Merge branch 'release/v1.26.2-3'

Author: kahoona77

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.26.2-3] - 2025-01-28
+### Changed
+- update Makefiles to 9.5.3
+
+### Fixed
+- adapt font stack for warp menu to ces-theme-tailwind
+- better screenreader support for submenus as links
+
 ## [v1.26.2-2] - 2024-12-06
 ### Changed
 - Update ces-about to v0.7.0 for updated license information

Dockerfile

@@ -2,7 +2,7 @@ FROM node:lts-alpine as templating
 
 ENV WORKDIR=/template \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.26.2-2"
+    VERSION="1.26.2-3"
 
 RUN mkdir -p ${WORKDIR}
 WORKDIR ${WORKDIR}
@@ -14,16 +14,16 @@ RUN yarn install
 RUN node template-colors.js  ${WORKDIR}/resources/var/www/html/styles/default.css.tpl ${WORKDIR}/build/default.css
 RUN node template-error-pages.js ${WORKDIR}/resources/var/www/html/errors/error-page.html.tpl ${WORKDIR}/build/errors
 
-FROM registry.cloudogu.com/official/base:3.20.3-3 as builder
+FROM registry.cloudogu.com/official/base:3.21.0-1 as builder
 LABEL maintainer="[email protected]"
 
 # dockerfile is based on https://github.com/dockerfile/nginx and https://github.com/bellycard/docker-loadbalancer
 ENV NGINX_VERSION=1.26.2 \
     NGINX_TAR_SHA256="627fe086209bba80a2853a0add9d958d7ebbdffa1a8467a5784c9a6b4f03d738" \
-    CES_CONFD_VERSION=0.9.0 \
-    CES_CONFD_TAR_SHA256="8507f40824562b8d2c1f32afb43ce1aad576a82febd2f97bd2cf31b0753a8cbd" \
-    WARP_MENU_VERSION=2.0.0 \
-    WARP_MENU_TAR_SHA256="51a1010ec0f82b634999e48976d7fec98e6eb574a4401a841cd53f8cd0e14040" \
+    CES_CONFD_VERSION=0.11.0 \
+    CES_CONFD_TAR_SHA256="85809a3e9e0b56d58c53f958872809eab1026124a73a06eedfcdeba9ca73ec9a" \
+    WARP_MENU_VERSION=2.0.3 \
+    WARP_MENU_ZIP_SHA256="8dfd023579728b6786bdb4664fb6d3e629717d9d2d27cdd4b365f9a844f1858c" \
     CES_ABOUT_VERSION="0.7.0" \
     CES_ABOUT_TAR_SHA256="fcfdfb86dac75d5ae751cc0e8c3436ecee12f0d5ed830897c4f61029ae1df27e"
 
@@ -62,17 +62,17 @@ RUN wget --progress=bar:force:noscroll -O /tmp/ces-about-v${CES_ABOUT_VERSION}.t
 
 # install warp menu
 RUN wget --progress=bar:force:noscroll -O /tmp/warp.zip https://github.com/cloudogu/warp-menu/releases/download/v${WARP_MENU_VERSION}/warp-v${WARP_MENU_VERSION}.zip \
-    && echo "${WARP_MENU_TAR_SHA256} */tmp/warp.zip" | sha256sum -c - \
+    && echo "${WARP_MENU_ZIP_SHA256} */tmp/warp.zip" | sha256sum -c - \
     && unzip /tmp/warp.zip -d /build/var/www/html
 
-FROM registry.cloudogu.com/official/base:3.20.3-3
+FROM registry.cloudogu.com/official/base:3.21.0-1
 LABEL maintainer="[email protected]" \
       NAME="official/nginx" \
-      VERSION="1.26.2-2"
+      VERSION="1.26.2-3"
 
 ENV CES_MAINTENANCE_MODE=false \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.26.2-2"
+    VERSION="1.26.2-3"
 
 RUN set -x -o errexit \
  && set -o nounset \

Jenkinsfile

@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/dogu-build-lib@v2.5.0', 'github.com/cloudogu/ces-build-lib@3.0.0']) _
+@Library(['github.com/cloudogu/dogu-build-lib@v3.0.0', 'github.com/cloudogu/ces-build-lib@4.0.1']) _
 import com.cloudogu.ces.dogubuildlib.*
 import com.cloudogu.ces.cesbuildlib.*
 
@@ -16,7 +16,9 @@ node('vagrant') {
                         booleanParam(defaultValue: true, description: 'Enables cypress to record video of the integration tests.', name: 'EnableVideoRecording'),
                         booleanParam(defaultValue: true, description: 'Enables cypress to take screenshots of failing integration tests.', name: 'EnableScreenshotRecording'),
                         booleanParam(defaultValue: false, description: 'Test dogu upgrade from latest release or optionally from defined version below', name: 'TestDoguUpgrade'),
-                        string(defaultValue: '', description: 'Old Dogu version for the upgrade test (optional; e.g. 3.23.0-1)', name: 'OldDoguVersionForUpgradeTest')
+                        string(defaultValue: '', description: 'Old Dogu version for the upgrade test (optional; e.g. 3.23.0-1)', name: 'OldDoguVersionForUpgradeTest'),
+                        choice(name: 'TrivySeverityLevels', choices: [TrivySeverityLevel.CRITICAL, TrivySeverityLevel.HIGH_AND_ABOVE, TrivySeverityLevel.MEDIUM_AND_ABOVE, TrivySeverityLevel.ALL], description: 'The levels to scan with trivy', defaultValue: TrivySeverityLevel.CRITICAL),
+                        choice(name: 'TrivyStrategy', choices: [TrivyScanStrategy.UNSTABLE, TrivyScanStrategy.FAIL, TrivyScanStrategy.IGNORE], description: 'Define whether the build should be unstable, fail or whether the error should be ignored if any vulnerability was found.', defaultValue: TrivyScanStrategy.UNSTABLE),
                 ])
         ])
 
@@ -49,6 +51,10 @@ node('vagrant') {
         try {
 
             stage('Provision') {
+                // change namespace to prerelease_namespace if in develop-branch
+                if (gitflow.isPreReleaseBranch()) {
+                    sh "make prerelease_namespace"
+                }
                 ecoSystem.provision("/dogu")
             }
 
@@ -61,6 +67,15 @@ node('vagrant') {
                 ecoSystem.build("/dogu")
             }
 
+            stage('Trivy scan') {
+                ecoSystem.copyDoguImageToJenkinsWorker("/dogu")
+                Trivy trivy = new Trivy(this)
+                trivy.scanDogu(".", params.TrivySeverityLevels, params.TrivyStrategy)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.TABLE)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON)
+                trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML)
+            }
+
             stage('Prepare integration tests') {
                 setIntegrationTestKeys(ecoSystem)
             }
@@ -118,6 +133,11 @@ node('vagrant') {
                 stage ('Add Github-Release'){
                     github.createReleaseWithChangelog(releaseVersion, changelog)
                 }
+            } else if (gitflow.isPreReleaseBranch()) {
+                // push to registry in prerelease_namespace
+                stage('Push Prerelease Dogu to registry') {
+                    ecoSystem.pushPreRelease("/dogu")
+                }
             }
 
         } finally {

Makefile

@@ -1,10 +1,11 @@
-MAKEFILES_VERSION=7.8.0
+MAKEFILES_VERSION=9.5.3
 
 .DEFAULT_GOAL:=dogu-release
 
 include build/make/variables.mk
 include build/make/self-update.mk
 include build/make/release.mk
+include build/make/prerelease.mk
 include build/make/version-sha.mk
 
 NGINX_VERSION=$(shell grep NGINX_VERSION= Dockerfile | sed 's/.*NGINX_VERSION=\([^ ]*\).*/\1/g')

build/make/bats.mk

@@ -9,7 +9,7 @@ BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
 BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
 BATS_BASE_IMAGE?=bats/bats
 BATS_CUSTOM_IMAGE?=cloudogu/bats
-BATS_TAG?=1.2.1
+BATS_TAG?=1.11.0
 BATS_DIR=build/make/bats
 BATS_WORKDIR="${WORKDIR}"/"${BATS_DIR}"
 

