Add git commit SHA to Docker images

Add the full git commit SHA to the generated Docker images using the
`org.opencontainers.image.revision` metadata label.

Fixes jenkinsci#865
Closes jenkinsci#892

.ci/publish.sh

@@ -71,6 +71,7 @@ publish() {
     export JENKINS_SHA=$sha
     export LATEST_WEEKLY=$latest_weekly
     export LATEST_LTS=$latest_lts
+    export COMMIT_SHA=$(git rev-parse HEAD)
     set -x
     docker buildx bake --file docker-bake.hcl \
                  "${build_opts[@]+"${build_opts[@]}"}" linux

11/almalinux/almalinux8/hotspot/Dockerfile

@@ -14,6 +14,7 @@ FROM almalinux:8.4
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 
 RUN dnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y \
 	fontconfig \
@@ -118,4 +119,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

11/alpine/hotspot/Dockerfile

@@ -28,6 +28,7 @@ RUN apk add --no-cache \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -166,4 +167,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

11/centos/centos7/hotspot/Dockerfile

@@ -14,11 +14,13 @@ FROM centos:centos7.9.2009
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 
 RUN yum install -y git curl freetype fontconfig unzip which && \
     yum clean all
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -131,4 +133,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

11/debian/bullseye-slim/hotspot/Dockerfile

@@ -17,6 +17,7 @@ RUN apt-get update && \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -129,4 +130,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

11/debian/bullseye/hotspot/Dockerfile

@@ -15,6 +15,7 @@ RUN apt-get update && \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -127,4 +128,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

11/rhel/ubi8/hotspot/Dockerfile

@@ -14,6 +14,7 @@ FROM registry.access.redhat.com/ubi8/ubi:8.4-211
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 
 RUN dnf install --disableplugin=subscription-manager --setopt=install_weak_deps=0 --setopt=tsflags=nodocs -y \
         git \
@@ -121,4 +122,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

11/windows/windowsservercore-2019/hotspot/Dockerfile

@@ -6,6 +6,8 @@ ARG http_port=8080
 ARG agent_port=50000
 ARG JENKINS_HOME=C:/ProgramData/Jenkins/JenkinsHome
 
+ARG COMMIT_SHA
+
 ENV JENKINS_HOME $JENKINS_HOME
 ENV JENKINS_AGENT_PORT ${agent_port}
 
@@ -79,4 +81,5 @@ LABEL `
     org.opencontainers.image.version="${JENKINS_VERSION}" `
     org.opencontainers.image.url="https://www.jenkins.io/" `
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" `
+    org.opencontainers.image.revision="${COMMIT_SHA}" `
     org.opencontainers.image.licenses="MIT"

17/debian/bullseye/hotspot/Dockerfile

@@ -15,6 +15,7 @@ RUN apt-get update && \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -128,4 +129,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

8/alpine/hotspot/Dockerfile

@@ -18,6 +18,7 @@ RUN apk add --no-cache \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -116,4 +117,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

8/centos/centos7/hotspot/Dockerfile

@@ -3,6 +3,7 @@ FROM centos:centos7.9.2009
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 
 RUN echo -e '[AdoptOpenJDK]\n\
 name=AdoptOpenJDK\n\
@@ -14,6 +15,7 @@ gpgkey=https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public' > /etc/yum
     yum clean all
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -122,4 +124,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

8/debian/bullseye-slim/hotspot/Dockerfile

@@ -9,6 +9,7 @@ RUN apt-get update && \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -121,4 +122,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

8/debian/bullseye/hotspot/Dockerfile

@@ -9,6 +9,7 @@ RUN apt-get update && \
 ENV LANG C.UTF-8
 
 ARG TARGETARCH
+ARG COMMIT_SHA
 ARG GIT_LFS_VERSION=3.0.1
 
 # required for multi-arch support, revert to package cloud after:
@@ -121,4 +122,5 @@ LABEL \
     org.opencontainers.image.version="${JENKINS_VERSION}" \
     org.opencontainers.image.url="https://www.jenkins.io/" \
     org.opencontainers.image.source="https://github.com/jenkinsci/docker" \
+    org.opencontainers.image.revision="${COMMIT_SHA}" \
     org.opencontainers.image.licenses="MIT"

