Merge pull request #5749 from freedomofpress/update-builder-20210126

Update builder image and fix CI target for bandit
freedomofpress · Jan 26, 2021 · 0b7f93a · 0b7f93a
2 parents 4df72e7 + 355cee0
commit 0b7f93a
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 11 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -296,13 +296,13 @@ jobs:
           name: Check Python dependencies for CVEs
           command: |
             fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
-            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "sudo pip3 install -q --upgrade safety && make -C .. safety"
+            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "pip3 install -U -q --upgrade safety && make -C .. safety"
 
       - run:
           name: Run static security testing on source code
           command: |
             fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
-            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "sudo pip3 install -q --upgrade pip && sudo pip3 install -q --upgrade bandit && make -C .. bandit"
+            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "pip3 install -U -q --upgrade pip && pip3 install -U -q --upgrade bandit && make -C .. bandit"
 
 
   staging-test-with-rebase:

diff --git a/molecule/builder-focal/Dockerfile b/molecule/builder-focal/Dockerfile
@@ -39,10 +39,8 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
 
 # TEMPORARY: install dh-virtualenv from debian unstable, pending focal package:
 # https://github.com/spotify/dh-virtualenv/issues/298
-RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
-COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
-RUN apt-get install -y debian-archive-keyring
-RUN ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/
+RUN echo "deb http://archive.ubuntu.com/ubuntu/ groovy universe" > /etc/apt/sources.list.d/ubuntu-groovy.list
+COPY aptpreferences.conf /etc/apt/preferences.d/ubuntu-groovy
 
 RUN apt-get update && apt-get install -y dh-virtualenv
 

diff --git a/molecule/builder-focal/aptpreferences.conf b/molecule/builder-focal/aptpreferences.conf
@@ -3,5 +3,5 @@ Pin: release a=focal
 Pin-Priority: 700
 
 Package: *
-Pin: release a=unstable
+Pin: release a=groovy
 Pin-Priority: 1
diff --git a/molecule/builder-focal/image_hash b/molecule/builder-focal/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2020_09_11
-10d4b7f28a3de6f2bd9e6a55dd5fdb448fb90442d15a013f73942b4d2e5ce259
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-focal:2021_01_26
+60436817a1e7a2b1f2abe19ef456b73e0b6e6d4064f2edb27e1ae0da3fcccef3
diff --git a/molecule/builder-xenial/image_hash b/molecule/builder-xenial/image_hash
@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2020_10_07
-35b70776cf5139ed2c597063579d74f0458416e4cbbe443bfebef2596ce5a48c
+# sha256 digest quay.io/freedomofpress/sd-docker-builder-xenial:2021_01_26
+f17105ea2618621d2de42ee6ef4d2cff507845fbf4d26581581bcf7c99d47217