

Merge branch 'main' into alex-patch-1
alex authored Jun 17, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
2 parents 0c89da3 + 03a8016 commit 1369d40
Showing 12 changed files with 127 additions and 85 deletions.
11 changes: 8 additions & 3 deletions .github/workflows/build-docker-images.yml
@@ -46,6 +46,7 @@ jobs:

- {TAG_NAME: "cryptography-runner-ubuntu-focal", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=focal", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-jammy", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=jammy", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-noble", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=noble", RUNNER: "ubuntu-latest"}
- {TAG_NAME: "cryptography-runner-ubuntu-rolling", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=rolling", RUNNER: "ubuntu-latest"}

- {TAG_NAME: "cryptography-manylinux2014:x86_64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=manylinux2014_x86_64", RUNNER: "ubuntu-latest"}
@@ -57,20 +58,24 @@ jobs:
- {TAG_NAME: "cryptography-manylinux_2_28:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=manylinux_2_28_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-musllinux_1_1:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=musllinux_1_1_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-musllinux_1_2:aarch64", DOCKERFILE_PATH: "cryptography-linux", BUILD_ARGS: "--build-arg PYCA_RELEASE=musllinux_1_2_aarch64", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-runner-ubuntu-jammy:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=jammy", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-runner-ubuntu-rolling:aarch64", DOCKERFILE_PATH: "runners/ubuntu", BUILD_ARGS: "--build-arg RELEASE=rolling", RUNNER: [self-hosted, Linux, ARM64]}
- {TAG_NAME: "cryptography-runner-alpine:aarch64", DOCKERFILE_PATH: "runners/alpine", RUNNER: [self-hosted, Linux, ARM64]}

name: "${{ matrix.IMAGE.TAG_NAME }}"
steps:
- uses: actions/[email protected]
- uses: actions/[email protected]
- run: |
source ./staticnode/node-version.sh
arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
echo "NODE_ARCH_RELEASE=$arch:$NODE_VERSION" >> $GITHUB_ENV
# Pull the previous image, but if it fails return true anyway.
# Sometimes we add new docker images and if they've never been pushed
# they can't be pulled.
- name: Pull existing image
run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
- name: Build image
run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }}
run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }} --build-arg NODE_ARCH_RELEASE=${{ env.NODE_ARCH_RELEASE }}
- name: Login to docker
run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io'
env:
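Review bot: The image reference assembled in `echo "NODE_ARCH_RELEASE=$arch:$NODE_VERSION" >> $GITHUB_ENV` resolves to a mutable tag (`static-nodejs-<arch>:<version>`) that the `docker build --pull` on the next step re-fetches every run, so anyone with write access to that package can replace the Node binary baked into every runner image without a change landing in this repository. Consider having build-static-node.yml publish the pushed image digest and pinning on it (`@sha256:...`), or at least documenting next to `NODE_ARCH_RELEASE` that the tag is trusted by construction. Minor: give the new step a `name:` like its neighbours and quote the redirection target, `>> "$GITHUB_ENV"`, so a space in the path cannot split the command.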
12 changes: 6 additions & 6 deletions .github/workflows/build-macos-openssl.yml
@@ -32,11 +32,11 @@ jobs:
OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
name: "Build OpenSSL for macOS (${{ matrix.ARCH.NAME }})"
steps:
- uses: actions/[email protected].2
- uses: actions/[email protected].7
- name: Download OpenSSL
run: |
source ./cryptography-linux/openssl-version.sh
curl -o openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz
curl -Lo openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz
shasum -a 256 -c <<< "$OPENSSL_SHA256 *openssl.tar.gz"
- name: Extract OpenSSL
run: |
@@ -61,7 +61,7 @@ jobs:
env:
CFLAGS: ${{ matrix.ARCH.CFLAGS }}

- uses: actions/[email protected].1
- uses: actions/[email protected].3
with:
name: "openssl-macos-${{ matrix.ARCH.ARTIFACT_NAME }}"
path: artifact/
@@ -71,11 +71,11 @@ jobs:
name: "Build OpenSSL for macOS universal2"
needs: [ build ]
steps:
- uses: actions/[email protected].4
- uses: actions/[email protected].7
with:
name: openssl-macos-x86-64
path: x86-64
- uses: actions/[email protected].4
- uses: actions/[email protected].7
with:
name: openssl-macos-arm64
path: arm64
@@ -88,7 +88,7 @@ jobs:
cp -r ../x86-64/lib/pkgconfig lib/
lipo -create -output lib/libssl.a ../x86-64/lib/libssl.a ../arm64/lib/libssl.a
lipo -create -output lib/libcrypto.a ../x86-64/lib/libcrypto.a ../arm64/lib/libcrypto.a
- uses: actions/[email protected].1
- uses: actions/[email protected].3
with:
name: "openssl-macos-universal2"
path: artifact/
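Review bot: `curl -Lo openssl.tar.gz https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz` now follows redirects, but nothing restricts the redirect target's scheme, and without `-f` an HTTP error body is written to `openssl.tar.gz` and only surfaces as a checksum mismatch on the `shasum -a 256 -c` line. `curl -fLo openssl.tar.gz --proto '=https' --tlsv1.2 https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz` keeps the download on TLS and reports a 404 as a download failure; the checksum still gates integrity either way. The action bumps are version-tag pins (`actions/[email protected]`); pinning release-build workflows to the full commit SHA with the tag in a trailing comment is the usual hardening, though that convention predates this commit.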
54 changes: 54 additions & 0 deletions .github/workflows/build-static-node.yml
@@ -0,0 +1,54 @@
name: Build Static Node.js Container
permissions:
contents: read
packages: write

on:
pull_request:
paths:
- '.github/workflows/build-static-node.yml'
- 'staticnode/**'
push:
branches:
- main
paths:
- '.github/workflows/build-static-node.yml'
- 'staticnode/**'

jobs:
build:
name: Build node.js
runs-on: ${{ matrix.IMAGE.RUNNER }}
strategy:
fail-fast: false
matrix:
IMAGE:
- {RUNNER: "ubuntu-latest", MANYLINUX_ARCH: "x86_64"}
- {RUNNER: [self-hosted, Linux, ARM64], MANYLINUX_ARCH: "aarch64"}
steps:
- uses: actions/[email protected]
- name: Set Node.js version
run: |
source ./staticnode/node-version.sh
echo "NODE_VERSION=$NODE_VERSION" >> $GITHUB_ENV
echo "NODE_SHA256SUM=$NODE_SHA256SUM" >> $GITHUB_ENV
arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
echo "NODE_ARCH=$arch" >> $GITHUB_ENV
- name: Build the Docker image
run: |
echo building node.js $NODE_VERSION
docker build --tag ghcr.io/pyca/static-nodejs-$NODE_ARCH:$NODE_VERSION --build-arg VERSION=$NODE_VERSION --build-arg ARCH=$NODE_ARCH --build-arg SHA256SUM=$NODE_SHA256SUM staticnode
- name: Test static node.js on manylinux2014
run: |
cd staticnode
docker build -f Dockerfile-test -t test-node --build-arg MANYLINUX_ARCH=${{ matrix.IMAGE.MANYLINUX_ARCH }} --build-arg CONTAINER_NAME=ghcr.io/pyca/static-nodejs-$NODE_ARCH:$NODE_VERSION .
docker run test-node /staticnode/bin/node -e "console.log('hello world'); console.log(process.version)"
- name: Login to docker
run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io'
env:
DOCKER_USERNAME: ${{ github.actor }}
DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
- name: Push image
run: docker push ghcr.io/pyca/static-nodejs-${{ env.NODE_ARCH }}:${{ env.NODE_VERSION }}
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
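Review bot: `docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io` passes the `GITHUB_TOKEN` as a command-line argument, where it is visible in the runner's process list (Docker itself warns about this); `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin ghcr.io` avoids that, and the same pattern is copied from build-docker-images.yml. The `if:` guards on the login and push steps test for `schedule` and `workflow_dispatch`, but `on:` declares only `pull_request` and `push`, so those clauses are dead — drop them or add the triggers so the intent is clear. `permissions: packages: write` is granted to the whole workflow, including `pull_request` runs that never push; scoping write to the job, or keeping the default read and granting write only where the push happens, narrows what a compromised step on a PR build can do with the token.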
4 changes: 2 additions & 2 deletions .github/workflows/build-windows-openssl.yml
@@ -26,7 +26,7 @@ jobs:
ARCH: ["win32", "win64"]
name: "Build OpenSSL for ${{ matrix.ARCH }} on MSVC 2022"
steps:
- uses: actions/[email protected].2
- uses: actions/[email protected].7
- run: choco install -y nasm winrar
- name: Export OpenSSL version
run: |
@@ -46,7 +46,7 @@ jobs:
shell: cmd
- run: windows\openssl\build_openssl.bat ${{ matrix.ARCH }}
shell: cmd
- uses: actions/[email protected].1
- uses: actions/[email protected].3
with:
name: "openssl-${{ matrix.ARCH }}"
path: build\
3 changes: 1 addition & 2 deletions .github/workflows/terraform.yml
@@ -13,11 +13,10 @@ on:
- '.github/workflows/terraform.yml'

jobs:
# Build containers for x86
terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected].2
- uses: actions/[email protected].7
- run: terraform -chdir=terraform/ fmt -check
- run: terraform -chdir=terraform/ init -backend=false
# Need to have a values.yaml for validate to pass.
50 changes: 4 additions & 46 deletions cryptography-linux/Dockerfile
@@ -1,7 +1,8 @@
ARG NODE_ARCH_RELEASE
ARG PYCA_RELEASE
FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs
FROM quay.io/pypa/${PYCA_RELEASE}
ARG PYCA_RELEASE
MAINTAINER Python Cryptographic Authority
LABEL org.opencontainers.image.authors="Python Cryptographic Authority"
WORKDIR /root
RUN \
if [ $(uname -m) = "x86_64" ]; \
@@ -10,28 +11,6 @@ RUN \
yum -y install binutils perl-IPC-Cmd && \
yum -y clean all && \
rm -rf /var/cache/yum; \
elif stat /etc/debian_version 1>&2 2>/dev/null; then \
export DEBIAN_FRONTEND=noninteractive && \
apt-get update -qq && \
apt-get install -qq -y --no-install-recommends prelink && \
apt-get clean -qq && \
rm -rf /var/lib/apt/lists/*; \
else \
# gcompat's latest release (as of 2024-02-04) doesn't support features we need for GH's node20 \
# so instead we build the entire thing ourselves from source. \
# Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable \
# and pinned to the latest gcompat at the time this was written \
apk add --no-cache make libucontext-dev musl-obstack-dev; \
_ld="ld-linux-x86_64.so.2"; \
_arch="aarch64"; \
curl -O https://git.adelielinux.org/adelie/gcompat/-/archive/8e300a60/gcompat-ae300a60.tar.gz && \
tar xf gcompat*.tar.gz && \
cd gcompat* && \
make WITH_LIBUCONTEXT=1 WITH_OBSTACK=musl-obstack LINKER_PATH="/lib/ld-musl-${_arch}.so.1" LOADER_NAME="${_ld}" install && \
mkdir /lib64 &&\
ln -s "/lib/${_ld}" "/lib64/${_ld}" &&\
ln -s "/lib/${_ld}" /lib/libresolv.so.2 && \
cd .. && rm -rf gcompat*; \
fi; \
fi

@@ -44,31 +23,10 @@ RUN \
yum -y install libffi-devel perl-IPC-Cmd && \
yum -y clean all && \
rm -rf /var/cache/yum; \
elif stat /etc/debian_version 1>&2 2>/dev/null; then \
export DEBIAN_FRONTEND=noninteractive && \
apt-get update -qq && \
apt-get install -qq -y --no-install-recommends libffi-dev && \
apt-get clean -qq && \
rm -rf /var/lib/apt/lists/*; \
else \
# gcompat's latest release (as of 2024-02-04) doesn't support features we need for GH's node20 \
# so instead we build the entire thing ourselves from source. \
# Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable \
# and pinned to the latest gcompat at the time this was written \
apk add --no-cache make libucontext-dev musl-obstack-dev; \
_ld="ld-linux-aarch64.so.1"; \
_arch="aarch64"; \
curl -O https://git.adelielinux.org/adelie/gcompat/-/archive/8e300a60/gcompat-ae300a60.tar.gz && \
tar xf gcompat*.tar.gz && \
cd gcompat* && \
make WITH_LIBUCONTEXT=1 WITH_OBSTACK=musl-obstack LINKER_PATH="/lib/ld-musl-${_arch}.so.1" LOADER_NAME="${_ld}" install && \
mkdir /lib64 &&\
ln -s "/lib/${_ld}" "/lib64/${_ld}" &&\
ln -s "/lib/${_ld}" /lib/libresolv.so.2 && \
cd .. && rm -rf gcompat*; \
fi; \
fi

COPY --from=staticnodejs /out/ /staticnode/
ADD install_openssl.sh /root/install_openssl.sh
ADD openssl-version.sh /root/openssl-version.sh
RUN ./install_openssl.sh
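Review bot: `FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs` pulls the Node binary by a mutable tag, and `ARG NODE_ARCH_RELEASE` has no default, so a plain `docker build` of this file without `--build-arg NODE_ARCH_RELEASE=...` fails on an empty image name with an unhelpful error. A comment above the ARG such as `# <runner arch>:<node version>, e.g. x64:v20.13.1 — image produced by .github/workflows/build-static-node.yml` documents the expected form, and pinning the stage with `@sha256:<digest>` (or checking the digest the build workflow recorded) would make the manylinux/musllinux images reproducible instead of dependent on whatever the tag pointed at when `--pull` ran. The two `RUN` blocks whose debian and gcompat branches were removed begin before their hunks, so the remaining `if`/`fi` structure should be read in the full file.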
12 changes: 2 additions & 10 deletions cryptography-linux/install_openssl.sh
@@ -4,16 +4,8 @@ set -xe
OPENSSL_URL="https://www.openssl.org/source/"
source /root/openssl-version.sh

function check_sha256sum {
local fname=$1
local sha256=$2
echo "${sha256} ${fname}" > "${fname}.sha256"
sha256sum -c "${fname}.sha256"
rm "${fname}.sha256"
}

curl -#O "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
check_sha256sum ${OPENSSL_VERSION}.tar.gz ${OPENSSL_SHA256}
curl -#LO "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
echo "${OPENSSL_SHA256} ${OPENSSL_VERSION}.tar.gz" | sha256sum -c -
tar zxf ${OPENSSL_VERSION}.tar.gz
pushd ${OPENSSL_VERSION}
./config $OPENSSL_BUILD_FLAGS --prefix=/opt/pyca/cryptography/openssl --openssldir=/opt/pyca/cryptography/openssl
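Review bot: `curl -#LO "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"` follows redirects with no scheme restriction and, without `-f`, saves an error page that only fails later at `sha256sum -c`; `curl -#fLO --proto '=https' --tlsv1.2 "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"` keeps the fetch on TLS and fails on HTTP errors with a clear message. The inline `echo "${OPENSSL_SHA256} ${OPENSSL_VERSION}.tar.gz" | sha256sum -c -` is a sound replacement for the removed helper and `set -xe` (shown in the hunk header) aborts on mismatch; a comment such as `# integrity gate: the pinned sha256 from openssl-version.sh must match the tarball` would make its role explicit. `OPENSSL_URL` already ends in `/` and the path adds another, yielding `source//`; harmless, but worth trimming.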
5 changes: 5 additions & 0 deletions runners/alpine/Dockerfile
@@ -1,3 +1,6 @@
ARG NODE_ARCH_RELEASE
FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs

FROM alpine:latest

# Increment this to blow away the docker cache
@@ -10,6 +13,8 @@ ENV LANG C.UTF-8
RUN apk add --no-cache git libffi-dev curl \
python3-dev openssl-dev bash gcc musl-dev tar pkgconfig zstd libucontext-dev musl-obstack-dev make

COPY --from=staticnodejs /out/ /staticnode/

# Derived from https://git.alpinelinux.org/aports/tree/community/gcompat/APKBUILD?h=3.18-stable and pinned to the
# latest gcompat at the time this was written
RUN if [ $(uname -m) = "x86_64" ]; \
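Review bot: The new `FROM ghcr.io/pyca/static-nodejs-${NODE_ARCH_RELEASE} as staticnodejs` stage and the existing `FROM alpine:latest` are both unpinned, mutable references, so two builds of this runner image from the same commit can differ; pinning Alpine to a release tag (ideally a digest) and the Node image to a digest recorded by build-static-node.yml makes the image reproducible and auditable. `ARG NODE_ARCH_RELEASE` has no default; a comment giving the expected `x64:v20.13.1` form saves the next person a failed build. The gcompat build that follows `COPY --from=staticnodejs /out/ /staticnode/` is kept; if the statically linked Node was its only consumer it may now be redundant, but that depends on the runner's other binaries, which this file does not show.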
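--- /dev/null
+++ b/staticnode/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:latest
+ARG VERSION
+# One of x64 or arm64
+ARG ARCH
+# The sha256sum for the node source tarball
+ARG SHA256SUM
+
+RUN mkdir -p /build
+WORKDIR /build
+
+RUN apk add --no-cache binutils-gold curl g++ gcc gnupg libgcc linux-headers make python3 libstdc++
+RUN mkdir -p /out/bin
+
+RUN curl -O https://nodejs.org/dist/$VERSION/node-$VERSION.tar.gz
+RUN echo "$SHA256SUM node-$VERSION.tar.gz" | sha256sum -c -
+RUN tar -zxvf node-$VERSION.tar.gz
+RUN cd node-$VERSION && ./configure --dest-cpu=$ARCH --fully-static && make -j$(nproc)
+RUN cp /build/node-$VERSION/LICENSE /out/LICENSE && cp /build/node-$VERSION/out/Release/node /out/bin/node
+
+FROM scratch
+COPY --from=0 /out/ /out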
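Review bot: `gnupg` is installed in the `apk add` line but nothing in the file uses it, while the tarball fetched by `curl -O https://nodejs.org/dist/$VERSION/node-$VERSION.tar.gz` is verified only against a checksum supplied as a build arg. Either verify the release's signed `SHASUMS256.txt` with the Node release keys (which is what `gnupg` would be for) or drop the package so the toolchain image stays minimal. `curl -fO --proto '=https'` makes an HTTP error fail the step itself instead of surfacing as a checksum mismatch on the next line. `FROM alpine:latest` and `COPY --from=0` would rebuild more predictably and read better as a pinned release tag and a named stage (`FROM alpine:<release> AS build` … `COPY --from=build /out/ /out`).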
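--- /dev/null
+++ b/staticnode/Dockerfile-test
@@ -0,0 +1,6 @@
+ARG MANYLINUX_ARCH
+ARG CONTAINER_NAME
+FROM ${CONTAINER_NAME} as staticnodejs
+FROM quay.io/pypa/manylinux2014_${MANYLINUX_ARCH}
+
+COPY --from=staticnodejs /out /staticnode/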
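--- /dev/null
+++ b/staticnode/node-version.sh
@@ -0,0 +1,2 @@
+export NODE_VERSION="v20.13.1"
+export NODE_SHA256SUM="a85ee53aa0a5c2f5ca94fa414cdbceb91eb7d18a77fc498358512c14cc6c6991"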
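Review bot: `NODE_SHA256SUM` carries no note of where it came from, so the reviewer of the next bump has nothing to check it against. A comment above it such as `# sha256 of node-$NODE_VERSION.tar.gz, taken from https://nodejs.org/dist/$NODE_VERSION/SHASUMS256.txt; update together with NODE_VERSION` records the provenance and the coupling between the two values. Both build-static-node.yml and build-docker-images.yml source this file, so after a bump the static-node image must be built and pushed before the runner images that consume it.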
32 changes: 16 additions & 16 deletions terraform/.terraform.lock.hcl

