Merge branch '5.x' into build/datapipeline-env-vars

merge base branch 5.x.

.github/workflows/build-deploy.yml

@@ -21,10 +21,10 @@ jobs:
         images: ${{ fromJson(vars.IMAGES) }}
     steps:
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - uses: actions/checkout@v3
 
@@ -53,6 +53,23 @@ jobs:
             org.opencontainers.image.title=${{ matrix.images }}
             org.opencontainers.image.description=${{ matrix.images }} image for Bay container platform
 
+      - name: Create the AWX-EE context
+        if: matrix.images == 'awx-ee'
+        run: |
+          pip install --upgrade ansible-builder
+          ansible-builder create \
+            --output-filename Dockerfile \
+            --verbosity 3
+        working-directory: ./images/awx-ee
+
+      - name: Upload AWX-EE context for review
+        if: matrix.images == 'awx-ee'
+        uses: actions/upload-artifact@v4
+        with:
+          name: awx-ee-context
+          path: ./images/awx-ee/context
+          retention-days: 1
+
       - name: Build and push the images
         uses: docker/[email protected]
         with:

.github/workflows/vulnerability-scan-build.yml

@@ -21,7 +21,7 @@ jobs:
           echo "SANITISED-REF-NAME=${{ github.ref_name }}" | tr  '/' '-' >> "$GITHUB_OUTPUT"
       - name: Scan for vulnerabilities
         id: scan
-        uses: crazy-max/ghaction-container-scan@v2
+        uses: crazy-max/ghaction-container-scan@v3
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ steps.sanitise-ref-name.outputs.SANITISED-REF-NAME }}
           dockerfile: ./images/${{ matrix.images }}

.github/workflows/vulnerability-scan-schedule.yml

@@ -4,7 +4,7 @@ env:
   REGISTRY: ghcr.io
 on:
   schedule:
-    - cron: '14 0 * * 4'
+    - cron: '0 22 * * 3'
 jobs:
   vulnerability-scan-schedule:
     if: github.event_name == 'schedule'
@@ -35,12 +35,12 @@ jobs:
     steps:
       - name: Scan for vulnerabilities
         id: scan
-        uses: crazy-max/ghaction-container-scan@v2
+        uses: crazy-max/ghaction-container-scan@v3
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}}
           dockerfile: ./images/${{ matrix.images }}
       - name: Upload SARIF file
         if: ${{ steps.scan.outputs.sarif != '' }}
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          sarif_file: ${{ steps.scan.outputs.sarif }}

gh-actions-bake.hcl

@@ -86,4 +86,12 @@ target "ripple-static" {
     "org.opencontainers.image.description" = "Ripple static site generator image optimised for the Bay container platform"
   }
 }
-
+target "awx-ee" {
+    inherits = ["docker-metadata-action"]
+    context = "${CONTEXT}/awx-ee/context"
+    platforms = ["linux/amd64", "linux/arm64"]
+    args = {
+        PYCMD = "/usr/local/bin/python3"
+        PKGMGR = "/usr/bin/apt-get"
+    }
+}

images/awx-ee/README.md

@@ -9,7 +9,7 @@ The AWX execution environment is a container image that AWX will use to execute
 - `requirements.txt`: Defined python dependencies
 - `requirements.yml`: Ansible collections to install
 
-AWX has `singledigital/awx-ee:latest` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in.
+AWX has `ghcr.io/dpc-sdp/bay/awx-ee:5.x` added as an execution environment with a pull policy of always, when the image is updated kuberenetes will pull a new image to run the plays in.
 
 ## Dependencies
 
@@ -20,7 +20,7 @@ AWX has `singledigital/awx-ee:latest` added as an execution environment with a p
 Commands run from this directory if you have ansible-builder installed locally.
 
 ```
-$ ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker
+$ ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:5.x --container-runtime docker
 ```
 
 OR run with docker.
@@ -31,14 +31,14 @@ $ docker run --rm -it \
     -v $(pwd):/data \
     -w /data \
     quay.io/ansible/ansible-builder:latest \
-      ansible-builder build --tag singledigital/awx-ee:latest --container-runtime docker
+      ansible-builder build --tag ghcr.io/dpc-sdp/bay/awx-ee:5.x --container-runtime docker
 
 # Build the image
-$ docker build -f context/Dockerfile -t singledigital/awx-ee:latest context
+$ docker build -f context/Dockerfile -t ghcr.io/dpc-sdp/bay/awx-ee:5.x context
 ```
 
 ## Deploying the image
 
