Lock CI images to specific SHAs

.github/workflows/budibase_ci.yml

@@ -108,7 +108,7 @@ jobs:
       - name: Pull testcontainers images
         run: |
           docker pull testcontainers/ryuk:0.5.1 &
-          docker pull budibase/couchdb:v3.2.1-sqs &
+          docker pull budibase/couchdb:v3.3.3 &
           docker pull redis &
 
           wait $(jobs -p)
@@ -162,17 +162,23 @@ jobs:
           node-version: 20.x
           cache: yarn
 
+      - name: Load dotenv
+        id: dotenv
+        uses: falti/[email protected]
+        with:
+          path: ./packages/server/datasource-sha.env
+
       - name: Pull testcontainers images
         run: |
-          docker pull mcr.microsoft.com/mssql/server:2022-CU13-ubuntu-22.04 &
-          docker pull mysql:8.3 &
-          docker pull postgres:16.1-bullseye &
-          docker pull mongo:7.0-jammy &
-          docker pull mariadb:lts &
-          docker pull testcontainers/ryuk:0.5.1 &
-          docker pull budibase/couchdb:v3.2.1-sqs &
+          docker pull mcr.microsoft.com/mssql/server@${{ steps.dotenv.outputs.MSSQL_SHA }} &
+          docker pull mysql@${{ steps.dotenv.outputs.MYSQL_SHA }} &
+          docker pull postgres@${{ steps.dotenv.outputs.POSTGRES_SHA }} &
+          docker pull mongo@${{ steps.dotenv.outputs.MONGODB_SHA }} &
+          docker pull mariadb@${{ steps.dotenv.outputs.MARIADB_SHA }} &
           docker pull minio/minio &
           docker pull redis &
+          docker pull testcontainers/ryuk:0.5.1 &
+          docker pull budibase/couchdb:v3.3.3 &
 
           wait $(jobs -p)
 

globalSetup.ts

@@ -46,7 +46,7 @@ export default async function setup() {
   await killContainers(containers)
 
   try {
-    const couchdb = new GenericContainer("budibase/couchdb:v3.2.1-sqs")
+    const couchdb = new GenericContainer("budibase/couchdb:v3.3.3")
       .withExposedPorts(5984, 4984)
       .withEnvironment({
         COUCHDB_PASSWORD: "budibase",

packages/server/datasource-sha.env

@@ -0,0 +1,5 @@
+MSSQL_SHA=sha256:c4369c38385eba011c10906dc8892425831275bb035d5ce69656da8e29de50d8
+MYSQL_SHA=sha256:9de9d54fecee6253130e65154b930978b1fcc336bcc86dfd06e89b72a2588ebe
+POSTGRES_SHA=sha256:bd0d8e485d1aca439d39e5ea99b931160bd28d862e74c786f7508e9d0053090e
+MONGODB_SHA=sha256:afa36bca12295b5f9dae68a493c706113922bdab520e901bd5d6c9d7247a1d8d
+MARIADB_SHA=sha256:e59ba8783bf7bc02a4779f103bb0d8751ac0e10f9471089709608377eded7aa8

packages/server/src/integrations/tests/utils/images.ts

@@ -0,0 +1,17 @@
+import dotenv from "dotenv"
+import { join } from "path"
+
+const path = join(__dirname, "..", "..", "..", "..", "datasource-sha.env")
+dotenv.config({
+  path,
+})
+
+export function getImageSHAs() {
+  return {
+    mssql: `mcr.microsoft.com/mssql/server@${process.env.MSSQL_SHA}`,
+    mysql: `mysql@${process.env.MYSQL_SHA}`,
+    postgres: `postgres@${process.env.POSTGRES_SHA}`,
+    mongodb: `mongo@${process.env.MONGODB_SHA}`,
+    mariadb: `mariadb@${process.env.MARIADB_SHA}`,
+  }
+}

packages/server/src/integrations/tests/utils/index.ts

@@ -1,3 +1,4 @@
+import "./images"
 import { Datasource, SourceName } from "@budibase/types"
 import * as postgres from "./postgres"
 import * as mongodb from "./mongodb"
@@ -67,7 +68,11 @@ export async function knexClient(ds: Datasource) {
 
 export async function startContainer(container: GenericContainer) {
   const imageName = (container as any).imageName.string as string
-  const key = imageName.replaceAll("/", "-").replaceAll(":", "-")
+  let key: string = imageName
+  if (imageName.includes("@sha256")) {
+    key = imageName.split("@")[0]
+  }
+  key = key.replaceAll("/", "-").replaceAll(":", "-")
 
