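# Base "updater-core" image for dependabot-core: OS packages, the non-root
# `dependabot` user, Ruby, Bundler and the updater's gem bundle. Per-ecosystem
# images are built on top of it (see the empty lib stubs created further down).
#
# NOTE(review): the tag is pinned but not the digest; `ubuntu:22.04@sha256:<digest>`
# would make rebuilds fully reproducible.
FROM ubuntu:22.04

LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"

# pipefail: a failing producer in a pipeline inside RUN fails the build instead of
# being masked by the last command's exit status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# DEBIAN_FRONTEND stays in the runtime env rather than being build-time only;
# presumably derived images rely on it for their own apt-get steps — confirm
# before narrowing it to an ARG.
ENV DEBIAN_FRONTEND="noninteractive" \
    LC_ALL="en_US.UTF-8" \
    LANG="en_US.UTF-8"

# NOTE(review): `apt-get upgrade` is flagged by hadolint DL3005 (the usual
# alternative is bumping the base tag/digest); kept as-is.
RUN apt-get update \
  && apt-get upgrade -y \
  && apt-get install -y --no-install-recommends \
    # dev dependencies for CI
    build-essential \
    curl \
    zlib1g-dev \
    libgmp-dev \
    unzip \
    # VCS section
    git \
    git-lfs \
    bzr \
    mercurial \
    # needed to sign commits
    gnupg2 \
    # Installs certs in dependabot-action and CLI
    ca-certificates \
    # used to check if a file is binary in the VendorUpdater
    file \
    # used by Ruby to parse YAML
    libyaml-dev \
    locales \
  && locale-gen en_US.UTF-8 \
  && rm -rf /var/lib/apt/lists/*

# Stable numeric ids so runtimes that verify runAsNonRoot (and bind-mounted
# workspaces) see a predictable uid/gid; overridable at build time.
ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Create the `dependabot` user/group. If the gid is already taken, rename the
# existing group instead of failing. /opt is handed to the user because native
# helpers are installed there (DEPENDABOT_NATIVE_HELPERS_PATH below).
# /etc/ssl/certs is made group-writable so the non-root user can install
# additional CA certificates (see the ca-certificates comment above); note this
# means the unprivileged user can add trust anchors for the whole image.
RUN if ! getent group "$USER_GID"; then groupadd --gid "$USER_GID" dependabot ; \
    else GROUP_NAME=$(getent group $USER_GID | awk -F':' '{print $1}'); groupmod -n dependabot "$GROUP_NAME" ; fi \
  && useradd --uid "${USER_UID}" --gid "${USER_GID}" -m dependabot \
  && mkdir -p /opt && chown dependabot:dependabot /opt && chgrp dependabot /etc/ssl/certs && chmod g+w /etc/ssl/certs

# Everything below runs as the unprivileged user until the final `USER root`.
USER dependabot
ENV DEPENDABOT_HOME="/home/dependabot"
WORKDIR $DEPENDABOT_HOME

# For users to determine if dependabot is running
ENV DEPENDABOT=true

# Disable automatic pulling of files stored with Git LFS
# This avoids downloading large files not necessary for the dependabot scripts
ENV GIT_LFS_SKIP_SMUDGE=1

# Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
# The release asset is linux-amd64 only, so this image is effectively amd64-only.
ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
# -f: an HTTP error fails the build instead of saving an error page that tar then
#     rejects with a confusing message; -S: still print the curl error under -s.
# TODO(review): the release is version-pinned but not checksum-verified; consider
# `ADD --checksum=sha256:...` or a sha256sum check against a value kept in-repo.
RUN curl -fsSL "$SHIM" -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz

# Copy only the Gemfiles/gemspecs first so the `bundle install` layer below is
# cached until a dependency manifest changes, not on every source change.
COPY --chown=dependabot:dependabot omnibus omnibus
COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
COPY --chown=dependabot:dependabot common/Gemfile common/dependabot-common.gemspec common/
COPY --chown=dependabot:dependabot common/lib/dependabot.rb common/lib/dependabot.rb
COPY --chown=dependabot:dependabot bundler/Gemfile bundler/dependabot-bundler.gemspec bundler/
COPY --chown=dependabot:dependabot cargo/Gemfile cargo/dependabot-cargo.gemspec cargo/
COPY --chown=dependabot:dependabot composer/Gemfile composer/dependabot-composer.gemspec composer/
COPY --chown=dependabot:dependabot docker/Gemfile docker/dependabot-docker.gemspec docker/
COPY --chown=dependabot:dependabot elm/Gemfile elm/dependabot-elm.gemspec elm/
COPY --chown=dependabot:dependabot git_submodules/Gemfile git_submodules/dependabot-git_submodules.gemspec git_submodules/
COPY --chown=dependabot:dependabot github_actions/Gemfile github_actions/dependabot-github_actions.gemspec github_actions/
COPY --chown=dependabot:dependabot go_modules/Gemfile go_modules/dependabot-go_modules.gemspec go_modules/
COPY --chown=dependabot:dependabot gradle/Gemfile gradle/dependabot-gradle.gemspec gradle/
COPY --chown=dependabot:dependabot hex/Gemfile hex/dependabot-hex.gemspec hex/
COPY --chown=dependabot:dependabot maven/Gemfile maven/dependabot-maven.gemspec maven/
COPY --chown=dependabot:dependabot npm_and_yarn/Gemfile npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
COPY --chown=dependabot:dependabot nuget/Gemfile nuget/dependabot-nuget.gemspec nuget/
COPY --chown=dependabot:dependabot pub/Gemfile pub/dependabot-pub.gemspec pub/
COPY --chown=dependabot:dependabot python/Gemfile python/dependabot-python.gemspec python/
COPY --chown=dependabot:dependabot swift/Gemfile swift/dependabot-swift.gemspec swift/
COPY --chown=dependabot:dependabot terraform/Gemfile terraform/dependabot-terraform.gemspec terraform/

# prevent having all the source in every ecosystem image
# (each gemspec needs its lib entry file to exist; an empty stub satisfies that)
RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler swift; do \
    mkdir -p $ecosystem/lib/dependabot; \
    touch $ecosystem/lib/dependabot/$ecosystem.rb; \
  done

WORKDIR $DEPENDABOT_HOME/dependabot-updater

# Install Ruby from official Docker image
# When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
# NOTE(review): /usr/local is copied from a Debian bookworm image into an Ubuntu 22.04
# base; the shared-library ABI evidently matches today, but re-check when either side is bumped.
COPY --from=ruby:3.1.4-bookworm --chown=dependabot:dependabot /usr/local /usr/local

# When bumping Bundler, need to also regenerate `updater/Gemfile.lock` via `bundle update --lock --bundler`
# Generally simplest to match the bundler version to the one that comes by default with whatever Ruby version we install.
# This way other projects that import this library don't have to futz around with installing new / unexpected bundler versions.
ARG BUNDLER_V2_VERSION=2.4.17

# We had to explicitly bump this as the bundled version `0.2.2` in ubuntu 22.04 has a bug.
# Once Ubuntu base image pulls in a new enough yaml version, we may not need to
# explicitly manage this. However, if we do opt to pull it back out, see all changes
# required in https://github.com/dependabot/dependabot-core/pull/7112
ARG LIBYAML_VERSION=0.2.5
# -fsSL as for the git shim above: fail loudly on HTTP errors. Like the shim, the
# tarball is version-pinned but not checksum-verified (TODO(review)).
RUN curl -fsSL https://pyyaml.org/download/libyaml/yaml-$LIBYAML_VERSION.tar.gz -o libyaml.tar.gz && \
    mkdir -p $DEPENDABOT_HOME/src/libyaml && \
    tar -xvf libyaml.tar.gz -C $DEPENDABOT_HOME/src/libyaml && \
    rm libyaml.tar.gz

# Pin Bundler, point psych at the libyaml source unpacked above, then install the
# updater's bundle into ./vendor with the lockfile frozen and dev gems excluded.
# Gem and bundle caches are removed in the same layer so they do not bloat the image.
RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
    rm -rf /var/lib/gems/*/cache/* && \
    bundle config set --global build.psych --with-libyaml-source-dir=$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION && \
    bundle config set --local path 'vendor' && \
    bundle config set --local frozen 'true' && \
    bundle config set --local without 'development' && \
    bundle install && \
    rm -rf ~/.bundle/cache

COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME

# ~/bin (where the git shim was unpacked) goes first so the shim shadows /usr/bin/git.
ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"

# Left as root: this is a base layer, and derived ecosystem images appear to need
# root for their own package installs. Anything that runs this image directly, or
# a derived image's final stage, should switch back to `USER dependabot` before CMD.
USER root
# Relative to WORKDIR ($DEPENDABOT_HOME/dependabot-updater).
CMD ["bin/run"]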