diff --git a/.gitea/workflows/mirror-base-image.yaml b/.gitea/workflows/mirror-base-image.yaml
index e51a8c5..747b205 100644
--- a/.gitea/workflows/mirror-base-image.yaml
+++ b/.gitea/workflows/mirror-base-image.yaml
@@ -1,22 +1,35 @@
-name: Mirror python:3.12-slim base image
+name: Mirror base images
 run-name: weekly base-image mirror
-# Pulls python:3.12-slim from docker.io and re-pushes it to the in-house
-# registry, so haproxy-manager-base's build (and any future image that
-# uses the same mirror) doesn't depend on docker.io's Cloudflare R2
-# blob storage being reachable. The 2026-05-12 Cloudflare incident
-# motivated this; manual refresh was the workaround at the time.
+
+# Pulls each declared base image from upstream and re-pushes to the in-house
+# registry, so any of our images that FROM these don't depend on docker.io's
+# Cloudflare R2 blob storage being reachable. The 2026-05-12 Cloudflare
+# incident motivated this for python:3.12-slim and again for golang:1.25
+# when the coraza-spoa build hit the same blob-fetch failure.
+#
+# Adding a new mirror = add one entry to the matrix below. The destination
+# tag is always cloud-hosting-platform/:, matching upstream.
 on:
 schedule:
- # Mondays 06:00 UTC — outside customer peak hours and well before
- # the typical Tuesday/Thursday push cycles. workflow_dispatch lets us
- # trigger manually from the Gitea UI when Python publishes patches.
+ # Mondays 06:00 UTC — outside customer peak hours and well before the
+ # typical Tuesday/Thursday push cycles. workflow_dispatch lets us trigger
+ # manually from the Gitea UI when upstream publishes patches.
 - cron: '0 6 * * 1'
 workflow_dispatch:
 jobs:
 Mirror-Base:
 runs-on: ubuntu-latest
+ strategy:
+ # fail-fast=false so one image's upstream being down doesn't block the
+ # others from refreshing.
+ fail-fast: false
+ matrix:
+ image:
+ - { src: 'docker.io/library/python:3.12-slim', dst_path: 'cloud-hosting-platform/python', tag: '3.12-slim' }
+ - { src: 'docker.io/library/golang:1.25', dst_path: 'cloud-hosting-platform/golang', tag: '1.25' }
+
 steps:
 - name: Login to in-house registry
 uses: docker/login-action@v3
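Review bot: The two matrix entries identify their sources by mutable tag only, so each weekly run re-pushes whatever docker.io currently serves for `python:3.12-slim` and `golang:1.25`, and nothing in the workflow records which upstream manifest was copied into the in-house tag. Consider allowing an optional digest on the source, e.g. `src: 'docker.io/library/golang:1.25@sha256:<upstream-digest>'` (placeholder), or at minimum having the job print the pulled RepoDigest so a mirrored tag can be traced back to an upstream build when a dependency question comes up. Separately, the comment line `# tag is always cloud-hosting-platform/:, matching upstream.` appears to have lost its placeholders — presumably `<name>:<tag>` — and reads as broken; restore them so the "add one entry" instruction is usable. The same mutable-tag consideration applies to the coraza-spoa Dockerfile hunk in this commit.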
@@ -25,11 +38,11 @@ jobs:
 username: ${{ secrets.CI_USER }}
 password: ${{ secrets.CI_TOKEN }}
- - name: Pull, retag, push
+ - name: Pull, retag, push ${{ matrix.image.src }}
 run: |
 set -euo pipefail
- SRC=docker.io/library/python:3.12-slim
- DST=repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim
+ SRC="${{ matrix.image.src }}"
+ DST="repo.anhonesthost.net/${{ matrix.image.dst_path }}:${{ matrix.image.tag }}"
 echo "::group::Pulling ${SRC}"
 docker pull "${SRC}"
diff --git a/coraza-spoa/Dockerfile b/coraza-spoa/Dockerfile
index b6830f3..3f5c401 100644
--- a/coraza-spoa/Dockerfile
+++ b/coraza-spoa/Dockerfile
@@ -11,10 +11,12 @@ ARG CORAZA_SPOA_VERSION=v0.7.1
-# golang:1.25 from docker.io. Mirror to repo.anhonesthost.net if Cloudflare
-# reliability becomes a recurring concern (the 2026-05-12 incident drove
-# the same mirror for python:3.12-slim in the parent Dockerfile).
-FROM golang:1.25 AS build
+# golang:1.25 from the in-house mirror. The 2026-05-12 Cloudflare incident
+# took out docker.io blob pulls TWICE in one day (first for python:3.12-slim,
+# then for this image's golang:1.25), so both are mirrored at
+# repo.anhonesthost.net via the .gitea/workflows/mirror-base-image.yaml
+# weekly job.
+FROM repo.anhonesthost.net/cloud-hosting-platform/golang:1.25 AS build
 ARG CORAZA_SPOA_VERSION
 WORKDIR /src
 RUN apt-get update \
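Review bot: `SRC="${{ matrix.image.src }}"` and the `DST=` line below it splice workflow expressions directly into the `run:` script text; the values are fixed literals in this file's matrix, so there is no injection path as written, but the pattern becomes unsafe the moment the matrix is ever sourced from a dispatch input, an issue body or an external JSON file. The conventional hardening is to move the expressions into the step's `env:` (`SRC_IMAGE: ${{ matrix.image.src }}` and `DST_IMAGE: repo.anhonesthost.net/${{ matrix.image.dst_path }}:${{ matrix.image.tag }}`) and read `"$SRC_IMAGE"` / `"$DST_IMAGE"` in the script, which keeps untrusted text out of the shell source and is what actions linters flag for. The remainder of the pull/retag/push script, including the `docker push`, continues outside this hunk.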
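Review bot: `FROM repo.anhonesthost.net/cloud-hosting-platform/golang:1.25 AS build` depends on a tag that exists in the in-house registry only after the mirror job has run at least once, and this commit adds the golang matrix entry and the FROM switch together, so a coraza-spoa build between merge and the first Monday 06:00 UTC run (or a manual `workflow_dispatch`) would fail at the FROM with a missing-manifest error; worth a sentence in the new comment or a dispatch run before merging. The mirror also does not freeze content — each weekly run can move the in-house `golang:1.25` tag to a new upstream build — so if the build stage is expected to be reproducible, pin it as `FROM repo.anhonesthost.net/cloud-hosting-platform/golang:1.25@sha256:<mirrored-digest> AS build` (placeholder) and document how the digest is refreshed. The build stage continues beyond the hunk.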