Merge branch '6.x' into build/fix-ghcr-pkg-metadata

.github/workflows/build-deploy.yml

@@ -24,7 +24,7 @@ jobs:
         uses: docker/setup-qemu-action@v2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - uses: actions/checkout@v3
 
@@ -56,6 +56,23 @@ jobs:
             org.opencontainers.image.source=https://github.com/${{ github.repository }}/tree/${{ (contains(fromJson('["opened","synchronize"]'), github.event.action)) && github.head_ref || github.event.action == 'closed' && github.base_ref || github.ref_name }}/images/${{ matrix.images }}/Dockerfile
             org.opencontainers.image.description=Test annotation description for ghcr
 
+      - name: Create the AWX-EE context
+        if: matrix.images == 'awx-ee'
+        run: |
+          pip install --upgrade ansible-builder
+          ansible-builder create \
+            --output-filename Dockerfile \
+            --verbosity 3
+        working-directory: ./images/awx-ee
+
+      - name: Upload AWX-EE context for review
+        if: matrix.images == 'awx-ee'
+        uses: actions/upload-artifact@v4
+        with:
+          name: awx-ee-context
+          path: ./images/awx-ee/context
+          retention-days: 1
+
       - name: Build and push the images
         uses: docker/[email protected]
         with:

.github/workflows/vulnerability-scan-build.yml

@@ -21,7 +21,7 @@ jobs:
           echo "SANITISED-REF-NAME=${{ github.ref_name }}" | tr  '/' '-' >> "$GITHUB_OUTPUT"
       - name: Scan for vulnerabilities
         id: scan
-        uses: crazy-max/ghaction-container-scan@v2
+        uses: crazy-max/ghaction-container-scan@v3
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ steps.sanitise-ref-name.outputs.SANITISED-REF-NAME }}
           dockerfile: ./images/${{ matrix.images }}

.github/workflows/vulnerability-scan-schedule.yml

@@ -32,10 +32,12 @@ jobs:
             branches: 4.x
           - images: ripple-static
             branches: 4.x
+          - images: mailpit
+            branches: 5.x
     steps:
       - name: Scan for vulnerabilities
         id: scan
-        uses: crazy-max/ghaction-container-scan@v2
+        uses: crazy-max/ghaction-container-scan@v3
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}}
           dockerfile: ./images/${{ matrix.images }}

gh-actions-bake.hcl

@@ -20,7 +20,14 @@ target "elasticsearch" {
 }
 target "mailhog" {
   inherits = ["docker-metadata-action"]
-  context       = "${CONTEXT}/mailhog"
+  context       = "${CONTEXT}/mailpit"
+  dockerfile    = "Dockerfile"
+
+  platforms     = ["linux/amd64", "linux/arm64"]
+}
+target "mailpit" {
+  inherits = ["docker-metadata-action"]
+  context       = "${CONTEXT}/mailpit"
   dockerfile    = "Dockerfile"
 
   platforms     = ["linux/amd64", "linux/arm64"]
@@ -86,4 +93,12 @@ target "ripple-static" {
     "org.opencontainers.image.description" = "Ripple static site generator image optimised for the Bay container platform"
   }
 }
-
+target "awx-ee" {
+    inherits = ["docker-metadata-action"]
+    context = "${CONTEXT}/awx-ee/context"
+    platforms = ["linux/amd64", "linux/arm64"]
+    args = {
+        PYCMD = "/usr/local/bin/python3"
+        PKGMGR = "/usr/bin/apt-get"
+    }
+}

images/awx-ee/README.md

@@ -9,7 +9,7 @@ The AWX execution environment is a container image that AWX will use to execute
 - `requirements.txt`: Defined python dependencies
 - `requirements.yml`: Ansible collections to install
 
-AWX has `singledigital/awx-ee:latest` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in.
+AWX has `ghcr.io/dpc-sdp/bay/awx-ee:6.x` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in.
 
 ## Dependencies
 
@@ -20,7 +20,7 @@ AWX has `singledigital/awx-ee:latest` added as an execution environment with a p
 Commands run from this directory if you have ansible-builder installed locally.
 
 ```
-$ ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker
+$ ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:6.x --container-runtime docker
 ```
 
 OR run with docker.
@@ -31,14 +31,14 @@ $ docker run --rm -it \
     -v $(pwd):/data \
     -w /data \
     quay.io/ansible/ansible-builder:latest \
-      ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker
+      ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:6.x --container-runtime docker
 
 # Build the image
-$ docker build -f context/Dockerfile -t singledigital/awx-ee:latest context
+$ docker build -f context/Dockerfile -t ghcr.io/dpc-sdp/bay/awx-ee:6.x context
 ```
 
 ## Deploying the image
 
