Start building with bake

.github/workflows/ci.yml

@@ -0,0 +1,73 @@
+name: ci
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+jobs:
+  # Job to run change detection
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      # Expose matched filters as job 'images' output variable
+      images: ${{ steps.filter.outputs.changes }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          # Use context to get the branch where commits were pushed.
+          # If there is only one long-lived branch (e.g. master),
+          # you can specify it directly.
+          # If it's not configured, the repository default branch is used.
+          base: ${{ github.ref }}
+          filters: |
+            aws-cli: 'aws-cli/**'
+            
+  # Job to build and test each of the modified images
+  build:
+    needs: changes
+    strategy:
+      matrix:
+        # Parse JSON array containing names of all filters matching any of changed files
+        # e.g. ['image1', 'image2'] if both image folders contains changes
+        image: ${{ fromJSON(needs.changes.outputs.images) }}
+    if: ${{ needs.changes.outputs.images != '[]' && needs.changes.outputs.images != '' }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ matrix.image }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check the Containerfile with hadolint
+        run: |
+          $(git rev-parse --show-toplevel)/bin/lint.sh
+      
+      - name: Install QEMU static binaries
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build locally for testing
+        uses: docker/bake-action@v4
+        with:
+          workdir: ${{ matrix.image }}
+          targets: local
+
+      - name: Build locally for testing
+        uses: docker/build-push-action@v3
+        with:
+          load: true
+          context: ${{ matrix.image }}
+          file: ${{ matrix.image }}/Containerfile
+          tags: ${{ env.tags }}
+
+      - name: Run tests on the image with cinc-auditor
+        run: |
+          $(git rev-parse --show-toplevel)/bin/test.sh
+          

aws-cli/.dockerignore

@@ -1,3 +1,2 @@
 README.md
 Polly.toml
-test/

aws-cli/Containerfile

@@ -19,8 +19,8 @@ RUN yum update -y \
       ;; \
     *) echo "unsupported architecture"; exit 1 ;; \
     esac \
-  && curl -fsSL -o /tmp/aws-cli/awscliv2.zip ${AWS_CLI_URL} \
-  && curl -fsSL -o /tmp/aws-cli/awscliv2.sig ${AWS_CLI_URL}.sig \
+  && curl -fsSL -o /tmp/aws-cli/awscliv2.zip "${AWS_CLI_URL}" \
+  && curl -fsSL -o /tmp/aws-cli/awscliv2.sig "${AWS_CLI_URL}.sig" \
   && gpg --verify /tmp/aws-cli/awscliv2.sig /tmp/aws-cli/awscliv2.zip \
   && unzip  /tmp/aws-cli/awscliv2.zip -d /tmp/aws-cli/awscliv2 \
   # The --bin-dir is specified so that we can copy the
@@ -31,17 +31,12 @@ RUN yum update -y \
   && /tmp/aws-cli/awscliv2/aws/install --bin-dir /aws-cli-bin/ \
   && yum clean all
 
-FROM amazonlinux:2
-
-LABEL \
-    org.opencontainers.image.source="https://github.com/boxcutter/oci" \
-    org.opencontainers.image.licenses="Apache-2.0" \
-    org.opencontainers.image.description="AWS command-line interface."
+FROM installer as release
 
 RUN yum update -y \
   && yum install -y less groff \
   && yum clean all
 COPY --from=installer /usr/local/aws-cli/ /usr/local/aws-cli/
 COPY --from=installer /aws-cli-bin/ /usr/local/bin/
 WORKDIR /aws
-ENTRYPOINT ["/usr/local/bin/aws"]
+ENTRYPOINT ["/usr/local/bin/aws"]

aws-cli/docker-bake.hcl

@@ -1,8 +1,40 @@
-target "default" {
+variable "IMAGE_NAME" {
+  default = "aws-cli"
+}
+
+variable "VERSION" {
+  default = "2.13.28"
+}
+
+variable "CONTAINER_REGISTRY" {
+  default = "docker.io/boxcutter"
+}
+
+# There's no darwin-based Docker, so if we're running on macOS, change the platform to linux
+variable "LOCAL_PLATFORM" {
+  default = regex_replace("${BAKE_LOCAL_PLATFORM}", "^(darwin)", "linux")
+}
+
+target "_common" {
+  dockerfile = "Containerfile"
   tags = [
-    "docker.io/boxcutter/aws-cli:2.13.28",
-    "docker.io/boxcutter/aws-cli:latest"
+    "${CONTAINER_REGISTRY}/${IMAGE_NAME}:${VERSION}",
+    "${CONTAINER_REGISTRY}/${IMAGE_NAME}:latest"
   ]
-  dockerfile = "Containerfile"
+}
+
+target "local" {
+  inherits = ["_common"]
+  platforms = ["${LOCAL_PLATFORM}"]
+}
+
+target "default" {
+  inherits = ["_common"]
+  target = "release"
   platforms = ["linux/amd64", "linux/arm64/v8"]
+  labels = {
+    "org.opencontainers.image.source" = "https://github.com/polymathrobotics/oci"
+    "org.opencontainers.image.licenses" = "Apache-2.0"
+    "org.opencontainers.image.description" = "AWS command-line interface."
+  }
 }

bin.old/lint.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -eu
+set -o pipefail
+
+HADOLINT_CONTAINER_IMAGE=boxcutter/hadolint:2.10.0
+
+BIN_DIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
+
+"${BIN_DIR}/check-image.sh" "${HADOLINT_CONTAINER_IMAGE}"
+
+# shellcheck disable=SC2086
+if [[ -f "${BIN_DIR}/hadolint-ignore" ]]; then
+  lints_to_ignore=$(sed "s/#.*//" "${BIN_DIR}/hadolint-ignore" | sed '/^[[:space:]]*$/d' | sed 's/^/--ignore / ' | tr '\n' ' ')
+  docker container run --rm -i "${HADOLINT_CONTAINER_IMAGE}" hadolint ${lints_to_ignore} - < "Containerfile"
+  exit 0
+fi
+
+docker container run --rm -i "${HADOLINT_CONTAINER_IMAGE}" hadolint - < "Containerfile"

bin.old/test.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+set -eu
+set -o pipefail
+
+CINC_AUDITOR_CONTAINER_IMAGE=boxcutter/cinc-auditor:5.18.14
+
+BIN_DIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
+DEFAULT_TAG="$("${BIN_DIR}/list-tags.sh" | head -n 1)"
+CONTAINERFILE_DIR=$(pwd)
+CINC_PROFILE_DIR="${CONTAINERFILE_DIR}/test"
+
+usage() {
+  cat <<EOF
+Usage:  $0 [IMAGE_NAME] [ENTRYPOINT_COMMAND]
+
+Test image with cinc-auditor
+
+  -h    Print help
+  -e    Return error if profile does not exist
+EOF
+}
+
+args() {
+  ERROR_IF_PROFILE_DOES_NOT_EXIST=0
+  while getopts he opt; do
+    case "$opt" in
+      h)
+        usage
+        exit
+        ;;
+      e)
+        ERROR_IF_PROFILE_DOES_NOT_EXIST=1
+        ;;
+      *)
+        usage
+        ;;
+    esac
+  done
+
+  if [ "$*" == "" ]; then
+    TEST_CONTAINER_IMAGE="${DEFAULT_TAG}"
+  else
+    TEST_CONTAINER_IMAGE=$1
+  fi
+
+  ENTRYPOINT_COMMAND="/bin/bash"
+  if [ "$#" -gt 1 ]; then
+    ENTRYPOINT_COMMAND="$2"
+  fi
+}
+
+check_profile() {
+  if [ ! -d "${CINC_PROFILE_DIR}" ]; then
+    echo "==> ${CINC_PROFILE_DIR} does not exist."
+    exit ${ERROR_IF_PROFILE_DOES_NOT_EXIST}
+  fi
+}
+
+start_image_under_test() {
+  CONTAINER_ID=$(docker container run --interactive --entrypoint "${ENTRYPOINT_COMMAND}" --detach "$TEST_CONTAINER_IMAGE" )
+}
+
+run_cinc_auditor() {
+  echo "==> running cinc-auditor against ${TEST_CONTAINER_IMAGE}"
+  echo "==> with command: '${ENTRYPOINT_COMMAND}'"
+  docker container run -t --rm \
+    -v "${CINC_PROFILE_DIR}:/share" \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    "${CINC_AUDITOR_CONTAINER_IMAGE}" exec . --no-create-lockfile -t "docker://${CONTAINER_ID}"
+}
+
+cleanup_image_under_test() {
+  set +u
+  if [ -n "$CONTAINER_ID" ]; then
+    echo "==> stopping ${CONTAINER_ID}"
+    docker container stop "${CONTAINER_ID}"
+    echo "==> removing ${CONTAINER_ID}"
+    docker container rm "${CONTAINER_ID}"
+  fi
+  set -u
+}
+
+trap cleanup_image_under_test EXIT
+
+"${BIN_DIR}/check-image.sh" "${CINC_AUDITOR_CONTAINER_IMAGE}"
+args "$@"
+check_profile
+start_image_under_test
+run_cinc_auditor
+

