chore: change to a secure base image

.cloudbuild/library_generation/cloudbuild-library-generation-integration-tests.yaml

@@ -0,0 +1,55 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+timeout: 7200s # 2 hours
+substitutions:
+  _IMAGE_NAME: "test-image"
+steps:
+  # Library generation build
+  - id: library-generation-image-build
+    name: gcr.io/cloud-builders/docker
+    entrypoint: bash
+    args:
+    - -c
+    - |
+      docker buildx build \
+      -f .cloudbuild/library_generation/library_generation.Dockerfile \
+      -t "${_IMAGE_NAME}" \
+      -o type=image \
+      .
+    waitFor: ["-"]
+  - id: run-integration-test
+    name: python:3.12
+    entrypoint: bash
+    args:
+    - -c
+    - |
+      # copy generator JAR
+      apt-get update && apt-get install -y maven
+      # install docker engine
+      curl -fsSL https://get.docker.com -o get-docker.sh
+      chmod +x get-docker.sh
+      sh get-docker.sh
+      python -m venv .venv
+      source .venv/bin/activate 
+      pip install --upgrade pip
+      pip install --require-hashes -r library_generation/requirements.txt
+      pip install ./library_generation
+      python -m unittest ./library_generation/test/integration_tests.py
+    waitFor: ["library-generation-image-build"]
+
+options:
+  # Builds ran by service accounts we need to either a) specify a logs bucket,
+  # b) use REGIONAL_USER_OWNER_BUCKET, or c) use CLOUD_LOGGING_ONLY. We go for c)
+  logging: CLOUD_LOGGING_ONLY

.cloudbuild/library_generation/library_generation.Dockerfile

@@ -14,7 +14,10 @@
 
 # install gapic-generator-java in a separate layer so we don't overload the image
 # with the transferred source code and jars
-FROM gcr.io/cloud-devrel-public-resources/java21 AS ggj-build
+FROM us-docker.pkg.dev/artifact-foundry-prod/docker-3p-trusted/maven@sha256:2cb7c73ba2fd0f7ae64cfabd99180030ec85841a1197b4ae821d21836cb0aa3b AS ggj-build
+
+# If GOOGLE_APPLICATION_CREDENTIALS is passed in docker build command use it, if not leave it unset to support GCE Metadata in CI builds
+ARG GOOGLE_APPLICATION_CREDENTIALS
 
 WORKDIR /sdk-platform-java
 COPY . .
@@ -27,10 +30,7 @@ RUN cp "/root/.m2/repository/com/google/api/gapic-generator-java/${DOCKER_GAPIC_
   "./gapic-generator-java.jar"
 
 # build from the root of this repo:
-FROM gcr.io/cloud-devrel-public-resources/python
-
-SHELL [ "/bin/bash", "-c" ]
-
+FROM us-docker.pkg.dev/artifact-foundry-prod/docker-3p-trusted/python@sha256:24680ddf8422899b24756d62b31eb5de782fbb42e9c2bb1c70f1f55fcf891721
 
 ARG OWLBOT_CLI_COMMITTISH=ac84fa5c423a0069bbce3d2d869c9730c8fdf550
 ARG PROTOC_VERSION=25.5
@@ -39,9 +39,7 @@ ENV HOME=/home
 ENV OS_ARCHITECTURE="linux-x86_64"
 
 # install OS tools
-RUN apt-get update && apt-get install -y \
-	unzip openjdk-17-jdk rsync maven jq \
-	&& apt-get clean
+RUN apk update && apk add bash curl git jq maven npm rsync unzip
 
 # copy source code
 COPY library_generation /src
@@ -70,15 +68,10 @@ ENV DOCKER_GRPC_VERSION="${GRPC_VERSION}"
 COPY --from=ggj-build "/sdk-platform-java/gapic-generator-java.jar" "${HOME}/.library_generation/gapic-generator-java.jar"
 RUN chmod 755 "${HOME}/.library_generation/gapic-generator-java.jar"
 
-#  use python 3.11 (the base image has several python versions; here we define the default one)
-RUN rm $(which python3)
-RUN ln -s $(which python3.11) /usr/local/bin/python
-RUN ln -s $(which python3.11) /usr/local/bin/python3
 RUN python -m pip install --upgrade pip
-
 # install main scripts as a python package
 WORKDIR /src
-RUN python -m pip install -r requirements.txt
+RUN python -m pip install --require-hashes -r requirements.txt
 RUN python -m pip install .
 
 # Install nvm with node and npm

.github/workflows/verify_library_generation.yaml

@@ -64,7 +64,7 @@ jobs:
       run: |
         set -ex
         pushd library_generation
-        pip install -r requirements.txt
+        pip install --require-hashes -r requirements.txt
         pip install .
         popd
     - name: Run integration tests

library_generation/requirements.in

@@ -20,10 +20,11 @@ colorlog==6.8.2
 watchdog==4.0.1
 nox==2024.4.15
 requests==2.32.3
-setuptools==65.5.1
+setuptools==75.1.0
 jinja2==3.1.4
+requests-mock==1.12.1 # used in owlbot unit tests
 # typing-extensions is a transitive dependency. If we run `pip-compile ... --generate-hashes` it will produce
 # a list where typing extensions is pinned to >=4.0.1. This will produce an error saying "all requirements
 # must have their versions pinned with ==". The following line pins the dependency to a specific version via ==
 typing-extensions==4.0.1
-requests-mock # used in owlbot unit tests
+tomli==1.1.0