diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index de18e5e6..adbe9170 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -46,6 +46,7 @@ jobs:
 - {TAG_NAME: "cryptography-runner-ubuntu-focal", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=focal", RUNNER: "ubuntu-latest"}
 - {TAG_NAME: "cryptography-runner-ubuntu-jammy", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=jammy", RUNNER: "ubuntu-latest"}
+ - {TAG_NAME: "cryptography-runner-ubuntu-noble", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=noble", RUNNER: "ubuntu-latest"}
 - {TAG_NAME: "cryptography-runner-ubuntu-rolling", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=rolling", RUNNER: "ubuntu-latest"}
 - {TAG_NAME: "cryptography-manylinux2014:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=manylinux2014_x86_64", RUNNER: "ubuntu-latest"}
@@ -57,12 +58,16 @@ jobs: - {TAG_NAME: "cryptography-manylinux_2_28:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=manylinux_2_28_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - {TAG_NAME: "cryptography-musllinux_1_1:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=musllinux_1_1_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - {TAG_NAME: "cryptography-musllinux_1_2:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=musllinux_1_2_aarch64", RUNNER: [self-hosted, Linux, ARM64]} - - {TAG_NAME: "cryptography-runner-ubuntu-jammy:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=jammy", RUNNER: [self-hosted, Linux, ARM64]} + - {TAG_NAME: "cryptography-runner-ubuntu-rolling:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=rolling", RUNNER: [self-hosted, Linux, ARM64]} - {TAG_NAME: "cryptography-runner-alpine:aarch64", DOCKERFILE_PATH: "runners/alpine", RUNNER: [self-hosted, Linux, ARM64]} name: "${{ matrix.IMAGE.TAG_NAME }}" steps: - - uses: actions/checkout@v4.1.2 + - uses: actions/checkout@v4.1.7 + - run: | + source ./staticnode/node-version.sh + arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]') + echo "NODE_ARCH_RELEASE=$arch:$NODE_VERSION" >> $GITHUB_ENV # Pull the previous image, but if it fails return true anyway. # Sometimes we add new docker images and if they've never been pushed # they can't be pulled. 
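Review bot: The new `run: |` step is the only unnamed step in this job and it produces the value the Build image step depends on; naming it (`- name: Set NODE_ARCH_RELEASE`) and quoting the redirect target (`>> "$GITHUB_ENV"`) would match the surrounding steps and what shellcheck asks for. It also runs for every matrix entry, so the `--build-arg NODE_ARCH_RELEASE=…` added in the next hunk reaches the runners/ubuntu Dockerfile as well; if that file does not declare the ARG (it is not part of this commit) docker only warns about an unused build arg, which is harmless but worth confirming. The job definition this hunk belongs to starts before it.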
@@ -70,7 +75,7 @@ jobs: run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' - name: Build image - run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }} + run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }} --build-arg NODE_ARCH_RELEASE=${{ env.NODE_ARCH_RELEASE }} - name: Login to docker run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io' env: diff --git a/.github/workflows/build-macos-openssl.yml b/.github/workflows/build-macos-openssl.yml index 429caabb..18c654fa 100644 --- a/.github/workflows/build-macos-openssl.yml +++ b/.github/workflows/build-macos-openssl.yml @@ -32,11 +32,11 @@ jobs: OPENSSLDIR: "/opt/homebrew/etc/openssl@3" name: "Build OpenSSL for macOS (${{ matrix.ARCH.NAME }})" steps: - - uses: actions/checkout@v4.1.2 + - uses: actions/checkout@v4.1.7 - name: Download OpenSSL run: | source ./cryptography-linux/openssl-version.sh - curl -o openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz + curl -Lo openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz shasum -a 256 -c <<< "$OPENSSL_SHA256 *openssl.tar.gz" - name: Extract OpenSSL run: | @@ -61,7 +61,7 @@ jobs: env: CFLAGS: ${{ matrix.ARCH.CFLAGS }} - - uses: actions/upload-artifact@v4.3.1 + - uses: actions/upload-artifact@v4.3.3 with: name: "openssl-macos-${{ matrix.ARCH.ARTIFACT_NAME }}" path: artifact/ 
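Review bot: The build now depends on `ghcr.io/pyca/static-nodejs-<arch>:<version>` already existing in GHCR, and nothing in this workflow builds or waits for it, so bumping `staticnode/node-version.sh` and a runner image in the same push can fail here until build-static-node.yml has pushed the new tag (inferred from the triggers of the two workflows). The reference is a mutable tag resolved with `--pull` on every run, so a re-push of the same Node version silently changes what is copied into every runner image; recording the static-nodejs image digest next to NODE_VERSION/NODE_SHA256SUM and passing `NODE_ARCH_RELEASE` as `<arch>@sha256:<digest>` (or otherwise pinning it) would make the inputs reproducible. A comment on this step naming where the value comes from would also help, since `env.NODE_ARCH_RELEASE` is set several steps earlier.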
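Review bot: `curl -Lo` now follows redirects but still saves an HTTP error body as openssl.tar.gz and will follow a redirect to a non-HTTPS location; the `shasum -a 256 -c` on the next line catches both, but the failure then reads as a checksum mismatch rather than a download error. `curl -fLo openssl.tar.gz --proto '=https' https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz` fails fast on HTTP errors and keeps the redirect chain on TLS. The same applies to `curl -#LO` in cryptography-linux/install_openssl.sh and `curl -O` in staticnode/Dockerfile in this commit.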
@@ -71,11 +71,11 @@ jobs: name: "Build OpenSSL for macOS universal2" needs: [ build ] steps: - - uses: actions/download-artifact@v4.1.4 + - uses: actions/download-artifact@v4.1.7 with: name: openssl-macos-x86-64 path: x86-64 - - uses: actions/download-artifact@v4.1.4 + - uses: actions/download-artifact@v4.1.7 with: name: openssl-macos-arm64 path: arm64 @@ -88,7 +88,7 @@ jobs: cp -r ../x86-64/lib/pkgconfig lib/ lipo -create -output lib/libssl.a ../x86-64/lib/libssl.a ../arm64/lib/libssl.a lipo -create -output lib/libcrypto.a ../x86-64/lib/libcrypto.a ../arm64/lib/libcrypto.a - - uses: actions/upload-artifact@v4.3.1 + - uses: actions/upload-artifact@v4.3.3 with: name: "openssl-macos-universal2" path: artifact/ diff --git a/.github/workflows/build-static-node.yml b/.github/workflows/build-static-node.yml new file mode 100644 index 00000000..55135484 --- /dev/null +++ b/.github/workflows/build-static-node.yml 
@@ -0,0 +1,54 @@ +name: Build Static Node.js Container +permissions: + contents: read + packages: write + +on: + pull_request: + paths: + - '.github/workflows/build-static-node.yml' + - 'staticnode/**' + push: + branches: + - main + paths: + - '.github/workflows/build-static-node.yml' + - 'staticnode/**' + +jobs: + build: + name: Build node.js + runs-on: ${{ matrix.IMAGE.RUNNER }} + strategy: + fail-fast: false + matrix: + IMAGE: + - {RUNNER: "ubuntu-latest", MANYLINUX_ARCH: "x86_64"} + - {RUNNER: [self-hosted, Linux, ARM64], MANYLINUX_ARCH: "aarch64"} + steps: + - uses: actions/checkout@v4.1.7 + - name: Set Node.js version + run: | + source ./staticnode/node-version.sh + echo "NODE_VERSION=$NODE_VERSION" >> $GITHUB_ENV + echo "NODE_SHA256SUM=$NODE_SHA256SUM" >> $GITHUB_ENV + arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]') + echo "NODE_ARCH=$arch" >> $GITHUB_ENV + - name: Build the Docker image + run: | + echo building node.js $NODE_VERSION + docker build --tag ghcr.io/pyca/static-nodejs-$NODE_ARCH:$NODE_VERSION --build-arg VERSION=$NODE_VERSION --build-arg ARCH=$NODE_ARCH --build-arg SHA256SUM=$NODE_SHA256SUM staticnode + - name: Test static node.js on manylinux2014 + run: | + cd staticnode + docker build -f Dockerfile-test -t test-node --build-arg MANYLINUX_ARCH=${{ matrix.IMAGE.MANYLINUX_ARCH }} --build-arg CONTAINER_NAME=ghcr.io/pyca/static-nodejs-$NODE_ARCH:$NODE_VERSION . 
+ docker run test-node /staticnode/bin/node -e "console.log('hello world'); console.log(process.version)" + - name: Login to docker + run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io' + env: + DOCKER_USERNAME: ${{ github.actor }} + DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' + - name: Push image + run: docker push ghcr.io/pyca/static-nodejs-${{ env.NODE_ARCH }}:${{ env.NODE_VERSION }} + if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main' diff --git a/.github/workflows/build-windows-openssl.yml b/.github/workflows/build-windows-openssl.yml index e1552897..0eb11625 100644 --- a/.github/workflows/build-windows-openssl.yml +++ b/.github/workflows/build-windows-openssl.yml @@ -26,7 +26,7 @@ jobs: ARCH: ["win32", "win64"] name: "Build OpenSSL for ${{ matrix.ARCH }} on MSVC 2022" steps: - - uses: actions/checkout@v4.1.2 + - uses: actions/checkout@v4.1.7 - run: choco install -y nasm winrar - name: Export OpenSSL version run: | @@ -46,7 +46,7 @@ jobs: shell: cmd - run: windows\openssl\build_openssl.bat ${{ matrix.ARCH }} shell: cmd - - uses: actions/upload-artifact@v4.3.1 + - uses: actions/upload-artifact@v4.3.3 with: name: "openssl-${{ matrix.ARCH }}" path: build\ diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 2dd42eea..9e25a60f 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -13,11 +13,10 @@ on: - '.github/workflows/terraform.yml' jobs: - # Build containers for x86 terraform: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.1.2 + - uses: actions/checkout@v4.1.7 - run: terraform -chdir=terraform/ fmt -check - run: terraform -chdir=terraform/ init -backend=false # Need to have a values.yaml for validate to pass. 
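Review bot: The `if:` on the Login and Push steps accepts `schedule` and `workflow_dispatch`, but the `on:` block of this file declares only `pull_request` and `push`, so those clauses are dead; either add the triggers or shorten the condition to `github.event_name == 'push' && github.ref == 'refs/heads/main'`. The login passes the token as `-p "$DOCKER_PASSWORD"`, which docker itself warns about because it lands in the process argument list; `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin ghcr.io` avoids that. `packages: write` is granted at workflow level, so pull_request runs from this repository carry a write-capable token even though nothing in them pushes; scoping it to the push path (a separate job, or job-level `permissions`) would keep PR builds read-only. The `>> $GITHUB_ENV` redirects in the 'Set Node.js version' step should be quoted.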
diff --git a/cryptography-linux/Dockerfile b/cryptography-linux/Dockerfile
index 3e27089c..59696bd9 100644
--- a/cryptography-linux/Dockerfile
+++ b/cryptography-linux/Dockerfile
@@ -1,7 +1,8 @@
+ARG NODE_ARCH_RELEASE
 ARG PYCA_RELEASE
+FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs
 FROM quay.io/pypa/${PYCA_RELEASE}
-ARG PYCA_RELEASE
-MAINTAINER Python Cryptographic Authority
+LABEL org.opencontainers.image.authors="Python Cryptographic Authority"
 WORKDIR /root
 RUN \
 if [ $(uname -m) = "x86_64" ]; \
@@ -10,28 +11,6 @@ RUN \
 yum -y install binutils perl-IPC-Cmd && \
 yum -y clean all && \
 rm -rf /var/cache/yum; \
- elif stat /etc/debian_version 1>&2 2>/dev/null; then \
- export DEBIAN_FRONTEND=noninteractive && \
- apt-get update -qq && \
- apt-get install -qq -y --no-install-recommends prelink && \
- apt-get clean -qq && \
- rm -rf /var/lib/apt/lists/*; \
- else \
- # gcompat's latest release (as of 2024-02-04) doesn't support features we need for GH's node20 \
- # so instead we build the entire thing ourselves from source. \
- # Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable \
- # and pinned to the latest gcompat at the time this was written \
- apk add --no-cache make libucontext-dev musl-obstack-dev; \
- _ld="ld-linux-x86_64.so.2"; \
- _arch="aarch64"; \
- curl -O https://git.adelielinux.org/adelie/gcompat/-/archive/8e300a60/gcompat-ae300a60.tar.gz && \
- tar xf gcompat*.tar.gz && \
- cd gcompat* && \
- make WITH_LIBUCONTEXT=1 WITH_OBSTACK=musl-obstack LINKER_PATH="/lib/ld-musl-${_arch}.so.1" LOADER_NAME="${_ld}" install && \
- mkdir /lib64 &&\
- ln -s "/lib/${_ld}" "/lib64/${_ld}" &&\
- ln -s "/lib/${_ld}" /lib/libresolv.so.2 && \
- cd .. && rm -rf gcompat*; \
 fi; \
 fi
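Review bot: `FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs` gives `NODE_ARCH_RELEASE` neither a default nor a comment, so a plain `docker build` resolves the reference to `ghcr.io/pyca/static-nodejs-` and fails with an opaque registry error; a comment such as `# <x64|arm64>:<NODE_VERSION from staticnode/node-version.sh>, passed by build-docker-images.yml` would spare the next person a trip to the workflow. The stage keyword casing is mixed (`FROM … as`); recent BuildKit reports this as FromAsCasing, so `AS` would match the rest of the file, and the same applies to runners/alpine/Dockerfile and staticnode/Dockerfile-test in this commit. The tag is mutable, so what `COPY --from=staticnodejs` (next hunk) places under /staticnode/ is whatever is currently published at that tag; a digest-pinned reference (`…@sha256:<digest>`) would tie each runner image to an exact Node build. The `RUN` that the first hunk ends in continues past the hunk.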
@@ -44,31 +23,10 @@ RUN \
 yum -y install libffi-devel perl-IPC-Cmd && \
 yum -y clean all && \
 rm -rf /var/cache/yum; \
- elif stat /etc/debian_version 1>&2 2>/dev/null; then \
- export DEBIAN_FRONTEND=noninteractive && \
- apt-get update -qq && \
- apt-get install -qq -y --no-install-recommends libffi-dev && \
- apt-get clean -qq && \
- rm -rf /var/lib/apt/lists/*; \
- else \
- # gcompat's latest release (as of 2024-02-04) doesn't support features we need for GH's node20 \
- # so instead we build the entire thing ourselves from source. \
- # Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable \
- # and pinned to the latest gcompat at the time this was written \
- apk add --no-cache make libucontext-dev musl-obstack-dev; \
- _ld="ld-linux-aarch64.so.1"; \
- _arch="aarch64"; \
- curl -O https://git.adelielinux.org/adelie/gcompat/-/archive/8e300a60/gcompat-ae300a60.tar.gz && \
- tar xf gcompat*.tar.gz && \
- cd gcompat* && \
- make WITH_LIBUCONTEXT=1 WITH_OBSTACK=musl-obstack LINKER_PATH="/lib/ld-musl-${_arch}.so.1" LOADER_NAME="${_ld}" install && \
- mkdir /lib64 &&\
- ln -s "/lib/${_ld}" "/lib64/${_ld}" &&\
- ln -s "/lib/${_ld}" /lib/libresolv.so.2 && \
- cd .. && rm -rf gcompat*; \
 fi; \
 fi
+COPY --from=staticnodejs /out/ /staticnode/
 ADD install_openssl.sh /root/install_openssl.sh
 ADD openssl-version.sh /root/openssl-version.sh
 RUN ./install_openssl.sh
diff --git a/cryptography-linux/install_openssl.sh b/cryptography-linux/install_openssl.sh
index 109e75c6..d8d567d7 100755
--- a/cryptography-linux/install_openssl.sh
+++ b/cryptography-linux/install_openssl.sh
@@ -4,16 +4,8 @@ set -xe
 OPENSSL_URL="https://www.openssl.org/source/"
 source /root/openssl-version.sh
-function check_sha256sum {
- local fname=$1
- local sha256=$2
- echo "${sha256} ${fname}" > "${fname}.sha256"
- sha256sum -c "${fname}.sha256"
- rm "${fname}.sha256"
-}
-
-curl -#O "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
-check_sha256sum ${OPENSSL_VERSION}.tar.gz ${OPENSSL_SHA256}
+curl -#LO "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
+echo "${OPENSSL_SHA256} ${OPENSSL_VERSION}.tar.gz" | sha256sum -c -
 tar zxf ${OPENSSL_VERSION}.tar.gz
 pushd ${OPENSSL_VERSION}
 ./config $OPENSSL_BUILD_FLAGS --prefix=/opt/pyca/cryptography/openssl --openssldir=/opt/pyca/cryptography/openssl
diff --git a/runners/alpine/Dockerfile b/runners/alpine/Dockerfile
index f91737b8..a1eb870e 100644
--- a/runners/alpine/Dockerfile
+++ b/runners/alpine/Dockerfile
@@ -1,3 +1,6 @@
+ARG NODE_ARCH_RELEASE
+FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs
+
 FROM alpine:latest
 # Increment this to blow away the docker cache
@@ -10,6 +13,8 @@ ENV LANG C.UTF-8
 RUN apk add --no-cache git libffi-dev curl \
 python3-dev openssl-dev bash gcc musl-dev tar pkgconfig zstd libucontext-dev musl-obstack-dev make
+COPY --from=staticnodejs /out/ /staticnode/
+
 # Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable and pinned to the
 # latest gcompat at the time this was written
 RUN if [ $(uname -m) = "x86_64" ]; \
diff --git a/staticnode/Dockerfile b/staticnode/Dockerfile
new file mode 100644
index 00000000..52e7fda4
--- /dev/null
+++ b/staticnode/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:latest
+ARG VERSION
+# One of x64 or arm64
+ARG ARCH
+# The sha256sum for the node source tarball
+ARG SHA256SUM
+
+RUN mkdir -p /build
+WORKDIR /build
+
+RUN apk add --no-cache binutils-gold curl g++ gcc gnupg libgcc linux-headers make python3 libstdc++
+RUN mkdir -p /out/bin
+
+RUN curl -O https://nodejs.org/dist/$VERSION/node-$VERSION.tar.gz
+RUN echo "$SHA256SUM node-$VERSION.tar.gz" | sha256sum -c -
+RUN tar -zxvf node-$VERSION.tar.gz
+RUN cd node-$VERSION && ./configure --dest-cpu=$ARCH --fully-static && make -j$(nproc)
+RUN cp /build/node-$VERSION/LICENSE /out/LICENSE && cp /build/node-$VERSION/out/Release/node /out/bin/node
+
+FROM scratch
+COPY --from=0 /out/ /out
diff --git a/staticnode/Dockerfile-test b/staticnode/Dockerfile-test
new file mode 100644
index 00000000..d1d3dcc1
--- /dev/null
+++ b/staticnode/Dockerfile-test
@@ -0,0 +1,6 @@
+ARG MANYLINUX_ARCH
+ARG CONTAINER_NAME
+FROM ${CONTAINER_NAME} as staticnodejs
+FROM quay.io/pypa/manylinux2014_${MANYLINUX_ARCH}
+
+COPY --from=staticnodejs /out /staticnode/
diff --git a/staticnode/node-version.sh b/staticnode/node-version.sh
new file mode 100644
index 00000000..1a433609
--- /dev/null
+++ b/staticnode/node-version.sh
@@ -0,0 +1,2 @@
+export NODE_VERSION="v20.13.1"
+export NODE_SHA256SUM="a85ee53aa0a5c2f5ca94fa414cdbceb91eb7d18a77fc498358512c14cc6c6991"
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 262fead6..bf62815a 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
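Review bot: `COPY --from=0` in the final stage refers to the build stage by position; naming it (`FROM alpine:latest AS build` and `COPY --from=build /out/ /out`) keeps the copy pointing at the right stage if one is ever inserted above it. `FROM alpine:latest` also means the compiler, linker and musl that end up inside the `--fully-static` binary change with every Alpine release even though `VERSION` and `SHA256SUM` are pinned in node-version.sh; pinning an Alpine release tag (or a digest) would make the image reproducible from its declared inputs. `gnupg` is installed but nothing in the file uses it — either drop it from the `apk add` line or use it to verify nodejs.org's SHASUMS256.txt.sig in addition to the pinned hash, and say which in a comment.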
@@ -58,24 +58,24 @@ provider "registry.terraform.io/hashicorp/local" { } provider "registry.terraform.io/oracle/oci" { - version = "5.36.0" + version = "5.46.0" constraints = ">= 4.67.3" hashes = [ - "h1:UAh0wGPAa8p/A8YQ/UUcFpkwdtj7AGE/WZyqQfQqwig=", - "zh:1fe8a3fc210bae48658c703dd8aa458f794aab983dca1d591f9158e12e2dd5a2", - "zh:2d2bc52560cd87403f4ab287c0cc1577e3735028d1028a54830113b8537c36f4", - "zh:4783b0db1ad0882abf4637e30db3cfbd69a23d72355fe1fe5c580606b9c67ea5", - "zh:48e07c4a8c085b68f5cdaaeef218578dc3e4ede068542e0aef16a5eaa6a37cd5", - "zh:61a4cb9a0d7f0e02abe5049cc0a47167371b1391a0b94e5f21a99b80cd0a9bcc", - "zh:6a2206590a8aad7b091a496f80aee84e1da682ead2f3e98e79f895d0dc75e328", - "zh:83bb26f43377ec0bc12d74046e857d40696567defb43927e30a108c81126d4a9", - "zh:914d03e361a49fd296bafa7e10b0c228a5fb5e4f374078670f656166e8026700", - "zh:9749c9638c520e341726f981884d70f81025e368cb150a9b7cde7dc3f1f9c22b", + "h1:YnxOoKaBVUxvyEAcRrc8/amNglrtGTzxeTDmzm3R+LY=", + "zh:0dac7eba4d556d209627d11e2af6ae564a579617b548f411b5282952632d6820", + "zh:1b2d3e2282de8252ed6c017fc693c65747a0bf078b01423d6455df4723f5db60", + "zh:27763b8525aa2561adfb7c10f879e06fed71b4862f0f4d19086a0e22c05d6b49", + "zh:30cb5dca2edbfe4d31a73004ef049bde4b9f91ea85fdc188fc12f8e660563a45", + "zh:33b46e57b2d5a81e9bca7b6c7cd1a56dd0dc90f47f0624834e7eb1092a19a2d4", + "zh:3944bb473e7ed85fd08f6d47d65b5796f0da7714b51748c3e1c4854e9bc328a5", + "zh:3f2a950cd9604b00f03fb5ecdf0597b682fb9928a05e58d55c59c4b044824ba2", + "zh:47c85fc844dc0d685d5f3e513494ada8d785bb94188faad2ae00124ef10b319c", + "zh:5fc8235fb0be1192cfbd22b2cd14d20037b6611c3e783b9881ba3810befff805", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9ceb0432160c11143e2556170f11c093ebbb088c2161a99eea105f6cb0c7e26a", - "zh:b7289a754153995187c887012f35c010bb8b23aed14bd5806c43ecc51602e266", - "zh:c5e81ed93f94361d8edc528250353f51e842e16ea1731d98919349b7bb30bd27", - "zh:e38b7a6d0b10fd01d6234c7e2c3f7595df791ea96c1f57ee24294f8758ee8fa6", - 
"zh:e3b6dbf42223d9f87f12345f74996932c56ae941fa4186ae7f7a1f3695284b4f", + "zh:ac6537a460a506b6e09a7c90b1e26020fea4f621acc340a45286c9259a1e8a6f", + "zh:b4e4bc61eca8b7ee631976d40a506d67c4036c5ba63e74e2e19a28de57a13f77", + "zh:f0d67a9b83ad23b8083a9be648522b4e2f76fe302c782a0f5ece740e27111fb1", + "zh:f1daa463d29a83b97b51fa43e128abfae86613bedd4e214f085646c7702f8ee6", + "zh:fbc09b3f713baf0f0525a70dcabd774b05f494ad9773870bcf6fe104c46feb92", ] }