Closed jcscottiii closed 2 years ago
@KyleJu I forgot to add this part about that: I decided to pin the system package versions since this repo doesn't get updates often and testing needs to be done manually. I'd rather ensure that the next time someone builds the docker image, they get the same package versions I used and verified. If we wanted to we could add a scheduled GitHub action that builds and scans the container image. Without the pin, sometimes we might get a false positive that everything is okay, since the build might pick up the latest version of the system package while the live image still has a potential vulnerability with the outdated system package.
Regarding this:
does docker use the same build when versions are pinned?
Are you asking if I rebuild, will it use the cached layer and skip the apt-get install instruction? If so, the answer is yes.
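The pinning strategy described in the comment above, as an added Dockerfile example (not the repository's own Dockerfile): the package names are illustrative and the version strings are placeholders to be replaced with the exact strings recorded from `apt-cache madison` inside the base image.

```dockerfile
# Added example, not the repo's Dockerfile. The base image tag is pinned as in the PR.
FROM ubuntu:22.04

# PLACEHOLDER_VERSION is a placeholder: record the real strings with
#   docker run --rm ubuntu:22.04 sh -c 'apt-get update -q && apt-cache madison python3 ca-certificates'
# and paste them here. apt-get fails the build if a pinned version has left the
# archive, which is the desired signal that the image needs to be re-tested.
ARG PYTHON3_VERSION=PLACEHOLDER_VERSION
ARG CA_CERTIFICATES_VERSION=PLACEHOLDER_VERSION

# Unpinned form (what the PR moves away from): resolves to whatever is newest at
# build time, so a fresh build can pass a scanner while the deployed image does not.
# RUN apt-get update && apt-get install -y python3 ca-certificates

# Pinned form: every rebuild installs the versions that were actually verified.
# Changing an ARG value changes this layer's cache key, so bumping a pin forces
# the install to re-run instead of reusing the cached layer.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      python3="${PYTHON3_VERSION}" \
      ca-certificates="${CA_CERTIFICATES_VERSION}" \
 && rm -rf /var/lib/apt/lists/*
```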
Yup that answers my question. Thanks!
Changes:
Switch to ubuntu:22.04 from ubuntu:18.04. This brings the Python version from 3.6 to 3.10.4, which should fix the "cannot import name 'TypedDict'" error in #64.
Pin the apt package versions for repeatable docker builds.
Upgrade certbot version from 0.35.1 to 1.29.0 for cert-renewer
Was getting a locale warning after upgrading to bullseye. Changed instructions in Dockerfile to fix the warning.
Update instructions for installing latest gcloud & gsutil cli
Fixes #64 Fixes #55
Screenshots of it working locally
cert-renewer
I forced the cert-renewer to renew the cert and it works
Checked the bucket and saw it was updated
wpt-server
System is able to detect when new certs are available and downloads them like before
System is able to see new updates to wpt like before