add initial dockerfile and config

Author: jgreat

.githooks/pre-commit

@@ -0,0 +1,92 @@
+#!/bin/bash
+# Copyright (c) 2022-2023 MobileCoin Inc.
+
+# Set fancy pants colors
+no_color='\033[0m'
+bold_white='\033[1;37m'
+red='\033[0;31m'
+green='\033[0;32m'
+
+# Set default headers
+header="${bold_white}[pre-commit]${no_color}"
+ok="${green}[ OK ]${no_color}"
+failed="${red}[ FAILED ]${no_color}"
+
+# Check the results and print output if there are errors.
+check_results()
+{
+    if [[ "${error}" == "true" ]]
+    then
+        echo -e "${failed}"
+        echo -e "${out}"
+        exit 1
+    else
+        echo -e "${ok}"
+    fi
+}
+
+# error flag starts off as false
+error="false"
+
+# Get list of files included in the commit.  We don't need to necessarily check the whole project.
+files=$(git diff --cached --name-only --diff-filter=ACM)
+
+# Run shellcheck if installed
+if which shellcheck >/dev/null 2>&1
+then
+    echo -e -n "${header} Run shellcheck on files included in the commit "
+
+    out=""
+    for f in ${files}
+    do
+        # check only files that have proper shebang headers
+        if grep -E "^#!.*(sh|bash|ksh)$" "${f}" >/dev/null 2>&1
+        then
+            if ! out+=$(shellcheck -Calways -x "${f}" 2>&1)
+            then
+                error="true"
+            fi
+        fi
+    done
+
+    # check for error status and print results
+    check_results
+fi
+
+# Run actionlint to check GHA workflow syntax
+if which actionlint >/dev/null 2>&1
+then
+    echo -e -n "${header} Run actionlint on GHA workflow files "
+
+    out=""
+    if ! out+=$(actionlint -color 2>&1)
+    then
+        error="true"
+    fi
+
+    # check for error status and print results
+    check_results
+fi
+
+# Run hadolint on Dockerfiles included in .internal-ci/docker
+if which hadolint >/dev/null 2>&1
+then
+    echo -e -n "${header} Run hadolint on Dockerfiles "
+
+    out=""
+
+    # Find Dockerfile files
+    docker_files=$(find . -name "Dockerfile*" -type f | grep -v "dockerignore")
+
+    # helm lint on directories where there are chart.yaml files
+    for f in ${docker_files}
+    do
+        if ! out+=$(hadolint "${f}" 2>&1)
+        then
+            error="true"
+        fi
+    done
+
+    # check for error status and print results
+    check_results
+fi

.github/actionlint.yaml

@@ -0,0 +1,5 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of string
+  labels:
+  - small
+  - large

.github/workflows/build-and-publish.yaml

@@ -0,0 +1,31 @@
+# Copyright (c) 2023 MobileCoin Inc.
+name: build-and-publish
+
+on:
+  push:
+    tags:
+    - '*.*.*'
+  pull_request: {}
+
+env:
+  DOCKER_ORG: mobilecoin
+
+jobs:
+  docker:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: mobilecoinofficial/gh-actions/checkout@v0
+
+    - name: Build/Publish Image
+      uses: mobilecoinofficial/gh-actions/docker@v0
+      with:
+        dockerfile: ./Dockerfile
+        flavor: latest=true
+        images: mobilecoin/gha-runner
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+        push: ${{ github.event_name == 'pull_request' && 'false' || 'true' }}
+        tags: |
+          type=semver,pattern={{version}},priority=20
+          type=sha,priority=10
+        username: ${{ secrets.DOCKERHUB_USERNAME }}

.github/workflows/checks.yaml

@@ -0,0 +1,63 @@
+# Copyright (c) 2023 MobileCoin Inc.
+name: checks
+
+on:
+  pull_request: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  lint-docker:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: mobilecoinofficial/gh-actions/checkout@v0
+
+    - name: Run hadolint with reviewdog
+      uses: reviewdog/action-hadolint@v1
+      with:
+        fail_on_error: true
+        reporter: github-pr-review
+        exclude: |
+          *.dockerignore
+
+  lint-shell:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: mobilecoinofficial/gh-actions/checkout@v0
+
+    - name: Run shellcheck with reviewdog
+      uses: reviewdog/action-shellcheck@v1
+      with:
+        fail_on_error: true
+        reporter: github-pr-review
+
+  lint-actions:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: mobilecoinofficial/gh-actions/checkout@v0
+
+    - name: Run actionlint with reviewdog
+      uses: reviewdog/action-actionlint@v1
+      with:
+        fail_on_error: true
+        reporter: github-pr-review
+
+  workflow-ok:
+    needs:
+    - lint-docker
+    - lint-shell
+    - lint-actions
+    runs-on: ubuntu-22.04
+    steps:
+    - name: All Checks OK!
+      run: |
+        true

.github/workflows/release.yaml

@@ -0,0 +1,22 @@
+# Copyright (c) 2023 MobileCoin Inc.
+name: release
+
+on:
+  push:
+    tags:
+    - '*.*.*'
+
+permissions:
+  contents: write
+
+jobs:
+  gh-release:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: mobilecoinofficial/gh-actions/checkout@v0
+
+    - name: Create a GitHub Release
+      uses: softprops/action-gh-release@v1
+      with:
+        generate_release_notes: true

.github/workflows/tag.yaml

@@ -0,0 +1,44 @@
+# Copyright (c) 2023 MobileCoin Inc.
+name: tag
+
+on:
+  push:
+    branches:
+    - main
+
+# when the gh publishes a new ghcr.io/actions/actions-runner image renovate should PR.
+# we want the tag from renovate update?
+# can we get renovate to add something like `[tag/2.310.0]` to the commit message?
+# something we can scrape?
+
+jobs:
+  tag:
+    runs-on: ubuntu-22.04
+    steps:
+    # We need to use an external PAT here because GHA will not run downstream events if we use the built in token.
+    - name: Checkout
+      uses: mobilecoinofficial/gh-actions/checkout@2839c84b9279bfc02df70884d42700769bfbfc39
+      with:
+        token: ${{ secrets.ACTIONS_TOKEN }}
+
+    # - name: Bump GitHub tag
+    #   id: bump
+    #   uses: anothrNick/[email protected]
+    #   env:
+    #     GITHUB_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
+    #     WITH_V: 'true'
+    #     DEFAULT_BUMP: patch
+    #     DRY_RUN: 'true'
+
+    # # Doing manual tags because anothrNick/github-tag-action won't retag a commit.
+    # - name: Get major and minor values for new tag
+    #   id: tags
+    #   env:
+    #     TAG: ${{ steps.bump.outputs.new_tag }}
+    #   run: |
+    #     export MAJOR_MINOR=${TAG%.*}
+    #     export MAJOR=${MAJOR_MINOR%.*}
+    #     git tag --force "${MAJOR}"
+    #     git tag --force "${MAJOR_MINOR}"
+    #     git tag --force "${TAG}"
+    #     git push --tags --force

.hadolint.yaml

@@ -0,0 +1,3 @@
+ignored:
+- DL3008
+- DL3015

Dockerfile

@@ -0,0 +1,19 @@
+FROM ghcr.io/actions/actions-runner:2.311.0
+
+USER root
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+  curl \
+  ca-certificates \
+  zstd \
+  gzip \
+  tar \
+  jq \
+  git \
+  zip \
+  unzip \
+ && apt-get clean \
+ && rm -r /var/lib/apt/lists/*
+
+USER runner

README.md

@@ -1,2 +1,82 @@
 # gha-runner
-`FROM actions/action-runner` image with utilities installed so actions actually work.
+
+Automated updated builds starting with `ghcr.io/actions/actions-runner` image. Adds with utilities installed so actions actually work.
+
+Adds the following packages to the base image.
+
+```
+curl
+ca-certificates
+zstd
+gzip
+tar
+jq
+git
+zip
+unzip
+```
+
+### How to use
+
+Replace `ghcr.io/actions/actions-runner` with `mobilecoin/gha-runner` in your `gha-runner-scale-set` helm releases.
+
+Example `values.yaml`.  See the [gha-runner-scale-set docs](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#using-advanced-configuration-options) for full details on customizing your install.
+
+```yaml
+runnerScaleSetName: dev-small-x64
+githubConfigUrl: https://github.com/<GitHub Org>
+githubConfigSecret: <GitHub App Secret>
+maxRunners: 25
+minRunners: 0
+runnerGroup: default
+
+template:
+  spec:
+    imagePullSecrets:
+    - name: docker-credentials
+    initContainers:
+    - name: init-dind-externals
+      image: mobilecoin/gha-runner:latest
+      command: ["cp", "-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
+      volumeMounts:
+      - name: dind-externals
+        mountPath: /home/runner/tmpDir
+    containers:
+    - name: runner
+      image: mobilecoin/gha-runner:latest
+      command: ["/home/runner/run.sh"]
+      env:
+      - name: DOCKER_HOST
+        value: unix:///run/docker/docker.sock
+      volumeMounts:
+      - name: work
+        mountPath: /home/runner/_work
+      - name: dind-sock
+        mountPath: /run/docker
+        readOnly: true
+    - name: dind
+      image: docker:dind
+      args:
+      - dockerd
+      - --host=unix:///run/docker/docker.sock
+      - --group=$(DOCKER_GROUP_GID)
+      env:
+      - name: DOCKER_GROUP_GID
+        value: "123"
+      securityContext:
+        privileged: true
+      volumeMounts:
+      - name: work
+        mountPath: /home/runner/_work
+      - name: dind-sock
+        mountPath: /run/docker
+      - name: dind-externals
+        mountPath: /home/runner/externals
+    volumes:
+    - name: work
+      emptyDir: {}
+    - name: dind-sock
+      emptyDir: {}
+    - name: dind-externals
+      emptyDir: {}
+```