Updates SHA process (#5230)

Updates SHA process. 

Fixes #5229

Author: atsansone

.gitignore

@@ -30,3 +30,8 @@ tmp
 # Misc
 trash
 /src/_data/ci.yaml
+
+# SHA Update
+# The script generates the .save file in case you need a rollback.
+*.save
+tool/new-dart-hashes.txt

Dockerfile

@@ -33,24 +33,26 @@ ENV DART_SDK=/usr/lib/dart
 ENV PATH=$DART_SDK/bin:$PATH
 RUN set -eu; \
     case "$(dpkg --print-architecture)_${DART_CHANNEL}" in \
+      # BEGIN dart-sha
       amd64_stable) \
-        DART_SHA256="be679ccef3a0b28f19e296dd5b6374ac60dd0deb06d4d663da9905190489d48b"; \
+        DART_SHA256="0150dff731ac017646941ebfa46ca2a7bbe5c634be0928262d524420341fc739"; \
         SDK_ARCH="x64";; \
       arm64_stable) \
-        DART_SHA256="395180693ccc758e4e830d3b13c4879e6e96b6869763a56e91721bf9d4228250"; \
+        DART_SHA256="2b2830001cd8732d356c4beee7be25c947e6cb6e8ca7b8ea748da47f6cc9d222"; \
         SDK_ARCH="arm64";; \
       amd64_beta) \
-        DART_SHA256="bd0311f604def7e49215c6fbed823dc01284586f83963b6891cc6dee36da2488"; \
+        DART_SHA256="dc85f9d7a739b4002ddeda181ce53c4e2c653c01fbd3c8096676ee99930f61f6"; \
         SDK_ARCH="x64";; \
       arm64_beta) \
-        DART_SHA256="02de2c59d14fe4fcbcc6da756457be6966cd399bee507b2980d0e3c76fa4a2e3"; \
+        DART_SHA256="a6166776794dd06f146877de94e09e688314a53b1c44429ed06ee03e29a6e5a8"; \
         SDK_ARCH="arm64";; \
       amd64_dev) \
-        DART_SHA256="4b411a63f3b20dcb2fa8ad81d7ec0caf3fa19deb13b7ae5fbd66acce99cb992b"; \
+        DART_SHA256="33adbd575bd4ec9ee682404d305002fd816ae909fe8c1007777f20c67712ec32"; \
         SDK_ARCH="x64";; \
       arm64_dev) \
-        DART_SHA256="df63b26de4699be1738ddec36fcb98b98ac880e2223d1137caf40a529e8c0799"; \
+        DART_SHA256="4cffcd38f32ddf1ca6ce2b361113cb85e7eb1300932f41031c7cb45206f5b045"; \
         SDK_ARCH="arm64";; \
+      # END dart-sha
     esac; \
     SDK="dartsdk-linux-${SDK_ARCH}-release.zip"; \
     BASEURL="https://storage.googleapis.com/dart-archive/channels"; \

