authorRin Kuryloski <kuryloskip@vmware.com>2022-07-20 19:24:22 +0200
committerRin Kuryloski <kuryloskip@vmware.com>2022-07-20 19:24:22 +0200
commita34cd6ec9486bf9c1f80867bc5dc2c1888d67cb7 (patch)
treec6d1fbe1d137fa5640fc6e771d79f74e9f404e78
parent414c8a0c186272af2b80f3676cf3d6aa0eb9df3e (diff)
downloadrabbitmq-server-git-oci-workflow-updates-from-master.tar.gz
Backport of updates to OCI workflows from master branchoci-workflow-updates-from-master
-rw-r--r--.github/workflows/oci-base.yaml58
-rw-r--r--.github/workflows/oci.yaml42
-rw-r--r--packaging/base-image/Dockerfile18
-rw-r--r--packaging/docker-image/Dockerfile16
-rw-r--r--packaging/docker-image/otp-versions/otp-max.yaml9
-rw-r--r--packaging/docker-image/otp-versions/otp-min.yaml7
6 files changed, 93 insertions, 57 deletions
diff --git a/.github/workflows/oci-base.yaml b/.github/workflows/oci-base.yaml
new file mode 100644
index 0000000000..93f3576f7c
--- /dev/null
+++ b/.github/workflows/oci-base.yaml
@@ -0,0 +1,58 @@
+# https://github.com/marketplace/actions/build-and-push-docker-images
+name: OCI Base Image
+on:
+ schedule:
+ - cron: '0 3 * * *'
+ workflow_dispatch:
+jobs:
+ build-publish:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Cache Docker layers
+ uses: actions/cache@v3.0.5
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-${{ github.event.pull_request.head.sha || github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-
+
+ - name: Check for Push Credentials
+ id: authorized
+ run: |
+ if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]; then
+ echo "::set-output name=PUSH::true"
+ else
+ echo "::set-output name=PUSH::false"
+ fi
+
+ - name: Login to DockerHub
+ if: steps.authorized.outputs.PUSH == 'true'
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ with:
+ context: packaging/base-image
+ pull: true
+ push: ${{ steps.authorized.outputs.PUSH }}
+ tags: |
+ pivotalrabbitmq/ubuntu:20.04
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+ # Temp fix
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
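Review bot: The `Check for Push Credentials` step expands `${{ secrets.DOCKERHUB_USERNAME }}` straight into the script text, so the secret is spliced into the shell source before bash parses it. Passing it through the step's `env:` (`DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}`) and testing `[ -n "$DOCKERHUB_USERNAME" ]` keeps it as data. The cache `key` and `restore-keys` reference `matrix.image_tag_suffix`, but this job defines no matrix, so that segment expands to an empty string. It looks carried over from oci.yaml and could be a fixed label such as `base`. Because this workflow publishes `pivotalrabbitmq/ubuntu:20.04` for other builds to start from, pinning `docker/login-action@v1` and `docker/build-push-action@v2` to full commit SHAs instead of movable tags is worth considering.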
diff --git a/.github/workflows/oci.yaml b/.github/workflows/oci.yaml
index 39107ce920..5da1bc4441 100644
--- a/.github/workflows/oci.yaml
+++ b/.github/workflows/oci.yaml
@@ -27,23 +27,15 @@ jobs:
matrix:
# Build image for every supported Erlang major version.
# Source of truth for OTP versions (min & max): https://www.rabbitmq.com/which-erlang.html
- image_tag_suffix:
- - otp-min
- - otp-max
+ include:
+ - image_tag_suffix: otp-min
+ otp_major: 24
+ - image_tag_suffix: otp-max
+ otp_major: 25
steps:
- name: Checkout
uses: actions/checkout@v3
- - name: Load version info
- id: load-info
- run: |
- # TODO: de-duplicate the info these files and MODULE.bazel
- FILE=packaging/docker-image/otp-versions/${{ matrix.image_tag_suffix }}.yaml
- echo "::set-output name=otp::$(yq eval '.otp' $FILE)"
- echo "::set-output name=otp_major::$(yq eval '.otp_major' $FILE)"
- echo "::set-output name=otp_sha256::$(yq eval '.otp_sha256' $FILE)"
- echo "::set-output name=elixir::$(yq eval '.elixir' $FILE)"
-
- name: Mount Bazel Cache
uses: actions/cache@v3.0.5
with:
@@ -67,26 +59,17 @@ jobs:
build:buildbuddy --remote_download_toplevel
EOF
- - name: Check for otp & elixir version exact match
+ - name: Load version info
+ id: load-info
run: |
- bazelisk build :otp_version --config=rbe-${{ steps.load-info.outputs.otp_major }}
- if [ ! "$(cat bazel-bin/otp_version.txt)" == "${{ steps.load-info.outputs.otp }}" ]; then
- echo "The version of erlang specified via bazel is $(cat bazel-bin/otp_version.txt),
- echo "but ${{ steps.load-info.outputs.otp }} is expected."
- exit 1
- fi
- bazelisk build :elixir_version --config=rbe-${{ steps.load-info.outputs.otp_major }}
- if [ ! "$(cat bazel-bin/elixir_version.txt)" == "${{ steps.load-info.outputs.elixir }}" ]; then
- echo "The version of elixir specified via bazel is $(cat bazel-bin/elixir_version.txt),
- echo "but ${{ steps.load-info.outputs.elixir }} is expected."
- exit 1
- fi
+ bazelisk build :otp_version --config=rbe-${{ matrix.otp_major }}
+ echo "::set-output name=otp::$(cat bazel-bin/otp_version.txt)"
- name: Build generic unix package
run: |
sed -i"_orig" -E '/APP_VERSION/ s/3\.[0-9]+\.[0-9]+/${{ github.event.pull_request.head.sha || github.sha }}/' rabbitmq.bzl
bazelisk build :package-generic-unix \
- --config=rbe-${{ steps.load-info.outputs.otp_major }}
+ --config=rbe-${{ matrix.otp_major }}
- name: Resolve generic unix package path
run: |
@@ -120,7 +103,7 @@ jobs:
fi
- name: Login to DockerHub
- if: steps.authorized.outputs.PUSH
+ if: steps.authorized.outputs.PUSH == 'true'
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -141,6 +124,7 @@ jobs:
uses: docker/build-push-action@v2
with:
context: packaging/docker-image
+ pull: true
push: ${{ steps.authorized.outputs.PUSH }}
tags: |
pivotalrabbitmq/rabbitmq:${{ steps.compute-tags.outputs.TAG_1 }}
@@ -149,7 +133,7 @@ jobs:
SKIP_PGP_VERIFY=true
PGP_KEYSERVER=pgpkeys.eu
OTP_VERSION=${{ steps.load-info.outputs.otp }}
- OTP_SHA256=${{ steps.load-info.outputs.otp_sha256 }}
+ SKIP_OTP_VERIFY=true
RABBITMQ_BUILD=rabbitmq_server-${{ github.event.pull_request.head.sha || github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
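Review bot: Replacing `OTP_SHA256=...` with `SKIP_OTP_VERIFY=true` in the build args, next to the existing `SKIP_PGP_VERIFY=true`, means this workflow no longer checks the Erlang/OTP source tarball against an expected digest. The matching hunks in packaging/docker-image/Dockerfile add `ARG SKIP_OTP_VERIFY=false` and prefix the `sha256sum --check --strict` line with `test "$SKIP_OTP_VERIFY" = "true" ||`, so whatever `wget` fetches from `$OTP_SOURCE_URL` is extracted and compiled into the image unverified. `OTP_VERSION` now comes from `bazel-bin/otp_version.txt`, so the expected SHA-256 could presumably be emitted from the same Bazel definition and passed as `OTP_SHA256=${{ steps.load-info.outputs.otp_sha256 }}`, which would keep the check unconditional. If the skip has to stay, a comment on the build arg saying why, and an `echo` in the Dockerfile when verification is bypassed, would make the gap visible in build logs. The `build-args` block begins outside this hunk.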
diff --git a/packaging/base-image/Dockerfile b/packaging/base-image/Dockerfile
new file mode 100644
index 0000000000..74257bad8d
--- /dev/null
+++ b/packaging/base-image/Dockerfile
@@ -0,0 +1,18 @@
+# The official Canonical Ubuntu Bionic image is ideal from a security perspective,
+# especially for the enterprises that we, the RabbitMQ team, have to deal with
+FROM ubuntu:20.04
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y lsb-release ubuntu-dbgsym-keyring; \
+ echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" > /etc/apt/sources.list.d/ddebs.list; \
+ echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \
+ echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ # grab gosu for easy step-down from root
+ libc6-dbg \
+ libgcc-s1-dbgsym \
+ libstdc++6-dbgsym \
+ libtinfo6-dbgsym \
+ zlib1g-dbgsym
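Review bot: This new base image never removes the apt package lists, so the state from both `apt-get update` runs is baked into the layer that every downstream image inherits. The `rm -rf /var/lib/apt/lists/*` in packaging/docker-image/Dockerfile runs in a later layer and cannot shrink this one. Ending the `RUN` with `zlib1g-dbgsym; \` followed by `rm -rf /var/lib/apt/lists/*` would fix that. The comment `# grab gosu for easy step-down from root` is left over from the other Dockerfile, since no gosu is installed here, and should be replaced with something like `# debug symbols for the C runtime libraries`. The header comment says Bionic, but `ubuntu:20.04` is Focal.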
diff --git a/packaging/docker-image/Dockerfile b/packaging/docker-image/Dockerfile
index 4e0b8671ba..ced2a49e76 100644
--- a/packaging/docker-image/Dockerfile
+++ b/packaging/docker-image/Dockerfile
@@ -1,22 +1,13 @@
# The official Canonical Ubuntu Bionic image is ideal from a security perspective,
# especially for the enterprises that we, the RabbitMQ team, have to deal with
-FROM ubuntu:20.04
+ARG BASE=ubuntu
+FROM ${BASE}:20.04
RUN set -eux; \
apt-get update; \
- apt-get install -y lsb-release ubuntu-dbgsym-keyring; \
- echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" > /etc/apt/sources.list.d/ddebs.list; \
- echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \
- echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \
- apt-get update; \
apt-get install -y --no-install-recommends \
# grab gosu for easy step-down from root
gosu \
- libc6-dbg \
- libgcc-s1-dbgsym \
- libstdc++6-dbgsym \
- libtinfo6-dbgsym \
- zlib1g-dbgsym \
; \
rm -rf /var/lib/apt/lists/*; \
# verify that the "gosu" binary works
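Review bot: `ARG BASE=ubuntu` with `FROM ${BASE}:20.04` lets the build start from any repository named by a build arg, yet the header comment above still describes only the official Canonical image (and calls 20.04 "Bionic"). A comment on the ARG would help, for example `# BASE selects the base image repository; pivotalrabbitmq/ubuntu is ubuntu:20.04 plus the dbgsym packages`. That wording is inferred from the new packaging/base-image/Dockerfile. Both candidate bases are referenced by the mutable `20.04` tag, and the pivotalrabbitmq one is rebuilt on a nightly schedule, so release builds may want to pin the base by digest. The `RUN` block continues past the end of this hunk.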
@@ -44,6 +35,7 @@ ENV OTP_VERSION ${OTP_VERSION}
# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html
ARG OTP_SHA256
ENV OTP_SOURCE_SHA256=${OTP_SHA256}
+ARG SKIP_OTP_VERIFY=false
# Install dependencies required to build Erlang/OTP from source
# https://erlang.org/doc/installation_guide/INSTALL.html
@@ -116,7 +108,7 @@ RUN set -eux; \
# Download, verify & extract OTP_SOURCE
mkdir -p "$OTP_PATH"; \
wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \
- echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
+ test "$SKIP_OTP_VERIFY" = "true" || echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \
\
# Configure Erlang/OTP for compilation, disable unused features & applications
diff --git a/packaging/docker-image/otp-versions/otp-max.yaml b/packaging/docker-image/otp-versions/otp-max.yaml
deleted file mode 100644
index 0380682781..0000000000
--- a/packaging/docker-image/otp-versions/otp-max.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-otp: '25.0'
-otp_major: '25'
-# make -C packaging/docker-image find-otp-sha256 OTP_VERSION_MATCH=24.0
-otp_sha256: 5988e3bca208486494446e885ca2149fe487ee115cbc3770535fd22a795af5d2
-# Which is the max supported Elixir?
-# https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbitmq_cli/mix.exs#L14
-# Which is the latest Elixir release?
-# https://github.com/elixir-lang/elixir/tags
-elixir: '1.12.2'
\ No newline at end of file
diff --git a/packaging/docker-image/otp-versions/otp-min.yaml b/packaging/docker-image/otp-versions/otp-min.yaml
deleted file mode 100644
index acfec5d561..0000000000
--- a/packaging/docker-image/otp-versions/otp-min.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-otp: '24.3.4'
-otp_major: '24'
-# make -C packaging/docker-image find-otp-sha256 OTP_VERSION_MATCH=24.0
-otp_sha256: e59bedbb871af52244ca5284fd0a572d52128abd4decf4347fe2aef047b65c58
-# Which is the max supported Elixir?
-# https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbitmq_cli/mix.exs#L14
-elixir: '1.12.3'