Build Image Job
Overview
The build image job builds a Docker image. This document explains how dependencies are incorporated into the image, lists the available image configuration options, and answers frequently asked questions.
Copying Dependencies Into Image
Copy project dependencies from the build job cache into the Docker image. Do not re-download dependencies. Dockerfiles containing commands to re-download dependencies will be flagged in the compliance check stage.
WARNING
In the future, egress will be blocked in the build image job.
There are several reasons re-downloading dependencies in the build image job is forbidden:
- Dependencies downloaded in the build job are scanned by the dependency check job. If dependencies are then downloaded again in the Dockerfile, they may never be scanned.
- Reusing downloaded dependencies increases the speed of the build image job and conserves resources.
| Tech | Dependency Cache Location | Docker Command to Copy Dependencies into Image |
|---|---|---|
| python | ./.cache/python-packages | COPY .cache/python-packages python-packages/ |
| golang | ./bin | COPY bin/ bin/ |
| gradle | ./.gradle/wrapper | COPY build/ build/ |
| dotnet | ./dist | COPY dist/ dist/ |
| npm | ./.npm | COPY node_modules/ node_modules/ |
| yarn | ./.yarn | COPY node_modules/ node_modules/ |
| maven | ./.m2/repository | COPY target/ target/ |
Available Image Options
These images are kept up to date with the latest active patch releases from Iron Bank. If your project uses a different job image than your current setting, select the correct available option.
:::Note: This approach is separate from, and does not work for, your Dockerfile. You cannot replicate this with your Dockerfile. Make sure your Dockerfile is kept up to date by following the Renovate How-To Guide.:::
To change your image variable:
- Navigate to Settings > CI/CD
- Select Variable
- Select Add Variable
- Check the Expand variable reference box (this is not checked by default)
- Change the default setting Masked to Visible
If you need assistance changing your image variable, submit a pipeline issue ticket .
Python
Set the appropriate variable: PYTHON_CI_IMAGE
${PYTHON_BUILDER_IMAGE_310}(Less encouraged; will reach end of life in November)${PYTHON_BUILDER_IMAGE_311}${PYTHON_BUILDER_IMAGE_312}${PYTHON_BUILDER_IMAGE_313}${PYTHON_BUILDER_IMAGE_314}
NPM
Set the appropriate variable: NPM_CI_IMAGE
${NPM_CI_IMAGE_20}${NPM_CI_IMAGE_22}${NPM_CI_IMAGE_24}${NPM_CI_IMAGE_25}
Debian-Based Images (for use regarding FIPS issues)
${NPM_CI_IMAGE_20_DEBIAN}${NPM_CI_IMAGE_22_DEBIAN}${NPM_CI_IMAGE_24_DEBIAN}
.NET
Set the appropriate variable: DOTNET_CI_IMAGE
${DOTNET_CI_IMAGE_8}${DOTNET_CI_IMAGE_10}
FAQs
I want to download dependencies again in the Dockerfile. Can I?
No. As mentioned above, there are several reasons this is not permitted - primarily security and resource conservation.
Copying dependencies into the Dockerfile breaks my local configuration. Help!
Try using a different Dockerfile for local testing, or emulating the pipeline by installing dependencies locally in a similarly named directory. Note that the Dockerfile used by the pipeline must be named Dockerfile exactly.
What determines the container version used for npi-ci jobs? Our Dockerfile specifies a different version than the one the container is running.
Defaults are set by language, and may be overridden on a case-by-case basis in pipeline products. You can update the version yourself, or submit a pipeline issue ticket if you need assistance.
How do I update my Dockerfile?
Follow the instructions in the Renovate How-To Guide to update your Dockerfile.