From 5fa1eb19c3898a6abe33c15044bee9067c035263 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Thu, 13 Oct 2022 13:28:01 +0200
Subject: [PATCH] feat: latest agent and Alpine, add detect-secrets
---
Dockerfile | 50 +++++++++++++++++++++++++-------------------
conf/registries.conf | 2 --
2 files changed, 28 insertions(+), 24 deletions(-)
delete mode 100644 conf/registries.conf
diff --git a/Dockerfile b/Dockerfile
index 0a87c4e..630e6ec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,47 +1,53 @@
 # https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile
+# https://hub.docker.com/r/jenkins/inbound-agent/tags
-ARG BASE="4.13.2-1-alpine-jdk17-preview"
+ARG BASE="alpine-jdk17"
 FROM jenkins/inbound-agent:${BASE}
-ARG USER=jenkins
+ARG BUILDUSER=jenkins
 USER root
-RUN apk upgrade -U --available --no-cache && apk add --no-cache \
- tini \
- make \
- yq \
- strace \
- podman \
- buildah \
- aws-cli
-RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
- apk upgrade -U --available --no-cache && apk add --no-cache \
- trivy
+RUN echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk upgrade -U --available --no-cache && \
+ apk add --no-cache \
+ tini \
+ make \
+ yq \
+ strace \
+ podman \
+ buildah \
+ py3-pip \
+ aws-cli \
+ trivy@edge-testing
 # Trivy html template
-ADD --chown=$USER:$USER html.tpl /home/$USER
+ADD --chown=$BUILDUSER:$BUILDUSER html.tpl /home/$BUILDUSER
 # Rootless podman
-RUN mkdir -p /home/$USER/.config/containers
+RUN mkdir -p /home/$BUILDUSER/.config/containers
 ADD entrypoint.sh /usr/local/bin/entrypoint.sh
-ADD --chown=$USER:$USER conf/containers.conf conf/registries.conf conf/storage.conf /home/$USER/.config/containers
+# conf/registries.conf will be mounted RO at runtime to inherit worker settings incl. 
caching proxies
+ADD --chown=$BUILDUSER:$BUILDUSER conf/containers.conf conf/storage.conf /home/$BUILDUSER/.config/containers
-RUN echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subuid && \
- echo -e "$USER:1:999\n$USER:1001:64535" > /etc/subgid && \
+RUN echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \
+ echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \
 cd /usr/bin && ln -s podman docker && \
- chown $USER:$USER -R /home/$USER
+ chown $BUILDUSER:$BUILDUSER -R /home/$BUILDUSER
 # Patch jenkins-agent to launch podman service
 RUN sed -i -e 's/exec \$JAVA_BIN/podman system service -t0\&\n exec \$JAVA_BIN/' /usr/local/bin/jenkins-agent
-ENV XDG_RUNTIME_DIR=/home/$USER/agent/xdg-run
+ENV XDG_RUNTIME_DIR=/home/$BUILDUSER/agent/xdg-run
 ENV BUILDAH_ISOLATION=chroot
 ENV _CONTAINERS_USERNS_CONFIGURED=""
 ENV TRIVY_TEMPLATE="@/home/jenkins/html.tpl"
-USER $USER
+USER $BUILDUSER
+
+# Install detect-secrets
+ENV PATH=$PATH:/home/${BUILDUSER}/.local/bin
+RUN pip install detect-secrets --user
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/entrypoint.sh"]
diff --git a/conf/registries.conf b/conf/registries.conf
deleted file mode 100644
index 004ec42..0000000
--- a/conf/registries.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# Note that changing the order here may break lazy devs Dockerfile
-unqualified-search-registries = [ "gcr.io", "quay.io", "docker.io", "registry.fedoraproject.org"]
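Review bot: The new `RUN pip install detect-secrets --user` pins no version and leaves pip's download cache in the layer (hadolint DL3013/DL3042), so which detect-secrets the agent ships is whatever PyPI serves at build time and the image is not reproducible; pin it and drop the cache, e.g. `RUN pip install --no-cache-dir --user detect-secrets==<PINNED_VERSION>`. The same drift applies to `ARG BASE="alpine-jdk17"`, which replaces a fixed agent tag with a floating one, and to `trivy@edge-testing`, which pulls an unpinned package from the Alpine edge/testing repository into a stable-based image; at minimum pin both (a digest on the base, `trivy@edge-testing=<PINNED_VERSION>` for the package) so a CI rebuild cannot silently change the tooling that runs inside the agent. The `ADD --chown=…` lines touched here copy plain local files (html.tpl, the conf files) and should be `COPY --chown=…`, since `ADD`'s auto-extraction behaviour is not wanted for them (DL3020).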