fix(docker): Prevent all possible "silent errors" during docker build

[MaxymVlasov]

Put an x into the box if that apply:

• This PR introduces breaking change.
• This PR fixes a bug.
• This PR adds new functionality.
• This PR enhances existing functionality.

Description of your changes

Because docker RUN runs shell w/o set -e I moved all installation logic to standalone bash scripts, as it was suggested in #635 (comment), and:

• Rewrite them from sh to bash (because of no set pipefail in sh - https://www.shellcheck.net/wiki/SC3040)
• Sort Dockerfile instructions alphabetically

[MaxymVlasov]

stderr: exec /usr/bin/git: exec format error

from https://github.com/antonbabenko/pre-commit-terraform/actions/runs/8239964468/job/22534539718?pr=644#step:7:16

https://stackoverflow.com/questions/73285601/docker-exec-usr-bin-sh-exec-format-error

So, free arm builders not available for GitHub at all? 🤔

[yermulnik]

Apart from the suggestions and some bits of nitpicking, this PR looks good to me.

[yermulnik]

So, free arm builders not available for GitHub at all? 🤔

Get @antonbabenko to pay for some 😂

[MaxymVlasov]

Lol :)
Better he will pay us :D

Btw, ARM runners in private beta from Oct 2023

https://stackoverflow.com/a/77429129

[yermulnik]

Btw, ARM runners in private beta from Oct 2023

stackoverflow.com/a/77429129

It's still not released? =( Should we opt in to the waitlist https://resources.github.com/devops/accelerate-your-cicd-with-arm-and-gpu-runners-in-github-actions/#form ? 🤔

[MaxymVlasov]

Already joined, but don't think that it will be soon

[yermulnik]

I most probably am missing some context, though why switching from comparing value to latest? Is false assigned for a reason and somewhere else?

[MaxymVlasov]

Just a few lines above answer to your question :)

Install required tools

If someone disables PRE_COMMIT_VERSION - the image will not work
Same for TF, till we don't add support for OpenTofu or other TF-derivative. I can't guarantee that any of our hooks can work without TF

[yermulnik]

Just a few lines above answer to your question :)

Oh, I think I got the idea. As always explanatory comment wouldn't come amiss.

Btw why specifically lowercase false has been chosen? What if they choose to set it to off, no, False, or whatever they can imagine may work to switch it off? =)

[MaxymVlasov]

Btw why specifically lowercase false has been chosen?

Because only false is reserved word in bash

What if they choose to set it to off, no, False, or whatever they can imagine may work to switch it off? =)

Well, I can suggest to that folks RTFM :D
Btw, usually no-one would like to set anything to false, as everything that can be disabled, is set to false by default, if INSTALL_ALL=true not provided

[MaxymVlasov]

As always explanatory comment wouldn't come amiss.

Write it then. It's too obvious to me that I have no idea what here should be explained

[yermulnik]

maybe tomorrow (c) you

[MaxymVlasov]

?

Suggested change

	if [ "$PRE_COMMIT_VERSION" = "false" ]; then echo "PRE_COMMIT_VERSION=latest" >> /.env; fi; \
	if [ "$TERRAFORM_VERSION" = "false" ]; then echo "TERRAFORM_VERSION=latest" >> /.env; fi
	if [ "$PRE_COMMIT_VERSION" = "false" ]; then echo "PRE_COMMIT_VERSION=''" >> /.env; fi; \
	if [ "$TERRAFORM_VERSION" = "false" ]; then echo "TERRAFORM_VERSION=''" >> /.env; fi

[MaxymVlasov]

Or you suggest to just get rid of these if's, and provide folks ability to shoot their legs if they want to?

pre-commit-terraform/tools/install/_common.sh

Lines 18 to 22 in 51cfcd9

	# Skip tool installation if the version is set to "false"
	if [[ $VERSION == false ]]; then
	echo "'$TOOL' skipped"
	exit 0
	fi

[yermulnik]

I did not suggest either options. Initially I only asked to add a brief comment explaining why false is silently converted into latest because it wasn't obvious right away.
From my point of view the correct way to implement what you're implementing would be to check whether values of PRE_COMMIT_VERSION and TERRAFORM_VERSION are either latest or match their version formats. Else fail to prevent Docker build from completing successfully.

[MaxymVlasov]

Now it explicitly fails if set PRE_COMMIT_VERSION or TERRAFORM_VERSION to false.

If there is be provided not-valid version - it will fail when will try to find such version

[yermulnik]

I might have missed the answer from previous round of review, hence: why these two apk del commands cannot be combined into one apk del command? 🤔 Apologies if you already replied though. In such case it defo makes sense to add an explanatory comment so that I stop asking again and again =) Thanks.

[MaxymVlasov]

Should always be:

pre-commit-terraform/tools/install/checkov.sh

Lines 11 to 14 in 65ba593

	apk add --no-cache \
	gcc=~12 \
	libffi-dev=~3 \
	musl-dev=~1

pre-commit-terraform/tools/install/checkov.sh

Line 33 in 65ba593

apk del gcc libffi-dev musl-dev

Should be removed when the issue in Checkov will be fixed:

pre-commit-terraform/tools/install/checkov.sh

Lines 16 to 25 in 65ba593

	# cargo, gcc, git, musl-dev, rust and CARGO envvar required for compilation of [email protected]
	# no longer required once checkov version depends on rustworkx >0.14.0
	# https://github.com/bridgecrewio/checkov/pull/6045
	# gcc libffi-dev musl-dev required for compilation of cffi, until it contains musl aarch64
	export CARGO_NET_GIT_FETCH_WITH_CLI=true
	apk add --no-cache \
	cargo=~1 \
	git=~2 \
	libgcc=~12 \
	rust=~1

pre-commit-terraform/tools/install/checkov.sh

Line 34 in 65ba593

apk del cargo git rust

[yermulnik]

Should always be:

Should always be what? I'm not following your point.

We have two apk del commands. Is there a reason to not combine them into single one: apk del cargo gcc git libffi-dev musl-dev rust?

[MaxymVlasov]

Should always be what? I'm not following your point.

Should always exist.

Hmm, I dunno, maybe you not from GHweb, here image for you:

[yermulnik]

Should always exist.

Heck 🤦🏻 What should exist always? 😲

Hmm, I dunno, maybe you not from GHweb, here image for you:

I see the changes. Posting just links (or screenshots) w/o any explanation is just senseless.
I see the consecutive lines 33 and 34:

They both have the same apk del but for different packages.
What makes you think these two lines should not be combined into single command?
Is it logical separation because these packages are added with separate apk add commands? If yes, then please add an explanatory comment of why this oddness is maintained. Thanks.

[MaxymVlasov]

It is here
Line 18

# no longer required once checkov version depends on rustworkx >0.14.0 

[MaxymVlasov]

You just ignored it twice.

[yermulnik]

It is here Line 18

# no longer required once checkov version depends on rustworkx >0.14.0 

For me it's line 17.
I also see there cargo, gcc, git, musl-dev, rust and libffi-dev musl-dev are also mentioned in that comment. And this give zero to nothing answer to why the apk del commands can't be combined.
What you feel like is obvious to you, shouldn't be expected to be obvious to others.

[yermulnik]

You just ignored it twice.

Dude, you please learn to explain your thoughts before accusing others that they don't get what you're not telling.

[MaxymVlasov]

Added corresponding comment, hope it will help

[yermulnik]

Maybe re-use DISTRIBUTED_AS?

Suggested change

	GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
	GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
	DISTRIBUTED_AS="tar.gz"
	DISTRIBUTED_AS="tar.gz"
	GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.${DISTRIBUTED_AS}"
	GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.${DISTRIBUTED_AS}"

[MaxymVlasov]

Nope, because:

1. It will be different for binary
2. You will know the Distribution type only when you get GH Release link, not otherwise

[yermulnik]

1. It will be different for binary

The binary types just don't use the DISTRIBUTED_AS in GH_RELEASE_REGEX_LATEST and GH_RELEASE_REGEX_SPECIFIC_VERSION vars so they are not affected at all by the suggested change.

2. You will know the Distribution type only when you get GH Release link, not otherwise

This is probably about something else.
I see the code:

GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz"
GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz"
DISTRIBUTED_AS="tar.gz"

and

GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}"
GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}"
DISTRIBUTED_AS="binary"

and I see no reason to not swap these two to the below:

DISTRIBUTED_AS="tar.gz"
GH_RELEASE_REGEX_LATEST="https://.+?_${TARGETOS}_${TARGETARCH}.${DISTRIBUTED_AS}"
GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?${VERSION}_${TARGETOS}_${TARGETARCH}.${DISTRIBUTED_AS}"

and

DISTRIBUTED_AS="binary"
GH_RELEASE_REGEX_LATEST="https://.+?/${TOOL}_${TARGETOS}_${TARGETARCH}"
GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?v${VERSION}/${TOOL}_${TARGETOS}_${TARGETARCH}"

No change to binary types and optimization to non-binary types.

Am I missing something non-obvious?

[MaxymVlasov]

Once again:

You will know the Distribution type only when you get GH Release link, not otherwise

Imagine that you adding a new hook, let's say tfupdate.

You copy-past file, IE tfsec.sh rename it, cleanup pre-populated values and get this:

#...

GH_ORG=""
GH_RELEASE_REGEX_LATEST="https://.+?/"
GH_RELEASE_REGEX_SPECIFIC_VERSION="https://.+?"
DISTRIBUTED_AS=""

common::install_from_gh_release "$GH_ORG" "$DISTRIBUTED_AS" \
  "$GH_RELEASE_REGEX_LATEST" "$GH_RELEASE_REGEX_SPECIFIC_VERSION"

How you should know DISTRIBUTED_AS value till you don't get any of GH_RELEASE_...?

Please, don't make it more complex than it already is.

Also, someone could distribute not .tar.gz but .tgz.

[yermulnik]

How you should know DISTRIBUTED_AS value till you don't get any of GH_RELEASE_...?

From what I see in each new script for each tool installation, the value of DISTRIBUTED_AS is known and is defined in each of these files. Along with that most of the files have the value of DISTRIBUTED_AS repeated three times. And my suggestion is to reduce it to one time.

Please, don't make it more complex than it already is.

I'm trying to simplify so that new tools are added without a need to copy&paste DISTRIBUTED_AS value three times on a three lines in a row.

[MaxymVlasov]

Read once again, maybe tomorrow
#644 (comment)

[yermulnik]

There 0 simplification.

You're wrong, unless you prove opposite 🤝

Read once again, maybe tomorrow

That comment makes no sense to me. Re-write it once again, maybe tomorrow 😏

[MaxymVlasov]

There is a process of adding a new tool from scratch
Screencast from 24.04.24 21:01:35.webm

[MaxymVlasov]

1. Get URLs
2. Replace URL parts with variables
3. Simplify URL by replacing not matter parts by regex
4. Set DISTRIBUTED_AS value based on URL

Also, I see that I'm already stuck to recreate that process from memory for LATEST regex, which means that this flow is already complicated.
That verbosity does not hurt anyone.

[MaxymVlasov]

Version without stuck (will add it to contributor docs)

Screencast.from.24.04.24.22.00.36.webm

[antonbabenko]

This PR is included in version 1.89.1 🎉