 ```
-$ docker push singledigital/awx-ee:latest
+$ docker push ghcr.io/dpc-sdp/bay/awx-ee:5.x
 ```

images/awx-ee/docker-bake.hcl

@@ -7,17 +7,15 @@ variable "IMAGE_TAG" {
 }
 
 group "default" {
-    targets = ["ee"]
+    targets = ["awx-ee"]
 }
 
-target "ee" {
+target "docker-metadata-action" {}
+
+target "awx-ee" {
+    inherits = ["docker-metadata-action"]
     context = "./context"
-    dockerfile = "Dockerfile"
     platforms = ["linux/amd64", "linux/arm64"]
-    tags = [
-        // "singledigital/awx-ee:${IMAGE_TAG}",
-        "${GHCR}/dpc-sdp/bay/awx-ee:${IMAGE_TAG}"
-    ]
     args = {
         PYCMD = "/usr/local/bin/python3"
         PKGMGR = "/usr/bin/apt-get"

images/awx-ee/execution-environment.yml

@@ -19,17 +19,20 @@ additional_build_steps:
   append_base: []
 
   prepend_final:
-    - LABEL org.opencontainers.image.authors="Digital Victoria"
-    - LABEL org.opencontainers.image.description="Provides an AWX execution environment image optimised for use with SDP."
-    - LABEL org.opencontainers.image.source="https://github.com/dpc-sdp/bay/blob/5.x/images/awx-ee/context/Dockerfile"
+    - LABEL maintainer="Digital Victoria"
+    - LABEL org.opencontainers.image.title="SDP AWX Execution Environment image."
+    - LABEL org.opencontainers.image.description="Provides an AWX execution environment image optimised for use with SDP. Built with ansible-builder."
+    - LABEL org.opencontainers.image.source="https://github.com/dpc-sdp/bay/blob/5.x/images/awx-ee/"
     - ARG LAGOON_CLI_VERSION=v0.15.4
-    - ARG NVM_INSTALL_VERSION=v0.39.1
-    - ARG NODE_VERSION=v14.15.1
+    - ARG NVM_INSTALL_VERSION=v0.39.7
+    - ARG NODE_VERSION=v18.17.0
+    - ARG NVM_DIR="/runner/.nvm"
+    - ARG PHP_VERSION="8.2"
 
   append_final:
     - | # Required dependencies.
       RUN set -eux; \
-          apt-get update && apt-get install -y \
+          apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
               git git-lfs \
               jq \
               rsync \
@@ -39,10 +42,12 @@ additional_build_steps:
     - | # Install php & composer.
       RUN set -eux; \
           curl -sSL https://packages.sury.org/php/README.txt | bash -x; \
-          apt-get update && apt-get install -y \
-              php8.1-cli \
-              php8.1-gd \
-              php8.1-zip; \
+          apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+              php${PHP_VERSION}-cli \
+              php${PHP_VERSION}-curl \
+              php${PHP_VERSION}-gd \
+              php${PHP_VERSION}-xml \
+              php${PHP_VERSION}-zip; \
           rm -rf /var/lib/apt/lists/*;
 
     - | # Install cli tools.
@@ -66,11 +71,20 @@ additional_build_steps:
     - RUN tar -C /tmp -xvf /tmp/gojq_v0.12.4_linux_amd64.tar.gz
     - RUN chmod +x /tmp/gojq_v0.12.4_linux_amd64/gojq
     - RUN mv /tmp/gojq_v0.12.4_linux_amd64/gojq /usr/local/bin
-    - RUN touch $HOME/.bashrc && chmod +x $HOME/.bashrc
-    - RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_INSTALL_VERSION/install.sh | bash
+    - RUN touch /runner/.bashrc && chmod +x /runner/.bashrc
+    - RUN mkdir -p /runner/.nvm && chgrp 0 /runner/.nvm && chmod -R ug+rwx /runner/.nvm
+    - RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/$NVM_INSTALL_VERSION/install.sh | PROFILE="/runner/.bashrc" bash
     - RUN curl -L "https://get.helm.sh/helm-v3.12.2-linux-amd64.tar.gz" -o /tmp/helm && tar -xvf /tmp/helm -C /tmp && mv /tmp/linux-amd64/helm /usr/local/bin
     - RUN chmod +x /usr/local/bin/helm
     - RUN curl -L https://github.com/google/yamlfmt/releases/download/v0.10.0/yamlfmt_0.10.0_Linux_x86_64.tar.gz --output /tmp/yamlfmt_0.10.0_Linux_x86_64.tar.gz
     - RUN tar -C /tmp -xvf /tmp/yamlfmt_0.10.0_Linux_x86_64.tar.gz
     - RUN chmod +x /tmp/yamlfmt
-    - RUN mv /tmp/yamlfmt /usr/local/bin
+    - RUN mv /tmp/yamlfmt /usr/local/bin
+    - | # Install GitHub gh cli tool
+      SHELL ["/bin/bash", "-c"]
+      RUN set -eux; \
+        curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+        && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+        && apt update \
+        && DEBIAN_FRONTEND=noninteractive apt install gh -y

images/ci-builder/Dockerfile

@@ -1,5 +1,5 @@
 FROM hashicorp/terraform:latest AS terraform
-FROM php:8.1-cli-alpine
+FROM php:8.2-cli-alpine
 ARG AHOY_VERSION=2.1.1
 ARG GOJQ_VERSION=0.12.4
 ARG HUB_VERSION=2.14.2
@@ -38,15 +38,12 @@ RUN curl -L "https://github.com/github/hub/releases/download/v${HUB_VERSION}/hub
     chmod +x /tmp/hub-linux-386-${HUB_VERSION}/bin/hub && \
     mv /tmp/hub-linux-386-${HUB_VERSION}/bin/hub /usr/local/bin
 
-# Install Python dependencies not available in apk.
-RUN pip install --ignore-installed \
-    flake8 \
-    yamllint \
-    ansible-lint \
-    boto3
-
-## Install required PHP extensions for Drupal
+## Install required PHP extensions for Drupal and python packages.
 RUN apk add --no-cache \
+    py3-flake8 \
+    py3-ansible-lint \
+    py3-boto3 \
+    yamllint \
     libpng \
     libpng-dev \
     libjpeg-turbo-dev \

images/mailhog/README.md

@@ -13,7 +13,7 @@ You can also use it in your Docker Compose stack with the following snippet:
 ```
 services:
   mailhog:
-    image: singledigital/bay-mailhog:5.x
+    image: ghcr.io/dpc-sdp/bay/mailhog:5.x
     ports:
       - 1025
       - 8025

images/nginx/README.md

@@ -18,7 +18,7 @@ You can also use it in your Docker Compose stack with the following snippet:
 ```
 services:
   nginx:
-    image: singledigital/bay-nginx:5.x
+    image: ghcr.io/dpc-sdp/bay/nginx:5.x
     volumes: 
       - path/to/app:/app
     ports:

images/node/README.md

@@ -14,7 +14,7 @@ You can also use it in your Docker Compose stack with the following snippet:
 ```
 services:
   app:
-    image: singledigital/bay-node:5.x
+    image: ghcr.io/dpc-sdp/bay/node:5.x
     volumes:
       - path/to/app:/app
     ports:

images/php/Dockerfile.cli

@@ -1,4 +1,4 @@
-ARG PHP_VERSION=8.1
+ARG PHP_VERSION=8.2
 FROM php:${PHP_VERSION}-cli-alpine AS php-cli
 FROM ghcr.io/skpr/mtk:latest AS mtk
 FROM uselagoon/php-${PHP_VERSION}-cli-drupal:latest
@@ -22,8 +22,10 @@ RUN wget -O /usr/local/bin/dockerize https://github.com/dpc-sdp/dockerize/releas
 RUN apk add redis --no-cache
 
 # Install bay-cli.
-RUN wget "https://github.com/dpc-sdp/bay-cli/releases/download/v0.0.2/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_')" -O /bin/bay && \
-    chmod +x /bin/bay
+RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/v0.1.1/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN chmod +x /tmp/bay
+RUN mv /tmp/bay /bin/bay
 
 RUN mkdir /bay
 

images/php/Dockerfile.fpm

@@ -1,4 +1,4 @@
-ARG PHP_VERSION=8.1
+ARG PHP_VERSION=8.2
 FROM uselagoon/php-${PHP_VERSION}-fpm:latest
 
 RUN mkdir /bay
@@ -24,8 +24,10 @@ RUN  apk add --no-cache tzdata \
     && echo $TZ > /etc/timezone
 
 # Install bay-cli.
-RUN wget "https://github.com/dpc-sdp/bay-cli/releases/download/v0.0.1/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_')" -O /bin/bay && \
-    chmod +x /bin/bay
+RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/v0.1.1/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN chmod +x /tmp/bay
+RUN mv /tmp/bay /bin/bay
 
 ONBUILD ARG BAY_DISABLE_FUNCTIONS=phpinfo,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,exec,shell_exec,passthru,phpinfo,show_source,highlight_file,popen,fopen_with_path,dbmopen,dbase_open,filepro,filepro_rowcount,filepro_retrieve,posix_mkfifo
 ONBUILD ARG BAY_UPLOAD_LIMIT=100M

images/php/README.md

@@ -19,7 +19,7 @@ You can also use it in your Docker Compose stack with the following snippet:
 ```
 services:
   nginx:
-    image: singledigital/bay-php-fpm:5.x
+    image: ghcr.io/dpc-sdp/bay/php-fpm:5.x
     volumes:
       - path/to/app:/app
     ports: