From 0529b526d68cdb1117a20d01c3cf2f88b9af0b34 Mon Sep 17 00:00:00 2001
From: Kim Fehrs
Date: Mon, 5 Feb 2024 23:09:46 +0100
Subject: [PATCH] update workflow to use reusable join action

---
 .github/workflows/docker.yml | 136 +++++++++++------------------------
 Dockerfile | 4 +-
 2 files changed, 45 insertions(+), 95 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f38ab3e9d4..1e9cc435d6 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -20,53 +20,6 @@ jobs: with: access_token: ${{ github.token }} - join_multiarch_image_dockerhub: - permissions: - id-token: write - contents: read - pull-requests: read - name: Join Multiarch Image Dockerhub - runs-on: ubuntu-latest - needs: - - build_push_container_dockerhub - - build_push_container_dockerhub_arm - steps: - - uses: RDXWorks-actions/checkout@main - with: - fetch-depth: 0 - ## Dockerhub - - name: "Configure AWS credentials" - uses: RDXWorks-actions/configure-aws-credentials@main - with: - role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} - aws-region: eu-west-2 - - name: Read secrets from AWS Secrets Manager into environment variables - uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main - with: - secret-ids: | - DOCKERHUB, github-actions/rdxworks/dockerhub-images/release-credentials - parse-json-secrets: true - - name: Login to Docker Hub - uses: RDXWorks-actions/login-action@master - with: - username: ${{ env.DOCKERHUB_USERNAME }} - password: ${{ env.DOCKERHUB_TOKEN }} - - name: Install and Configure Buildx - run: | - wget https://github.com/docker/buildx/releases/download/v0.10.4/buildx-v0.10.4.linux-amd64 - echo "---- Configure Docker plugins ----" - mkdir -p /home/runner/.docker/cli-plugins/ - mv buildx-v0.10.4.linux-amd64 /home/runner/.docker/cli-plugins/docker-buildx - chmod +x /home/runner/.docker/cli-plugins/docker-buildx - echo "---- Create build context ----" - docker context create babylon-node - docker buildx create babylon-node --use - - name: Join multiarch images - run: | - docker buildx imagetools create -t docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }} \ - docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-arm64 \ - docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64 - build_deb: name: Build debian package runs-on: selfhosted-ubuntu-22.04-16-cores 
@@ -111,24 +64,6 @@ jobs: path: ~/.gradle/caches key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb restore-keys: ${{ runner.os }}-gradle-deb - - id: auth - uses: RDXWorks-actions/auth@main - with: - workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }} - service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} - create_credentials_file: true - token_format: access_token - - name: 'Set up Cloud SDK' - uses: 'google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce' - - name: 'Register gcloud as Docker credential helper' - run: | - gcloud auth configure-docker -q - - name: Login to Artifact Registry - uses: RDXWorks-actions/login-action@master - with: - registry: europe-west2-docker.pkg.dev - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} - name: Restore cached image-cache id: cache-image-restore uses: RDXWorks-actions/cache/restore@main @@ -169,6 +104,11 @@ jobs: name: (PRIVATE) Docker AMD needs: - setup_tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: ubuntu-latest @@ -201,6 +141,11 @@ jobs: name: (PRIVATE) Docker ARM needs: - setup_tags + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: babylon-node-arm 
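Review bot: The permissions block added to build_push_container_private grants `pull-requests: write` and `packages: write` to a job whose visible purpose is building and pushing an image, while the join jobs introduced in the same change get by with `pull-requests: read`. A called reusable workflow can never exceed what the caller grants, so this block is the place to scope the token down: unless docker-build.yml comments on pull requests or publishes to GHCR, `pull-requests: read` and dropping `packages: write` would leave only what the OIDC exchange (`id-token: write`) and checkout (`contents: read`) need. The same block is repeated for build_push_container_private_arm in the next hunk and for both DockerHub build jobs in the later hunks; if the write scopes are genuinely required, a comment such as `# write scopes consumed by docker-build.yml (PR status comments / GHCR push)` above each block would record why they are wider than the join jobs. The build_push_container_private job definition begins before this hunk.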
@@ -229,42 +174,31 @@ jobs: build-args: | WGET_VERSION=1.21.3-1+b1 - tag_suffix_remover: - if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request' - name: Calculate base tag - runs-on: ubuntu-latest - outputs: - BASE_TAG: ${{ steps.tag_suffix_remover.outputs.BASE_TAG }} - needs: - - build_push_container_private - - build_push_container_private_arm - steps: - - name: tag_suffix_remover - id: tag_suffix_remover - run: | - echo ${{needs.build_push_container_private.outputs.default_tag}} | rev | cut -d- -f2- | rev - echo BASE_TAG=$(echo ${{needs.build_push_container_private.outputs.default_tag}} | rev | cut -d- -f2- | rev) >> $GITHUB_OUTPUT - join_multiarch_image_private_dockerhub: if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request' name: Join Multiarch Image Private Dockerhub needs: - build_push_container_private - build_push_container_private_arm - - tag_suffix_remover - uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main + permissions: + id-token: write + contents: read + pull-requests: read + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main with: aws_dockerhub_secret: github-actions/common/dockerhub-credentials - image_tag: ${{needs.tag_suffix_remover.outputs.BASE_TAG}} - image_name: "private-babylon-node" - tag_suffix_1: "amd64" - tag_suffix_2: "arm64" + amd_meta_data_json: ${{needs.build_push_container_private.outputs.json}} secrets: role-to-assume: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access" build_push_container_dockerhub: if: github.event_name == 'release' name: (DockerHub) Docker AMD + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: ubuntu-latest 
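Review bot: The reusable workflow switched to here, `join-docker-images-all-tags.yml@main`, is referenced at a mutable branch, as is the `docker-build.yml@main` whose output it consumes, so for a job running with `id-token: write` and an assumed AWS role, a push to that branch changes what executes in this pipeline without any diff appearing in this file. Pinning both `uses:` lines to a release tag or full commit SHA (this file previously pinned `google-github-actions/setup-gcloud` by SHA) and bumping them deliberately keeps the permission grant tied to reviewed code. The new input `amd_meta_data_json: ${{needs.build_push_container_private.outputs.json}}` also assumes docker-build.yml declares a `json` job output; that is worth confirming, because an undefined job output expands to an empty string rather than failing the workflow, and the join would then run with no tag metadata.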
@@ -282,13 +216,16 @@ jobs: enable_dockerhub: "true" provenance: "false" secrets: - workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }} - service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} build_push_container_dockerhub_arm: if: github.event_name == 'release' name: (DockerHub) Docker ARM + permissions: + id-token: write + contents: read + pull-requests: write + packages: write uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main with: runs_on: babylon-node-arm @@ -308,10 +245,25 @@ jobs: build-args: | WGET_VERSION=1.21.3-1+b1 secrets: - workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }} - service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} + join_multiarch_image_dockerhub: + if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request' + name: Join Multiarch Image Private Dockerhub + needs: + - build_push_container_dockerhub + - build_push_container_dockerhub_arm + permissions: + id-token: write + contents: read + pull-requests: read + uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main + with: + aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials + amd_meta_data_json: ${{needs.build_push_container_dockerhub.outputs.json}} + secrets: + role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} + snyk_container_monitor: name: Snyk monitor container runs-on: ubuntu-latest 
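Review bot: The new join_multiarch_image_dockerhub job carries `name: Join Multiarch Image Private Dockerhub` and an `if:` keyed on the `ARM-TEST` label, both copied from the private join job, while the two jobs it `needs` run only on `github.event_name == 'release'`. On a push or labelled pull request the job is therefore listed as skipped under a misleading name, and on a release it is the condition on its dependencies rather than its own that gates it. Suggest `name: Join Multiarch Image Dockerhub` and `if: github.event_name == 'release'` so the job's gate matches its inputs and the run list reads correctly; the `pull-requests: read` grant it carries is the appropriately narrow one and can stay.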
@@ -328,10 +280,8 @@ jobs: with: role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} app_name: 'babylon-node' - step_name: 'snyk-cntr-monitor-amd' dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true snyk_org_id: ${{ secrets.SNYK_ORG_ID }} image: docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64 target_ref: ${{ github.ref_name }} diff --git a/Dockerfile b/Dockerfile index 6db7b1749a..d94f9155cf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,7 +31,7 @@ RUN apt-get update \ wget=${WGET_VERSION} \ software-properties-common=0.99.30-4 \ && apt-get install -y --no-install-recommends \ - openjdk-17-jdk=17.0.9+9-1~deb12u1 \ + openjdk-17-jdk=17.0.10+7-1~deb12u1 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* @@ -206,7 +206,7 @@ LABEL org.opencontainers.image.authors="devops@radixdlt.com" # - curl is needed for the docker-healthcheck RUN apt-get update -y \ && apt-get -y --no-install-recommends install \ - openjdk-17-jre-headless=17.0.9+9-1~deb12u1 \ + openjdk-17-jre-headless=17.0.10+7-1~deb12u1 \ # https://security-tracker.debian.org/tracker/CVE-2023-38545 curl=7.88.1-10+deb12u5 \ gettext-base=0.21-12 \