build/make/bats/Dockerfile

@@ -1,7 +1,9 @@
 ARG BATS_BASE_IMAGE
 ARG BATS_TAG
 
-FROM ${BATS_BASE_IMAGE}:${BATS_TAG}
+FROM ${BATS_BASE_IMAGE:-bats/bats}:${BATS_TAG:-1.11.0}
 
 # Make bash more findable by scripts and tests
-RUN apk add make git bash
+RUN apk add make git bash
+# suppress git "detected dubious ownership" error/warning for repos which are checked out later
+RUN git config --global --add safe.directory /workspace

build/make/build.mk

@@ -3,7 +3,7 @@
 ADDITIONAL_LDFLAGS?=-extldflags -static
 LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)"
 GOIMAGE?=golang
-GOTAG?=1.14.13
+GOTAG?=1.23
 GOOS?=linux
 GOARCH?=amd64
 PRE_COMPILE?=

build/make/coder-lib.sh

@@ -0,0 +1,182 @@
+#!/bin/bash
+# a collection of helpful functions to update coder workspaces for rapid development
+set -e -u -x -o pipefail
+
+function getContainerBin() {
+  if [ -x "$(command -v podman)" ]; then
+    echo "podman";
+  else
+    echo "docker";
+  fi
+}
+
+function getCoderUser() {
+  # check if coder is installed, so that there is no problem with build and release targets if this is called before
+  if [ -x "$(command -v coder)" ]; then
+    coder users show me -o json | jq -r '.username';
+  fi
+}
+
+function getAllWorkspaces() {
+  coder list -c workspace | tail -n+2
+}
+
+function doesWorkspaceExist() {
+  coderUser="$1"
+  workspaceName="$2"
+
+  workspace=$(coder list -a -o json | jq -r "select(.[].owner_name == \"${coderUser}\" and  .[].name == \"${workspaceName}\") | .[0].name")
+  if [ -z "$workspace" ]; then
+    return 1 #workspace does not exist
+  else
+    return 0
+  fi
+}
+
+function generateUniqueWorkspaceName() {
+  local wantedWorkspacePrefix="$1"
+  # use time to make name unique
+  local time
+  time=$(date +'%H-%M-%S')
+  local lengthOfTime=${#time}
+  local delimiter='-'
+  local lengthOfDelimiter=${#delimiter}
+  # trim prefix, as workspace names are limited to 32 chars
+  local trimmedPrefix="${wantedWorkspacePrefix:0:$((32 - lengthOfDelimiter - lengthOfTime))}"
+  local uniqueName="${trimmedPrefix}${delimiter}${time}"
+  # '--' is forbidden in coder, replace multiple '-' with a single one.
+  echo "${uniqueName}" | awk '{gsub(/[-]+/,"-")}1'
+  # returns sth like 'myPrefix-12-45-23'
+}
+
+function buildImage() {
+  local tag="$1"
+  local containerBuildDir="${2:-./container}"
+  local secretDir="${3:-./secrets}"
+  local containerExec="${4:-podman}"
+
+  # include build-secrets if there are any
+  local secretArgs=()
+  if [ -d "$secretDir" ]; then
+    # shellcheck disable=SC2231
+    for secretPath in $secretDir/*; do
+      # do not match .sh scripts
+      [[ $secretPath == *.sh ]] && continue
+      local secretName
+      secretName=$(basename "$secretPath")
+      secretArgs+=("--secret=id=$secretName,src=$secretDir/$secretName")
+    done
+  fi
+
+  if [ "$containerExec" = "podman" ]; then
+    $containerExec build -t "$tag" --pull=newer "$containerBuildDir" "${secretArgs[@]}"
+  else
+    $containerExec build -t "$tag" --pull "$containerBuildDir" "${secretArgs[@]}"
+  fi
+}
+
+function doTrivyConvert() {
+  local trivyFlags=$1
+  local outputFile=$2
+  local containerExec=$3
+  local jsonScanToConvert=$4
+
+  local containerJsonScanFile="/tmp/scan.json"
+
+  # shellcheck disable=SC2086
+  # as globbing is what we want here
+  "$containerExec" run --rm --pull=always \
+    -v trivy-cache:/root/.cache \
+    -v "$jsonScanToConvert:$containerJsonScanFile" \
+    aquasec/trivy -q \
+    convert $trivyFlags "$containerJsonScanFile"  > "$outputFile"
