Merge branch 'main' into alex-patch-1

pyca · Jun 17, 2024 · 1369d40 · 1369d40
2 parents 0c89da3 + 03a8016
commit 1369d40
Show file tree

Hide file tree

Showing 12 changed files with 127 additions and 85 deletions.
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
@@ -46,6 +46,7 @@ jobs:
 
           - {TAG_NAME: "cryptography-runner-ubuntu-focal", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=focal", RUNNER: "ubuntu-latest"}
           - {TAG_NAME: "cryptography-runner-ubuntu-jammy", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=jammy", RUNNER: "ubuntu-latest"}
+          - {TAG_NAME: "cryptography-runner-ubuntu-noble", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=noble", RUNNER: "ubuntu-latest"}
           - {TAG_NAME: "cryptography-runner-ubuntu-rolling", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=rolling", RUNNER: "ubuntu-latest"}
 
           - {TAG_NAME: "cryptography-manylinux2014:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=manylinux2014_x86_64", RUNNER: "ubuntu-latest"}
@@ -57,20 +58,24 @@ jobs:
           - {TAG_NAME: "cryptography-manylinux_2_28:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=manylinux_2_28_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
           - {TAG_NAME: "cryptography-musllinux_1_1:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=musllinux_1_1_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
           - {TAG_NAME: "cryptography-musllinux_1_2:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=musllinux_1_2_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
-          - {TAG_NAME: "cryptography-runner-ubuntu-jammy:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=jammy", RUNNER: [self-hosted, Linux, ARM64]}
+          - {TAG_NAME: "cryptography-runner-ubuntu-rolling:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=rolling", RUNNER: [self-hosted, Linux, ARM64]}
           - {TAG_NAME: "cryptography-runner-alpine:aarch64", DOCKERFILE_PATH: "runners/alpine", RUNNER: [self-hosted, Linux, ARM64]}
 
     name: "${{ matrix.IMAGE.TAG_NAME }}"
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/[email protected]
+      - run: |
+          source ./staticnode/node-version.sh
+          arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+          echo "NODE_ARCH_RELEASE=$arch:$NODE_VERSION" >> $GITHUB_ENV
       # Pull the previous image, but if it fails return true anyway.
       # Sometimes we add new docker images and if they've never been pushed
       # they can't be pulled.
       - name: Pull existing image
         run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true
         if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
       - name: Build image
-        run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }}
+        run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }} --build-arg NODE_ARCH_RELEASE=${{ env.NODE_ARCH_RELEASE }}
       - name: Login to docker
         run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io'
         env:

diff --git a/.github/workflows/build-macos-openssl.yml b/.github/workflows/build-macos-openssl.yml
@@ -32,11 +32,11 @@ jobs:
             OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
     name: "Build OpenSSL for macOS (${{ matrix.ARCH.NAME }})"
     steps:
-      - uses: actions/[email protected].2
+      - uses: actions/[email protected].7
       - name: Download OpenSSL
         run: |
           source ./cryptography-linux/openssl-version.sh
-          curl -o openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz
+          curl -Lo openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz
           shasum -a 256 -c <<< "$OPENSSL_SHA256 *openssl.tar.gz"
       - name: Extract OpenSSL
         run: |
@@ -61,7 +61,7 @@ jobs:
         env:
           CFLAGS: ${{ matrix.ARCH.CFLAGS }}
 
-      - uses: actions/[email protected].1
+      - uses: actions/[email protected].3
         with:
           name: "openssl-macos-${{ matrix.ARCH.ARTIFACT_NAME }}"
           path: artifact/
@@ -71,11 +71,11 @@ jobs:
     name: "Build OpenSSL for macOS universal2"
     needs: [ build ]
     steps:
-      - uses: actions/[email protected].4
+      - uses: actions/[email protected].7
         with:
           name: openssl-macos-x86-64
           path: x86-64
-      - uses: actions/[email protected].4
+      - uses: actions/[email protected].7
         with:
           name: openssl-macos-arm64
           path: arm64
@@ -88,7 +88,7 @@ jobs:
           cp -r ../x86-64/lib/pkgconfig lib/
           lipo -create -output lib/libssl.a ../x86-64/lib/libssl.a ../arm64/lib/libssl.a
           lipo -create -output lib/libcrypto.a ../x86-64/lib/libcrypto.a ../arm64/lib/libcrypto.a
-      - uses: actions/[email protected].1
+      - uses: actions/[email protected].3
         with:
           name: "openssl-macos-universal2"
           path: artifact/
diff --git a/.github/workflows/build-static-node.yml b/.github/workflows/build-static-node.yml
@@ -0,0 +1,54 @@
+name: Build Static Node.js Container
+permissions:
+  contents: read
+  packages: write
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/build-static-node.yml'
+      - 'staticnode/**'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/build-static-node.yml'
+      - 'staticnode/**'
+
+jobs:
+  build:
+    name: Build node.js
+    runs-on: ${{ matrix.IMAGE.RUNNER }}
+    strategy:
+      fail-fast: false
+      matrix:
+        IMAGE:
+          - {RUNNER: "ubuntu-latest", MANYLINUX_ARCH: "x86_64"}
+          - {RUNNER: [self-hosted, Linux, ARM64], MANYLINUX_ARCH: "aarch64"}
+    steps:
+    - uses: actions/[email protected]
+    - name: Set Node.js version
+      run: |
+        source ./staticnode/node-version.sh
+        echo "NODE_VERSION=$NODE_VERSION" >> $GITHUB_ENV
+        echo "NODE_SHA256SUM=$NODE_SHA256SUM" >> $GITHUB_ENV
+        arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
+        echo "NODE_ARCH=$arch" >> $GITHUB_ENV
+    - name: Build the Docker image
+      run: |
+        echo building node.js $NODE_VERSION
+        docker build --tag ghcr.io/pyca/static-nodejs-$NODE_ARCH:$NODE_VERSION --build-arg VERSION=$NODE_VERSION --build-arg ARCH=$NODE_ARCH --build-arg SHA256SUM=$NODE_SHA256SUM staticnode
+    - name: Test static node.js on manylinux2014
+      run: |
+        cd staticnode
+        docker build -f Dockerfile-test -t test-node --build-arg MANYLINUX_ARCH=${{ matrix.IMAGE.MANYLINUX_ARCH }} --build-arg CONTAINER_NAME=ghcr.io/pyca/static-nodejs-$NODE_ARCH:$NODE_VERSION .
+        docker run test-node /staticnode/bin/node -e "console.log('hello world'); console.log(process.version)"
+    - name: Login to docker
+      run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io'
+      env:
+        DOCKER_USERNAME: ${{ github.actor }}
+        DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
+    - name: Push image
+      run: docker push ghcr.io/pyca/static-nodejs-${{ env.NODE_ARCH }}:${{ env.NODE_VERSION }}
+      if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
diff --git a/.github/workflows/build-windows-openssl.yml b/.github/workflows/build-windows-openssl.yml
@@ -26,7 +26,7 @@ jobs:
         ARCH: ["win32", "win64"]
     name: "Build OpenSSL for ${{ matrix.ARCH }} on MSVC 2022"
     steps:
-      - uses: actions/[email protected].2
+      - uses: actions/[email protected].7
       - run: choco install -y nasm winrar
       - name: Export OpenSSL version
         run: |
@@ -46,7 +46,7 @@ jobs:
         shell: cmd
       - run: windows\openssl\build_openssl.bat ${{ matrix.ARCH }}
         shell: cmd
-      - uses: actions/[email protected].1
+      - uses: actions/[email protected].3
         with:
           name: "openssl-${{ matrix.ARCH }}"
           path: build\
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -13,11 +13,10 @@ on:
       - '.github/workflows/terraform.yml'
 
 jobs:
-  # Build containers for x86
   terraform:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/[email protected].2
+      - uses: actions/[email protected].7
       - run: terraform -chdir=terraform/ fmt -check
       - run: terraform -chdir=terraform/ init -backend=false
       # Need to have a values.yaml for validate to pass.

