From 58e25ebd4d4c85a61f62ff0e1559f0c4d0ce829f Mon Sep 17 00:00:00 2001
From: Fadhli Azhari
Date: Thu, 30 Apr 2026 09:52:04 +0800
Subject: [PATCH] build: Update libraries to latest version
---
 .gitea/workflows/build-and-push.yaml | 2 +-
 CLAUDE.md | 4 +-
 ci/frontend-builder/Dockerfile | 98 ++++++++++++++++------
 ci/frontend-builder/README.md | 14 ++--
 ci/java-builder/Dockerfile | 46 ++++++++-----
 ci/java-builder/README.md | 26 ++++----
 ci/sonar-runner/Dockerfile | 8 +--
 ci/sonar-runner/README.md | 10 +--
 8 files changed, 117 insertions(+), 91 deletions(-)
diff --git a/.gitea/workflows/build-and-push.yaml b/.gitea/workflows/build-and-push.yaml
index bf3e48c..a0f6d81 100644
--- a/.gitea/workflows/build-and-push.yaml
+++ b/.gitea/workflows/build-and-push.yaml
@@ -10,7 +10,7 @@ on:
 workflow_dispatch:
 env:
- HARBOR_REGISTRY: 192.168.1.72
+ HARBOR_REGISTRY: kcr.kollect.biz
 HARBOR_PROJECT: kollect-tools
 jobs:
diff --git a/CLAUDE.md b/CLAUDE.md
index f331066..ddec443 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -13,7 +13,7 @@ This repo holds CI Docker images for KollectAI infrastructure. Each subdirectory
 ## Registries
-- **Harbor**: `192.168.1.72/kollect-tools/` — production image store (project: `kollect-tools`)
+- **Harbor**: `kcr.kollect.biz/kollect-tools/` — production image store (project: `kollect-tools`)
 - Images are tagged three ways: `latest`, short commit SHA, and `YYYYMMDD` date
 ## CI Workflow
@@ -34,5 +34,5 @@ Required Gitea secrets: `HARBOR_USERNAME`, `HARBOR_PASSWORD`
 ## Building Locally
 ```bash
-docker build -t 192.168.1.72/kollect-tools/:latest ci//
+docker build -t kcr.kollect.biz/kollect-tools/:latest ci//
 ```
diff --git a/ci/frontend-builder/Dockerfile b/ci/frontend-builder/Dockerfile
index 34dcf35..7fdc2c0 100644
--- a/ci/frontend-builder/Dockerfile
+++ b/ci/frontend-builder/Dockerfile
@@ -7,33 +7,20 @@
 # (chromium browser binary + system deps), ORAS CLI, common build tools.
 #
 # Build:
-# docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
+# docker build -t kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
 #
 # Usage in CI:
 # container:
-# image: 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+# image: kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest
+#
+# RUN order is cache-optimised. Playwright (~170MB chromium download) is
+# the heaviest layer, so it sits high — right after pnpm — to protect it
+# from being invalidated by bumps to ORAS / buf / protoc-gen-es. The
+# cheap, low-volatility layers trail behind.
 ARG NODE_MAJOR=24
 FROM node:${NODE_MAJOR}-bookworm-slim
-ARG PNPM_VERSION=10.15.0
-ARG BUF_VERSION=1.55.0
-# Pin protoc-gen-es to a known-good version. The KollectAI-ETL CI
-# workflow doesn't actually use this global install (it does
-# `pnpm install` from proto/ to pick up the lockfile-pinned version)
-# but we still bake it for ad-hoc use inside the container.
-ARG PROTOC_GEN_ES_VERSION=2.12.0
-ARG ORAS_VERSION=1.2.2
-# Pin Playwright in lockstep with frontend/svelte/package.json's
-# @playwright/test version. If the project uses a different patch level,
-# Playwright re-downloads the right browser at runtime; matching here
-# means CI hits the prebaked browser cache and skips the download.
-ARG PLAYWRIGHT_VERSION=1.59.1
-
-# Install Playwright browsers under a known global path so they survive
-# across containers and so `pnpm exec playwright install` reuses them.
-ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
-
 # ─────────────────────────────────────────────────────────────────────
 # System dependencies
 #
@@ -76,7 +63,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # ─────────────────────────────────────────────────────────────────────
 # pnpm via corepack (ships with Node.js)
+#
+# Needed by Playwright (`pnpm dlx`) and protoc-gen-es (`pnpm add -g`),
+# so it must land before both.
 # ─────────────────────────────────────────────────────────────────────
+ARG PNPM_VERSION=11.0.1
+
 RUN corepack enable \
 && corepack prepare "pnpm@${PNPM_VERSION}" --activate
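Review bot: The new `ARG PNPM_VERSION=11.0.1` pins a version, but `corepack prepare "pnpm@${PNPM_VERSION}" --activate` still trusts whatever the registry serves for that version at build time; corepack's descriptor syntax carries an integrity hash in `packageManager` (`pnpm@11.0.1+sha512.<hash>`), and if `corepack prepare` accepts the same form here it would pin the tarball as well as the version — worth checking. A second point is that this layer relies on corepack being bundled with the base image, and to my knowledge later Node majors no longer ship it, so a `NODE_MAJOR` bump alone would break this step; a comment such as `# corepack is bundled with Node 24; newer majors drop it — install pnpm explicitly if NODE_MAJOR is bumped` next to the ARG would save the next person a failed build. The same layer is added at the bottom of ci/java-builder/Dockerfile (hunk `@@ -85,12 +85,22 @@`) and the same applies there.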
@@ -87,30 +79,15 @@ RUN corepack enable \
 ENV PNPM_HOME=/root/.local/share/pnpm
 ENV PATH="${PNPM_HOME}:${PATH}"
-# ─────────────────────────────────────────────────────────────────────
-# buf CLI - single static binary, used for `buf lint` and `buf generate`
-# ─────────────────────────────────────────────────────────────────────
-RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
- -o /usr/local/bin/buf \
- && chmod +x /usr/local/bin/buf
-
-# ─────────────────────────────────────────────────────────────────────
-# protoc-gen-es - TypeScript codegen plugin for buf 'local:' references.
-# Installed via pnpm into $PNPM_HOME so the binary lands on PATH; buf v2
-# resolves `local: protoc-gen-es` via PATH lookup.
-# ─────────────────────────────────────────────────────────────────────
-RUN pnpm add -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
-
-# ─────────────────────────────────────────────────────────────────────
-# ORAS CLI - for uploading artifacts (test reports, audit logs) to Harbor
-# ─────────────────────────────────────────────────────────────────────
-RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
- | tar -xz -C /usr/local/bin oras
-
 # ─────────────────────────────────────────────────────────────────────
 # Playwright + chromium browser binary
 #
-# Browsers go to /ms-playwright (PLAYWRIGHT_BROWSERS_PATH set above) so
+# Pin Playwright in lockstep with frontend/svelte/package.json's
+# @playwright/test version. If the project uses a different patch level,
+# Playwright re-downloads the right browser at runtime; matching here
+# means CI hits the prebaked browser cache and skips the download.
+#
+# Browsers go to /ms-playwright (PLAYWRIGHT_BROWSERS_PATH set below) so
 # CI's `pnpm exec playwright install chromium` finds the prebaked binary
 # and skips the ~170MB download.
System libs are already installed at
 # the top of the file, so we use bare `playwright install chromium`
@@ -120,9 +97,48 @@ RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_V
 # executes the install command, and cleans up. The browser binary
 # itself persists at PLAYWRIGHT_BROWSERS_PATH, which is the only piece
 # we actually need at runtime.
+#
+# Placed high (right after pnpm) so a bump to any cheap downstream pin
+# (oras, buf, protoc-gen-es) doesn't force a chromium re-download.
 # ─────────────────────────────────────────────────────────────────────
+ARG PLAYWRIGHT_VERSION=1.59.1
+ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
+
 RUN pnpm dlx "playwright@${PLAYWRIGHT_VERSION}" install chromium
+# ─────────────────────────────────────────────────────────────────────
+# ORAS CLI - for uploading artifacts (test reports, audit logs) to Harbor.
+# Low-volatility static binary; ahead of buf/protoc-gen-es so a bump
+# here (rare) doesn't cascade into them.
+# ─────────────────────────────────────────────────────────────────────
+ARG ORAS_VERSION=1.3.2
+
+RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
+ | tar -xz -C /usr/local/bin oras
+
+# ─────────────────────────────────────────────────────────────────────
+# buf CLI - single static binary, used for `buf lint` and `buf generate`
+# ─────────────────────────────────────────────────────────────────────
+ARG BUF_VERSION=1.69.0
+
+RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
+ -o /usr/local/bin/buf \
+ && chmod +x /usr/local/bin/buf
+
+# ─────────────────────────────────────────────────────────────────────
+# protoc-gen-es - TypeScript codegen plugin for buf 'local:' references.
+# Installed via pnpm into $PNPM_HOME so the binary lands on PATH; buf v2
+# resolves `local: protoc-gen-es` via PATH lookup.
+#
+# Last because the KollectAI-ETL CI workflow doesn't actually use this
+# global install (it does `pnpm install` from proto/ to pick up the
+# lockfile-pinned version) — we only bake it for ad-hoc use inside the
+# container, so its volatility doesn't matter for downstream cache.
+# ─────────────────────────────────────────────────────────────────────
+ARG PROTOC_GEN_ES_VERSION=2.12.0
+
+RUN pnpm add -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
+
 WORKDIR /workspace
 # Verify installation. Font count guards against silently shipping an image
diff --git a/ci/frontend-builder/README.md b/ci/frontend-builder/README.md
index 37ecb95..d61ca73 100644
--- a/ci/frontend-builder/README.md
+++ b/ci/frontend-builder/README.md
@@ -5,7 +5,7 @@ Pre-baked build environment for KollectAI-ETL frontend (SvelteKit) CI jobs and p
 ## What's included
 - Node.js 24 (`node:24-bookworm-slim`)
-- pnpm 10 (via corepack)
+- pnpm 11 (via corepack)
 - [buf](https://buf.build) CLI — for `buf lint` and `buf generate`
 - [`@bufbuild/protoc-gen-es`](https://www.npmjs.com/package/@bufbuild/protoc-gen-es) — installed globally so `buf` v2 `local: protoc-gen-es` resolves via PATH (no BSR remote-plugin calls)
 - Playwright chromium runtime libraries pre-installed (`libnss3`, `libgbm1`, `libasound2`, etc.)
@@ -16,8 +16,8 @@ Pre-baked build environment for KollectAI-ETL frontend (SvelteKit) CI jobs and p
 ## Build
 ```bash
-docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
-docker push 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+docker build -t kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
+docker push kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest
 ```
 ### Build args
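Review bot: The ORAS and buf binaries added in this hunk (`RUN curl -fsSL ... | tar -xz -C /usr/local/bin oras` and `RUN curl -fsSL ... -o /usr/local/bin/buf`) are fetched from GitHub releases by version only, with no checksum or signature verification, so the image's trust in these tools rests entirely on the download path at build time; the same applies to the unchanged `curl` lines that the `ORAS_VERSION`/`BUF_VERSION` bumps in ci/java-builder/Dockerfile (hunks `@@ -65,17 +71,11 @@` and `@@ -85,12 +85,22 @@`) now re-point. Both are pinned to a fixed release, so the expected SHA-256 can sit next to the version ARG and be checked with `sha256sum -c` before the file is installed, which also makes a truncated or substituted download fail the build instead of yielding a bad binary. The `curl | tar` pipe additionally runs under the default `/bin/sh -c` without `pipefail`, so either a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` earlier in the file or the download-to-file form below (which needs no pipe) is worth adding. Hardcoding `linux_amd64`/`x86_64` is fine for this CI host but deserves a one-line comment, or `TARGETARCH` if the image is ever built for another architecture.

```dockerfile
ARG ORAS_VERSION=1.3.2
# sha256 of oras_${ORAS_VERSION}_linux_amd64.tar.gz, taken from the upstream release's checksum file
ARG ORAS_SHA256=<sha256-of-oras-tarball-from-upstream-checksums>

RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
      -o /tmp/oras.tar.gz \
    && echo "${ORAS_SHA256}  /tmp/oras.tar.gz" | sha256sum -c - \
    && tar -xzf /tmp/oras.tar.gz -C /usr/local/bin oras \
    && rm /tmp/oras.tar.gz

# … unchanged: buf section header comment …
ARG BUF_VERSION=1.69.0
# sha256 of buf-Linux-x86_64 for this release, taken from the upstream release's checksum file
ARG BUF_SHA256=<sha256-of-buf-linux-x86_64-from-upstream-checksums>

RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
      -o /usr/local/bin/buf \
    && echo "${BUF_SHA256}  /usr/local/bin/buf" | sha256sum -c - \
    && chmod +x /usr/local/bin/buf
```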
@@ -25,11 +25,11 @@ docker push 192.168.1.72/kollect-tools/ci/frontend-builder:latest
 | Arg | Default | Description |
 |-----|---------|-------------|
 | `NODE_MAJOR` | `24` | Node.js major version (matches Node base image) |
-| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) |
-| `BUF_VERSION` | `1.55.0` | buf CLI version |
+| `PNPM_VERSION` | `11.0.1` | pnpm version (corepack-activated) |
+| `BUF_VERSION` | `1.69.0` | buf CLI version |
 | `PROTOC_GEN_ES_VERSION` | `2.12.0` | `@bufbuild/protoc-gen-es` version (ad-hoc use only — KollectAI-ETL CI uses the version pinned in `proto/pnpm-lock.yaml`) |
 | `PLAYWRIGHT_VERSION` | `1.59.1` | Playwright version. Must match `frontend/svelte/package.json` `@playwright/test`; mismatch causes runtime browser re-download |
-| `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
+| `ORAS_VERSION` | `1.3.2` | ORAS CLI version |
 ## Usage in CI
@@ -38,7 +38,7 @@ jobs:
 test-unit:
 runs-on: ubuntu-latest
 container:
- image: 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+ image: kcr.kollect.biz/kollect-tools/ci/frontend-builder:latest
 steps:
 - uses: actions/checkout@v6
 - run: pnpm install --frozen-lockfile
diff --git a/ci/java-builder/Dockerfile b/ci/java-builder/Dockerfile
index 2294fbb..74508ae 100644
--- a/ci/java-builder/Dockerfile
+++ b/ci/java-builder/Dockerfile
@@ -1,24 +1,27 @@
 # KollectAI CI — Java Builder Image
 #
 # Pre-baked build environment for backend + plugin CI jobs.
-# Contains: Java 21, Maven 3.9.9, Node.js + pnpm, buf CLI, OWASP NVD
+# Contains: Java 25, Maven 3.9.x, Node.js 24 + pnpm 11, buf CLI, OWASP NVD
 # database, ORAS CLI, common dependencies.
 #
 # Build:
-# docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
+# docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
 #
 # Usage in CI:
 # container:
-# image: 192.168.1.72/kollect-tools/ci/java-builder:latest
+# image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
+#
+# RUN order is cache-optimised: most stable / most expensive layers come
+# first, most volatile / cheapest layers come last. Bumping a version
+# only invalidates that layer and everything below it, so volatile pins
+# (pnpm, buf) live near the bottom to avoid forcing OWASP NVD or Maven
+# downloads to re-run.
 ARG JAVA_VERSION=25
 FROM eclipse-temurin:${JAVA_VERSION}-jdk-jammy
-ARG MAVEN_VERSION=3.9.14
-ARG OWASP_DC_VERSION=12.1.1
-ARG NVD_API_KEY=""
 # ─────────────────────────────────────────────────────────────────────
-# System dependencies
+# System dependencies + Node.js
 # ─────────────────────────────────────────────────────────────────────
 ARG NODE_MAJOR=24
@@ -40,6 +43,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # ─────────────────────────────────────────────────────────────────────
 # Maven
 # ─────────────────────────────────────────────────────────────────────
+ARG MAVEN_VERSION=3.9.15
 ENV MAVEN_HOME=/opt/maven
 ENV PATH="${MAVEN_HOME}/bin:${PATH}"
@@ -56,6 +60,8 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 #
 # Rebuild this image weekly to keep the NVD database fresh.
 # ─────────────────────────────────────────────────────────────────────
+ARG OWASP_DC_VERSION=12.2.1
+ARG NVD_API_KEY=""
 ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
 RUN mkdir -p "${OWASP_DATA_DIR}" \
@@ -65,17 +71,11 @@ RUN mkdir -p "${OWASP_DATA_DIR}" \
 -q || true
 # ─────────────────────────────────────────────────────────────────────
-# pnpm — via corepack (ships with Node.js)
+# ORAS CLI — for uploading artifacts to Harbor.
+# Low-volatility static binary; placed before buf/pnpm so a bump here
+# (rare) doesn't invalidate them.
 # ─────────────────────────────────────────────────────────────────────
-ARG PNPM_VERSION=10.15.0
-
-RUN corepack enable \
- && corepack prepare "pnpm@${PNPM_VERSION}" --activate
-
-# ─────────────────────────────────────────────────────────────────────
-# ORAS CLI — for uploading artifacts to Harbor
-# ─────────────────────────────────────────────────────────────────────
-ARG ORAS_VERSION=1.2.2
+ARG ORAS_VERSION=1.3.2
 RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
 | tar -xz -C /usr/local/bin oras
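Review bot: `+ARG NVD_API_KEY=""` is now declared directly above the OWASP update step, but a build-arg value is recorded in image metadata (`docker history` shows the `ARG` values for every layer that uses them), so a key passed with `--build-arg NVD_API_KEY=…` ends up inside the pushed image; BuildKit's build checks flag exactly this (SecretsUsedInArgOrEnv). The safer form is a secret mount on the consuming step, `RUN --mount=type=secret,id=nvd_api_key …` with the key read from `/run/secrets/nvd_api_key` inside the command instead of expanding `${NVD_API_KEY}`, and the build invoked with `docker build --secret id=nvd_api_key,src=<path-to-key-file>`. The `RUN mkdir -p "${OWASP_DATA_DIR}" \` that consumes the key continues outside this hunk, so I can't see how the value is passed on. Worth noting too that the `-q || true` at the start of the next hunk keeps a failed NVD update from failing the build, so a missing or rejected key yields a silently stale database — presumably intended, but a comment stating that, or a log line on failure, would make it visible.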
@@ -85,12 +85,22 @@ RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_V
 # parity. Backend Java codegen lives in the Maven build (protobuf-maven-
 # plugin), not buf, so no protoc plugins are needed in this image.
 # ─────────────────────────────────────────────────────────────────────
-ARG BUF_VERSION=1.55.0
+ARG BUF_VERSION=1.69.0
 RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
 -o /usr/local/bin/buf \
 && chmod +x /usr/local/bin/buf
+# ─────────────────────────────────────────────────────────────────────
+# pnpm — via corepack (ships with Node.js).
+# Last because it's the most volatile pin and corepack prepare is the
+# cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
+# ─────────────────────────────────────────────────────────────────────
+ARG PNPM_VERSION=11.0.1
+
+RUN corepack enable \
+ && corepack prepare "pnpm@${PNPM_VERSION}" --activate
+
 WORKDIR /workspace
 # Verify installation
diff --git a/ci/java-builder/README.md b/ci/java-builder/README.md
index 43630a4..7894b98 100644
--- a/ci/java-builder/README.md
+++ b/ci/java-builder/README.md
@@ -4,12 +4,12 @@ Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs.
 ## What's included
-- Java 21 (Eclipse Temurin)
-- Maven 3.9.9
+- Java 25 (Eclipse Temurin)
+- Maven 3.9.15
 - Pre-cached Maven dependencies (Spring Boot, Flink, MyBatis, etc.)
 - Pre-installed `plugin-api` in local Maven repo
 - OWASP NVD database snapshot
-- Node.js + pnpm (via corepack)
+- Node.js 24 + pnpm 11 (via corepack)
 - [buf](https://buf.build) CLI — for `buf lint` parity with pre-push
 - ORAS CLI (Harbor artifact uploads)
 - git, jq, curl
@@ -22,8 +22,8 @@ Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs.
 ## Build
 ```bash
-docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
-docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
+docker build -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
+docker push kcr.kollect.biz/kollect-tools/ci/java-builder:latest
 ```
 ### Build args
@@ -31,12 +31,12 @@ docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
 | Arg | Default | Description |
 |-----|---------|-------------|
 | `JAVA_VERSION` | `25` | Eclipse Temurin JDK version |
-| `MAVEN_VERSION` | `3.9.14` | Maven version |
-| `OWASP_DC_VERSION` | `12.1.1` | OWASP Dependency-Check version |
+| `MAVEN_VERSION` | `3.9.15` | Maven version |
+| `OWASP_DC_VERSION` | `12.2.1` | OWASP Dependency-Check version |
 | `NODE_MAJOR` | `24` | Node.js major version |
-| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) |
-| `BUF_VERSION` | `1.55.0` | buf CLI version |
-| `ORAS_VERSION` | `1.2.2` | ORAS CLI version |
+| `PNPM_VERSION` | `11.0.1` | pnpm version (corepack-activated) |
+| `BUF_VERSION` | `1.69.0` | buf CLI version |
+| `ORAS_VERSION` | `1.3.2` | ORAS CLI version |
 | `NVD_API_KEY` | (empty) | Optional NVD API key — speeds up the OWASP database update during image build |
 ## Usage in CI
@@ -46,7 +46,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 container:
- image: 192.168.1.72/kollect-tools/ci/java-builder:latest
+ image: kcr.kollect.biz/kollect-tools/ci/java-builder:latest
 steps:
 - uses: actions/checkout@v6
 - run: ./mvnw -f backend/etl/pom.xml test -Dgroups=unit -q
@@ -57,8 +57,8 @@ jobs:
 Rebuild weekly to keep the OWASP NVD database fresh:
 ```bash
-docker build --no-cache -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/
-docker push 192.168.1.72/kollect-tools/ci/java-builder:latest
+docker build --no-cache -t kcr.kollect.biz/kollect-tools/ci/java-builder:latest ci/java-builder/
+docker push kcr.kollect.biz/kollect-tools/ci/java-builder:latest
 ```
 When `pom.xml` files change (new dependencies), rebuild to update the cached deps layer.
diff --git a/ci/sonar-runner/Dockerfile b/ci/sonar-runner/Dockerfile
index 9b94af3..e84ecd8 100644
--- a/ci/sonar-runner/Dockerfile
+++ b/ci/sonar-runner/Dockerfile
@@ -9,7 +9,7 @@
 # workflow, so we don't bake it into the shared java-builder.
 #
 # Build:
-# docker build -t 192.168.1.72/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
+# docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
 #
 # Build prerequisite: java-builder:latest must exist in the registry
 # (this image FROMs it). Run `build-and-push.ps1 -Image ci/java-builder`
@@ -17,15 +17,15 @@
 #
 # Usage in CI:
 # container:
-# image: 192.168.1.72/kollect-tools/ci/sonar-runner:latest
+# image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
-ARG REGISTRY=192.168.1.72
+ARG REGISTRY=kcr.kollect.biz
 ARG JAVA_BUILDER_TAG=latest
 FROM ${REGISTRY}/kollect-tools/ci/java-builder:${JAVA_BUILDER_TAG}
 # Sonar-scanner version. Bump in lockstep with KollectAI-ETL's
 # .gitea/workflows/sonar.yml SONAR_SCANNER_VERSION env.
-ARG SONAR_SCANNER_VERSION=6.2.1.4610
+ARG SONAR_SCANNER_VERSION=8.1.0.6389
 # ─────────────────────────────────────────────────────────────────────
 # sonar-scanner CLI
diff --git a/ci/sonar-runner/README.md b/ci/sonar-runner/README.md
index 5fa0352..46cc62a 100644
--- a/ci/sonar-runner/README.md
+++ b/ci/sonar-runner/README.md
@@ -12,17 +12,17 @@ Everything from [`java-builder`](../java-builder/) (Java 25, Maven 3.9.x, Node +
 ```bash
 # Prerequisite: java-builder must already exist in the registry.
-docker build -t 192.168.1.72/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
-docker push 192.168.1.72/kollect-tools/ci/sonar-runner:latest
+docker build -t kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest ci/sonar-runner/
+docker push kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
 ```
 ### Build args
 | Arg | Default | Description |
 |-----|---------|-------------|
-| `REGISTRY` | `192.168.1.72` | Registry hostname for the parent `java-builder` pull |
+| `REGISTRY` | `kcr.kollect.biz` | Registry hostname for the parent `java-builder` pull |
 | `JAVA_BUILDER_TAG` | `latest` | Tag of `java-builder` to extend |
-| `SONAR_SCANNER_VERSION` | `6.2.1.4610` | Bump in lockstep with `KollectAI-ETL/.gitea/workflows/sonar.yml`'s `SONAR_SCANNER_VERSION` |
+| `SONAR_SCANNER_VERSION` | `8.1.0.6389` | Bump in lockstep with `KollectAI-ETL/.gitea/workflows/sonar.yml`'s `SONAR_SCANNER_VERSION` |
 ## Usage in CI
@@ -31,7 +31,7 @@ jobs:
 scan:
 runs-on: ubuntu-latest
 container:
- image: 192.168.1.72/kollect-tools/ci/sonar-runner:latest
+ image: kcr.kollect.biz/kollect-tools/ci/sonar-runner:latest
 steps:
 - uses: actions/checkout@v6
 with: