ci: mirror golang:1.25 alongside python:3.12-slim, switch coraza-spoa FROM
Cloudflare's bot-management incident on 2026-05-12 took out docker.io blob
pulls twice in one day — first for python:3.12-slim (mirrored in 5a2ebf9),
then again for golang:1.25 when the PR 1 coraza-spoa build hit the same
R2-via-Cloudflare failure on the build stage's base image.
Restructure .gitea/workflows/mirror-base-image.yaml into a matrix that
iterates over a list of (src, dst_path, tag) entries. Adding a new base
image is now a one-line matrix entry. fail-fast: false so one image's
upstream being down doesn't block refreshing the others.
Switch coraza-spoa/Dockerfile's build stage FROM to the in-house golang
mirror. Runtime FROM (gcr.io/distroless/static-debian12:nonroot) stays
on upstream — distroless is on Google's registry, separate from Docker
Hub's Cloudflare R2 setup, and didn't fail during today's incident.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,22 +1,35 @@
|
|||||||
name: Mirror python:3.12-slim base image
|
name: Mirror base images
|
||||||
run-name: weekly base-image mirror
|
run-name: weekly base-image mirror
|
||||||
# Pulls python:3.12-slim from docker.io and re-pushes it to the in-house
|
|
||||||
# registry, so haproxy-manager-base's build (and any future image that
|
# Pulls each declared base image from upstream and re-pushes to the in-house
|
||||||
# uses the same mirror) doesn't depend on docker.io's Cloudflare R2
|
# registry, so any of our images that FROM these don't depend on docker.io's
|
||||||
# blob storage being reachable. The 2026-05-12 Cloudflare incident
|
# Cloudflare R2 blob storage being reachable. The 2026-05-12 Cloudflare
|
||||||
# motivated this; manual refresh was the workaround at the time.
|
# incident motivated this for python:3.12-slim and again for golang:1.25
|
||||||
|
# when the coraza-spoa build hit the same blob-fetch failure.
|
||||||
|
#
|
||||||
|
# Adding a new mirror = add one entry to the matrix below. The destination
|
||||||
|
# tag is always cloud-hosting-platform/<image>:<tag>, matching upstream.
|
||||||
|
|
||||||
on:
|
on:
|
||||||
schedule:
|
schedule:
|
||||||
# Mondays 06:00 UTC — outside customer peak hours and well before
|
# Mondays 06:00 UTC — outside customer peak hours and well before the
|
||||||
# the typical Tuesday/Thursday push cycles. workflow_dispatch lets us
|
# typical Tuesday/Thursday push cycles. workflow_dispatch lets us trigger
|
||||||
# trigger manually from the Gitea UI when Python publishes patches.
|
# manually from the Gitea UI when upstream publishes patches.
|
||||||
- cron: '0 6 * * 1'
|
- cron: '0 6 * * 1'
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
Mirror-Base:
|
Mirror-Base:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
strategy:
|
||||||
|
# fail-fast=false so one image's upstream being down doesn't block the
|
||||||
|
# others from refreshing.
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
image:
|
||||||
|
- { src: 'docker.io/library/python:3.12-slim', dst_path: 'cloud-hosting-platform/python', tag: '3.12-slim' }
|
||||||
|
- { src: 'docker.io/library/golang:1.25', dst_path: 'cloud-hosting-platform/golang', tag: '1.25' }
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Login to in-house registry
|
- name: Login to in-house registry
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
@@ -25,11 +38,11 @@ jobs:
|
|||||||
username: ${{ secrets.CI_USER }}
|
username: ${{ secrets.CI_USER }}
|
||||||
password: ${{ secrets.CI_TOKEN }}
|
password: ${{ secrets.CI_TOKEN }}
|
||||||
|
|
||||||
- name: Pull, retag, push
|
- name: Pull, retag, push ${{ matrix.image.src }}
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
SRC=docker.io/library/python:3.12-slim
|
SRC="${{ matrix.image.src }}"
|
||||||
DST=repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim
|
DST="repo.anhonesthost.net/${{ matrix.image.dst_path }}:${{ matrix.image.tag }}"
|
||||||
|
|
||||||
echo "::group::Pulling ${SRC}"
|
echo "::group::Pulling ${SRC}"
|
||||||
docker pull "${SRC}"
|
docker pull "${SRC}"
|
||||||
|
|||||||
@@ -11,10 +11,12 @@
|
|||||||
|
|
||||||
ARG CORAZA_SPOA_VERSION=v0.7.1
|
ARG CORAZA_SPOA_VERSION=v0.7.1
|
||||||
|
|
||||||
# golang:1.25 from docker.io. Mirror to repo.anhonesthost.net if Cloudflare
|
# golang:1.25 from the in-house mirror. The 2026-05-12 Cloudflare incident
|
||||||
# reliability becomes a recurring concern (the 2026-05-12 incident drove
|
# took out docker.io blob pulls TWICE in one day (first for python:3.12-slim,
|
||||||
# the same mirror for python:3.12-slim in the parent Dockerfile).
|
# then for this image's golang:1.25), so both are mirrored at
|
||||||
FROM golang:1.25 AS build
|
# repo.anhonesthost.net via the .gitea/workflows/mirror-base-image.yaml
|
||||||
|
# weekly job.
|
||||||
|
FROM repo.anhonesthost.net/cloud-hosting-platform/golang:1.25 AS build
|
||||||
ARG CORAZA_SPOA_VERSION
|
ARG CORAZA_SPOA_VERSION
|
||||||
WORKDIR /src
|
WORKDIR /src
|
||||||
RUN apt-get update \
|
RUN apt-get update \
|
||||||
|
|||||||
Reference in New Issue
Block a user