diff --git a/cryptography-linux/Dockerfile b/cryptography-linux/Dockerfile
@@ -1,7 +1,8 @@
+ARG NODE_ARCH_RELEASE
 ARG PYCA_RELEASE
+FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs
 FROM quay.io/pypa/${PYCA_RELEASE}
-ARG PYCA_RELEASE
-MAINTAINER Python Cryptographic Authority
+LABEL org.opencontainers.image.authors="Python Cryptographic Authority"
 WORKDIR /root
 RUN \
   if [ $(uname -m) = "x86_64" ]; \
@@ -10,28 +11,6 @@ RUN \
       yum -y install binutils perl-IPC-Cmd && \
       yum -y clean all && \
       rm -rf /var/cache/yum; \
-    elif stat /etc/debian_version 1>&2 2>/dev/null; then \
-      export DEBIAN_FRONTEND=noninteractive && \
-      apt-get update -qq && \
-      apt-get install -qq -y --no-install-recommends prelink && \
-      apt-get clean -qq && \
-      rm -rf /var/lib/apt/lists/*; \
-    else \
-      # gcompat's latest release (as of 2024-02-04) doesn't support features we need for GH's node20 \
-      # so instead we build the entire thing ourselves from source. \
-      # Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable  \
-      # and pinned to the latest gcompat at the time this was written \
-      apk add --no-cache make libucontext-dev musl-obstack-dev; \
-      _ld="ld-linux-x86_64.so.2"; \
-      _arch="aarch64"; \
-      curl -O https://git.adelielinux.org/adelie/gcompat/-/archive/8e300a60/gcompat-ae300a60.tar.gz && \
-      tar xf gcompat*.tar.gz && \
-      cd gcompat* && \
-      make WITH_LIBUCONTEXT=1 WITH_OBSTACK=musl-obstack LINKER_PATH="/lib/ld-musl-${_arch}.so.1" LOADER_NAME="${_ld}" install && \
-      mkdir /lib64 &&\
-      ln -s "/lib/${_ld}" "/lib64/${_ld}" &&\
-      ln -s "/lib/${_ld}" /lib/libresolv.so.2 && \
-      cd .. && rm -rf gcompat*; \
     fi; \
   fi
 
@@ -44,31 +23,10 @@ RUN \
       yum -y install libffi-devel perl-IPC-Cmd && \
       yum -y clean all && \
       rm -rf /var/cache/yum; \
-    elif stat /etc/debian_version 1>&2 2>/dev/null; then \
-      export DEBIAN_FRONTEND=noninteractive && \
-      apt-get update -qq && \
-      apt-get install -qq -y --no-install-recommends libffi-dev && \
-      apt-get clean -qq && \
-      rm -rf /var/lib/apt/lists/*; \
-    else \
-      # gcompat's latest release (as of 2024-02-04) doesn't support features we need for GH's node20 \
-      # so instead we build the entire thing ourselves from source. \
-      # Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable  \
-      # and pinned to the latest gcompat at the time this was written \
-      apk add --no-cache make libucontext-dev musl-obstack-dev; \
-      _ld="ld-linux-aarch64.so.1"; \
-      _arch="aarch64"; \
-      curl -O https://git.adelielinux.org/adelie/gcompat/-/archive/8e300a60/gcompat-ae300a60.tar.gz && \
-      tar xf gcompat*.tar.gz && \
-      cd gcompat* && \
-      make WITH_LIBUCONTEXT=1 WITH_OBSTACK=musl-obstack LINKER_PATH="/lib/ld-musl-${_arch}.so.1" LOADER_NAME="${_ld}" install && \
-      mkdir /lib64 &&\
-      ln -s "/lib/${_ld}" "/lib64/${_ld}" &&\
-      ln -s "/lib/${_ld}" /lib/libresolv.so.2 && \
-      cd .. && rm -rf gcompat*; \
     fi; \
   fi
 
+COPY --from=staticnodejs /out/ /staticnode/
 ADD install_openssl.sh /root/install_openssl.sh
 ADD openssl-version.sh /root/openssl-version.sh
 RUN ./install_openssl.sh

diff --git a/cryptography-linux/install_openssl.sh b/cryptography-linux/install_openssl.sh
@@ -4,16 +4,8 @@ set -xe
 OPENSSL_URL="https://www.openssl.org/source/"
 source /root/openssl-version.sh
 
-function check_sha256sum {
-    local fname=$1
-    local sha256=$2
-    echo "${sha256}  ${fname}" > "${fname}.sha256"
-    sha256sum -c "${fname}.sha256"
-    rm "${fname}.sha256"
-}
-
-curl -#O "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
-check_sha256sum ${OPENSSL_VERSION}.tar.gz ${OPENSSL_SHA256}
+curl -#LO "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
+echo "${OPENSSL_SHA256}  ${OPENSSL_VERSION}.tar.gz" | sha256sum -c -
 tar zxf ${OPENSSL_VERSION}.tar.gz
 pushd ${OPENSSL_VERSION}
 ./config $OPENSSL_BUILD_FLAGS --prefix=/opt/pyca/cryptography/openssl --openssldir=/opt/pyca/cryptography/openssl

diff --git a/runners/alpine/Dockerfile b/runners/alpine/Dockerfile
@@ -1,3 +1,6 @@
+ARG NODE_ARCH_RELEASE
+FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs
+
 FROM alpine:latest
 
 # Increment this to blow away the docker cache
@@ -10,6 +13,8 @@ ENV LANG C.UTF-8
 RUN apk add --no-cache git libffi-dev curl \
     python3-dev openssl-dev bash gcc musl-dev tar pkgconfig zstd libucontext-dev musl-obstack-dev make
 
+COPY --from=staticnodejs /out/ /staticnode/
+
 # Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable and pinned to the
 # latest gcompat at the time this was written
 RUN if [ $(uname -m) = "x86_64" ]; \

diff --git a/staticnode/Dockerfile b/staticnode/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:latest
+ARG VERSION
+# One of x64 or arm64
+ARG ARCH
+# The sha256sum for the node source tarball
+ARG SHA256SUM
+
+RUN mkdir -p /build
+WORKDIR /build
+
+RUN apk add --no-cache binutils-gold curl g++ gcc gnupg libgcc linux-headers make python3 libstdc++
+RUN mkdir -p /out/bin
+
+RUN curl -O https://nodejs.org/dist/$VERSION/node-$VERSION.tar.gz
+RUN echo "$SHA256SUM  node-$VERSION.tar.gz" | sha256sum -c -
+RUN tar -zxvf node-$VERSION.tar.gz
+RUN cd node-$VERSION && ./configure --dest-cpu=$ARCH --fully-static && make -j$(nproc)
+RUN cp /build/node-$VERSION/LICENSE /out/LICENSE && cp /build/node-$VERSION/out/Release/node /out/bin/node
+
+FROM scratch
+COPY --from=0 /out/ /out
diff --git a/staticnode/Dockerfile-test b/staticnode/Dockerfile-test
@@ -0,0 +1,6 @@
+ARG MANYLINUX_ARCH
+ARG CONTAINER_NAME
+FROM ${CONTAINER_NAME} as staticnodejs
+FROM quay.io/pypa/manylinux2014_${MANYLINUX_ARCH}
+
+COPY --from=staticnodejs /out /staticnode/
diff --git a/staticnode/node-version.sh b/staticnode/node-version.sh
@@ -0,0 +1,2 @@
+export NODE_VERSION="v20.13.1"
+export NODE_SHA256SUM="a85ee53aa0a5c2f5ca94fa414cdbceb91eb7d18a77fc498358512c14cc6c6991"
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl