diff --git a/.github/workflows/build-bake-preview.yaml b/.github/workflows/build-bake-preview.yaml index c95dea69..641787f5 100644 --- a/.github/workflows/build-bake-preview.yaml +++ b/.github/workflows/build-bake-preview.yaml @@ -77,7 +77,7 @@ jobs: steps: - name: Check Out main Branch if: github.event.schedule == '0 8 * * *' - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: 'main' @@ -104,7 +104,7 @@ jobs: connect-daily: needs: [versions] - name: Connect Image - Daily + name: Connect - Daily runs-on: ubuntu-latest-4x env: diff --git a/.github/workflows/build-bake.yaml b/.github/workflows/build-bake.yaml index 50b2cd45..c1c67e11 100644 --- a/.github/workflows/build-bake.yaml +++ b/.github/workflows/build-bake.yaml @@ -22,6 +22,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Get commit SHA @@ -46,6 +53,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx @@ -58,7 +72,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -81,6 +95,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx 
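Review bot: The two `Checkout` steps added at the top of each job in build-bake.yaml (this hunk at -22 and the same block at -46, -81, -116, -151, -186, -221, -256, -291 and -326) are mutually exclusive but share one `name`, so every job log shows two `Checkout` steps with one always skipped. A single step with a conditional ref does the same job, `ref: ${{ github.event_name == 'schedule' && 'main' || '' }}`, since actions/checkout treats an empty `ref` as the triggering event's default. If `main` is the repository's default branch, a scheduled run already executes on it and the explicit `ref: 'main'` changes nothing; if it is not, the workflow file comes from the default branch while the sources come from `main`, which deserves a comment on the step. Each job's `steps:` list continues outside the hunk.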
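Review bot: The widened `push-image` expression in the -58 hunk of build-bake.yaml (repeated at -93, -128, -163, -198, -233, -268, -303 and -338) is a no-op when `main` is the default branch, because `github.ref` on a `schedule` event is already the default branch's ref; if it is kept for a non-`main` default, the job would then publish from a branch the workflow definition itself was not taken from. Either way the line now enables unattended pushes to the registries named in the surrounding `ghcr-token`/`dockerhub-*` inputs from whatever `main` holds at cron time, so the intent should be recorded on the step, e.g. `# scheduled rebuilds publish from main so base-image updates ship without a new commit`. The rest of the `bake-test-push` inputs lie outside the hunk.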
@@ -93,7 +114,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -116,6 +137,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx @@ -128,7 +156,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -151,6 +179,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx @@ -163,7 +198,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -186,6 +221,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx 
@@ -198,7 +240,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -221,6 +263,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx @@ -233,7 +282,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -256,6 +305,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx @@ -268,7 +324,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -291,6 +347,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx 
@@ -303,7 +366,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -326,6 +389,13 @@ jobs: steps: - name: Checkout + if: github.event_name == 'schedule' + uses: actions/checkout@v4 + with: + ref: 'main' + + - name: Checkout + if: github.event_name != 'schedule' uses: actions/checkout@v4 - name: Set up Docker Buildx @@ -338,7 +408,7 @@ jobs: uses: ./.github/actions/bake-test-push with: target: ${{ env.target }} - push-image: ${{ github.ref == 'refs/heads/main' }} + push-image: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' }} ghcr-token: ${{ secrets.GITHUB_TOKEN }} dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} diff --git a/.github/workflows/build-manual.yaml b/.github/workflows/build-manual.yaml index 7e0fd5da..2f991774 100644 --- a/.github/workflows/build-manual.yaml +++ b/.github/workflows/build-manual.yaml @@ -163,3 +163,5 @@ jobs: dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} gcp-json: '${{ secrets.GCP_ARTIFACT_REGISTRY_JSON }}' + snyk-org: ${{ secrets.SNYK_ORG }} + snyk-token: '${{ secrets.SNYK_TOKEN }}' diff --git a/Justfile b/Justfile index 6f264186..a6ddcad2 100644 --- a/Justfile +++ b/Justfile @@ -7,7 +7,7 @@ sed_vars := if os() == "macos" { "-i ''" } else { "-i" } BUILDX_PATH := "" -RSC_VERSION := "2024.06.0" +RSC_VERSION := "2024.08.0" RSPM_VERSION := "2024.04.4-35" RSW_VERSION := "2024.04.2+764.pro1" diff --git a/connect-content-init/Dockerfile.ubuntu2204 b/connect-content-init/Dockerfile.ubuntu2204 index 9816c8e6..9a260dba 100644 --- a/connect-content-init/Dockerfile.ubuntu2204 
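Review bot: The two inputs added to build-manual.yaml are quoted inconsistently: `snyk-org: ${{ secrets.SNYK_ORG }}` is bare while `snyk-token: '${{ secrets.SNYK_TOKEN }}'` and the neighbouring `gcp-json` are single-quoted; pick the quoted form for both, `snyk-org: '${{ secrets.SNYK_ORG }}'`. Both go to `./.github/actions/bake-test-push`, which is not in this diff, so I cannot confirm that it declares `snyk-org`/`snyk-token` inputs; the `bake-test-push` call sites in build-bake.yaml that this commit touches do not show these inputs being passed, so confirm whether the scheduled and push builds are meant to skip the Snyk scan. The step's `with:` block starts above the hunk.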
+++ b/connect-content-init/Dockerfile.ubuntu2204 @@ -9,7 +9,7 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends ca-certificates curl && \ rm -rf /var/lib/apt/lists/* -ARG RSC_VERSION=2024.06.0 +ARG RSC_VERSION=2024.08.0 SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN mkdir -p /rsc-staging && \ RSC_VERSION_URL=$(echo -n "${RSC_VERSION}" | sed 's/+/%2B/g') && \ diff --git a/connect-content-init/README.md b/connect-content-init/README.md index 5bb8e779..1fce505f 100644 --- a/connect-content-init/README.md +++ b/connect-content-init/README.md @@ -9,7 +9,7 @@ # Supported tags and respective Dockerfile links -* [`jammy`, `ubuntu2204`, `jammy-2024.06.0`, `ubuntu2204-2024.06.0`](https://github.com/rstudio/rstudio-docker-products/blob/main/connect/Dockerfile.2204) +* [`jammy`, `ubuntu2204`, `jammy-2024.08.0`, `ubuntu2204-2024.08.0`](https://github.com/rstudio/rstudio-docker-products/blob/main/connect/Dockerfile.2204) # RStudio Connect Content Init Container @@ -31,7 +31,7 @@ The version of the release package to use can be overridden with the `RSC_VERSION` build arg. ```console -just build ubuntu2204 2024.06.0 +just build ubuntu2204 2024.08.0 ``` ## Testing @@ -56,7 +56,7 @@ just test You can see the different layers that make up the image: ```console -docker history rstudio/rstudio-connect-content-init-preview:2024.06.0-dev-326 +docker history rstudio/rstudio-connect-content-init-preview:2024.08.0-dev-326 ``` NOTE: almost all the image size is pandoc. diff --git a/connect/.env b/connect/.env index fca74e64..142c04b8 100644 --- a/connect/.env +++ b/connect/.env @@ -1,4 +1,4 @@ -RSC_VERSION=2024.06.0 +RSC_VERSION=2024.08.0 R_VERSION=4.2.3 R_VERSION_ALT=4.1.3 PYTHON_VERSION=3.9.17 diff --git a/connect/Dockerfile.ubuntu2204 b/connect/Dockerfile.ubuntu2204 index d4d72986..5aea9e84 100644 --- a/connect/Dockerfile.ubuntu2204 +++ b/connect/Dockerfile.ubuntu2204 
@@ -7,7 +7,7 @@ ARG R_VERSION=4.2.3 ARG R_VERSION_ALT=4.1.3 ARG PYTHON_VERSION=3.9.17 ARG PYTHON_VERSION_ALT=3.8.17 -ARG RSC_VERSION=2024.06.0 +ARG RSC_VERSION=2024.08.0 ARG QUARTO_VERSION=1.4.557 ARG SCRIPTS_DIR=/opt/positscripts diff --git a/connect/README.md b/connect/README.md index c4203c55..488e72d3 100644 --- a/connect/README.md +++ b/connect/README.md @@ -7,7 +7,7 @@ # Supported tags and respective Dockerfile links -* [`jammy`, `ubuntu2204`, `jammy-2024.06.0`, `ubuntu2204-2024.06.0`](https://github.com/rstudio/rstudio-docker-products/blob/main/connect/Dockerfile.2204) +* [`jammy`, `ubuntu2204`, `jammy-2024.08.0`, `ubuntu2204-2024.08.0`](https://github.com/rstudio/rstudio-docker-products/blob/main/connect/Dockerfile.2204) # What is Posit Connect? diff --git a/docker-bake.hcl b/docker-bake.hcl index bf9957c3..b2d3acec 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,6 +1,6 @@ ### Variable definitions ### variable CONNECT_VERSION { - default = "2024.06.0" + default = "2024.08.0" } variable PACKAGE_MANAGER_VERSION { 
@@ -461,12 +461,12 @@ target "workbench-for-google-cloud-workstations" { tags = [ "us-central1-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", "us-central1-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", - "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", - "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", "europe-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", "europe-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", "asia-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", "asia-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", + "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:${tag_safe_version(WORKBENCH_VERSION)}", + "us-docker.pkg.dev/posit-images/cloud-workstations/workbench:latest", ] dockerfile = "Dockerfile.${builds.os}" diff --git a/r-session-complete/.snyk b/r-session-complete/.snyk index 095a845b..909ad99a 100644 --- a/r-session-complete/.snyk +++ b/r-session-complete/.snyk @@ -11,7 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {} diff --git a/tools/snyk_bake_artifacts.py b/tools/snyk_bake_artifacts.py index 1983b43e..87281b02 100644 --- a/tools/snyk_bake_artifacts.py +++ b/tools/snyk_bake_artifacts.py 
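Review bot: The reorder only moves the two `us-docker.pkg.dev` tags to the end of `tags`, and nothing in the HCL says why; the reason appears to be that tools/snyk_bake_artifacts.py passes `target_spec['tags'][-1]` as the Snyk `--project-name`, so the last entry now decides which registry name the Snyk project is filed under. That coupling belongs next to the list, e.g. `# keep the us-docker :latest tag last: tools/snyk_bake_artifacts.py uses tags[-1] as the Snyk project name`. Changing the last tag may also change the Snyk project name for this target, so existing findings and ignores could end up under a new project. The `target` block continues outside the hunk.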
@@ -17,6 +17,15 @@ LOGGER = logging.getLogger(__name__) SNYK_ORG = os.getenv("SNYK_ORG") SERVICE_IMAGES = ["workbench-for-microsoft-azure=ml", "workbench-for-google-cloud-workstations"] +SARIF_PATH_FILTERS = { + "connect": ["/opt/rstudio-connect/examples"], + "workbench-for-google-cloud-workstations": [ + "/usr/lib/google-cloud-sdk", + "/usr/share", + "/usr/bin", + "/usr/local/go", + ], +} PROJECT_DIR = Path(__file__).resolve().parents[1] @@ -78,7 +87,8 @@ def build_snyk_command(target_name, target_spec, snyk_command, opts): f"--file={str(docker_file_path)}", "--platform=linux/amd64", f"--project-name={target_spec['tags'][-1]}", - f"--sarif-file-output=container.sarif", + "--sarif-file-output=container.sarif", + "--json-file-output=container.json", "--severity-threshold=high", f"--policy-path={target_spec['context']}", ]) 
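Review bot: `SARIF_PATH_FILTERS` silently removes findings from the SARIF that is written out, and nothing at the definition says so; `/usr/bin` and `/usr/share` in particular are broad exclusions for a workstation image. Unlike a `.snyk` ignore, an entry here carries no reason or expiry, so the constant needs a comment such as `# Findings whose target file sits under one of these directories are dropped from container.sarif after the snyk run; the snyk exit code is unaffected. Record why each path is excluded.`, and the values should be stated to be absolute directory prefixes, since filter_sarif_file currently matches them as substrings. The context line `SERVICE_IMAGES = ["workbench-for-microsoft-azure=ml", ...]` looks like a pre-existing typo for `workbench-for-microsoft-azure-ml` (the directory name used elsewhere in this commit) and could be fixed alongside.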
@@ -112,6 +122,36 @@ def build_snyk_command(target_name, target_spec, snyk_command, opts): return cmd +def filter_sarif_file(target_spec): + with open("container.sarif", "r") as f: + c_sarif = json.load(f) + with open("container.json", "r") as f: + c_json = json.load(f) + c_sarif_paths = c_sarif["runs"] + c_sarif_root = c_sarif_paths.pop(0) + c_json_paths = c_json["applications"] + filter_paths = SARIF_PATH_FILTERS.get(target_spec["context"], []) + filtered_c_sarif_paths = [c_sarif_root] + if len(c_sarif_paths) != len(c_json_paths): + LOGGER.error("SARIF and JSON number of discovered paths do not match") + return + for i in range(len(c_sarif_paths)): + if c_json_paths[i]["dependencyCount"] != c_sarif_paths[i]["tool"]["driver"]["properties"]["artifactsScanned"]: + LOGGER.warning( + f"Artifact count in JSON, {c_json_paths[i]['dependencyCount']}, " + f"differs from artifact count in SARIF, " + f"{c_sarif_paths[i]['tool']['driver']['properties']['artifactsScanned']}, for " + f"{c_json_paths[i]['displayTargetFile']}. This may cause incorrect filtering in the SARIF file." + ) + if not any(p in c_json_paths[i]["targetFile"] for p in filter_paths): + filtered_c_sarif_paths.append(c_sarif_paths[i]) + c_sarif["runs"] = filtered_c_sarif_paths + num_filtered_paths = len(c_sarif_paths) - len(filtered_c_sarif_paths) + LOGGER.info(f"Filtered {num_filtered_paths} paths from SARIF file") + with open("container.sarif", "w") as f: + json.dump(c_sarif, f, indent=2) + + def run_cmd(target_name, cmd): LOGGER.info(f"Running tests for {target_name}") LOGGER.info(f"{' '.join(cmd)}") @@ -139,6 +179,9 @@ def main(): if return_code != 0: failed_targets.append(target_name) result = 1 + if target_spec["context"] in SARIF_PATH_FILTERS and args.command == "test": + LOGGER.info("Filtering SARIF output file for excluded paths...") + filter_sarif_file(target_spec) LOGGER.info(f"Failed targets: {failed_targets}") exit(result) 
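Review bot: `num_filtered_paths` in `filter_sarif_file` is off by one, because `c_sarif_paths` no longer contains the root run that was popped while `filtered_c_sarif_paths` starts with it; the count should be `len(c_sarif_paths) - (len(filtered_c_sarif_paths) - 1)`, otherwise a run with nothing filtered logs -1. The exclusion test `p in c_json_paths[i]["targetFile"]` is a substring match, so `/usr/bin` also matches `/usr/binutils/...` or any path that merely contains the text; assuming `targetFile` is an absolute path inside the image, as the existing test implies, a directory-prefix match is what is meant. The pairing of SARIF runs with JSON applications is purely positional, and a count mismatch only warns before dropping runs by index, which can hide a real finding for an unfiltered path; refusing to filter on mismatch and logging each dropped `targetFile` keeps the suppression auditable. The function also has no docstring; one should say it rewrites `container.sarif` in place using `container.json` from the same snyk run and why the two files are cross-checked.
```python
    # … unchanged: load container.sarif / container.json, pop the root run …
    for sarif_run, app in zip(c_sarif_paths, c_json_paths):
        target_file = app["targetFile"]
        if app["dependencyCount"] != sarif_run["tool"]["driver"]["properties"]["artifactsScanned"]:
            # Position is the only link between the two files; a count mismatch
            # means a run could be dropped for the wrong path, silently hiding
            # findings, so leave the SARIF untouched rather than guess.
            LOGGER.error(f"Artifact count mismatch for {app['displayTargetFile']}; leaving SARIF unfiltered")
            return
        # Directory-prefix match: "/usr/bin" must not match "/usr/binutils".
        if any(target_file == p or target_file.startswith(p.rstrip("/") + "/") for p in filter_paths):
            LOGGER.info(f"Dropping SARIF run for {target_file} (matches SARIF_PATH_FILTERS)")
            continue
        filtered_c_sarif_paths.append(sarif_run)
    c_sarif["runs"] = filtered_c_sarif_paths
    num_filtered_paths = len(c_sarif_paths) - (len(filtered_c_sarif_paths) - 1)
    # … unchanged: log the count, write container.sarif …
```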
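Review bot: The new `filter_sarif_file` call in `main` runs even when `return_code != 0`, and if snyk exited without writing `container.sarif`/`container.json` (a scan error rather than findings), the `open` inside `filter_sarif_file` raises FileNotFoundError and aborts the target loop before the `Failed targets` summary is logged. Guard on the outputs being present, e.g. `if target_spec["context"] in SARIF_PATH_FILTERS and args.command == "test" and Path("container.sarif").exists() and Path("container.json").exists():` (`Path` is already imported for `PROJECT_DIR`). Since both files live in the working directory under fixed names, a failed target could also pick up the previous target's leftover files and filter them with the wrong `SARIF_PATH_FILTERS` entry, so removing them before each run would be safer. `main` starts outside the hunk.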
diff --git a/workbench-for-google-cloud-workstations/.snyk b/workbench-for-google-cloud-workstations/.snyk index 87558195..557b169d 100644 --- a/workbench-for-google-cloud-workstations/.snyk +++ b/workbench-for-google-cloud-workstations/.snyk @@ -11,12 +11,15 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285: - '*': - reason: 'Patched in later version https://cloud.google.com/support/bulletins#gcp-2024-023' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-03T16:16:45.000Z + reason: Vulnerability in Google Cloud SDK. + expires: 2024-09-01T00:00:00.000Z + created: 2024-07-31T19:45:25.728Z patch: {} diff --git a/workbench-for-microsoft-azure-ml/.snyk b/workbench-for-microsoft-azure-ml/.snyk index 095a845b..909ad99a 100644 --- a/workbench-for-microsoft-azure-ml/.snyk +++ b/workbench-for-microsoft-azure-ml/.snyk @@ -11,7 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {} diff --git a/workbench/.snyk b/workbench/.snyk index 095a845b..909ad99a 100644 --- a/workbench/.snyk +++ b/workbench/.snyk 
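Review bot: The replacement reason for `SNYK-GOLANG-GOLANGORGXNETHTTP2-6531285`, `Vulnerability in Google Cloud SDK.`, only names where the finding lives and no longer records why ignoring it is acceptable, while `expires` moves out another month; the removed text at least pointed at a vendor bulletin stating that a fixed version exists. If the real resolution is a newer SDK in the image, the reason should say what blocks that or what will close the ignore, e.g. `reason: 'In the Google Cloud SDK bundled in the image; no fixed SDK release available for the pinned version yet - re-check on SDK upgrade'` (constructed wording, adjust to the actual status). This commit also adds `/usr/lib/google-cloud-sdk` to `SARIF_PATH_FILTERS` in tools/snyk_bake_artifacts.py, so findings in this component are now both dropped from the SARIF and ignored here; two independent suppressions of the same path are easy to leave behind once one of them is lifted.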
@@ -11,7 +11,10 @@ ignore: created: 2024-07-02T20:33:30.847Z SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV3-6070737: - '*': - reason: 'Reported upstream in https://github.com/rstudio/openid/issues/18' - expires: 2024-07-31T00:00:00.000Z - created: 2024-07-02T20:52:24.627Z + reason: >- + Confirmed fixed upstream in + https://github.com/rstudio/rstudio-pro/issues/6635. Patch will be + ingested in Workbench 2024.08.0 (expected within 1 week). + expires: 2024-08-07T00:00:00.000Z + created: 2024-07-31T17:46:24.852Z patch: {}