@dotkas dotkas commented Aug 18, 2025

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

We used to publish our build images to a public Docker Hub repo. This made our CircleCI configuration easier to maintain but in turn made our build images public, which they needn't be. This change moves the CircleCI executor images to a private Docker Hub repository, and modifies our image build script to reflect that.

Also paralleled the image building process.

Where should the reviewer start?

The CircleCI config.

e2e pipeline: https://app.circleci.com/pipelines/github/snyk/cli?branch=dotkas/CLI-792/move-to-private-docker-repo-e2e

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

N/A, internal change.

snyk-io bot commented Aug 18, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. No issues have been found. (View Details)

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch 4 times, most recently from eaba0bf to af35941 Compare August 18, 2025 11:28
docker-amd64:
docker:
- image: snyklabs/cli-build:20250429-091242
- image: snyklabs/cli-build-private:20250818-112438
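
Review bot: the new `snyklabs/cli-build-private:20250818-112438` entry under `docker-amd64` shows no `auth:` block in these lines, and a private Docker Hub image cannot be pulled anonymously. Declare `auth:` with `username` and `password` next to the image, taking both from context-provided environment variables rather than inline values, and consider pinning the image by digest in addition to the timestamp tag so the executor cannot change without a config change.
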
Contributor Author

Not awesome naming, but to not break the pipelines I didn't want to make the existing repository private.

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch from af35941 to 7f4df73 Compare August 20, 2025 14:07
@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch from 7f4df73 to dec1485 Compare September 8, 2025 10:47
steps:
- uses: actions/checkout@v3
- uses: docker/setup-buildx-action@v2
- uses: docker/setup-buildx-action@v3
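
Review bot: `actions/checkout@v3` and `docker/setup-buildx-action@v3` are referenced by mutable major-version tags in these steps. Pin both to a full commit SHA, with the version in a trailing comment, so a retagged action cannot change what runs in the image build; `actions/checkout` is also left at `v3` while buildx is bumped, so check whether it should move too.
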

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch 4 times, most recently from 34c7ad1 to 7912168 Compare September 9, 2025 08:35
Contributor Author

Every step that needs the private docker images now needs credentials attached, thus the long list of new contexts in this file.
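
A check for the requirement described in the comment above, as an added example (not part of this PR or of Snyk's tooling): it walks a CircleCI config that has already been parsed into a dict and reports workflow jobs that pull from a private repository without a context, or whose image entry lacks `auth`. The job names, context name and environment variable names are hypothetical; only the image reference comes from this page.

```python
# Constructed sample shaped like yaml.safe_load() output for a CircleCI config.
# Job names, the context name and the env var names are hypothetical.
PRIVATE_REPOS = {"snyklabs/cli-build-private"}
SAMPLE_CONFIG = {
    "executors": {
        "docker-amd64": {"docker": [{
            "image": "snyklabs/cli-build-private:20250818-112438",
            "auth": {"username": "$DOCKERHUB_USER", "password": "$DOCKERHUB_PASSWORD"},
        }]},
        "linux-base": {"docker": [{"image": "cimg/base:stable"}]},
    },
    "jobs": {
        "build": {"executor": "docker-amd64"},
        "unit-test": {"executor": {"name": "docker-amd64"}},
        "lint": {"executor": "linux-base"},
    },
    "workflows": {
        "version": 2,
        "main": {"jobs": [
            {"build": {"context": ["example-dockerhub-readonly"]}},
            "unit-test",                        # private image, no context
            {"lint": {"requires": ["build"]}},  # public image, none needed
        ]},
    },
}

def job_images(config, job_name):
    """Image entries a job pulls, via its executor or an inline docker key."""
    job = config.get("jobs", {}).get(job_name, {})
    ref = job.get("executor")
    ref = ref.get("name") if isinstance(ref, dict) else ref
    return (config.get("executors", {}).get(ref, {}) if ref else job).get("docker", [])

def missing_credentials(config, private_repos=PRIVATE_REPOS):
    """Return (workflow, job, problem) for private pulls lacking credentials."""
    findings = []
    for wf_name, wf in config.get("workflows", {}).items():
        if not isinstance(wf, dict):  # skip the legacy "version" key
            continue
        for entry in wf.get("jobs", []):
            name, params = (entry, {}) if isinstance(entry, str) else next(iter(entry.items()))
            for img in job_images(config, name):
                if img["image"].rsplit(":", 1)[0] not in private_repos:  # repo:tag form assumed
                    continue
                if not (params or {}).get("context"):
                    findings.append((wf_name, name, "no context attached"))
                if "auth" not in img:
                    findings.append((wf_name, name, "image has no auth block"))
    return findings
```

Run against a real config by loading it with a YAML parser first; jobs whose executor is passed as a pipeline parameter are not resolved by this sketch.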

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch 2 times, most recently from b64b572 to 4e97969 Compare September 9, 2025 10:44
Comment on lines 3 to 11
if [[ -n "${CI:-}" ]]; then
# In CI: don't echo every command to reduce noise
set -euo pipefail
else
# Local development: echo all commands for debugging
set -exuo pipefail
fi
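
Review bot: the local-development branch keeps `set -x`, so any command that takes a registry password or token as an argument is echoed to the terminal and to any captured log. If this script logs in to the private repository, pass the secret on stdin (`docker login --password-stdin`) or wrap that step in `set +x`. Note also that `-n "${CI:-}"` treats any non-empty value, `CI=false` included, as CI.
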
Contributor Author

GitHub Actions throws an error about too-long logs and starts to reduce the output on each run. I've taken the decision to handle it like this. Opinions welcome.

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch 7 times, most recently from 5e791b1 to 86e8adc Compare September 9, 2025 13:45
runner: ubuntu-24.04
docker_arch: x86_64
- arch: arm64
runner: ubuntu-24.04-arm

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch 3 times, most recently from 4e0e080 to dc89e48 Compare September 9, 2025 14:00
Contributor Author

Building an arm64 image on an amd64 runner took more than 2 hours, so I paralleled the script instead; now it takes 10 minutes to create both. The downside was that the complexity of the Bash script and GH YAML increased a tad.

This now generates a tag outside the runner, to keep it the same for both images.

The bash script now takes the architecture and the tag as arguments.

Contributor

Praise: Really nice!

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch from dc89e48 to d91ee79 Compare September 9, 2025 14:04
@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch 2 times, most recently from f9f58ea to b237c9a Compare September 9, 2025 15:19
@dotkas dotkas marked this pull request as ready for review September 9, 2025 15:19
@dotkas dotkas requested review from a team as code owners September 9, 2025 15:19
@dotkas dotkas changed the title from "fix: [CLI-792] moving to a private docker repo" to "fix: [CLI-792] moving image building process to a private docker repo" Sep 9, 2025
github-actions bot commented Sep 9, 2025

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!

Generated by 🚫 dangerJS against 5604157

source /home/circleci/.sdkman/bin/sdkman-init.sh
CANDIDATE=$(sdk list java | grep tem | grep 17.0. | head -1 | cut -f 6 -d "|" | xargs)
yes | sdk install java "$CANDIDATE"
yes | sdk install gradle 9.0.0
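
Review bot: `CANDIDATE` can come out empty or unexpected on the `sdk list java | grep tem | grep 17.0.` line, because the dots in `17.0.` are regex wildcards, `tem` matches any row containing those letters, and `head -1` depends on listing order. Fail the build when `CANDIDATE` is empty and match with `grep -F`, or pin an exact identifier as is done for `gradle 9.0.0`, so the image does not silently get a different JDK.
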

vim \
make \
maven \
gradle \
Contributor Author

Doing this in the sdkman part of the installation. Debian stable still installs Gradle 8.

@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch from e3c4edb to 71ad5e7 Compare September 10, 2025 15:39
Contributor Author

This contains outdated Gradle < 9 logic, which caused the regression tests to fail.

@dotkas dotkas enabled auto-merge September 11, 2025 09:11
Changes:
* Added credentials to the CircleCI config and contexts where needed
* Silenced the very verbose logging when running on GitHub Actions, but kept the verbosity when running locally
* Elaborated some comment strings here and there
* Updated the Docker tags from the GH image builder script
@dotkas dotkas force-pushed the dotkas/CLI-792/move-to-private-docker-repo branch from 71ad5e7 to 5604157 Compare September 11, 2025 09:11
@dotkas dotkas merged commit 6c870f3 into main Sep 11, 2025
8 checks passed
@dotkas dotkas deleted the dotkas/CLI-792/move-to-private-docker-repo branch September 11, 2025 09:48