Makefile

@@ -6,6 +6,8 @@ export DOCKER_BUILDKIT=1
 export DOCKER_CLI_EXPERIMENTAL=enabled
 ## Required to have docker build output always printed on stdout
 export BUILDKIT_PROGRESS=plain
+## Required to have the commit SHA added as a Docker image label
+export COMMIT_SHA=$(shell git rev-parse HEAD)
 
 current_arch := $(shell uname -m)
 export ARCH ?= $(shell case $(current_arch) in (x86_64) echo "amd64" ;; (i386) echo "386";; (aarch64|arm64) echo "arm64" ;; (armv6*) echo "arm/v6";; (armv7*) echo "arm/v7";; (ppc64*|s390*|riscv*) echo $(current_arch);; (*) echo "UNKNOWN-CPU";; esac)

docker-bake.hcl

@@ -65,12 +65,17 @@ variable "PLUGIN_CLI_VERSION" {
   default = "2.11.0"
 }
 
+variable "COMMIT_SHA" {
+  default = ""
+}
+
 target "almalinux_jdk11" {
   dockerfile = "11/almalinux/almalinux8/hotspot/Dockerfile"
   context = "."
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
   }
   tags = [
     "${REGISTRY}/${JENKINS_REPO}:${JENKINS_VERSION}-almalinux",
@@ -86,6 +91,7 @@ target "alpine_jdk8" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -103,6 +109,7 @@ target "alpine_jdk11" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -123,6 +130,7 @@ target "centos7_jdk8" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -140,6 +148,7 @@ target "centos7_jdk11" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -160,6 +169,7 @@ target "debian_jdk8" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -177,6 +187,7 @@ target "debian_jdk11" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -200,6 +211,7 @@ target "debian_slim_jdk8" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -217,6 +229,7 @@ target "debian_slim_jdk11" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
@@ -237,6 +250,7 @@ target "rhel_ubi8_jdk11" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }
   tags = [
@@ -253,6 +267,7 @@ target "debian_jdk17" {
   args = {
     JENKINS_VERSION = JENKINS_VERSION
     JENKINS_SHA = JENKINS_SHA
+    COMMIT_SHA = COMMIT_SHA
     GIT_LFS_VERSION = GIT_LFS_VERSION
     PLUGIN_CLI_VERSION = PLUGIN_CLI_VERSION
   }

tests/runtime.Tests.ps1

@@ -40,6 +40,7 @@ Describe "[$TEST_TAG] test jenkins arguments" {
   BeforeEach {
     $folder = Get-EnvOrDefault 'FOLDER' ''
     $version=Get-Content $(Join-Path $folder 'Dockerfile') | Select-String -Pattern 'ENV JENKINS_VERSION.*' | %{$_ -replace '.*:-(.*)}','$1'} | Select-Object -First 1
+    $revision=Get-Content $(Join-Path $folder 'Dockerfile') | Select-String -Pattern 'ENV COMMIT_SHA.*' | %{$_ -replace '.*:-(.*)}','$1'} | Select-Object -First 1
   }
 
   It 'running --help --version should return the version, not the help' {
@@ -54,6 +55,12 @@ Describe "[$TEST_TAG] test jenkins arguments" {
     $exitCode | Should -Be 0
     $stdout.Trim() | Should -Match $version
   }
+
+  It 'commit SHA in docker metadata' {
+    $exitCode, $stdout, $stderr = Run-Program 'docker.exe' "inspect -f `"{{index .Config.Labels \`"org.opencontainers.image.revision\`"}}`" $SUT_IMAGE"
+    $exitCode | Should -Be 0
+    $stdout.Trim() | Should -Match $revision
+  }
 }
 
 Describe "[$TEST_TAG] create test container" {

tests/runtime.bats

@@ -13,6 +13,16 @@ SUT_DESCRIPTION="${IMAGE}-runtime"
   assert "${version}" docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.version"}}' $SUT_IMAGE
 }
 
+@test "[${SUT_DESCRIPTION}] test commit SHA in docker metadata is not empty" {
+  run docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.revision"}}' $SUT_IMAGE
+  refute_output ""
+}
+
+@test "[${SUT_DESCRIPTION}] test commit SHA in docker metadata" {
+  local revision=$(get_commit_sha)
+  assert "${revision}" docker inspect --format '{{ index .Config.Labels "org.opencontainers.image.revision"}}' $SUT_IMAGE
+}
+
 @test "[${SUT_DESCRIPTION}] test multiple JENKINS_OPTS" {
   local container_name version
   # running --help --version should return the version, not the help

tests/test_helpers.bash

@@ -49,6 +49,12 @@ function get_jenkins_version() {
   make --silent show | jq -r ".target.${IMAGE}.args.JENKINS_VERSION"
 }
 
+function get_commit_sha() {
+  test -n "${IMAGE:?"[sut_image] Please set the variable 'IMAGE' to the name of the image to test in 'docker-bake.hcl'."}"
+
+  make --silent show | jq -r ".target.${IMAGE}.args.COMMIT_SHA"
+}
+
 function get_test_image {
     test -n "${BATS_TEST_NUMBER:?"[get_test_image] Please set the variable BATS_TEST_NUMBER."}"
     test -n "${SUT_DESCRIPTION:?"[get_test_image] Please set the variable SUT_DESCRIPTION."}"