chore: secure hermetic-build docker image

.cloudbuild/library_generation/cloudbuild-hermetic-library-generation.yaml

@@ -0,0 +1,73 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+timeout: 7200s # 2 hours
+substitutions:
+  _IMAGE_NAME: "gcr.io/cloud-devrel-public-resources/java-library-generation"
+  _GAPIC_GENERATOR_JAVA_VERSION: '2.45.1-SNAPSHOT' # {x-version-update:gapic-generator-java:current}
+  _VERSIONED_IMAGE_ID: "${_IMAGE_NAME}:${_GAPIC_GENERATOR_JAVA_VERSION}"
+steps:
+  # Skip the
+  - id: skip-if-coming-from-fork
+    name: bash
+    allowFailure: true # in case we `exit 1`, assume it's not a failure
+    script: |
+      if [[ "${_HEAD_REPO_URL}" != "https://www.github.com/googleapis/sdk-platform-java" ]]; then
+        echo "this PR comes from a fork. Aborting."
+        exit 1
+      fi
+  - id: library-generation-build
+    name: gcr.io/cloud-builders/docker
+    waitFor: ["skip-if-coming-from-fork"]
+    args: [
+      "build",
+      "-t", "${_VERSIONED_IMAGE_ID}",
+      "--file", ".cloudbuild/library_generation/library_generation.Dockerfile", "."]
+    env:
+    - 'DOCKER_BUILDKIT=1'
+    volumes:
+    - name: docker-local
+      path: /var/lib/docker/overlay2
+  - id: maven-build
+    name: gcr.io/cloud-builders/mvn
+    waitFor: ["skip-if-coming-from-fork"]
+    args: [
+      "mvn",
+      "install", "-B", "-ntp", "-T2C"
+      "-DskipTests", "-Dmaven.test.skip", "-Dcheckstyle.skip", "-Dclirr.skip",
+      "-Dmaven.javadoc.skip"
+    ]
+    volumes:
+    - name: maven-local
+      path: /home/.m2
+  - id: script-run
+    name: gcr.io/google.com/cloudsdktool/cloud-sdk # contains docker and git
+    waitFor: ["maven-build", "library-generation-build"]
+    script: |
+      set -x
+      [ -z "$(git config user.email)" ] && git config --global user.email "[email protected]"
+      [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
+      bash .github/scripts/hermetic_library_generation.sh \
+        --target_branch "${_BASE_BRANCH}" \
+        --current_branch "${_HEAD_BRANCH}" \
+        --image_tag "${_VERSIONED_IMAGE_ID}"
+    volumes:
+    - name: maven-local
+      path: /home/.m2
+    - name: docker-local
+      path: /var/lib/docker/overlay2
+options:
+  # Builds ran by service accounts we need to either a) specify a logs bucket,
+  # b) use REGIONAL_USER_OWNER_BUCKET, or c) use CLOUD_LOGGING_ONLY. We go for c)
+  logging: CLOUD_LOGGING_ONLY

.cloudbuild/library_generation/cloudbuild-library-generation-integration-tests.yaml

@@ -0,0 +1,72 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is a tentative Cloud Build workflow to replace the existing integration
+# tests setup in GitHub Actions
+timeout: 7200s # 2 hours
+substitutions:
+  _IMAGE_NAME: "test-image"
+steps:
+  # Library generation build
+  - id: library-generation-image-build
+    name: gcr.io/cloud-builders/docker
+    waitFor: ["-"]
+    args: [
+      "build",
+      "-t", "${_IMAGE_NAME}",
+      "--file", ".cloudbuild/library_generation/library_generation.Dockerfile", "."]
+    env:
+    - 'DOCKER_BUILDKIT=1'
+    volumes:
+    - name: docker-local
+      path: /var/lib/docker/overlay2
+  # Dependency installation
+  - id: library-generation-python-libs
+    name: gcr.io/google.com/cloudsdktool/cloud-sdk
+    waitFor: ["-"]
+    args: [ "python", "-m", "pip", "install", "--require-hashes", "-r",
+            "--target", "/usr/lib/python3.9",
+            "library_generation/requirements.txt" ]
+    volumes:
+    - name: python-local
+      path: /usr/lib/python3.9
+  # Python scripts compilation
+  - id: library-generation-python-compile
+    name: gcr.io/google.com/cloudsdktool/cloud-sdk
+    waitFor: ["-"]
+    args: [ "python", "-m", "pip", "install",
+            "--target", "/usr/lib/python3.9",
+            "library_generation" ]
+    volumes:
+    - name: python-local
+      path: /usr/lib/python3.9
+  # Python integration tests execution
+  - id: run-integration-tests
+    name: gcr.io/google.com/cloudsdktool/cloud-sdk
+    waitFor: [
+      "library-generation-python-compile",
+      "library-generation-python-libs",
+      "library-generation-image-build"
+    ]
+    args: [ "python3", "-m", "unittest",
+            "library_generation/test/integration_tests.py" ]
+    volumes:
+    - name: docker-local
+      path: /var/lib/docker/overlay2
+    - name: python-local
+      path: /usr/lib/python3.9
+options:
+  # Builds ran by service accounts we need to either a) specify a logs bucket,
+  # b) use REGIONAL_USER_OWNER_BUCKET, or c) use CLOUD_LOGGING_ONLY. We go for c)
+  logging: CLOUD_LOGGING_ONLY

.cloudbuild/library_generation/cloudbuild-library-generation-push.yaml

@@ -29,6 +29,8 @@ steps:
       "-t", "${_VERSIONED_IMAGE_ID}",
       "--file", ".cloudbuild/library_generation/library_generation.Dockerfile", "."]
     id: library-generation-build
+    env:
+    - 'DOCKER_BUILDKIT=1'
     waitFor: ["-"]
 
 images:

.cloudbuild/library_generation/image-configuration/airlock-pip.conf

@@ -0,0 +1,5 @@
+[global]
+index-url = https://us-python.pkg.dev/artifact-foundry-prod/ah-3p-staging-python/simple/
+# TODO: use the following index URL when `lxml` and `versions` are available in the `trusted` airlock registry
+# We can confirm their availability in https://airlock.corp.goog/search?query=&type=Python
+# index-url = https://us-python.pkg.dev/artifact-foundry-prod/python-3p-trusted/simple/

.cloudbuild/library_generation/image-configuration/airlock-pypirc

@@ -0,0 +1,11 @@
+[distutils]
+index-servers = ah-3p-staging-python
+# TODO: use this index instead when `lxml` and `versions` are available in the `trusted` airlock registry
+# We can confirm their availability in https://airlock.corp.goog/search?query=&type=Python
+# index-servers = python-3p-trusted
+
+[ah-3p-staging-python]
+repository: https://us-python.pkg.dev/artifact-foundry-prod/ah-3p-staging-python/
+# TODO: use this repository instead when `lxml` and `versions` are available in the `trusted` airlock registry
+# We can confirm their availability in https://airlock.corp.goog/search?query=&type=Python
+# repository: https://us-python.pkg.dev/artifact-foundry-prod/python-3p-trusted/