From 8593cc6e3f6261f825b77d50c5e1bb65ace247f2 Mon Sep 17 00:00:00 2001 From: k-matsuzawa Date: Wed, 26 Nov 2025 08:50:15 +0900 Subject: [PATCH] feat: update CI, etc --- .github/dependabot.yml | 4 ++++ .github/workflows/create-docker-image.yml | 2 +- Dockerfile | 16 +++++++++++++--- Taskfile.yml | 10 +++++----- amd64.dockerfile | 14 ++++++++++++-- arm64.dockerfile | 14 ++++++++++++-- 6 files changed, 47 insertions(+), 13 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1199678..e6a2dc1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,3 +10,7 @@ updates: - '.github/**/*' schedule: interval: weekly + groups: + dependencies: + patterns: + - "*" diff --git a/.github/workflows/create-docker-image.yml b/.github/workflows/create-docker-image.yml index 4c76947..1c35d7b 100644 --- a/.github/workflows/create-docker-image.yml +++ b/.github/workflows/create-docker-image.yml @@ -13,7 +13,7 @@ env: jobs: upload-image: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read diff --git a/Dockerfile b/Dockerfile index 3e46d58..d1b0d1d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM --platform=$TARGETPLATFORM python:3.11.3-slim-bullseye +FROM --platform=$TARGETPLATFORM python:3.11.14-slim-bookworm # NOTE: nodedir has used by cmake-js. RUN mkdir /var/.npm \ 
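Review bot: In `.github/workflows/create-docker-image.yml`, `runs-on: ubuntu-latest` replaces a fixed runner image with a floating label. The host that builds and uploads the image can then change without any commit in this repository. The same patch pins pinact, actionlint, ghalint and yamlfmt to exact versions, so a fixed label such as `runs-on: ubuntu-24.04` would be more consistent and keeps runner upgrades reviewable. If the floating label is intentional, a short comment on that line saying so would help the next reader.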
@@ -53,18 +53,24 @@ RUN ARCH=`uname -m` \ && gpg --verify SHA256SUMS.asc 2>&1 | grep "using ECDSA key" | tr -s ' ' | cut -d ' ' -f5 \ && echo "dump key" \ && gpg --verify SHA256SUMS.asc 2>&1 | grep "using " | tr -s ' ' | cut -d ' ' -f5 \ + && echo "gpg keyserver 1" \ && gpg -v --keyserver ${GPG_KEY_SERVER} --recv-keys ${BITCOIN_PGP_KEY} \ + && echo "gpg keyserver 2" \ && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys 82921A4B88FD454B7EB8CE3C796C4109063D4EAF \ - && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys C388F6961FB972A95678E327F62711DBDCA8AE56 \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check SHA256SUMS \ && tar -xzvf ${BITCOIN_TARBALL} --directory=/opt/ \ && ln -sfn /opt/bitcoin-${BITCOIN_VERSION}/bin/* /usr/bin \ && rm -f ${BITCOIN_TARBALL} SHA256SUMS.asc -#20220427: ignore gpg verify (for C388F6961FB972A95678E327F62711DBDCA8AE56) +# 20220427: ignore gpg verify (for C388F6961FB972A95678E327F62711DBDCA8AE56) # && gpg --verify -v SHA256SUMS.asc \ # && sha256sum --ignore-missing --check SHA256SUMS \ +# 20251126: ignore import key +# && echo "gpg keyserver 3" \ +# && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys C388F6961FB972A95678E327F62711DBDCA8AE56 \ + # setup elements ARG ELEMENTS_VERSION=22.1.1 @@ -81,7 +87,9 @@ RUN ARCH=`uname -m` \ && wget -qO ${ELEMENTS_TARBALL} ${ELEMENTS_URL_BASE}/${ELEMENTS_TARBALL} \ && gpg -v --keyserver ${GPG_KEY_SERVER} --recv-keys ${ELEMENTS_PGP_KEY} \ && wget -qO SHA256SUMS.asc ${ELEMENTS_URL_BASE}/SHA256SUMS.asc \ + && echo "verify gpg" \ && gpg --verify SHA256SUMS.asc \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check SHA256SUMS.asc \ && tar -xzvf ${ELEMENTS_TARBALL} --directory=/opt/ \ && ln -sfn /opt/elements-${ELEMENTS_VERSION}/bin/* /usr/bin \ 
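Review bot: The new `echo "verify checksum"` label in the bitcoin step precedes `sha256sum --ignore-missing --check SHA256SUMS`, but nothing in the hunk authenticates SHA256SUMS itself. The enforcing `gpg --verify -v SHA256SUMS.asc` line is still commented out under the 20220427 note, and the two live `gpg --verify ... | grep | tr | cut` pipelines only print key ids, taking their exit status from `cut` unless `pipefail` is set outside the hunk. The check therefore detects a corrupted download rather than a replaced one, and the keys fetched under "gpg keyserver 1" and "gpg keyserver 2" never gate the build; dropping the C388F6961FB972A95678E327F62711DBDCA8AE56 import moves further from re-enabling it. Either restore `&& gpg --verify SHA256SUMS.asc SHA256SUMS \` with the keys that signed this release, or pin the expected digest in the file, e.g. `&& echo "${BITCOIN_SHA256}  ${BITCOIN_TARBALL}" | sha256sum --check - \`, where `BITCOIN_SHA256` is a new ARG (placeholder name). The same applies to the bitcoin hunks in amd64.dockerfile and arm64.dockerfile; the RUN instruction starts and ends outside the hunk.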
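Review bot: In the elements step, the lines now labelled "verify gpg" and "verify checksum" (`gpg --verify SHA256SUMS.asc`, then `sha256sum --ignore-missing --check SHA256SUMS.asc`) read the same file but do not cover the same bytes. If SHA256SUMS.asc is a clearsigned document, as it appears to be since no separate SHA256SUMS is fetched in the visible lines, gpg validates only the signed region, while sha256sum parses every line in the file, including text outside that region. Extracting the signed content first closes the gap: `&& gpg --output SHA256SUMS --decrypt SHA256SUMS.asc \` followed by `&& sha256sum --ignore-missing --check SHA256SUMS \`. The same pair of lines is in the elements hunks of amd64.dockerfile and arm64.dockerfile, and the RUN instruction begins and ends outside the hunk.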
@@ -109,7 +117,9 @@ RUN ARCH=`uname -m` \ && gpg --keyserver ${GPG_KEY_SERVER} --recv-keys ${CMAKE_PGP_KEY} \ && wget -qO cmake-SHA-256.txt ${CMAKE_URL_BASE}/cmake-${CMAKE_VERSION}-SHA-256.txt \ && wget -qO cmake-SHA-256.txt.asc ${CMAKE_URL_BASE}/cmake-${CMAKE_VERSION}-SHA-256.txt.asc \ + && echo "verify gpg" \ && gpg --verify cmake-SHA-256.txt.asc \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check cmake-SHA-256.txt \ && tar -xzvf ${CMAKE_TARBALL} --directory=/opt/ \ && mv /opt/${CMAKE_DIR_NAME} /opt/cmake-${CMAKE_VERSION}-linux \ diff --git a/Taskfile.yml b/Taskfile.yml index edd4a76..1adbb7c 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -6,11 +6,11 @@ tasks: - task: :hadolint gha-lint: vars: - PINACT_VERSION: v2.2.1 - ACTIONLINT_VERSION: v1.7.7 - GHALINT_VERSION: v1.3.0 + PINACT_VERSION: v3.4.4 + ACTIONLINT_VERSION: v1.7.8 + GHALINT_VERSION: v1.5.3 cmds: - - go run github.com/suzuki-shunsuke/pinact/v2/cmd/pinact@{{.PINACT_VERSION}} run + - go run github.com/suzuki-shunsuke/pinact/v3/cmd/pinact@{{.PINACT_VERSION}} run - go run github.com/rhysd/actionlint/cmd/actionlint@{{.ACTIONLINT_VERSION}} - go run github.com/suzuki-shunsuke/ghalint/cmd/ghalint@{{.GHALINT_VERSION}} run hadolint: @@ -19,6 +19,6 @@ tasks: - docker run --rm -i -v {{.TASK_DIR}}/.hadolint.yml:/.config/hadolint.yaml ghcr.io/hadolint/hadolint < arm64.dockerfile format: vars: - YAMLFMT_VERSION: v0.15.0 + YAMLFMT_VERSION: v0.20.0 cmds: - go run github.com/google/yamlfmt/cmd/yamlfmt@{{.YAMLFMT_VERSION}} diff --git a/amd64.dockerfile b/amd64.dockerfile index 658b36a..7ab20c5 100644 --- a/amd64.dockerfile +++ b/amd64.dockerfile @@ -1,4 +1,4 @@ -FROM python:3.11.3-slim-bullseye +FROM python:3.11.14-slim-bookworm # NOTE: nodedir has used by cmake-js. RUN mkdir /var/.npm \ 
@@ -48,9 +48,11 @@ RUN BITCOIN_TARBALL=bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz \ && gpg --verify SHA256SUMS.asc 2>&1 | grep "using ECDSA key" | tr -s ' ' | cut -d ' ' -f5 \ && echo "dump key" \ && gpg --verify SHA256SUMS.asc 2>&1 | grep "using " | tr -s ' ' | cut -d ' ' -f5 \ + && echo "gpg keyserver 1" \ && gpg -v --keyserver ${GPG_KEY_SERVER} --recv-keys ${BITCOIN_PGP_KEY} \ + && echo "gpg keyserver 2" \ && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys 82921A4B88FD454B7EB8CE3C796C4109063D4EAF \ - && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys C388F6961FB972A95678E327F62711DBDCA8AE56 \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check SHA256SUMS \ && tar -xzvf ${BITCOIN_TARBALL} --directory=/opt/ \ && ln -sfn /opt/bitcoin-${BITCOIN_VERSION}/bin/* /usr/bin \ @@ -60,6 +62,10 @@ RUN BITCOIN_TARBALL=bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz \ # && gpg --verify -v SHA256SUMS.asc \ # && sha256sum --ignore-missing --check SHA256SUMS \ +# 20251126: ignore import key +# && echo "gpg keyserver 3" \ +# && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys C388F6961FB972A95678E327F62711DBDCA8AE56 \ + # setup elements ARG ELEMENTS_VERSION=22.1.1 @@ -70,7 +76,9 @@ RUN ELEMENTS_TARBALL=elements-${ELEMENTS_VERSION}-x86_64-linux-gnu.tar.gz \ && wget -qO ${ELEMENTS_TARBALL} ${ELEMENTS_URL_BASE}/${ELEMENTS_TARBALL} \ && gpg -v --keyserver ${GPG_KEY_SERVER} --recv-keys ${ELEMENTS_PGP_KEY} \ && wget -qO SHA256SUMS.asc ${ELEMENTS_URL_BASE}/SHA256SUMS.asc \ + && echo "verify gpg" \ && gpg --verify SHA256SUMS.asc \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check SHA256SUMS.asc \ && tar -xzvf ${ELEMENTS_TARBALL} --directory=/opt/ \ && ln -sfn /opt/elements-${ELEMENTS_VERSION}/bin/* /usr/bin \ 
@@ -90,7 +98,9 @@ RUN CMAKE_TARBALL=cmake-${CMAKE_VERSION}-linux-x86_64.tar.gz \ && gpg --keyserver ${GPG_KEY_SERVER} --recv-keys ${CMAKE_PGP_KEY} \ && wget -qO cmake-SHA-256.txt ${CMAKE_URL_BASE}/cmake-${CMAKE_VERSION}-SHA-256.txt \ && wget -qO cmake-SHA-256.txt.asc ${CMAKE_URL_BASE}/cmake-${CMAKE_VERSION}-SHA-256.txt.asc \ + && echo "verify gpg" \ && gpg --verify cmake-SHA-256.txt.asc \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check cmake-SHA-256.txt \ && tar -xzvf ${CMAKE_TARBALL} --directory=/opt/ \ && ln -sfn /opt/cmake-${CMAKE_VERSION}-linux-x86_64/bin/* /usr/bin \ diff --git a/arm64.dockerfile b/arm64.dockerfile index f0eeffc..6681783 100644 --- a/arm64.dockerfile +++ b/arm64.dockerfile @@ -1,4 +1,4 @@ -FROM python:3.11.3-slim-bullseye +FROM python:3.11.14-slim-bookworm # NOTE: nodedir has used by cmake-js. RUN mkdir /var/.npm \ @@ -48,9 +48,11 @@ RUN BITCOIN_TARBALL=bitcoin-${BITCOIN_VERSION}-aarch64-linux-gnu.tar.gz \ && gpg --verify SHA256SUMS.asc 2>&1 | grep "using ECDSA key" | tr -s ' ' | cut -d ' ' -f5 \ && echo "dump key" \ && gpg --verify SHA256SUMS.asc 2>&1 | grep "using " | tr -s ' ' | cut -d ' ' -f5 \ + && echo "gpg keyserver 1" \ && gpg -v --keyserver ${GPG_KEY_SERVER} --recv-keys ${BITCOIN_PGP_KEY} \ + && echo "gpg keyserver 2" \ && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys 82921A4B88FD454B7EB8CE3C796C4109063D4EAF \ - && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys C388F6961FB972A95678E327F62711DBDCA8AE56 \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check SHA256SUMS \ && tar -xzvf ${BITCOIN_TARBALL} --directory=/opt/ \ && ln -sfn /opt/bitcoin-${BITCOIN_VERSION}/bin/* /usr/bin \ 
@@ -60,6 +62,10 @@ RUN BITCOIN_TARBALL=bitcoin-${BITCOIN_VERSION}-aarch64-linux-gnu.tar.gz \ # && gpg --verify -v SHA256SUMS.asc \ # && sha256sum --ignore-missing --check SHA256SUMS \ +# 20251126: ignore import key +# && echo "gpg keyserver 3" \ +# && gpg -v --keyserver hkps://keys.openpgp.org --recv-keys C388F6961FB972A95678E327F62711DBDCA8AE56 \ + # setup elements ARG ELEMENTS_VERSION=22.1.1 @@ -70,7 +76,9 @@ RUN ELEMENTS_TARBALL=elements-${ELEMENTS_VERSION}-aarch64-linux-gnu.tar.gz \ && wget -qO ${ELEMENTS_TARBALL} ${ELEMENTS_URL_BASE}/${ELEMENTS_TARBALL} \ && gpg -v --keyserver ${GPG_KEY_SERVER} --recv-keys ${ELEMENTS_PGP_KEY} \ && wget -qO SHA256SUMS.asc ${ELEMENTS_URL_BASE}/SHA256SUMS.asc \ + && echo "verify gpg" \ && gpg --verify SHA256SUMS.asc \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check SHA256SUMS.asc \ && tar -xzvf ${ELEMENTS_TARBALL} --directory=/opt/ \ && ln -sfn /opt/elements-${ELEMENTS_VERSION}/bin/* /usr/bin \ @@ -90,7 +98,9 @@ RUN CMAKE_TARBALL=cmake-${CMAKE_VERSION}-linux-aarch64.tar.gz \ && gpg --keyserver ${GPG_KEY_SERVER} --recv-keys ${CMAKE_PGP_KEY} \ && wget -qO cmake-SHA-256.txt ${CMAKE_URL_BASE}/cmake-${CMAKE_VERSION}-SHA-256.txt \ && wget -qO cmake-SHA-256.txt.asc ${CMAKE_URL_BASE}/cmake-${CMAKE_VERSION}-SHA-256.txt.asc \ + && echo "verify gpg" \ && gpg --verify cmake-SHA-256.txt.asc \ + && echo "verify checksum" \ && sha256sum --ignore-missing --check cmake-SHA-256.txt \ && tar -xzvf ${CMAKE_TARBALL} --directory=/opt/ \ && ln -sfn /opt/cmake-${CMAKE_VERSION}-linux-aarch64/bin/* /usr/bin \