+}
+
+function uploadTemplate() {
+  local templateDir="${1:?"Error. you need to add the template directory as the first parameter"}"
+  local templateName="${2:?"Error. you need to add the template name as the second parameter"}"
+  # for terraform variables (not editable by workspace users)
+  local variablesFile="${templateDir}/variables.yaml"
+  if [ -f "$variablesFile" ]; then
+    local doesVariablesFileExist=1
+  fi
+  if ! coder template push -y -d "$templateDir" ${doesVariablesFileExist:+--variables-file "$variablesFile"} "$templateName"; then
+    # if template does not exist yet, create it in coder
+    coder template create -y -d "$templateDir" ${doesVariablesFileExist:+--variables-file "$variablesFile"} "$templateName"
+  fi
+}
+
+function createNewWorkspace() {
+  local templateName="$1"
+  local workspaceName="$2"
+  # 3. param is optional, set it to autofill prompts for coder params
+  local templateDir="${3-unset}"
+  local richParametersFile="${templateDir}/rich-parameters.yaml"
+  if [ -n "${templateDir+x}" ] && [ -f "$richParametersFile" ]; then
+    local doesRichParametersFileExist=1
+  fi
+  coder create -t "$templateName" -y "$workspaceName" ${doesRichParametersFileExist:+--rich-parameter-file "$richParametersFile"}
+}
+
+function removeAllOtherWorkspaces() {
+  local CODER_USER="$1"
+  local WORKSPACE_PREFIX="$2"
+  local IGNORED_WORKSPACE="$3"
+  WORKSPACES="$(getAllWorkspaces)"
+  for ws in $WORKSPACES; do
+    if [ "$ws" != "$CODER_USER/$IGNORED_WORKSPACE" ] && [[ "$ws" =~ ^"$CODER_USER/$WORKSPACE_PREFIX" ]]; then
+      echo "delete $ws"
+      if ! coder delete "$ws" -y; then
+        #do it twice as podman always throws an error at the first time
+        coder delete "$ws" -y
+      fi
+    fi
+  done
+}
+
+function updateWorkspace() {
+  local coderUser="$1"
+  local workspaceName="$2"
+  local qualifiedWorkspaceName="$coderUser/$workspaceName"
+  if ! coder stop "$qualifiedWorkspaceName" -y; then
+    #do it twice as podman always throws an error at the first time
+    coder stop "$qualifiedWorkspaceName" -y
+  fi
+  coder update "$qualifiedWorkspaceName"
+}
+
+function startTestWorkspace() {
+  local coderUser="$1"
+  local templateDir="$2"
+  local workspacePrefix="$3"
+  local templateName="$4"
+  local reuseTestWorkspace="$5"
+
+  local newWorkspaceName
+  if [ "$reuseTestWorkspace" = false ]; then
+    newWorkspaceName="$(generateUniqueWorkspaceName "$workspacePrefix")"
+    # do that before deleting others, so that i don't need to wait
+    createNewWorkspace "$templateName" "$newWorkspaceName" "$templateDir"
+    # trim prefix as the name of the workspace can also get trimmed
+    removeAllOtherWorkspaces "$coderUser" "${workspacePrefix:0:22}" "$newWorkspaceName"
+  else
+    newWorkspaceName="$workspacePrefix"
+    if ! doesWorkspaceExist "$coderUser" "$newWorkspaceName"; then
+      createNewWorkspace "$templateName" "$newWorkspaceName" "$templateDir"
+    else
+      updateWorkspace "$coderUser" "$newWorkspaceName"
+    fi
+  fi
+}
+
+function uploadToNexus() {
+  local fileToUpload="$1"
+  local fileNameNexus="${fileToUpload##*/}"
+  local templateName="$2"
+  local releaseVersion="$3"
+  local nexusUrl="${4:-https://ecosystem.cloudogu.com/nexus/repository/itz-bund/coder}"
+  set +x #disable command printing because of the password
+  curl --progress-bar -u "$(cat secrets/nexus-user):$(cat secrets/nexus-pw)" --upload-file "$fileToUpload" \
+    "$nexusUrl/$templateName/$releaseVersion/$fileNameNexus"
+  set -x
+}