Dockerfile: prepare for updating through renovate

grafana · Jul 12, 2024 · e9b2d1c · e9b2d1c
1 parent f34597b
commit e9b2d1c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -35,8 +35,9 @@
       "customType": "regex",
       "fileMatch": [ "Dockerfile" ],
       "matchStrings": [
-        // Lines that loosely look like "apk add something=version #repo=community".
-        "apk.+add.* (?<depName>[a-z0-9-]+?)=(?<currentValue>[a-z0-9-.]+)(.+#repo=(?<alpineRepo>[a-z]+))"
+        // Lines that loosely look like "apk add --repository community something=version".
+        // To keep this regex simple, only one package per "apk add" is supported.
+        "apk .*add .*(--repository|-X)[= ](?<alpineRepo>[a-z]+)\\s+(?<depName>[a-z0-9-]+?)=(?<currentValue>[a-z0-9-.]+)"
       ],
       "versioningTemplate": "loose", // The most lenient versioning renovate supports.
       // We use two different datasources for main and community, as alpine serves them in different URLs.

diff --git a/Dockerfile b/Dockerfile
@@ -26,9 +26,11 @@ FROM alpine:3.20.0
 
 RUN adduser --home / --uid 6666 --shell /bin/nologin --disabled-password k6
 
-# Tini reaps leftover processes.
-RUN apk --no-cache add tini
-RUN apk --no-cache add chromium-swiftshader
+# Renovate updates the pinned packages below.
+# The --repository arg is required for renovate to know which alpine repo it should look for updates in.
+# To keep the renovate regex simple, only keep one package installation per line.
+RUN apk --no-cache add --repository community tini=0.19.0-r3 && \
+  apk --no-cache add --repository community chromium-swiftshader=126.0.6478.126-r1
 
 # As we rely on file capabilities, we cannot set `allowPrivilegeEscalation: false` in k8s. As a workaround, and to lower
 # potential attack surface, we get rid of any file that has the setuid bit set, such as