bin/lint.sh

@@ -3,17 +3,9 @@
 set -eu
 set -o pipefail
 
-HADOLINT_CONTAINER_IMAGE=boxcutter/hadolint:2.10.0
+HADOLINT_CONTAINER_IMAGE=docker.io/boxcutter/hadolint:2.12.0
 
 BIN_DIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 
-"${BIN_DIR}/check-image.sh" "${HADOLINT_CONTAINER_IMAGE}"
-
-# shellcheck disable=SC2086
-if [[ -f "${BIN_DIR}/hadolint-ignore" ]]; then
-  lints_to_ignore=$(sed "s/#.*//" "${BIN_DIR}/hadolint-ignore" | sed '/^[[:space:]]*$/d' | sed 's/^/--ignore / ' | tr '\n' ' ')
-  docker container run --rm -i "${HADOLINT_CONTAINER_IMAGE}" hadolint ${lints_to_ignore} - < "Containerfile"
-  exit 0
-fi
-
-docker container run --rm -i "${HADOLINT_CONTAINER_IMAGE}" hadolint - < "Containerfile"
+docker container run --rm -i \
+  "${HADOLINT_CONTAINER_IMAGE}" hadolint - < "Containerfile"

bin/test.sh

@@ -3,12 +3,12 @@
 set -eu
 set -o pipefail
 
-CINC_AUDITOR_CONTAINER_IMAGE=boxcutter/cinc-auditor:5.18.14
+CINC_AUDITOR_CONTAINER_IMAGE=docker.io/boxcutter/cinc-auditor:6.6.0
 
 BIN_DIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
-DEFAULT_TAG="$("${BIN_DIR}/list-tags.sh" | head -n 1)"
 CONTAINERFILE_DIR=$(pwd)
 CINC_PROFILE_DIR="${CONTAINERFILE_DIR}/test"
+DEFAULT_TAG="$(docker buildx bake local --print 2>/dev/null | jq -r '.target.local.tags | first')"
 
 usage() {
   cat <<EOF
@@ -65,8 +65,8 @@ run_cinc_auditor() {
   echo "==> running cinc-auditor against ${TEST_CONTAINER_IMAGE}"
   echo "==> with command: '${ENTRYPOINT_COMMAND}'"
   docker container run -t --rm \
-    -v "${CINC_PROFILE_DIR}:/share" \
-    -v /var/run/docker.sock:/var/run/docker.sock \
+    --mount type=bind,source="${CINC_PROFILE_DIR}",target=/share \
+    --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
     "${CINC_AUDITOR_CONTAINER_IMAGE}" exec . --no-create-lockfile -t "docker://${CONTAINER_ID}"
 }
 
@@ -83,9 +83,7 @@ cleanup_image_under_test() {
 
 trap cleanup_image_under_test EXIT
 
-"${BIN_DIR}/check-image.sh" "${CINC_AUDITOR_CONTAINER_IMAGE}"
 args "$@"
 check_profile
 start_image_under_test
 run_cinc_auditor
-