From e9b2d1c2a969ee894a106f3d266bd0f403072a12 Mon Sep 17 00:00:00 2001
From: Ro Santalla
Date: Fri, 12 Jul 2024 13:46:30 +0200
Subject: [PATCH] Dockerfile: prepare for updating through renovate
---
 .github/renovate.json5 | 5 +++--
 Dockerfile | 8 +++++---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 79e9b72..3941a9b 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -35,8 +35,9 @@
 "customType": "regex",
 "fileMatch": [ "Dockerfile" ],
 "matchStrings": [
- // Lines that loosely look like "apk add something=version #repo=community".
- "apk.+add.* (?[a-z0-9-]+?)=(?[a-z0-9-.]+)(.+#repo=(?[a-z]+))"
+ // Lines that loosely look like "apk add --repository community something=version".
+ // To keep this regex simple, only one package per "apk add" is supported.
+ "apk .*add .*(--repository|-X)[= ](?[a-z]+)\\s+(?[a-z0-9-]+?)=(?[a-z0-9-.]+)"
 ],
 "versioningTemplate": "loose", // The most lenient versioning renovate supports.
 // We use two different datasources for main and community, as alpine serves them in different URLs.
diff --git a/Dockerfile b/Dockerfile
index def5140..476cf03 100644
--- a/Dockerfile
+++ b/Dockerfile
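Review bot: The new matchString (`+ "apk .*add .*(--repository|-X)[= ]…"`) is unanchored and its two `.*` are greedy, so a line that chains two installs (`apk add --repository community a=1 && apk add --repository community b=2`) still matches but yields only `b=2` — `a=1` silently stays pinned forever, which is the stale-dependency case this manager exists to prevent, and the "one package per apk add" comment does not guard against it. Replacing the two wildcards with `[^&]*` (`"apk [^&]*add [^&]*(--repository|-X)[= ]…"`) lets each `&&`-chained install match on its own while keeping the pattern simple; a second package inside one `apk add` would still be ignored, so the comment should say "first package only" rather than "supported". As printed here the capture groups carry no names (`(?[a-z]+)`), which is not valid regex; this is presumably a rendering artifact of the `?<…>` syntax, but it is worth confirming the committed pattern still names the groups renovate reads (`depName`, `currentValue`, and the repo group the datasource templates refer to). Since the regex now requires a `--repository`/`-X` token, any future `apk add` pin written without it quietly drops out of renovate's view — a short comment stating that lines without the flag are not tracked would help the next person editing the Dockerfile.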
@@ -26,9 +26,11 @@ FROM alpine:3.20.0
 RUN adduser --home / --uid 6666 --shell /bin/nologin --disabled-password k6
-# Tini reaps leftover processes.
-RUN apk --no-cache add tini
-RUN apk --no-cache add chromium-swiftshader
+# Renovate updates the pinned packages below.
+# The --repository arg is required for renovate to know which alpine repo it should look for updates in.
+# To keep the renovate regex simple, only keep one package installation per line.
+RUN apk --no-cache add --repository community tini=0.19.0-r3 && \
+ apk --no-cache add --repository community chromium-swiftshader=126.0.6478.126-r1
 # As we rely on file capabilities, we cannot set `allowPrivilegeEscalation: false` in k8s. As a workaround, and to lower
 # potential attack surface, we get rid of any file that has the setuid bit set, such as