56 changes: 55 additions & 1 deletion .github/workflows/build.yml
@@ -38,7 +38,7 @@

- name: Check if CHANGELOG is valid
uses: newrelic/release-toolkit/validate-markdown@v1

build-fips:
name: Build fips and scan image
runs-on: ubuntu-latest
@@ -71,3 +71,57 @@

- name: Check if CHANGELOG is valid
uses: newrelic/release-toolkit/validate-markdown@v1

build-windows-2019:
name: Build Windows 2019 image
runs-on: windows-2022
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: ci
WINDOWS_VERSION: ltsc2019
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Build Windows 2019 image
shell: bash
run: ./docker-build-windows.sh

build-windows-2022:
Comment on lines +76 to +102
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Copilot Autofix (AI, 3 months ago):

In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes for GITHUB_TOKEN. Since these jobs just build and scan images, check out code, and validate markdown, they only need read access to repository contents; no write scopes are required.

The best minimal fix without changing existing functionality is to add a workflow-level permissions: block after the name: (or after on:) setting contents: read. This will apply to all jobs (build, build-fips, build-windows-2019, build-windows-2022) since none of them define their own permissions:. No additional imports or definitions are needed; this is a pure YAML configuration change in .github/workflows/build.yml.

Concretely:

  • Edit .github/workflows/build.yml.
  • Insert:
permissions:
  contents: read

right after the name: Container build line (line 2 in the snippet). This constrains GITHUB_TOKEN for all jobs, resolving the CodeQL finding for the build-windows-2019 job and the workflow as a whole.

Suggested changeset 1: .github/workflows/build.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,7 @@
 ---
 name: Container build
+permissions:
+  contents: read
 on:
   push:
     branches:
EOF
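Review bot: `contents: read` at workflow level is the right scope for the jobs in this file, since `actions/checkout` is the only consumer of `GITHUB_TOKEN` visible here and nothing in `build`, `build-fips` or the two Windows jobs pushes, comments or uploads results. If a later step needs to upload scan output (`security-events: write`) or comment on a pull request, grant that scope on that job only rather than widening this workflow-level block.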
name: Build Windows 2022 image
runs-on: windows-2022
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: ci
WINDOWS_VERSION: ltsc2022
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Build Windows 2022 image
shell: bash
run: ./docker-build-windows.sh
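Review bot: the step named `Switch to Windows containers` in both `build-windows-2019` and `build-windows-2022` does not switch anything visible here; its body overwrites `daemon.json` with `{"experimental":true}` and restarts the service, so name it for what it does and add a comment on which experimental daemon feature `docker-build-windows.sh` depends on. `Set-Content` replaces any existing daemon configuration instead of merging into it, and `Start-Sleep 5` is a fixed delay rather than a readiness check; loop on `docker info` until it succeeds, otherwise the build step races the daemon on a slow runner. The same ten-line block is pasted into all eight new Windows jobs across the four workflow files, so move it into a composite action in the repository and reference it once. Finally, both jobs build an `ltsc2019` or `ltsc2022` image on a `windows-2022` host; process isolation requires matching host and container versions, so the isolation mode the script relies on for the 2019 variant should be documented next to `WINDOWS_VERSION`.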
64 changes: 63 additions & 1 deletion .github/workflows/nightly.yml
@@ -30,7 +30,7 @@
setup_go: true
go_version_file: go.mod
trivy_scan: true

nightly-fips:
name: Nightly FIPS build
uses: newrelic/coreint-automation/.github/workflows/reusable_nightly.yaml@v3
@@ -56,3 +56,65 @@
setup_go: true
go_version_file: go.mod
trivy_scan: true

nightly-windows-2019:
name: Nightly Windows 2019 build
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: docker/login-action@v3
with:
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Build and push nightly Windows 2019 image
shell: bash
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: nightly
WINDOWS_VERSION: ltsc2019
run: ./docker-build-windows.sh --push

nightly-windows-2022:
Comment on lines +61 to +91
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Copilot Autofix (AI, 3 months ago):

In general, fix this by explicitly setting a permissions block either at the workflow root (applies to all jobs without their own permissions) or on each job, granting only the scopes actually required (usually contents: read for build jobs that just check out code). For the shown workflow, the nightly-windows-2019 and nightly-windows-2022 jobs only need to read repository contents and use external credentials (via secrets) to log into Docker Hub; they don’t appear to call GitHub APIs that require write access. The simplest, least-disruptive fix is to define a single workflow-level permissions block with contents: read, which will apply to all jobs here (including the reusable-workflow jobs, unless they override it). This both satisfies CodeQL and enforces least privilege going forward.

Concretely, edit .github/workflows/nightly.yml to add:

permissions:
  contents: read

near the top of the workflow, after the name: and before on:. No imports or additional definitions are needed, since this is just YAML configuration. This change should not affect existing functionality, as the jobs already behave correctly with at least contents: read (required by actions/checkout).

Suggested changeset 1: .github/workflows/nightly.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,4 +1,6 @@
 name: Nightly build
+permissions:
+  contents: read
 on:
   schedule:
     - cron: "0 3 * * *"
EOF
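Review bot: the autofix text above says the block applies to the reusable-workflow jobs "unless they override it", but a called workflow can only reduce the `GITHUB_TOKEN` permissions it inherits from the caller, never raise them; so before applying this, confirm that `reusable_nightly.yaml@v3` (used by `nightly-fips` and its sibling above it) does not need any write scope, or those jobs will start failing where they did not before. The two new Windows jobs themselves need only `contents: read`, so for them the patch is correct as written.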
name: Nightly Windows 2022 build
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: docker/login-action@v3
with:
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Build and push nightly Windows 2022 image
shell: bash
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: nightly
WINDOWS_VERSION: ltsc2022
run: ./docker-build-windows.sh --push
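Review bot: `nightly-windows-2019` and `nightly-windows-2022` push `nightly` tags to Docker Hub with no vulnerability scan, while the Linux nightly jobs above them go through `reusable_nightly.yaml@v3` with `trivy_scan: true`; add an image scan step between the build and the push (or make the push conditional on it) so the Windows images meet the same bar as the Linux ones. A smaller consistency point: `DOCKER_IMAGE`, `DOCKER_IMAGE_TAG` and `WINDOWS_VERSION` are set on the step here but at job level in `build.yml` and `on-demand.yml`; pick one placement so the four files stay easy to diff against each other.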
66 changes: 65 additions & 1 deletion .github/workflows/on-demand.yml
@@ -47,7 +47,7 @@
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Build and push docker image
run: ./docker-build.sh . --push

build-fips:
name: Build fips and push image
runs-on: ubuntu-latest
@@ -92,3 +92,67 @@
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Build and push docker image
run: ./docker-build.sh . --push

build-windows-2019:
name: Build and push Windows 2019 image
runs-on: windows-2022
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: dev
AGENT_VERSION: ${{ github.event.inputs.agent_version }}
WINDOWS_VERSION: ltsc2019
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: docker/login-action@v3
with:
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Build and push Windows 2019 image
shell: bash
run: ./docker-build-windows.sh --push

build-windows-2022:
Comment on lines +97 to +128
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Copilot Autofix (AI, 3 months ago):

In general, you fix this by explicitly setting permissions for the GITHUB_TOKEN either at the workflow root (applies to all jobs without their own permissions) or on each job, and restricting it to the minimal scope needed, typically contents: read for build/publish workflows that don’t modify repo state.

For this workflow, the best minimal change without altering existing functionality is to add a root-level permissions: block right under the workflow name: (before on:). None of the jobs require write access to the repository with GITHUB_TOKEN; they use actions/checkout, Docker-related actions, Trivy, and Docker Hub credentials via secrets, all of which work with contents: read. Therefore, we set:

permissions:
  contents: read

This will cover all jobs (build, build-fips, build-windows-2019, build-windows-2022) without needing per-job edits. Concretely, in .github/workflows/on-demand.yml, insert the permissions: block between line 1 (name: On demand build) and line 2 (on:). No imports or other definitions are required.

Suggested changeset 1: .github/workflows/on-demand.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/on-demand.yml b/.github/workflows/on-demand.yml
--- a/.github/workflows/on-demand.yml
+++ b/.github/workflows/on-demand.yml
@@ -1,4 +1,6 @@
 name: On demand build
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:
EOF
name: Build and push Windows 2022 image
runs-on: windows-2022
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: dev
AGENT_VERSION: ${{ github.event.inputs.agent_version }}
WINDOWS_VERSION: ltsc2022
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: docker/login-action@v3
with:
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Build and push Windows 2022 image
shell: bash
run: ./docker-build-windows.sh --push
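Review bot: `AGENT_VERSION` is taken from the `workflow_dispatch` input `agent_version` and passed through `env`, which correctly keeps it out of shell interpolation, but nothing in `build-windows-2019` or `build-windows-2022` validates it before `./docker-build-windows.sh --push` consumes it and publishes a `dev` image; add a step that rejects values not matching the expected version format so a mistyped dispatch fails early instead of building and pushing from an unintended artifact.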
106 changes: 101 additions & 5 deletions .github/workflows/release.yml
@@ -9,15 +9,15 @@
with:
original_repo_name: 'newrelic/infrastructure-bundle'
docker_image_name: 'newrelic/infrastructure-bundle'

release_command_sh: |
go run downloader.go
./docker-build.sh . --push
if [[ "${{ github.event.release.prerelease }}" == "false" ]]; then
export DOCKER_IMAGE_TAG=latest
./docker-build.sh . --push
fi

secrets:
docker_username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
docker_password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
@@ -30,7 +30,7 @@
with:
original_repo_name: 'newrelic/infrastructure-bundle'
docker_image_name: 'newrelic/infrastructure-bundle-fips'

release_command_sh: |
go run downloader.go -bundle=bundle-fips.yml -outdir=out-fips
export DOCKER_PLATFORMS=linux/amd64,linux/arm64
@@ -42,10 +42,106 @@
export DOCKER_IMAGE_TAG=latest
./docker-build.sh . --push
fi

secrets:
docker_username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
docker_password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
bot_token: ${{ secrets.COREINT_BOT_TOKEN }}
slack_channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
slack_token: ${{ secrets.COREINT_SLACK_TOKEN }}
slack_token: ${{ secrets.COREINT_SLACK_TOKEN }}

container-release-windows-2019:
name: Release Windows 2019 image
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: docker/login-action@v3
with:
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Set release tag
id: release_tag
shell: bash
run: |
TAG="${{ github.event.release.tag_name }}"
TAG="${TAG#v}"
if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
TAG="${TAG}-rc"
fi
echo "tag=${TAG}" >> $GITHUB_OUTPUT
- name: Build and push Windows 2019 image
shell: bash
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: ${{ steps.release_tag.outputs.tag }}
WINDOWS_VERSION: ltsc2019
run: ./docker-build-windows.sh --push
- name: Push latest tag for Windows 2019
if: ${{ github.event.release.prerelease == false }}
shell: bash
run: |
docker tag "newrelic/infrastructure-bundle:${{ steps.release_tag.outputs.tag }}-servercore-ltsc2019" \
"newrelic/infrastructure-bundle:latest-servercore-ltsc2019"
docker push "newrelic/infrastructure-bundle:latest-servercore-ltsc2019"

container-release-windows-2022:
Comment on lines +54 to +101
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Copilot Autofix (AI, 3 months ago):

In general, fix this by explicitly defining a permissions block that grants only the scopes the workflow actually needs, either at the workflow root (applies to all jobs) or per job. Here, none of the jobs appear to need to write back to the GitHub repository; they only read the release event and source code. Therefore contents: read is a safe minimal permission set.

The best fix with minimal functional change is to add a single top-level permissions block after the on: section, e.g. on a new line after line 4. This will apply to all jobs (container-release, container-release-fips, container-release-windows-2019, and container-release-windows-2022) that don’t override permissions, satisfying CodeQL’s requirement and constraining GITHUB_TOKEN to read-only repository contents. No additional methods, imports, or definitions are needed; this is a pure YAML configuration change.

Suggested changeset 1: .github/workflows/release.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,9 @@
   release:
     types: [ prereleased, released ]
 
+permissions:
+  contents: read
+
 jobs:
   container-release:
     uses: newrelic/coreint-automation/.github/workflows/reusable_image_release.yaml@v3
EOF
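Review bot: before applying this workflow-level `contents: read`, verify that `reusable_image_release.yaml@v3` (called by `container-release` and `container-release-fips`) does not rely on a write scope of `GITHUB_TOKEN`: a caller's `permissions` is an upper bound that the called workflow cannot raise. The `bot_token` secret passed to it suggests writes go through a separate token, but if the reusable workflow also uses `GITHUB_TOKEN` for anything beyond checkout, the extra scope belongs on those two jobs specifically, not on the whole workflow.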
name: Release Windows 2022 image
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- name: Switch to Windows containers
run: |
Stop-Service docker -Force
$configPath = "$env:ProgramData\docker\config\daemon.json"
if (-not (Test-Path (Split-Path $configPath))) {
New-Item -ItemType Directory -Force -Path (Split-Path $configPath) | Out-Null
}
Set-Content -Path $configPath -Value '{"experimental":true}'
Start-Service docker
Start-Sleep 5
shell: pwsh
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: docker/login-action@v3
with:
username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
- name: Set release tag
id: release_tag
shell: bash
run: |
TAG="${{ github.event.release.tag_name }}"
TAG="${TAG#v}"
if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
TAG="${TAG}-rc"
fi
echo "tag=${TAG}" >> $GITHUB_OUTPUT
- name: Build and push Windows 2022 image
shell: bash
env:
DOCKER_IMAGE: newrelic/infrastructure-bundle
DOCKER_IMAGE_TAG: ${{ steps.release_tag.outputs.tag }}
WINDOWS_VERSION: ltsc2022
run: ./docker-build-windows.sh --push
- name: Push latest tag for Windows 2022
if: ${{ github.event.release.prerelease == false }}
shell: bash
run: |
docker tag "newrelic/infrastructure-bundle:${{ steps.release_tag.outputs.tag }}-servercore-ltsc2022" \
"newrelic/infrastructure-bundle:latest-servercore-ltsc2022"
docker push "newrelic/infrastructure-bundle:latest-servercore-ltsc2022"
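Review bot: in the `Set release tag` step of both Windows release jobs, `TAG="${{ github.event.release.tag_name }}"` expands event data directly into the bash script; pass it through `env:` (for example `RELEASE_TAG: ${{ github.event.release.tag_name }}`) and read `TAG="${RELEASE_TAG#v}"`, the same pattern the job already uses for `DOCKER_IMAGE_TAG`, so an unusual tag name cannot change what the script executes, and quote `"$GITHUB_OUTPUT"` while you are there. Separately, the `Push latest tag` steps hardcode the `-servercore-ltsc2019` and `-servercore-ltsc2022` suffixes that `docker-build-windows.sh` is assumed to produce; derive them from `WINDOWS_VERSION` or have the script emit the pushed reference as a step output, so the two cannot drift apart.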
4 changes: 4 additions & 0 deletions Dockerfile.windows
@@ -0,0 +1,4 @@
ARG base_image_tag=latest
ARG base_image_name=newrelic/infrastructure-windows

FROM ${base_image_name}:${base_image_tag}
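Review bot: `ARG base_image_tag=latest` makes the default base a floating tag, so two builds of the same commit can produce different images and a regressed or compromised `newrelic/infrastructure-windows:latest` flows straight into the bundle; default to an explicit version (the release workflow already derives one from the release tag) or a `@sha256:` digest, and have the build script always pass `--build-arg base_image_tag=...`. Note also that `WINDOWS_VERSION` from the workflows does not appear in this Dockerfile, so the servercore variant must be selected entirely through `base_image_tag`; a comment stating the expected tag format would make that contract visible.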