diff --git a/.gitlab/ci/pipelines/before_merging.yml b/.gitlab/ci/pipelines/before_merging.yml index 71a0d90fc828a6dc2ea8638e61a69daa74927bb9..e01f2464f773553b9103a6df7deb8e348161ac20 100644 --- a/.gitlab/ci/pipelines/before_merging.yml +++ b/.gitlab/ci/pipelines/before_merging.yml @@ -76,7 +76,7 @@ nix: when: on_failure oc.docker:rust-toolchain: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -114,7 +114,7 @@ oc.docker:rust-toolchain: dotenv: rust_toolchain_image_tag.env oc.docker:client-libs-dependencies: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -6423,7 +6423,7 @@ opam:tezt-tezos: retry: 2 oc.docker-build-debian-dependencies: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - $TAGS @@ -6458,7 +6458,7 @@ oc.docker-build-debian-dependencies: - gcp_arm64 oc.docker-build-ubuntu-dependencies: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - $TAGS @@ -8275,7 +8275,7 @@ documentation:linkcheck: - make -C docs linkcheck oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: manual tags: - gcp @@ -8300,7 +8300,7 @@ oc.docker:amd64: when: manual oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: manual tags: - gcp_arm64 diff --git a/.gitlab/ci/pipelines/etherlink_release_tag.yml b/.gitlab/ci/pipelines/etherlink_release_tag.yml index bb9334466c1262fac66e42ffb3fd1325baad1558..d545ad8dd8c14267a8f1046457ae78660c471257 100644 --- a/.gitlab/ci/pipelines/etherlink_release_tag.yml 
+++ b/.gitlab/ci/pipelines/etherlink_release_tag.yml @@ -2,7 +2,7 @@ # Edit file ci/bin/main.ml instead. docker:prepare-etherlink-release: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp @@ -21,7 +21,7 @@ docker:prepare-etherlink-release: - kernels.tar.gz gitlab:etherlink-release: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0 stage: publish_package_gitlab tags: - gcp diff --git a/.gitlab/ci/pipelines/master_branch.yml b/.gitlab/ci/pipelines/master_branch.yml index 7c37491f1f0123191d59c2c4117beceb60d3dacc..25a6f8132cd31a0848343eb9e1f9d4d8cf07e38b 100644 --- a/.gitlab/ci/pipelines/master_branch.yml +++ b/.gitlab/ci/pipelines/master_branch.yml @@ -2,7 +2,7 @@ # Edit file ci/bin/main.ml instead. oc.docker:rust-toolchain: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -123,7 +123,7 @@ oc.build_arm64-exp-dev-extra: when: on_success oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -147,7 +147,7 @@ oc.docker:amd64: RUST_TOOLCHAIN_ALWAYS_REBUILD: "true" oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp_arm64 @@ -233,7 +233,7 @@ publish:documentation: - ./scripts/ci/doc_publish.sh docker:merge_manifests: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp 
diff --git a/.gitlab/ci/pipelines/non_release_tag.yml b/.gitlab/ci/pipelines/non_release_tag.yml index 95dc73d228aa8ffeab3cece0339ccb71cd29259d..695d7dac347380a94774b2cd6a17b777c6550864 100644 --- a/.gitlab/ci/pipelines/non_release_tag.yml +++ b/.gitlab/ci/pipelines/non_release_tag.yml @@ -40,7 +40,7 @@ oc.build:static-arm64-linux-binaries: - octez-binaries/$ARCH/* oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -60,7 +60,7 @@ oc.docker:amd64: rust_toolchain_image_tag: is-never-pulled oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp_arm64 @@ -169,7 +169,7 @@ oc.build:rpm:amd64: - rockylinux:9.3 docker:merge_manifests: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp @@ -188,7 +188,7 @@ docker:merge_manifests: CI_DOCKER_HUB: "true" gitlab:publish: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0 stage: publish_package_gitlab tags: - gcp diff --git a/.gitlab/ci/pipelines/non_release_tag_test.yml b/.gitlab/ci/pipelines/non_release_tag_test.yml index e6c30d86e7c204452863bc3c3fbe8bfb7dda0aa9..6966a9cc653e5c948a81152b36ff89946f081af3 100644 --- a/.gitlab/ci/pipelines/non_release_tag_test.yml +++ b/.gitlab/ci/pipelines/non_release_tag_test.yml @@ -40,7 +40,7 @@ oc.build:static-arm64-linux-binaries: - octez-binaries/$ARCH/* oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp 
@@ -60,7 +60,7 @@ oc.docker:amd64: rust_toolchain_image_tag: is-never-pulled oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp_arm64 @@ -169,7 +169,7 @@ oc.build:rpm:amd64: - rockylinux:9.3 docker:merge_manifests: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp @@ -188,7 +188,7 @@ docker:merge_manifests: CI_DOCKER_HUB: "false" gitlab:publish: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0 stage: publish_package_gitlab tags: - gcp diff --git a/.gitlab/ci/pipelines/octez_beta_release_tag.yml b/.gitlab/ci/pipelines/octez_beta_release_tag.yml index 5a2db2902b43a515aca1081ea92e181a0b329e5b..a3bb6d67d80087fe15393b13579a55b70f5680f5 100644 --- a/.gitlab/ci/pipelines/octez_beta_release_tag.yml +++ b/.gitlab/ci/pipelines/octez_beta_release_tag.yml @@ -40,7 +40,7 @@ oc.build:static-arm64-linux-binaries: - octez-binaries/$ARCH/* oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -60,7 +60,7 @@ oc.docker:amd64: rust_toolchain_image_tag: is-never-pulled oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp_arm64 @@ -169,7 +169,7 @@ oc.build:rpm:amd64: - rockylinux:9.3 docker:merge_manifests: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp 
@@ -188,7 +188,7 @@ docker:merge_manifests: CI_DOCKER_HUB: "true" gitlab:release: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0 stage: publish_release_gitlab tags: - gcp diff --git a/.gitlab/ci/pipelines/octez_latest_release.yml b/.gitlab/ci/pipelines/octez_latest_release.yml index a735a2a81e88779e16acb13bd6c3f33187431151..2dbeeab7fd82b21b3f8fded405e34a7356e1dd4f 100644 --- a/.gitlab/ci/pipelines/octez_latest_release.yml +++ b/.gitlab/ci/pipelines/octez_latest_release.yml @@ -2,7 +2,7 @@ # Edit file ci/bin/main.ml instead. docker:promote_to_latest: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: publish_release tags: - gcp diff --git a/.gitlab/ci/pipelines/octez_latest_release_test.yml b/.gitlab/ci/pipelines/octez_latest_release_test.yml index a9c8a797376f18e416652bfc87a1477247774382..8410cd0a9fbeb47f9e1429619a837d20537432e0 100644 --- a/.gitlab/ci/pipelines/octez_latest_release_test.yml +++ b/.gitlab/ci/pipelines/octez_latest_release_test.yml @@ -2,7 +2,7 @@ # Edit file ci/bin/main.ml instead. docker:promote_to_latest: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: publish_release tags: - gcp diff --git a/.gitlab/ci/pipelines/octez_release_tag.yml b/.gitlab/ci/pipelines/octez_release_tag.yml index d15ce45457d00d1557b4b31987bcd4314568144f..fdde43c82f9054c62e7ef51e6dd2b2c1054795bb 100644 --- a/.gitlab/ci/pipelines/octez_release_tag.yml +++ b/.gitlab/ci/pipelines/octez_release_tag.yml @@ -40,7 +40,7 @@ oc.build:static-arm64-linux-binaries: - octez-binaries/$ARCH/* oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp 
@@ -60,7 +60,7 @@ oc.docker:amd64: rust_toolchain_image_tag: is-never-pulled oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp_arm64 @@ -169,7 +169,7 @@ oc.build:rpm:amd64: - rockylinux:9.3 docker:merge_manifests: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp @@ -188,7 +188,7 @@ docker:merge_manifests: CI_DOCKER_HUB: "true" gitlab:release: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0 stage: publish_release_gitlab tags: - gcp diff --git a/.gitlab/ci/pipelines/octez_release_tag_test.yml b/.gitlab/ci/pipelines/octez_release_tag_test.yml index 461c2c32b0895d5eb00bfedc0185b990ee301a26..5c8a16fa149946f1339982b6df4351018e8df7ee 100644 --- a/.gitlab/ci/pipelines/octez_release_tag_test.yml +++ b/.gitlab/ci/pipelines/octez_release_tag_test.yml @@ -40,7 +40,7 @@ oc.build:static-arm64-linux-binaries: - octez-binaries/$ARCH/* oc.docker:amd64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -60,7 +60,7 @@ oc.docker:amd64: rust_toolchain_image_tag: is-never-pulled oc.docker:arm64: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp_arm64 @@ -169,7 +169,7 @@ oc.build:rpm:amd64: - rockylinux:9.3 docker:merge_manifests: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: prepare_release tags: - gcp 
@@ -188,7 +188,7 @@ docker:merge_manifests: CI_DOCKER_HUB: "false" gitlab:release: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0 stage: publish_release_gitlab tags: - gcp diff --git a/.gitlab/ci/pipelines/schedule_extended_test.yml b/.gitlab/ci/pipelines/schedule_extended_test.yml index abb7a238f5ef3c11d3618a31a05f3b070bb9e5d8..b2439a9a1e1b866296c1749dee4dfd0671f11862 100644 --- a/.gitlab/ci/pipelines/schedule_extended_test.yml +++ b/.gitlab/ci/pipelines/schedule_extended_test.yml @@ -29,7 +29,7 @@ docker:hadolint-schedule_extended_test: - hadolint Dockerfile oc.docker:rust-toolchain: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp @@ -49,7 +49,7 @@ oc.docker:rust-toolchain: dotenv: rust_toolchain_image_tag.env oc.docker:client-libs-dependencies: - image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0 + image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0 stage: build tags: - gcp diff --git a/ci/bin/common.ml b/ci/bin/common.ml index 58cd57a008452777b79bec4ee268f0e910da1863..f3c8293261ba701d7e8c8969e3af7163f3e20723 100644 --- a/ci/bin/common.ml +++ b/ci/bin/common.ml @@ -132,7 +132,7 @@ module Images = struct let docker = Image.register ~name:"docker" - ~image_path:"${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.10.0" + ~image_path:"${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.12.0" (* The Alpine version should be kept up to date with the version used for the [build_deps_image_name] images and specified in the @@ -179,7 +179,7 @@ module Images = struct let ci_release = Image.register ~name:"ci_release" - ~image_path:"${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.4.0" + ~image_path:"${GCP_REGISTRY}/tezos/docker-images/ci-release:v1.6.0" let hadolint = Image.register ~name:"hadolint" ~image_path:"hadolint/hadolint:2.9.3-debian" 
diff --git a/ci/bin/main.ml b/ci/bin/main.ml index 5c03973ee15ebb76fae4761c7cc31fff516c5848..892a2016ae3018c45ffe3f91822469ebaf981ad9 100644 --- a/ci/bin/main.ml +++ b/ci/bin/main.ml @@ -25,6 +25,12 @@ let variables : variables = [ (* /!\ This value MUST be the same as `opam_repository_tag` in `scripts/version.sh` *) ("build_deps_image_version", Common.build_deps_image_version); + (* /!\ GCP_REGISTRY is the variable containing the name of the registry to and from + which docker images are produced and consumed. This variable is defined at tezos + level with the value unprotected registry and at tezos/tezos level in its protected + version. This mechanism allows pipelines from a protected tezos/tezos branch to + read the protected variable from tezos/tezos and for others to not have access to + the variable tezos/tezos but tezos. *) ("build_deps_image_name", "${GCP_REGISTRY}/tezos/opam-repository"); ( "rust_toolchain_image_name", "${GCP_REGISTRY}/${CI_PROJECT_PATH}/rust-toolchain" ); diff --git a/scripts/ci/docker_registry_auth.sh b/scripts/ci/docker_registry_auth.sh index 3649dfa83f242e563e426c13a9a223ee86c14752..c5fd4b60f8763fc93ab669ead5e2b7b8f5f818d5 100755 --- a/scripts/ci/docker_registry_auth.sh +++ b/scripts/ci/docker_registry_auth.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash set -eu current_dir=$(cd "$(dirname "${0}")" && pwd) @@ -29,6 +29,7 @@ echo "CI_PROJECT_NAMESPACE=${CI_PROJECT_NAMESPACE}" echo "IMAGE_ARCH_PREFIX=${IMAGE_ARCH_PREFIX:-}" echo "DOCKER_BUILD_TARGET=${DOCKER_BUILD_TARGET:-}" echo "RUST_TOOLCHAIN_IMAGE=${RUST_TOOLCHAIN_IMAGE:-}" +echo "CI_COMMIT_REF_PROTECTED=${CI_COMMIT_REF_PROTECTED:-}" # CI_DOCKER_HUB is used to switch to Docker Hub if credentials are available with CI_DOCKER_AUTH # /!\ CI_DOCKER_HUB can be unset, CI_DOCKER_AUTH is only available on protected branches 
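Review bot: The new GCP_REGISTRY comment in the `variables` list is hard to parse in its last two sentences ("with the value unprotected registry", "to not have access to the variable tezos/tezos but tezos") and does not say what actually enforces the split, which is the GitLab "protected" flag on the tezos/tezos variable rather than the branch itself. I would reword it along the lines of `(* /!\ GCP_REGISTRY names the registry images are pushed to and pulled from. It is an unprotected variable on the [tezos] group (unprotected registry) and a protected variable on the [tezos/tezos] project (protected registry), so only pipelines on protected refs of tezos/tezos receive the protected value; all other pipelines fall back to the group value. *)`. Since the hunk says the generated YAML is derived from this file, a clear statement here is the only place future readers will see the rationale. The `variables` list itself starts before and continues after the hunk.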
@@ -64,9 +65,22 @@ fi # Allow to push to private GCP Artifact Registry if the CI/CD variable is defined if [ -n "${GCP_REGISTRY:-}" ]; then - echo "### Logging into GCP Artifact Registry for pushing images" - GCP_ARTIFACT_REGISTRY_TOKEN=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | cut -d'"' -f4) - echo "${GCP_ARTIFACT_REGISTRY_TOKEN}" | docker login us-central1-docker.pkg.dev -u oauth2accesstoken --password-stdin + # There are two registries for storing Docker images. The first allows pushes from + # Tezos CI jobs on unprotected branches. The second is accessible for push + # operation only from protected branches for security reasons. Finally, both + # registries are publicly accessible for pulls. + if [ "${CI_COMMIT_REF_PROTECTED:-false}" = true ]; then + echo "### Logging into protected GCP Artifact Registry for pushing images" + echo "${GCP_PROTECTED_SERVICE_ACCOUNT}" | base64 -d > protected_sa.json + gcloud auth activate-service-account --key-file=protected_sa.json + gcloud auth configure-docker us.gcr.io + gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev + rm protected_sa.json + else + echo "### Logging into standard GCP Artifact Registry for pushing images" + GCP_ARTIFACT_REGISTRY_TOKEN=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | cut -d'"' -f4) + echo "${GCP_ARTIFACT_REGISTRY_TOKEN}" | docker login us-central1-docker.pkg.dev -u oauth2accesstoken --password-stdin + fi fi # shellcheck source=scripts/ci/docker_registry.inc.sh
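Review bot: The decoded service-account key is written to `protected_sa.json` in the job's working directory and only removed by the trailing `rm`, so under `set -eu` any failure in the intervening `gcloud auth` lines aborts the script and leaves the key on disk, where later steps, artifacts or caches rooted in the checkout can pick it up. Create it with `mktemp` and remove it from an `EXIT` trap (or, now that the script runs under bash, feed it via process substitution) so cleanup does not depend on success. Separately, `gcloud auth configure-docker us.gcr.io` registers a credential helper for the legacy Container Registry host while the `docker login` on the next line targets `us-central1-docker.pkg.dev`; if Artifact Registry is the only push target this line looks like either the wrong host or redundant, and it is worth confirming which. Note also that `CI_COMMIT_REF_PROTECTED` only selects the branch; the actual guard is `GCP_PROTECTED_SERVICE_ACCOUNT` being configured as a protected (and masked) CI variable, which the comment block above the `if` could state explicitly.
```shell
  if [ "${CI_COMMIT_REF_PROTECTED:-false}" = true ]; then
    echo "### Logging into protected GCP Artifact Registry for pushing images"
    # Key material never lands in the checkout; the trap removes it even if a gcloud step fails.
    key_file=$(mktemp)
    trap 'rm -f "${key_file}"' EXIT
    echo "${GCP_PROTECTED_SERVICE_ACCOUNT}" | base64 -d > "${key_file}"
    gcloud auth activate-service-account --key-file="${key_file}"
    # … unchanged: configure-docker (see note) and docker login via gcloud auth print-access-token …
    rm -f "${key_file}"
  # … unchanged: else branch using the metadata-server token …
```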