diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 69f6d30dd..93585c20b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,3 +11,7 @@ updates:
 schedule:
 interval: "daily"
 versioning-strategy: increase
+ - package-ecosystem: "github-actions"
+ directory: "/" # Scans .github/workflows for action/reusable-workflow refs
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 7f40d4f93..7232c32bb 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -9,7 +9,10 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 call-workflow-passing-data:
 name: Documentation
- uses: ROCm/rocm-docs-core/.github/workflows/linting.yml@develop
+ uses: ROCm/rocm-docs-core/.github/workflows/linting.yml@b623885e7e4fe2f87bd2898d8ea0e2c4ded2eca1 # v1.35.0
diff --git a/.gitignore b/.gitignore
index 8d7f51911..1c27b74c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,9 +5,9 @@
 /helm-charts-k8s/charts/*.tgz
 *.out
-# node app for e2e test
-id_rsa*
-nodeapp
+# node app for e2e test (ephemeral build artifacts, not the source dir)
+/tests/e2e/nodeapp/id_rsa*
+/tests/e2e/nodeapp/nodeapp
 # Sphinx documentation
 _build/
diff --git a/Dockerfile.build b/Dockerfile.build
index 7d3b5bb96..8cf306fcf 100644
--- a/Dockerfile.build
+++ b/Dockerfile.build
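Review bot: In `.github/dependabot.yml`, nothing visible in this hunk covers the other pins this commit introduces: the digest-pinned `FROM alpine:3.22@sha256:…` in `tests/e2e/nodeapp/Dockerfile` and the `HELM_VERSION`/`HELM_SHA256` pair; the new `github-actions` entry only keeps the SHA-pinned workflow ref fresh. The earlier entries of the file are outside the hunk, so a `docker` ecosystem may already be configured. If it is not, consider adding a `package-ecosystem: "docker"` entry with `directory: "/tests/e2e/nodeapp"` so the base-image digest does not go stale. The Helm pin is a plain download that Dependabot will presumably not track, so it needs a documented manual or scripted bump.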
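Review bot: In `.github/workflows/linting.yml`, the new top-level `permissions: contents: read` is also the ceiling for the token inside the called reusable workflow, which can only reduce it, so every scope other than `contents` becomes `none` for the `ROCm/rocm-docs-core` linting job. That workflow's body is not visible here; confirm it needs nothing beyond read access to repository contents, otherwise the job will start failing after this change. A short comment above the block, such as `# Ceiling for the called reusable workflow's GITHUB_TOKEN; raise only if linting needs it`, would record the intent. The commit SHA pins the called workflow file only; the actions it uses internally are as pinned as upstream made them at that commit.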
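Review bot: In `.gitignore`, anchoring `id_rsa*` to `/tests/e2e/nodeapp/` removes the repository-wide guard against committing a private key: an `id_rsa` generated in any other directory now shows up as untracked and can be picked up by a broad `git add`. The stated reason for the change (not ignoring the source directory) applies to the bare `nodeapp` pattern, which matched the `tests/e2e/nodeapp` directory itself, not to the key pattern. Consider keeping the unanchored `id_rsa*` line and anchoring only the binary, `/tests/e2e/nodeapp/nodeapp`.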
@@ -54,9 +54,12 @@ RUN wget https://go.dev/dl/go1.26.4.linux-amd64.tar.gz && \
 ENV PATH="/usr/local/go/bin:${PATH}"
-RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
- chmod 700 get_helm.sh && \
- ./get_helm.sh && rm get_helm.sh
+ARG HELM_VERSION=v3.19.0
+ARG HELM_SHA256=a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496
+RUN curl -fsSL -o helm.tar.gz "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" && \
+ echo "${HELM_SHA256} helm.tar.gz" | sha256sum -c - && \
+ tar -xzf helm.tar.gz --strip-components=1 -C /usr/local/bin linux-amd64/helm && \
+ rm helm.tar.gz
 RUN curl -sSL https://github.com/arttor/helmify/releases/download/v0.4.13/helmify_Linux_x86_64.tar.gz \
 -o helmify_Linux_x86_64.tar.gz && \
diff --git a/Makefile b/Makefile
index 762ef0701..9cb55fa9f 100644
--- a/Makefile
+++ b/Makefile
@@ -132,6 +132,10 @@ DOCKER_CACHE_FROM ?=
 DOCKER_CACHE_TO ?=
 GOLANG_BASE_IMG ?= golang:1.26.4
 OPERATOR_CONTROLLER_BASE_IMAGE ?= registry.access.redhat.com/ubi9/ubi-minimal:9.7
+# Helm binary installed into the build-shell image (Dockerfile.build). Pin the
+# version and its published sha256 together; bump both when upgrading.
+HELM_VERSION ?= v3.19.0
+HELM_SHA256 ?= a7f81ce08007091b86d8bd696eb4d86b8d0f2e1b9f6c714be62f82f96a594496
 ##################
 # Documentation website build variables
@@ -376,6 +380,8 @@ docker-build-env: ## Build the docker shell container.
 -t $(DOCKER_BUILDER_IMAGE) \
 --build-arg BUILD_BASE_IMG=$(BUILD_BASE_IMG) \
 --build-arg INSECURE_REGISTRY=$(INSECURE_REGISTRY) \
+ --build-arg HELM_VERSION=$(HELM_VERSION) \
+ --build-arg HELM_SHA256=$(HELM_SHA256) \
 $(if $(DOCKER_CACHE_FROM),--cache-from=$(DOCKER_CACHE_FROM)) \
 $(if $(DOCKER_CACHE_TO),--cache-to=$(DOCKER_CACHE_TO)) \
 --load \
diff --git a/tests/e2e/nodeapp/.dockerignore b/tests/e2e/nodeapp/.dockerignore
new file mode 100644
index 000000000..2909d9754
--- /dev/null
+++ b/tests/e2e/nodeapp/.dockerignore
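Review bot: The `ARG HELM_VERSION`/`ARG HELM_SHA256` defaults in `Dockerfile.build` duplicate the values added to the `Makefile` (the `HELM_VERSION ?=` hunk and the `--build-arg` hunk in `docker-build-env`), and only the Makefile copy carries a comment. A direct `docker build` that bypasses the Makefile uses the Dockerfile defaults, so the two can drift; add a comment above the ARGs such as `# Keep in sync with HELM_VERSION/HELM_SHA256 in the Makefile; the digest is for the linux-amd64 tarball only`. Overriding the version without the matching digest makes `sha256sum -c` fail the build, which is the desired fail-closed behaviour. The helmify download in the trailing context still uses `curl -sSL` with no checksum; that RUN instruction continues outside the hunk, so the same verification is worth applying there.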
@@ -0,0 +1,10 @@
+# Keep the build context minimal — only the runtime artifacts referenced by
+# COPY in the Dockerfile are needed. The ephemeral, per-build SSH keypair
+# (id_rsa/id_rsa.pub, regenerated by `make docker-build`) is intentionally
+# copied in and must NOT be excluded here.
+*
+!nodeapp
+!id_rsa
+!id_rsa.pub
+!docker-entrypoint.sh
+!docker-exitpoint.sh
diff --git a/tests/e2e/nodeapp/Dockerfile b/tests/e2e/nodeapp/Dockerfile
index 2eb39b356..0bafbfc9e 100644
--- a/tests/e2e/nodeapp/Dockerfile
+++ b/tests/e2e/nodeapp/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.7
+FROM alpine:3.22@sha256:14358309a308569c32bdc37e2e0e9694be33a9d99e68afb0f5ff33cc1f695dce
 RUN apk update && apk add openssh-client bash
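Review bot: In `tests/e2e/nodeapp/.dockerignore`, `!id_rsa` deliberately admits a private key into the build context, and the header comment says it is copied into the image, so the key can be read back out of the image layers by anyone able to pull that image. The Dockerfile's `COPY` lines and the image's push target are not visible in this hunk; if the image reaches a shared registry, the key should authorize nothing beyond the throwaway e2e fixture. Extending the header comment with a line such as `# Test-only key: it ends up in an image layer, so never reuse it or grant it access outside the e2e fixture` would make that constraint explicit.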