ci: migrate to AWS oidc authorization

.github/workflows/build-docker-image.yml

@@ -0,0 +1,55 @@
+name: Docker Image CI
+
+on:
+  schedule:
+    - cron: 0 0 * * 6
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    container: neuralegion/devops
+
+    strategy:
+      matrix:
+        package:
+          - chromium
+          - chromium-headful
+          - chrome
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_DEFAULT_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Get version
+        id: get_version
+        run: echo ::set-output name=result::$(make --file ${{ matrix.package }}/Makefile get-version)
+
+      - name: Build image
+        run: make --file ${{ matrix.package }}/Makefile build version=${{ steps.get_version.outputs.result }}
+
+      - name: Login into Docker
+        run: docker login --username=anatol1988 --password=${{ secrets.DOCKER_TOKEN }}
+
+      - name: Push image to Docker
+        run: docker push neuralegion/nextools-${{ matrix.package }}
+
+      - name: Push Docker image to AWS ECR
+        run: docker push 454884832027.dkr.ecr.us-east-1.amazonaws.com/nextools-${{ matrix.package }}
+

.github/workflows/on-schedule.yml

@@ -4,8 +4,8 @@ on:
   repository_dispatch:
     types: check
   schedule:
-    # every 12 hours
-    - cron:  '0 */12 * * *'
+    # every 3 days
+    - cron: 0 0 * * 3
 
 jobs:
   check:
@@ -15,7 +15,7 @@ jobs:
       matrix:
         package:
           - chromium
-          - firefox
+          - chromium-headful
 
     steps:
       - name: Checkout
@@ -31,7 +31,7 @@ jobs:
 
       - name: Check status
         id: check_status
-        run: echo ::set-output name=result::$(git tag | grep --quiet ${{ matrix.package }}@${{ steps.get_version.outputs.result }} && echo 'up-to-date' || echo 'outdated')
+        run: echo ::set-output name=result::$(git tag | grep --quiet chromium@${{ steps.get_version.outputs.result }} && echo 'up-to-date' || echo 'outdated')
 
       - name: Print results
         run: |
@@ -84,18 +84,10 @@ jobs:
         if: steps.check_status.outputs.result == 'outdated'
         run: git push --force --tags origin master
 
-      - name: Docker GitHub Packages login
+      - name: Login into Docker
         if: steps.check_status.outputs.result == 'outdated'
-        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login --username ${{ github.actor }} --password-stdin docker.pkg.github.com
+        run: docker login --username=anatol1988 --password=${{ secrets.DOCKER_TOKEN }}
 
-      - name: Docker GitHub Packages push
+      - name: Push image to Docker
         if: steps.check_status.outputs.result == 'outdated'
-        run: docker push docker.pkg.github.com/nextools/images/${{ matrix.package }}
-
-      - name: Docker Hub login
-        if: steps.check_status.outputs.result == 'outdated'
-        run: echo ${{ secrets.DOCKER_HUB_TOKEN }} | docker login --username nextoolsbot --password-stdin
-
-      - name: Docker Hub push
-        if: steps.check_status.outputs.result == 'outdated'
-        run: docker push nextools/${{ matrix.package }}
+        run: docker push neuralegion/nextools-${{ matrix.package }}

chrome/Dockerfile

@@ -0,0 +1,29 @@
+FROM ubuntu:bionic
+
+ARG VERSION
+ARG DEBIAN_FRONTEND=noninteractive
+ENV DBUS_SESSION_BUS_ADDRESS disabled:
+ENV RD_PORT=9222
+
+RUN apt-get update \
+    # https://github.com/phusion/baseimage-docker/issues/319
+    && apt-get install --yes apt-utils 2>&1 | grep -v "debconf: delaying package configuration, since apt-utils is not installed" \
+    && apt-get install -y wget gnupg \
+    && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /usr/share/keyrings/googlechrome-linux-keyring.gpg \
+    && sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/googlechrome-linux-keyring.gpg] https://dl-ssl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
+    && wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${VERSION}_amd64.deb \
+    && apt-get update \
+    && apt-get install -y /tmp/chrome.deb fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 dumb-init socat dbus dbus-x11 \
+      --no-install-recommends \
+    && service dbus start \
+    && rm -rf /var/lib/apt/lists/* \
+    && groupadd -r chrome && useradd --create-home -rm -g chrome -G audio,video chrome
+
+
+WORKDIR /home/chrome
+
+COPY --chown=chrome:chrome entrypoint.sh /home/chrome/
+
+USER chrome
+
+ENTRYPOINT ["dumb-init", "--", "/bin/sh", "/home/chrome/entrypoint.sh"]

chrome/Makefile

@@ -0,0 +1,32 @@
+.PHONY: get-version build test tags
+
+CURRENT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+VERSION:="127.0.6533.88-1"
+
+# get-version:
+# 	@docker pull ubuntu:bionic > /dev/null 2>&1
+# 	@docker run --rm \
+# 		ubuntu:bionic \
+# 		sh -c "apt-get update --quiet=2 && apt-cache policy chromium-browser | sed --regexp-extended --quiet 's/.*Candidate: ([0-9.]+)-.+/\1/p'"
+
+get-version:
+	@echo $(VERSION)
+
+build:
+	@docker build --tag neuralegion/nextools-chrome --tag 454884832027.dkr.ecr.us-east-1.amazonaws.com/nextools-chrome --build-arg VERSION=$(VERSION) $(CURRENT_DIR)
+
+test:
+	@docker run --detach --publish 9222:9222 --name nextools-chrome neuralegion/nextools-chrome
+	@timeout 20s sh -c "trap 'docker container rm --force nextools-chrome' 0; until curl http://localhost:9222/json/version; do sleep 1; done"
+
+tags:
+	@for i in 3 2 1 0 -1; do \
+		if [ $$i -ge 0 ]; then \
+			tag=`echo $(version) | sed --regexp-extended "s/(\.[0-9]+){$$i}$$//"`; \
+		else \
+			tag=latest; \
+		fi; \
+		echo $$tag; \
+		docker tag nextools-chrome neuralegion/nextools-chrome:$$tag; \
+		git tag --force nextools-chrome@$$tag; \
+	done

chrome/entrypoint.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+
+if [ "$(ls -A /home/chrome/.fonts/)" ]; then
+  fc-cache -f -v
+fi
+
+RD_PORT="${RD_PORT:=9222}"
+
+ip=$(hostname --ip-address)
+socat tcp-listen:$RD_PORT,bind="$ip",fork tcp:127.0.0.1:$RD_PORT &
+
+(ulimit -n 65000 || true) && (ulimit -p 65000 || true) && exec google-chrome-stable \
+  --enable-automation \
+  --silent-debugger-extension-api \
+  --allow-pre-commit-input \
+  --ash-no-nudges \
+  --disable-gpu-process-crash-limit \
+  --disable-background-networking \
+  --disable-background-timer-throttling \
+  --disable-backgrounding-occluded-windows \
+  --disable-renderer-backgrounding \
+  --disable-breakpad \
+  --disable-client-side-phishing-detection \
+  --disable-setuid-sandbox \
+  --disable-default-apps \
+  --disable-speech-api \
+  --disable-dev-shm-usage \
+  --disable-domain-reliability \
+  --disable-notifications \
+  --disable-extensions \
+  --disable-field-trial-config \
+  --disable-popup-blocking \
+  --disable-prompt-on-repost \
+  --disable-search-engine-choice-screen \
+  --disable-offer-store-unmasked-wallet-cards \
+  --disable-sync \
+  --disable-component-extensions-with-background-pages \
+  --deny-permission-prompts \
+  --disable-print-preview \
+  --noerrdialogs \
+  --disable-hang-monitor \
+  --disable-ipc-flooding-protection \
+  --disable-component-update \
+  --headless=old \
+  --export-tagged-pdf \
+  --force-color-profile=srgb \
+  --no-zygote \
+  --start-maximized \
+  --password-store=basic \
+  --use-mock-keychain \
+  --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,ImprovedCookieControls \
+  --enable-features=NetworkServiceInProcess2 \
+  --hide-scrollbars \
+  --ignore-certificate-errors \
+  --ignore-certificate-errors-spki-list \
+  --ignore-ssl-errors \
+  --ignore-unknown-auth-factors \
+  --metrics-recording-only \
+  --mute-audio \
+  --no-first-run \
+  --no-sandbox \
+  --no-default-browser-check \
+  --remote-debugging-address=127.0.0.1 \
+  --remote-debugging-port="$RD_PORT" \
+  --user-data-dir=/home/chrome/ \
+  --window-size=1920,1080 \
+  --window-position=0,0 \
+  "$@"

chrome/license.md

@@ -0,0 +1,22 @@
+# The MIT License (MIT)
+
+* Copyright (c) 2018–2020 Kir Belevich
+* Copyright (c) 2020–present NexTools
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

chrome/readme.md

@@ -0,0 +1,36 @@
+# chrome
+
+Dockerized Chrome
+
+## Usage
+
+### Docker Hub
+
+```sh
+docker run -it --rm -p 9222:9222 neuralegion/nextools-chrome:<TAG>
+```
+-->
+
+## How to
+
+### specify a different port
+
+Container uses a `RD_PORT` [environment variable](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file), which is `9222` by default:
+
+```
+docker run -it --rm -p 9223:9223 -e RD_PORT=9223 neuralegion/nextools-chrome:<TAG>
+```
+
+### pass additional Chrome arguments
+
+```
+docker run -it --rm -p 9222:9222 neuralegion/nextools-chrome:<TAG> --some-chrome-arg
+```
+
+### add custom fonts
+
+It's possible to mount a folder with custom fonts to be used later by Chrome: 
+
+```
+docker run -it --rm -p 9222:9222 -v $(pwd)/path/to/fonts:/home/chrome/.fonts neuralegion/nextools-chrome:<TAG>
+```

chromium-headful/Dockerfile

@@ -0,0 +1,31 @@
+FROM ubuntu:bionic
+
+ARG VERSION
+ARG DEBIAN_FRONTEND=noninteractive
+ENV RD_PORT=9222
+
+RUN apt-get update \
+    # https://github.com/phusion/baseimage-docker/issues/319
+    && apt-get install --yes apt-utils 2>&1 | grep -v "debconf: delaying package configuration, since apt-utils is not installed" \
+    && apt-get install --no-install-recommends --yes \
+        htop \
+        net-tools \
+        dumb-init \
+        fontconfig \
+        chromium-browser=${VERSION}\* \
+        curl \
+        xvfb \
+        socat \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd chromium
+RUN useradd --create-home --gid chromium chromium
+RUN chown --recursive chromium:chromium /home/chromium/
+
+VOLUME ["/home/chromium/.fonts"]
+
+COPY --chown=chromium:chromium entrypoint.sh /home/chromium/
+
+USER chromium
+
+ENTRYPOINT ["dumb-init", "--", "/bin/sh", "/home/chromium/entrypoint.sh"]

chromium-headful/Makefile

@@ -0,0 +1,28 @@
+.PHONY: get-version build test tags
+
+CURRENT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+get-version:
+	@docker pull ubuntu:bionic > /dev/null 2>&1
+	@docker run --rm \
+		ubuntu:bionic \
+		sh -c "apt-get update --quiet=2 && apt-cache policy chromium-browser | sed --regexp-extended --quiet 's/.*Candidate: ([0-9.]+)-.+/\1/p'"
+
+build:
+	@docker build --tag neuralegion/nextools-chromium-headful --tag 454884832027.dkr.ecr.us-east-1.amazonaws.com/nextools-chromium-headful --build-arg VERSION=$(version) $(CURRENT_DIR)
+
+test:
+	@docker run --detach --publish 9222:9222 --name nextools-chromium-headful neuralegion/nextools-chromium-headful
+	@timeout 20s sh -c "trap 'docker container rm --force nextools-chromium' 0; until curl http://localhost:9222/json/version; do sleep 1; done"
+
+tags:
+	@for i in 3 2 1 0 -1; do \
+		if [ $$i -ge 0 ]; then \
+			tag=`echo $(version) | sed --regexp-extended "s/(\.[0-9]+){$$i}$$//"`; \
+		else \
+			tag=latest; \
+		fi; \
+		echo $$tag; \
+		docker tag nextools-chromium-headful neuralegion/nextools-chromium-headful:$$tag; \
+		git tag --force nextools-chromium-headful@$$tag; \
+	done