Dockerfile.save

@@ -0,0 +1,168 @@
+FROM ruby:3.2-slim-bookworm@sha256:6ff55a14560f94d6c199033e4aa90cc7f0b7afaea5a50bc91cfbc4905f366f39 as base
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ=US/Pacific
+RUN apt update && apt install -yq --no-install-recommends \
+      build-essential \
+      ca-certificates \
+      curl \
+      git \
+      gnupg \
+      lsof \
+      make \
+      unzip \
+      vim-nox \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN echo "alias lla='ls -lAhG --color=auto'" >> ~/.bashrc
+WORKDIR /root
+
+
+# google-chrome-stable
+
+
+# ============== DART ==============
+# See https://github.com/dart-lang/dart-docker
+# See https://github.com/dart-lang/setup-dart/blob/main/setup.sh
+FROM base as dart
+ARG DART_VERSION=latest
+ARG DART_CHANNEL=stable
+ENV DART_VERSION=$DART_VERSION
+ENV DART_CHANNEL=$DART_CHANNEL
+ENV DART_SDK=/usr/lib/dart
+ENV PATH=$DART_SDK/bin:$PATH
+RUN set -eu; \
+    case "$(dpkg --print-architecture)_${DART_CHANNEL}" in \
+      # BEGIN dart-sha
+      amd64_stable) \
+        DART_SHA256="be679ccef3a0b28f19e296dd5b6374ac60dd0deb06d4d663da9905190489d48b"; \
+        SDK_ARCH="x64";; \
+      arm64_stable) \
+        DART_SHA256="395180693ccc758e4e830d3b13c4879e6e96b6869763a56e91721bf9d4228250"; \
+        SDK_ARCH="arm64";; \
+      amd64_beta) \
+        DART_SHA256="bd0311f604def7e49215c6fbed823dc01284586f83963b6891cc6dee36da2488"; \
+        SDK_ARCH="x64";; \
+      arm64_beta) \
+        DART_SHA256="02de2c59d14fe4fcbcc6da756457be6966cd399bee507b2980d0e3c76fa4a2e3"; \
+        SDK_ARCH="arm64";; \
+      amd64_dev) \
+        DART_SHA256="4b411a63f3b20dcb2fa8ad81d7ec0caf3fa19deb13b7ae5fbd66acce99cb992b"; \
+        SDK_ARCH="x64";; \
+      arm64_dev) \
+        DART_SHA256="df63b26de4699be1738ddec36fcb98b98ac880e2223d1137caf40a529e8c0799"; \
+        SDK_ARCH="arm64";; \
+      # END dart-sha
+    esac; \
+    SDK="dartsdk-linux-${SDK_ARCH}-release.zip"; \
+    BASEURL="https://storage.googleapis.com/dart-archive/channels"; \
+    URL="$BASEURL/$DART_CHANNEL/release/$DART_VERSION/sdk/$SDK"; \
+    curl -fsSLO "$URL"; \
+    echo "$DART_SHA256 *$SDK" | sha256sum --check --status --strict - || (\
+        echo -e "\n\nDART CHECKSUM FAILED! Run 'make fetch-sums' for updated values.\n\n" && \
+        rm "$SDK" && \
+        exit 1 \
+    ); \
+    unzip "$SDK" > /dev/null && mv dart-sdk "$DART_SDK" && rm "$SDK";
+ENV PUB_CACHE="${HOME}/.pub-cache"