 ```
-$ docker push singledigital/awx-ee:latest
+$ docker push ghcr.io/dpc-sdp/bay/awx-ee:6.x
 ```

images/awx-ee/bindep.txt

@@ -22,3 +22,4 @@ curl
 openssl
 jq
 rsync
+apache2-utils

images/awx-ee/docker-bake.hcl

@@ -7,17 +7,15 @@ variable "IMAGE_TAG" {
 }
 
 group "default" {
-    targets = ["ee"]
+    targets = ["awx-ee"]
 }
 
-target "ee" {
+target "docker-metadata-action" {}
+
+target "awx-ee" {
+    inherits = ["docker-metadata-action"]
     context = "./context"
-    dockerfile = "Dockerfile"
     platforms = ["linux/amd64", "linux/arm64"]
-    tags = [
-        // "singledigital/awx-ee:${IMAGE_TAG}",
-        "${GHCR}/dpc-sdp/bay/awx-ee:${IMAGE_TAG}"
-    ]
     args = {
         PYCMD = "/usr/local/bin/python3"
         PKGMGR = "/usr/bin/apt-get"

images/awx-ee/execution-environment.yml

@@ -19,30 +19,36 @@ additional_build_steps:
   append_base: []
 
   prepend_final:
-    - LABEL org.opencontainers.image.authors="Digital Victoria"
-    - LABEL org.opencontainers.image.description="Provides an AWX execution environment image optimised for use with SDP."
-    - LABEL org.opencontainers.image.source="https://github.com/dpc-sdp/bay/blob/6.x/images/awx-ee/context/Dockerfile"
-    - ARG LAGOON_CLI_VERSION=v0.15.4
-    - ARG NVM_INSTALL_VERSION=v0.39.1
-    - ARG NODE_VERSION=v14.15.1
+    - LABEL maintainer="Department of Government Services (Victoria)"
+    - LABEL org.opencontainers.image.title="SDP AWX Execution Environment image."
+    - LABEL org.opencontainers.image.description="Provides an AWX execution environment image optimised for use with SDP. Built with ansible-builder."
+    - LABEL org.opencontainers.image.source="https://github.com/dpc-sdp/bay/blob/6.x/images/awx-ee/"
+    - ARG LAGOON_CLI_VERSION=v0.21.3
+    - ARG NVM_INSTALL_VERSION=v0.39.7
+    - ARG NODE_VERSION=v20.9.0
+    - ARG NVM_DIR="/runner/.nvm"
+    - ARG PHP_VERSION="8.3"
 
   append_final:
     - | # Required dependencies.
       RUN set -eux; \
-          apt-get update && apt-get install -y \
+          apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
               git git-lfs \
               jq \
+              apache2-utils \
               rsync \
               zip unzip; \
           rm -rf /var/lib/apt/lists/*;
 
     - | # Install php & composer.
       RUN set -eux; \
           curl -sSL https://packages.sury.org/php/README.txt | bash -x; \
-          apt-get update && apt-get install -y \
-              php8.3-cli \
-              php8.3-gd \
-              php8.3-zip; \
+          apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+              php${PHP_VERSION}-cli \
+              php${PHP_VERSION}-curl \
+              php${PHP_VERSION}-gd \
+              php${PHP_VERSION}-xml \
+              php${PHP_VERSION}-zip; \
           rm -rf /var/lib/apt/lists/*;
 
     - | # Install cli tools.
@@ -66,11 +72,20 @@ additional_build_steps:
     - RUN tar -C /tmp -xvf /tmp/gojq_v0.12.4_linux_amd64.tar.gz
     - RUN chmod +x /tmp/gojq_v0.12.4_linux_amd64/gojq
     - RUN mv /tmp/gojq_v0.12.4_linux_amd64/gojq /usr/local/bin
-    - RUN touch $HOME/.bashrc && chmod +x $HOME/.bashrc
-    - RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_INSTALL_VERSION/install.sh | bash
+    - RUN touch /runner/.bashrc && chmod +x /runner/.bashrc
+    - RUN mkdir -p /runner/.nvm && chgrp 0 /runner/.nvm && chmod -R ug+rwx /runner/.nvm
+    - RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_INSTALL_VERSION/install.sh | PROFILE="/runner/.bashrc" bash
     - RUN curl -L "https://get.helm.sh/helm-v3.12.2-linux-amd64.tar.gz" -o /tmp/helm && tar -xvf /tmp/helm -C /tmp && mv /tmp/linux-amd64/helm /usr/local/bin
     - RUN chmod +x /usr/local/bin/helm
-    - RUN curl -L https://github.com/google/yamlfmt/releases/download/v0.10.0/yamlfmt_0.10.0_Linux_x86_64.tar.gz --output /tmp/yamlfmt_0.10.0_Linux_x86_64.tar.gz
-    - RUN tar -C /tmp -xvf /tmp/yamlfmt_0.10.0_Linux_x86_64.tar.gz
+    - RUN curl -L https://github.com/google/yamlfmt/releases/download/v0.12.1/yamlfmt_0.12.1_Linux_x86_64.tar.gz --output /tmp/yamlfmt_0.12.1_Linux_x86_64.tar.gz
+    - RUN tar -C /tmp -xvf /tmp/yamlfmt_0.12.1_Linux_x86_64.tar.gz
     - RUN chmod +x /tmp/yamlfmt
-    - RUN mv /tmp/yamlfmt /usr/local/bin
+    - RUN mv /tmp/yamlfmt /usr/local/bin
+    - | # Install GitHub gh cli tool
+      SHELL ["/bin/bash", "-c"]
+      RUN set -eux; \
+        curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+        && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+        && apt update \
+        && DEBIAN_FRONTEND=noninteractive apt install gh -y

images/awx-ee/requirements.txt

@@ -8,10 +8,11 @@ yamllint
 kubernetes
 lxml
 gql
-# Dependencies for the gql requests transport.
-requests-toolbelt<1,>=0.9.1
-urllib3>=1.26
-requests<3,>=2.26
 ruamel.yaml
 pygithub
-azure-cli
+azure-cli
+
+# Dependencies for the gql requests transport.
+requests<3,>=2.26
+requests-toolbelt<1,>=0.10.1
+urllib3<2.0.0

images/ci-builder/Dockerfile

@@ -3,7 +3,7 @@ FROM php:8.3-cli-alpine
 ARG AHOY_VERSION=2.1.1
 ARG GOJQ_VERSION=0.12.4
 ARG HUB_VERSION=2.14.2
-ARG LAGOON_CLI_VERSION=0.19.0
+ARG LAGOON_CLI_VERSION=0.21.3
 
 # Ensure temp files dont end up in image.
 VOLUME /tmp

images/mailpit/Dockerfile

@@ -0,0 +1,33 @@
+#
+# mailpit Dockerfile
+#
+
+FROM alpine:latest
+ARG MAILPIT_VERSION=1.19.0
+
+# Install ca-certificates, required for the "release message" feature:
+RUN apk --no-cache add \
+    ca-certificates \
+    curl
+
+# Install mailpit.
+VOLUME /tmp
+WORKDIR /tmp
+RUN curl -L "https://github.com/axllent/mailpit/releases/download/v${MAILPIT_VERSION}/mailpit-$(echo ${TARGETPLATFORM:-linux-amd64} | tr '/' '-').tar.gz" --output mailpit.tar.gz && \
+    tar -vxxzf mailpit.tar.gz && \
+    mv mailpit /bin/mailpit && \
+    chmod +x /bin/mailpit
+
+# Add mailpit user/group with uid/gid 1000.
+# This is a workaround for boot2docker issue #581, see
+# https://github.com/boot2docker/boot2docker/issues/581
+RUN adduser -D -u 1000 mailpit
+
+USER mailpit
+
+WORKDIR /home/mailpit
+
+ENTRYPOINT ["mailpit"]
+
+# Expose the SMTP and HTTP ports:
+EXPOSE 1025 8025

images/mailhog/README.md → images/mailpit/README.md

@@ -1,6 +1,6 @@
-# Container Image - bay-mailhog
+# Container Image - bay-mailpit
 
-Provides a mailhog image for local development.
+Provides a [mailpit](https://github.com/axllent/mailpit) image for local development.
 
 ## Usage
 
@@ -12,8 +12,8 @@ You can also use it in your Docker Compose stack with the following snippet:
 
 ```
 services:
-  mailhog:
-    image: singledigital/bay-mailhog:6.x
+  mailpit:
+    image: ghcr.io/dpc-sdp/bay/mailpit:6.x
     ports:
       - 1025
       - 8025

images/nginx/README.md

@@ -18,7 +18,7 @@ You can also use it in your Docker Compose stack with the following snippet:
 ```
 services:
   nginx:
-    image: singledigital/bay-nginx:6.x
+    image: ghcr.io/dpc-sdp/bay/nginx:6.x
     volumes: 
       - path/to/app:/app
     ports:

images/node/Dockerfile

@@ -1,6 +1,18 @@
 FROM uselagoon/node-20:latest
+ARG BAY_CLI_VERSION=v0.1.1
 
-RUN apk --update add curl git
+
+RUN apk --update add curl git findutils openssh-client && \
+    rm -rf /var/cache/apk/*
+
+# Install bay-cli.
+RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN chmod +x /tmp/bay
+RUN mv /tmp/bay /bin/bay
+
+# Bay entrypoints.
+COPY entrypoints/ /lagoon/entrypoints
 
 # Prevents installation of large binaries only used for development.
 ENV CYPRESS_INSTALL_BINARY 0

images/node/README.md

@@ -14,7 +14,7 @@ You can also use it in your Docker Compose stack with the following snippet:
 ```
 services:
   app:
-    image: singledigital/bay-node:6.x
+    image: ghcr.io/dpc-sdp/bay/node:6.x
     volumes:
       - path/to/app:/app
     ports: