@bloodearnest bloodearnest commented Jan 14, 2026

Works by injecting the env var UBUNTU_PRO_TOKEN as a secret into the docker build, and updating the docker-apt-install helper script to use it to add the ESM repos if we are on 20.04, and then removing it.

This should give us security updates on 20.04 images until 2030. This gives us more time to try to figure out our actual image deprecation policy.

We could easily extend it to 22.04 if we want, once it hits EOL in 2027.

It uses the recommended way to use Pro/ESM in docker containers, and as far as I can tell, this is a valid use of the free Ubuntu Pro tier.

The token we are using is currently tied to my Ubuntu SSO account, and is stored as an org secret, and shared only with the docker repos.

If we land this, then with some small updates to the r and python build process, the images for python:v1 and r:v1 can also install their packages from ESM repos too.

@bloodearnest bloodearnest marked this pull request as draft January 14, 2026 17:21

@evansd evansd left a comment

This looks like a nice solution to me. There's not masses of extra complexity and I love being able to punt difficult questions into what feels right now like the very distant future!

Add shellcheck and actionlint linting, and fix related errors
This ensures that an UBUNTU_PRO_TOKEN env var is set, and writes it to
a file in .secrets, which is exposed to the builder via docker compose
secret support.

We need to use a file rather than an env var to keep the token a secret, as
docker build env vars get stored in the layer metadata.
It will now optionally enable the Ubuntu Pro ESM package archives, if a)
the secret is present and b) we are on 20.04, and then clean up after
packages are installed.

Embedding it in this help script serves two purposes:

a) it ensures that it sets up and tears down ubuntu pro within one step,
ensuring the pro secret is removed.

b) it can be reused by downstream docker images to enable installing
from ESM repos for other 20.04 images (e.g. python:v1, r:v1)

We also expose this secret in the Dockerfile when installing packages

This enables ESM archives for 20.04 images.
Check we have packages from the ESM archives, and that we have not left the
token in the image.
@bloodearnest bloodearnest marked this pull request as ready for review January 16, 2026 16:11
@bloodearnest bloodearnest merged commit 82b7628 into main Jan 16, 2026
3 checks passed
@bloodearnest bloodearnest deleted the ubuntu-pro branch January 16, 2026 16:12
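
The behaviour the commit messages above describe (enable ESM only when the secret is present and the image is 20.04, then tear down within the same step), as an added sketch that is not the project's docker-apt-install script. The secret path, the function names and the `DRY_RUN` switch are assumptions made for illustration; `pro attach` and `pro detach` are the Ubuntu Pro client commands, assumed here to come from the `ubuntu-advantage-tools` package.

```shell
#!/bin/sh
# Added sketch, not the project's docker-apt-install helper.
# Assumed: the build mounts the token file at SECRET_FILE, e.g. via
# RUN --mount=type=secret,id=ubuntu_pro_token; DRY_RUN=1 prints the plan.
SECRET_FILE="${SECRET_FILE:-/run/secrets/ubuntu_pro_token}"
OS_RELEASE="${OS_RELEASE:-/etc/os-release}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# True only if a) a non-empty secret is mounted and b) this is Ubuntu 20.04.
should_enable_esm() {
    [ -s "$SECRET_FILE" ] || return 1
    release=$(. "$OS_RELEASE" && printf '%s:%s' "$ID" "$VERSION_ID") || return 1
    [ "$release" = "ubuntu:20.04" ]
}

# The token is read from the mounted file at attach time, so it is never an
# ENV/ARG value and never lands in layer metadata or in the printed plan.
attach_pro() {
    run apt-get install -y --no-install-recommends \
        ubuntu-advantage-tools ca-certificates || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "pro attach <token from $SECRET_FILE>"
    else
        pro attach "$(cat "$SECRET_FILE")"
    fi
}

# Detach and purge the client so no Pro credentials survive in the layer.
detach_pro() {
    run pro detach --assume-yes
    run apt-get purge -y --auto-remove ubuntu-advantage-tools
}

# Set up, install and tear down in one invocation (one RUN step). Teardown
# runs even when an earlier command fails; a failure status is returned.
install_packages() {
    status=0; esm=0
    run apt-get update || status=$?
    if [ "$status" -eq 0 ] && should_enable_esm; then
        esm=1
        attach_pro || status=$?
    fi
    [ "$status" -ne 0 ] || run apt-get install -y --no-install-recommends "$@" || status=$?
    [ "$esm" -eq 0 ] || detach_pro || status=$?
    return "$status"
}
```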