+RUN dart --disable-analytics
+RUN echo -e "Successfully installed Dart SDK:" && dart --version
+
+
+# ============== DART-TESTS ==============
+from dart as dart-tests
+WORKDIR /app
+COPY ./ ./
+RUN dart pub get
+ENV BASE_DIR=/app
+ENV TOOL_DIR=$BASE_DIR/tool
+CMD ["./tool/test.sh"]
+
+
+# ============== NODEJS INSTALL ==============
+FROM dart as node
+
+RUN mkdir -p /etc/apt/keyrings \
+    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
+    && apt-get update -yq \
+    && apt-get install nodejs -yq \
+    && npm install -g npm # Ensure latest npm
+
+
+# ============== DEV/JEKYLL SETUP ==============
+FROM node as dev
+WORKDIR /app
+
+ENV JEKYLL_ENV=development
+COPY Gemfile Gemfile.lock ./
+RUN gem update --system && gem install bundler
+RUN BUNDLE_WITHOUT="test production" bundle install --jobs=4 --retry=2
+
+ENV NODE_ENV=development
+COPY package.json package-lock.json ./
+RUN npm install -g firebase-tools@12.4.0
+RUN npm install
+
+COPY ./ ./
+
+# Ensure packages are still up-to-date if anything has changed
+# RUN dart pub get --offline
+RUN dart pub get
+
+# Let's not play "which dir is this"
+ENV BASE_DIR=/app
+ENV TOOL_DIR=$BASE_DIR/tool
+
+# Jekyl
+EXPOSE 4000
+EXPOSE 35729
+
+# Firebase emulator port
+# Airplay runs on :5000 by default now
+EXPOSE 5500
+
+# re-enable defult in case we want to test packages
+ENV DEBIAN_FRONTEND=dialog
+
+
+# ============== FIREBASE EMULATE ==============
+FROM dev as emulate
+RUN bundle exec jekyll build --config _config.yml,_config_test.yml
+CMD ["make", "emulate"]
+
+
+# ============== BUILD PROD JEKYLL SITE ==============
+FROM node AS build
+WORKDIR /app
+
+ENV JEKYLL_ENV=production
+COPY Gemfile Gemfile.lock ./
+RUN gem update --system && gem install bundler
+RUN BUNDLE_WITHOUT="test development" bundle install --jobs=4 --retry=2 --quiet
+
+ENV NODE_ENV=production
+COPY package.json package-lock.json ./
+RUN npm install
+
+COPY ./ ./
+
+RUN dart pub get
+
+ENV BASE_DIR=/app
+ENV TOOL_DIR=$BASE_DIR/tool
+
+ARG BUILD_CONFIGS=_config.yml
+ENV BUILD_CONFIGS=$BUILD_CONFIGS
+RUN bundle exec jekyll build --config $BUILD_CONFIGS
+
+
+# ============== DEPLOY to FIREBASE ==============
+FROM build as deploy
+RUN npm install -g firebase-tools@12.4.0
+ARG FIREBASE_TOKEN
+ENV FIREBASE_TOKEN=$FIREBASE_TOKEN
+ARG FIREBASE_PROJECT=default
+ENV FIREBASE_PROJECT=$FIREBASE_PROJECT
+RUN [[ -z "$FIREBASE_TOKEN" ]] && echo "FIREBASE_TOKEN is required for container deploy!"
+RUN make deploy-ci

Makefile

@@ -145,6 +145,16 @@ fetch-sums:
 		--version ${DART_VERSION} \
 		--channel ${DART_CHANNEL}
 
+# Check Dart sums pulls the set of Dart SDK SHA256 hashes
+# and writes them to a temp file.
+check-sums:
+	tool/check-dart-sdk.sh
+
+# Update Dart sums replaces the Dart SDK SHA256 hashes
+# in the Dockerfile and deletes the temp file.
+update-sums:
+	tool/update-dart-sdk.sh
+
 # Test the dev container with pure docker
 test-builds:
 	docker build -t ${BUILD_TAG}:stable \

tool/check-dart-sdk.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Use this file locally to update Dart SDK checksum values in the Dockerfile
+# Prints output similar to cases in Dockerfile for easy composition 
+# when having to update checksum values for updates dart SDK.
+set -eu -o pipefail
+TOOL_DIR="${TOOL_DIR:=$(dirname "$0")}"
+source $TOOL_DIR/utils.sh
+
+VERSION="latest"
+CHANNEL="stable"
+
+while (( "$#" )); do
+  case "$1" in
+    --version)
+      VERSION=$2
+      shift 2
+      ;;
+    --channel)
+      CHANNEL=$2
+      shift 2
+      ;;
+    *)
+      echo "Unsupported argument $1" >&2
+      exit 1
+      ;;
+  esac
+done
+
+echo -e "\nPulling latest Dart SHA hashes.\n\nThis will take a moment.\n"
+
+BASEURL="https://storage.googleapis.com/dart-archive/channels"
+CHANNELS="stable beta dev"
+ARCHS="amd64 arm64"
+ENDING='\\\n'
+FILE=$TOOL_DIR/new-dart-hashes.txt
+
+true > $FILE
+
+for CHANNEL in $CHANNELS; do
+  for ARCH in $ARCHS; do
+    printf "      ${ARCH}_${CHANNEL}) $ENDING" >> $FILE
+    _arch=$ARCH
+    if [[ "$_arch" == "amd64" ]]; then
+      _arch='x64'
+    fi
+    _filename="dartsdk-linux-${_arch}-release.zip"
+    _url="$BASEURL/$CHANNEL/release/$VERSION/sdk/$_filename"
+    curl -fsSLO $_url
+    _checksum=$(shasum -a 256 $_filename)
+    read -a _fname_arr <<< "${_checksum}" # Read in string output as array
+    _checkonly="${_fname_arr%:*}" # Remove filename portion of checksum output
+    printf "        DART_SHA256=\"$_fname_arr\"; $ENDING" >> $FILE
+    printf "        SDK_ARCH=\"$_arch\";; $ENDING" >> $FILE
+    echo "Pulled ${ARCH}_${CHANNEL}: $_fname_arr"
+    rm $_filename
+  done
+done
+
+echo -e "\n\nPulled latest Dart SHA hashes and saved to $FILE.\n"
+
+lead='# BEGIN dart-sha$'
+tail='# END dart-sha$'
+new_file='tool/new-dart-hashes.txt'
+existing_file='Dockerfile'
+
+new_hash=$(sed -n -e '/DART_SHA/ p' -e '/DART_SHA/ q' $new_file)
+old_hash=$(sed -n -e '/DART_SHA/ p' -e '/DART_SHA/ q' $existing_file)
+
+echo -e "Old $old_hash"
+echo -e "New $new_hash"
+
+# Compare the SHA hashes.
+if [[ "$new_hash" == "$old_hash" ]]; then
+  echo -e "Current SHA hashes are the latest hashes.\n"
+  echo -e "No update needed.\n"
+  rm $new_file
+  echo -e "Removed $new_file.\n"
+  echo -e "Re-run check-dart-sdk.sh to pull the current SHA hashes.\n"
+else
+  if [[ -f "$new_file" ]]; then
+    echo -e "Retrieved replacement hashes and saved to $new_file.\n"
+    if [[ -f "$existing_file" ]]; then
+      echo -e "Found Dockerfile at $existing_file.\n"
+      echo -e "Run tool/update-dart-sums.sh."
+    else
+      echo -e "No Dockerfile found."
+    fi
+  else
+    echo -e "No replacement hashes found at this time.\n"
+  fi
+fi

tool/fetch-dart-sdk-sums.sh

@@ -34,7 +34,6 @@ ENDING='\\\n'
 printf "\n$(blue "Copy the following output and replace the existing code in the Dockerfile")\n"
 printf "$(blue "inside the 'set -eu' run statement:")\n\n"
 
-
 for CHANNEL in $CHANNELS; do
   for ARCH in $ARCHS; do
     printf "$(yellow "${ARCH}_${CHANNEL})") $ENDING"

tool/update-dart-sums.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Use this file to update the Dart SHA256 hashes 
+# in the Dockerfile. Run after check-dart-sdk.sh
+
+lead='# BEGIN dart-sha$'
+tail='# END dart-sha$'
+new_file='tool/new-dart-hashes.txt'
+existing_file='Dockerfile'
+
+new_hash=$(sed -n -e '/DART_SHA/ p' -e '/DART_SHA/ q' $new_file)
+old_hash=$(sed -n -e '/DART_SHA/ p' -e '/DART_SHA/ q' $existing_file)
+
+echo -e "Old $old_hash"
+echo -e "New $new_hash"
+
+if [[ -z "$new_hash" ]]; then
+    echo "No new hash found."
+else [[ -z "$old_hash" ]]
+    echo "Comparing hashes"
+    if [["$new_hash" = "$old_hash"]]; then
+        echo "Hashes match. No changes needed."
+    else
+        echo "New hashes found. Replacing hashes.\n"
+        echo $(sed -i.save -e "/$lead/,/$tail/{ /$lead/{p; r $new_file
+                }; /$tail/p;d;}" $existing_file)
+        echo "Replaced hashes"
+    fi
+fi
+
+rm $new_file
+echo -e "Removed $new_file. Re-run check-dart-sdk.sh to pull the current SHA hashes.\n"
+
+echo -e "Update completed."