9.1 + SOPS_VERSION: 3.9.3 jobs: init: From 95c12311c6404913e5171a068f7a2f95f5e68860 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Tue, 7 Jan 2025 16:25:13 +0100 Subject: [PATCH 14/16] security: Rotate CI/CD Azure DevOps PAT --- .sops.yaml | 2 +- test/bicep/test.enc.json | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index f82e344d..272eca30 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,3 +1,3 @@ creation_rules: - - age: age1up54yhdjs672usk4etmy8naa5uh0qamy5tn3nmkwua5vp6fn7v7qz80945 + - age: age1fxq8nhldys0d49jhw474zzk305qytqnasjerrcysja8zu08zcyjqs7ck5g encrypted_regex: value diff --git a/test/bicep/test.enc.json b/test/bicep/test.enc.json index f99f714d..2fa5c70d 100644 --- a/test/bicep/test.enc.json +++ b/test/bicep/test.enc.json @@ -3,13 +3,13 @@ "contentVersion": "1.0.0.0", "parameters": { "pipelinesOrganizationURL": { - "value": "ENC[AES256_GCM,data:QI3JdwY82KQxIXIqVhv/330RfV8ZMN9F1SYUkJxJc14=,iv:1BBEqxR5US7syAn0Z1WC6jl0oAWD1HsaEG8IjAG9rPs=,tag:43th94I80/1HdAFiiQiIEw==,type:str]" + "value": "ENC[AES256_GCM,data:cjSb1+3g5oi/nlJEbZrgZMoJD008TOofV3b+/aGRmNU=,iv:KV8Yq35lYpTOOtjtr7RiiHcWIS3n+BwCx8CjpHJSdU8=,tag:Ljje738IoCSTggu7a+WzpQ==,type:str]" }, "pipelinesPersonalAccessToken": { - "value": "ENC[AES256_GCM,data:7B2BUaGpjMl4UiDNcZogtm1Dn8oLXRAOFFsB4fN5tGSWAplrGHYJTtuoLoFAR5jJQCFbIA==,iv:NzD30LhgHa1yBh0YF5VFjY7beB46qdzmnoyDmdlYDak=,tag:n9M8mFf0ayYHAKHFG7vJ4g==,type:str]" + "value": "ENC[AES256_GCM,data:8gFUCkfroAcFZxaUbCcsn2rjKEiEQqoOcD1D7EeuxiJTFqRDKX+6FMPhaYxqf/dFMK8giDzX+2IlSTs+ciO99WDVtvQWO98YMb3GC8649HRCT65v,iv:ZA3OYIGemJkZUvdBybGPrDO48OLTHDt8kKytFpNQTvI=,tag:+rRCUx8mvJ6uujB2yEwg6w==,type:str]" }, "pipelinesPoolName": { - "value": "ENC[AES256_GCM,data:7m8j9lsHP8xW8cQ3xBc=,iv:miZI4cKiz0t1BYH+uyhuGW926AMeEKEoyxOoQyctutU=,tag:wv5aNZ9/ZI4TuwfThXwM/Q==,type:str]" + "value": "ENC[AES256_GCM,data:d5QEx20f77YDidlwNCk=,iv:UK4Wl+B9JMzjxhBWc9BXyTsWS6a4TI5mHscIToIDCyQ=,tag:dvPlKLMGA1rGYxmJyNcEow==,type:str]" } }, "sops": { @@ -19,14 +19,14 @@ "hc_vault": null, "age": [ { - "recipient": "age1up54yhdjs672usk4etmy8naa5uh0qamy5tn3nmkwua5vp6fn7v7qz80945", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Tnl1QWp6SWZFTkdtTkVv\ncG5pVVdJZnpNanZtOE9lZ2RpSXFXdGQzZUUwClVkejc3cWlGVk9HRTJPSXJMbjVx\nZDQwSXRDTlJneXQ1T1BsNFFuUlFvWDgKLS0tIFRleS9yd2JXblFlV2VhQ1lXRjZP\nQlF5MHlXTEJoWWZsaDRLRXZ4N0pUOW8KQraADNqYDYTtnSxMfqQ3FWqVOueiOlIo\nkzyTQgQhgd9c7og0aN7eaoDhbvZzdu4NFuY4zVUWLaNJLxhUFkyU1w==\n-----END AGE ENCRYPTED FILE-----\n" + "recipient": "age1fxq8nhldys0d49jhw474zzk305qytqnasjerrcysja8zu08zcyjqs7ck5g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMTc5QkZ3ZjZhNXkyK2Fs\nRFliOGsyM3VWL09iU3F2OTNFNFY1R2U3UnlVClRtL2tUVDA1OHR0VDFKME1uZita\nYnNvSzQ3T0VkRnZyT1dEVFZYK3NHQTAKLS0tIGJmYzNwOE8xU3hOMEZIVnhlR2x1\nZ01ZTkMyQUpkcWJ1aHlGYjRXclc0ajAKgL8SqUUTyvEU4FzCMJIxndZ6ibHiC8b5\nn988u97NjoNsQVY9heyddWbUVBx3EoRSu+Pi+qSToq00h/X3k1cb7A==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-04-19T10:18:30Z", - "mac": "ENC[AES256_GCM,data:wmbOlQRkarMqPbuvvOJksDjmLxCcm1lxMFO0d3kvBGu/hG5FsN9vd2X9uC6NllSGaI0YXIK9PqA2/PNYl+liNnV5QGnfoTwlUhqqkXM8PBvo9R3o2rtJbFLaJ1hMoXjKDx74NwMOnOs2M5lwaWxkXOcquMBN93JqWKIvtwnZxRA=,iv:WqEHtJY3kT6hKYi+e1p2b8r/r/P7eKfuERR2Yzq0HXc=,tag:RgEnvXJl8ZQqpNGKAuWrIw==,type:str]", + "lastmodified": "2025-01-08T10:38:36Z", + "mac": "ENC[AES256_GCM,data:t4uNVeuNb7jW5xiwrapmn5mmGVjfqGDL8nOukBeRuvAU5TUa14MGdPDE1D7VTpLLdDuZSy+0S3RB4xDMJ/Uc3dsx/txLPbHO0hryyz1eToaJ112k0D4UpzMfRnMeN03ki5UllrjbxC3rc8QTrZHrhLKdu6NwByhACMakqB4DKuk=,iv:S/TjRVPCqxGQZP/mMk6H8rVYa7jf4gxnmg+/qG7qyXU=,tag:QwOdt0TrCvgTyndrxiX4HQ==,type:str]", "pgp": null, "encrypted_regex": "value", - "version": "3.8.1" + "version": "3.9.3" } } \ No newline at end of file From 206685ea13aa2c1f313232f09f963eb0b90255cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Wed, 8 Jan 2025 11:36:59 +0100 Subject: [PATCH 15/16] quality: Fix integration tests logging --- test/integration-run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration-run.sh b/test/integration-run.sh index af5ac2ab..60950244 100644 --- a/test/integration-run.sh +++ b/test/integration-run.sh @@ -16,8 +16,8 @@ fi echo "➡️ Running integration tests for agent ${agent} with prefix ${prefix}, flavor ${flavor} and version ${version}" -echo "Configuring Azure DevOps organization ${org_url}" org_url="https://dev.azure.com/blue-agent" +echo "Configuring Azure DevOps organization ${org_url}" az devops configure --defaults organization=${org_url} # Get the pool id From 2e75f433dc1439d891e2c3a130a5ed46923654f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?= Date: Wed, 8 Jan 2025 11:40:14 +0100 Subject: [PATCH 16/16] doc: Add references for CI/CD secrets --- .github/workflows/pipeline.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index d32668b4..f5748dc3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -936,9 +936,11 @@ jobs: - name: Integration env: + # See: https://learn.microsoft.com/en-us/azure/devops/cli/log-in-via-pat?view=azure-devops&tabs=windows#use-the-azure_devops_ext_pat-environment-variable # Permissions: agent pools (read & manage); build (read & execute); pipeline resources (use & manage); project and team (read, write, & manage); service connections (read, query, & manage) # Recommended group membership: Project Collection Build Service Accounts AZURE_DEVOPS_EXT_PAT: ${{ secrets.AZURE_DEVOPS_PAT }} + # See: https://learn.microsoft.com/en-us/cli/azure/devops/service-endpoint/github?view=azure-cli-latest#az-devops-service-endpoint-github-create # Scope: clemlesne/blue-agent # Permissions: contents (read-only); metadata (read-only); webhooks (read & write) AZURE_DEVOPS_EXT_GITHUB_PAT: ${{ secrets.AZURE_DEVOPS_GITHUB_PAT }} @@ -953,6 +955,7 @@ jobs: - name: Cleanup if: always() env: + # See: https://learn.microsoft.com/en-us/azure/devops/cli/log-in-via-pat?view=azure-devops&tabs=windows#use-the-azure_devops_ext_pat-environment-variable # Permissions: agent pools (read & manage); build (read & execute); pipeline resources (use & manage); project and team (read, write, & manage); service connections (read, query, & manage) # Recommended group membership: Project Collection Build Service Accounts AZURE_DEVOPS_EXT_PAT: ${{ secrets.AZURE_DEVOPS_PAT }}