   container = container
     .withReuse()

packages/server/src/integrations/tests/utils/mariadb.ts

@@ -4,6 +4,7 @@ import { AbstractWaitStrategy } from "testcontainers/build/wait-strategies/wait-
 import { generator, testContainerUtils } from "@budibase/backend-core/tests"
 import { startContainer } from "."
 import { knexClient } from "./mysql"
+import { getImageSHAs } from "./images"
 
 let ports: Promise<testContainerUtils.Port[]>
 
@@ -27,7 +28,7 @@ class MariaDBWaitStrategy extends AbstractWaitStrategy {
 export async function getDatasource(): Promise<Datasource> {
   if (!ports) {
     ports = startContainer(
-      new GenericContainer("mariadb:lts")
+      new GenericContainer(getImageSHAs().mariadb)
         .withExposedPorts(3306)
         .withEnvironment({ MARIADB_ROOT_PASSWORD: "password" })
         .withWaitStrategy(new MariaDBWaitStrategy())

packages/server/src/integrations/tests/utils/mongodb.ts

@@ -2,13 +2,14 @@ import { generator, testContainerUtils } from "@budibase/backend-core/tests"
 import { Datasource, SourceName } from "@budibase/types"
 import { GenericContainer, Wait } from "testcontainers"
 import { startContainer } from "."
+import { getImageSHAs } from "./images"
 
 let ports: Promise<testContainerUtils.Port[]>
 
 export async function getDatasource(): Promise<Datasource> {
   if (!ports) {
     ports = startContainer(
-      new GenericContainer("mongo:7.0-jammy")
+      new GenericContainer(getImageSHAs().mongodb)
         .withExposedPorts(27017)
         .withEnvironment({
           MONGO_INITDB_ROOT_USERNAME: "mongo",

packages/server/src/integrations/tests/utils/mssql.ts

@@ -3,15 +3,14 @@ import { GenericContainer, Wait } from "testcontainers"
 import { generator, testContainerUtils } from "@budibase/backend-core/tests"
 import { startContainer } from "."
 import knex from "knex"
+import { getImageSHAs } from "./images"
 
 let ports: Promise<testContainerUtils.Port[]>
 
 export async function getDatasource(): Promise<Datasource> {
   if (!ports) {
     ports = startContainer(
-      new GenericContainer(
-        "mcr.microsoft.com/mssql/server:2022-CU13-ubuntu-22.04"
-      )
+      new GenericContainer(getImageSHAs().mssql)
         .withExposedPorts(1433)
         .withEnvironment({
           ACCEPT_EULA: "Y",

packages/server/src/integrations/tests/utils/mysql.ts

@@ -4,6 +4,7 @@ import { AbstractWaitStrategy } from "testcontainers/build/wait-strategies/wait-
 import { generator, testContainerUtils } from "@budibase/backend-core/tests"
 import { startContainer } from "."
 import knex from "knex"
+import { getImageSHAs } from "./images"
 
 let ports: Promise<testContainerUtils.Port[]>
 
@@ -30,7 +31,7 @@ class MySQLWaitStrategy extends AbstractWaitStrategy {
 export async function getDatasource(): Promise<Datasource> {
   if (!ports) {
     ports = startContainer(
-      new GenericContainer("mysql:8.3")
+      new GenericContainer(getImageSHAs().mysql)
         .withExposedPorts(3306)
         .withEnvironment({ MYSQL_ROOT_PASSWORD: "password" })
         .withWaitStrategy(new MySQLWaitStrategy().withStartupTimeout(10000))

packages/server/src/integrations/tests/utils/postgres.ts

@@ -3,13 +3,14 @@ import { GenericContainer, Wait } from "testcontainers"
 import { generator, testContainerUtils } from "@budibase/backend-core/tests"
 import { startContainer } from "."
 import knex from "knex"
+import { getImageSHAs } from "./images"
 
 let ports: Promise<testContainerUtils.Port[]>
 
 export async function getDatasource(): Promise<Datasource> {
   if (!ports) {
     ports = startContainer(
-      new GenericContainer("postgres:16.1-bullseye")
+      new GenericContainer(getImageSHAs().postgres)
         .withExposedPorts(5432)
         .withEnvironment({ POSTGRES_PASSWORD: "password" })
         .withWaitStrategy(