Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save LeoniePhiline/20903f6e891dc20f71b445ad9bc4ff64 to your computer and use it in GitHub Desktop.
Save LeoniePhiline/20903f6e891dc20f71b445ad9bc4ff64 to your computer and use it in GitHub Desktop.
Update GitLab dependency proxy prefixed docker images and pinned PHP PECL packages in Dockerfiles with renovate-bot

Update GitLab dependency proxy prefixed docker images and pinned PHP PECL packages in Dockerfiles with renovate-bot

Example custom-built php-cli Dockerfile

ARG DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX
FROM $DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX/composer:2 AS composer
FROM $DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX/php:7.4-cli-alpine3.15
ENV MUSL_LOCPATH="/usr/local/share/i18n/locales/musl"
RUN set -eux \
    && PACKAGES_PERSISTENT="exiftool git openssh-client imagemagick freetype libjpeg-turbo \
           libpng libxpm libwebp icu-libs libintl libstdc++ libzip poppler-utils unzip" \
    && PACKAGES_VOLATILE="$PHPIZE_DEPS cmake make musl-dev gcc gettext-dev \
           libwebp-dev libjpeg-turbo-dev libpng-dev libxpm-dev libwebp-dev \
           freetype-dev zlib-dev linux-headers libzip-dev icu-dev g++ libxml2-dev \
           gnutls-dev libzip-dev libressl-dev zlib-dev" \
    && apk add --update --no-cache $PACKAGES_PERSISTENT $PACKAGES_VOLATILE \
    && docker-php-ext-configure gd --enable-gd --with-webp --with-jpeg \
         --with-xpm --with-freetype \
    && docker-php-ext-configure intl \
    && docker-php-ext-install exif gd intl mysqli soap zip \
    && pecl install xdebug-3.1.3 \
    && pecl install redis-5.3.7 \
    && docker-php-ext-enable redis xdebug \
    && cd /tmp && git clone https://gitlab.com/rilian-la-te/musl-locales.git \
    && cd /tmp/musl-locales && cmake . && make && make install \
    && /usr/local/bin/locale -a \
    && rm -rf /tmp/pear \
    && apk del --purge $PACKAGES_VOLATILE \
    && mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
COPY --from=composer /usr/bin/composer /usr/bin/composer
COPY "settings.ini" "$PHP_INI_DIR/conf.d/"
COPY "xdebug.ini" "$PHP_INI_DIR/conf.d/"
RUN addgroup -g 1000 -S cli \
    && adduser -S -G cli -u 1000 -s /bin/bash 1000
USER 1000:1000
WORKDIR "/var/www/html"

The challenges

  1. Keep the composer and php docker source images updated despite using a GitLab dependency proxy variable prefix.
  2. Keep the redis and xdebug PECL packages auto-updated with renovate's regexManager.

Solution: Renovate regex config

{
  "extends": ["config:base", ":automergeMinor", ":rebaseStalePrs"],
  "major": {
    "dependencyDashboardApproval": true
  },
  "regexManagers": [
    {
      "description": "Update docker references with GitLab dependency proxy prefix variables",
      "fileMatch": [
        "^\\.gitlab-ci\\.ya?ml$",
        "(^|/|\\.)Dockerfile(?:\\.[^/]+)?$",
        "(^|/|\\.)docker-compose\\.ya?ml$"
      ],
      "matchStrings": [
        "\\$\\{?(?:CI_)?DEPENDENCY_PROXY_(?:DIRECT_)?GROUP_IMAGE_PREFIX\\}?\\/(?<depName>[^:]+):(?<currentValue>[a-z0-9.-]+)(?:@(?<currentDigest>sha256:[a-f0-9]+))?"
      ],
      "datasourceTemplate": "docker",
      "versioningTemplate": "docker"
    },
    {
      "description": "Update pecl packages in Dockerfiles",
      "fileMatch": ["(^|/|\\.)Dockerfile(?:\\.[^/]+)?$"],
      "matchStrings": [
        "&& pecl install (?<depName>(?:imagick|redis|xdebug))-(?<currentValue>[a-zA-Z0-9.-]+) \\\\"
      ],
      "datasourceTemplate": "github-tags",
      "lookupNameTemplate": "{{#if (containsString depName 'redis')}}php{{depName}}/php{{depName}}{{else}}{{depName}}/{{depName}}{{/if}}",
      "versioningTemplate": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(?<prerelease>[^.-]+)?(-(?<compatibility>.*))?$"
    }
  ]
}

Notes

PECL packages' repositories are not standardized. As I found, redis (https://pecl.php.net/package/redis) uses phpredis/phpredis on GitHub. Other packages like xdebug or imagick host their repositories under <name>/<name>, e.g. xdebug/xdebug on GitHub.

This ruleset naively prefixes redis with php; for all other dependency names it simply uses the dependency name as detailed above.

Adjust your lookupNameTemplate to generate the correct github lookup names for your dependencies accordingly.

When adding more dependencies, also make sure to update your matchStrings to match the PECL extension's name.

If your PECL dependencies are not hosted on GitHub, then add another section, using another datasourceTemplate, like gitlab-tags, git-tags etc. You can find all available datasources in the renovate documentation and code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment