oci-images/Makefile

BITBUCKET_REPO_SLUG := oci-images
BITBUCKET_WORKSPACE := byteb4rb1e
DOCKER_REGISTRY := docker.io
DOCKER_REPO_SLUG := byteb4rb1e
GPG_SIGNER_FINGERPRINT := "91CD826E74B0174D181903DEF97C70941CD8C4EF"
TAG_NAME_PREFIX := $(DOCKER_REGISTRY)/$(DOCKER_REPO_SLUG)/
ARCHIVE_PATH_PREFIX := dist/$(TAG_NAME_PREFIX)

VERBOSE := 0


# macro for uploading a docker image dump
#
# this is the fallback Docker registry infrastructure. In addition to being
# published to a Docker registry, OCI images are publicly stored as Bitbucket
# Cloud Download Artifact HTTP documents.
define bitbucket-upload
	curl \
	    --request POST \
	    --header "Authorization: Bearer $$BITBUCKET_ACCESS_TOKEN" \
	    --form "files=@$(1);filename=$$(basename "$(1)")" \
	    --fail \
	    https://api.bitbucket.org/2.0/repositories/$(BITBUCKET_WORKSPACE)/$(BITBUCKET_REPO_SLUG)/downloads
endef


# macro for uploading a docker image dump
#
# this is the fallback Docker registry infrastructure. In addition to being
# published to a Docker registry, OCI images are publicly stored as Bitbucket
# Cloud Download Artifact HTTP documents.
define bitbucket-upload-image-dump
	$(call bitbucket-upload,$(ARCHIVE_PATH_PREFIX)$@.$$(git rev-parse --short HEAD).tar.gz)
endef


# macro for building an image by targeting a Docker image stage
#
# I expect variant Docker images to use staged image specifications, that share
# a base image.  In the case of the ``build`` docker image, which provides build
# environments, there are versioned runtime environment variants, e.g.
# ``python39``, ``node19``, that all share a ``build`` base, resulting in full
# image tag names such as ``build-python39`` and ``build-node19``.
define build-image-stage
	export rev_id=$$(git rev-parse --short HEAD); \
	docker build \
		-f src/$$(echo "$1" | cut -d '-' -f 1)/Dockerfile \
		-t $(TAG_NAME_PREFIX)$@ \
		-t $(TAG_NAME_PREFIX)$@:$$rev_id \
		--target "$$(echo "$@" | sed 's|^$(1)||')" \
		--build-arg VERBOSE=$(VERBOSE) \
		src/$$(echo "$1" | cut -d '-' -f 1)
endef


BUILD_NODE_TARGETS := $(addprefix build-node, 19 20 21 22 23)
BUILD_PYTHON_TARGETS := $(addprefix build-python3, 9 10 11 12 13)
BUILD_OPENJDK_TARGETS := $(addprefix build-openjdk, 21)
BUILD_TRIVY_TARGETS := $(addprefix build-trivy, 063)
PROXY_SQUIDCACHE_TARGETS := $(addprefix proxy-squidcache, 613)
ATLASSIAN_BITBUCKETRUNNER_TARGETS := $(addprefix atlassian-bitbucketrunner, 323)

_none:
	echo "Doing nothing."
_clean:
	rm -rvf configure~ autom4te.cache/ config.log config.status
_all-ubuntu: _all-build-ubuntu
_all-windowsserver: _all-build-windowsserver _all-atlassian-windowsserver
_all-build-ubuntu: build-ubuntu2504 _all-build-python-ubuntu _all-build-node-ubuntu _all-build-trivy-ubuntu
_all-build-windowsserver: _all-build-openjdk-windowsserver
_all-atlassian-windowsserver: _all-atlassian-bitbucketrunner-windowsserver
_all-proxy-ubuntu: _all-atlassian-bitbucketrunner-windowsserver
_all-build-python-ubuntu: $(addsuffix -ubuntu, $(BUILD_PYTHON_TARGETS))
_all-build-node-ubuntu: $(addsuffix -ubuntu, $(BUILD_NODE_TARGETS))
_all-build-openjdk-windowsserver: $(addsuffix -windowsserver, $(BUILD_OPENJDK_TARGETS))
_all-build-trivy-ubuntu: $(addsuffix -ubuntu, $(BUILD_TRIVY_TARGETS))
_all-atlassian-bitbucketrunner-windowsserver: $(addsuffix -windowsserver, $(ATLASSIAN_BITBUCKETRUNNER_TARGETS))

$(addsuffix -windowsserver, $(ATLASSIAN_BITBUCKETRUNNER_TARGETS)): build-openjdk21-windowsserver


build-ubuntu2504 \
build-windowsserver build-windowsserver2022 \
$(addsuffix -windowsserver, $(BUILD_OPENJDK_TARGETS)) \
$(addsuffix -ubuntu, $(BUILD_NODE_TARGETS)) \
$(addsuffix -ubuntu, $(BUILD_PYTHON_TARGETS)) \
$(addsuffix -ubuntu, $(BUILD_TRIVY_TARGETS)) \
$(addsuffix -ubuntu, $(PROXY_SQUIDCACHE_TARGETS)) \
$(addsuffix -windowsserver, $(ATLASSIAN_BITBUCKETRUNNER_TARGETS)):
	$(call build-image-stage,$(word 1,$(subst -, ,build-ubuntu))-)
ifdef SCAN
	mkdir -p "test-reports/$(TAG_NAME_PREFIX)"
	trivy image \
		--format json \
		--output test-reports/$(TAG_NAME_PREFIX)$$(git rev-parse --short HEAD)-$@.trivy.json \
		$(TAG_NAME_PREFIX)$@
ifdef SIGN_SCAN
	gpg --detach-sign --local-user $(GPG_SIGNER_FINGERPRINT) -v -a --yes test-reports/$(TAG_NAME_PREFIX)$$(git rev-parse --short HEAD)-$@.trivy.json
endif
endif
ifdef ARCHIVE
	export archive_path="$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.tar"; \
	export manifest_path="$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.manifest.json"; \
	mkdir -p "$$(dirname $$archive_path)" && \
	docker save -o "$$archive_path" "$(DOCKER_REGISTRY)/$(DOCKER_REPO_SLUG)/$@" && \
	tar -xf "$$archive_path" manifest.json --to-stdout > $$manifest_path; \
	gzip -vf "$$archive_path"
ifdef SIGN_ARCHIVE
	export archive_path="$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.tar.gz"; \
	export manifest_path="$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.manifest.json"; \
	gpg --detach-sign --local-user $(GPG_SIGNER_FINGERPRINT) -v -a --yes "$$manifest_path"; \
	gpg --detach-sign --local-user $(GPG_SIGNER_FINGERPRINT) -v -a --yes "$$archive_path";
endif
ifdef PUBLISH_ARCHIVE
ifndef BITBUCKET_ACCESS_TOKEN
	$(error BITBUCKET_ACCESS_TOKEN not set)
endif
	$(call bitbucket-upload,$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.tar.gz)
	$(call bitbucket-upload,$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.manifest.json)
ifdef SIGN_ARCHIVE
	$(call bitbucket-upload,$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.tar.gz.asc)
	$(call bitbucket-upload,$(ARCHIVE_PATH_PREFIX)$$(git rev-parse --short HEAD)-$@.manifest.json.asc)
endif
ifdef SCAN
	$(call bitbucket-upload,test-reports/$(TAG_NAME_PREFIX)$$(git rev-parse --short HEAD)-$@.trivy.json)
ifdef SIGN_SCAN
	$(call bitbucket-upload,test-reports/$(TAG_NAME_PREFIX)$$(git rev-parse --short HEAD)-$@.trivy.json.asc)
endif # SIGN_SCAN
endif # SCAN
endif # PUBLISH_ARCHIVE
endif # ARCHIVE
ifdef PUBLISH
	docker push $(DOCKER_REGISTRY)/$(DOCKER_REPO_SLUG)/$@
	docker push $(DOCKER_REGISTRY)/$(DOCKER_REPO_SLUG)/$@:$$(git rev-parse --short HEAD)
endif