Closed
75 changes: 62 additions & 13 deletions Dockerfile.updater-core
Expand Up @@ -2,6 +2,13 @@
FROM docker.io/library/ubuntu:24.04

ARG TARGETARCH
ARG USER_UID=1000
ARG USER_GID=$USER_UID

FROM docker.io/library/ubuntu:24.04 AS base_system

ARG USER_UID
ARG USER_GID

LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"

Expand Down Expand Up @@ -108,9 +115,6 @@ RUN apt-get update \
&& apt purge software-properties-common apt-transport-https -y && apt-get autoremove -y \
&& rm -rf /var/lib/apt/lists/*

ARG USER_UID=1000
ARG USER_GID=$USER_UID

RUN <<EOT
# Check if the group and user already exist, if not create them
if ! getent group "$USER_GID"; then
Expand Down Expand Up @@ -142,25 +146,64 @@ USER dependabot
ENV DEPENDABOT_HOME="/home/dependabot"
WORKDIR $DEPENDABOT_HOME

# Install Ruby from official Docker image
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb`
COPY --from=docker.io/library/ruby:3.4.7-bookworm --chown=dependabot:dependabot /usr/local /usr/local

# For users to determine if dependabot is running
ENV DEPENDABOT=true

# Disable automatic pulling of files stored with Git LFS
# This avoids downloading large files not necessary for the dependabot scripts
ENV GIT_LFS_SKIP_SMUDGE=1
ENV PATH="$DEPENDABOT_HOME/bin:$PATH"

# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-${TARGETARCH}.tar.gz"
RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
FROM docker.io/library/ruby:3.4.7-bookworm AS ruby_home

ARG TARGETARCH
ARG USER_UID
ARG USER_GID

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

ENV DEBIAN_FRONTEND="noninteractive" \
DEPENDABOT_HOME="/home/dependabot"

RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
git \
libgmp-dev \
libyaml-dev \
curl \
ca-certificates \
unzip \
zstd \
&& rm -rf /var/lib/apt/lists/*

RUN <<EOT
if ! getent group "$USER_GID"; then
groupadd --gid "$USER_GID" dependabot
fi

if ! getent passwd "$USER_UID"; then
useradd --uid "$USER_UID" --gid "$USER_GID" -m dependabot
fi

mkdir -p /opt
chown dependabot:dependabot /opt
EOT

USER dependabot
WORKDIR $DEPENDABOT_HOME
ENV DEPENDABOT=true
ENV GIT_LFS_SKIP_SMUDGE=1
ENV PATH="$DEPENDABOT_HOME/bin:$PATH"

COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/

COPY --chown=dependabot:dependabot --parents */.bundle */*.gemspec common/lib/dependabot.rb LICENSE omnibus $DEPENDABOT_HOME

# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-${TARGETARCH}.tar.gz"
RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz

# prevent having all the source in every ecosystem image
RUN for ecosystem in git_submodules terraform github_actions hex elm docker docker_compose nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler silent swift devcontainers dotnet_sdk bun uv helm julia vcpkg rust_toolchain conda bazel opentofu; do \
mkdir -p $ecosystem/lib/dependabot; \
Expand Down Expand Up @@ -188,14 +231,20 @@ RUN if [[ "$GEM_ENABLED" == "true" ]]; then \
rm -rf ~/.bundle; \
fi

FROM base_system

USER root
# Install Ruby from official Docker image
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb`
COPY --from=ruby_home --chown=dependabot:dependabot /usr/local /usr/local
COPY --from=ruby_home --chown=dependabot:dependabot /home/dependabot /home/dependabot

WORKDIR $DEPENDABOT_HOME/dependabot-updater

ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"

# Make the build arg available inside the Dependabot container
ARG DEPENDABOT_UPDATER_VERSION=development
ENV DEPENDABOT_UPDATER_VERSION=$DEPENDABOT_UPDATER_VERSION

USER root

CMD ["bin/run"]
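Review bot: The git shim download in the `ruby_home` stage (`RUN curl -sL $SHIM -o git-shim.tar.gz && … tar -xvf git-shim.tar.gz -C ~/bin …`) unpacks a release tarball with no integrity check, and the result lands in `~/bin`, which is ahead of git on `PATH` and is carried into the final image by `COPY --from=ruby_home … /home/dependabot /home/dependabot`. Since the step is being touched anyway, pin the artifact: add a per-architecture digest such as `ARG SHIM_SHA256=<sha256 of the v1.4.0 tarball for this TARGETARCH>` and change the fetch to `curl -fsSL "$SHIM" -o git-shim.tar.gz && echo "$SHIM_SHA256  git-shim.tar.gz" | sha256sum -c - && …`. The added `-f` makes an HTTP error fail the step at the download rather than later at `tar`. The +/- markers are lost on this page, so that this line belongs to the new side is inferred from it sitting inside the newly introduced stage.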