add renovate and fix ci

.github/CODEOWNERS

@@ -1,2 +1,2 @@
-# PRs require approval from the earthly core team
-* @earthly/core
+# PRs require approval from the EarthBuild core team
+* @EarthBuild/fork-admins

.github/renovate.json5

@@ -0,0 +1,24 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'config:best-practices',
+    'security:openssf-scorecard',
+    ':semanticCommits',
+    ':pinVersions',
+  ],
+  configMigration: true,
+  dockerfile: {
+    managerFilePatterns: ['/Earthfile/'],
+  },
+  customManagers: [
+    {
+      customType: 'regex',
+      description: 'Update _version ARGs and ENVs in Earthfile',
+      managerFilePatterns: ['/^Earthfile$/'],
+      matchStrings: [
+        '#\\s*renovate:\\s*datasource=(?<datasource>[a-z-]+?)(?:\\s+depName=(?<depName>.+?))?\\s+packageName=(?<packageName>.+?)(?:\\s+versioning=(?<versioning>[a-z-]+?))?\\s+(?:ENV|ARG)\\s+.+?(_VERSION|_VER|_version)=(?<currentValue>.+?)\\s',
+      ],
+    },
+  ],
+  labels: ['renovate'],
+}

.github/workflows/ci.yml

@@ -9,54 +9,67 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
-  
+
 jobs:
   test:
     name: +test
-    runs-on: [earthly-satellite#gha-lib] # https://docs.earthly.dev/earthly-cloud/satellites/gha-runners
+    runs-on: ubuntu-24.04
     env:
       FORCE_COLOR: 1
       EARTHLY_CONVERSION_PARALLELISM: "5"
       EARTHLY_TOKEN: "${{ secrets.EARTHLY_TOKEN }}"
       EARTHLY_INSTALL_ID: "earthly-lib-githubactions"
     steps:
-      - uses: actions/checkout@v2
-      - name: Docker mirror login (non fork only)
-        run: docker login registry-1.docker.io.mirror.corp.earthly.dev --username "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" --password "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}"
-        if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
-      - name: Configure Earthly to use mirror (non fork only)
-        run: |-
-          earthly config global.buildkit_additional_config "'[registry.\"docker.io\"]
-          mirrors = [\"registry-1.docker.io.mirror.corp.earthly.dev\"]'"
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  #v5.0.0
+      - uses: docker/login-action@v3
+        # if fork no secret access, so skip and take chances on rate limiting.
         if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: earthly/actions-setup@bda7cee4972033c6d6b77d77165e787f389f8752
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run tests
-        run: |-
-          earthly config git "{github.com: {auth: ssh, user: git}}" && \
-          eval $(ssh-agent) && \
-          earthly secrets --org earthly-technologies --project core get littleredcorvette-id_rsa | ssh-add - && \
-          earthly --ci -P +test
+        run: |
+          earthly config git "{github.com: {auth: ssh, user: git}}"
+          eval $(ssh-agent)
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          printf '%s\n' "${{ secrets.EARTHBUILDCI_GITHUB_USER_SSH_PRIVATE_KEY }}" | tr -d '\r' > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-add ~/.ssh/id_ed25519
+          earthly --ci -P --secret-file earthbuildci_id_ed25519=~/.ssh/id_ed25519 +test
 
   test-native-arm:
     name: +test-native-arm
-    runs-on: [earthly-satellite#gha-arm-lib] # https://docs.earthly.dev/earthly-cloud/satellites/gha-runners
+    runs-on: ubuntu-24.04-arm
     env:
       FORCE_COLOR: 1
       EARTHLY_CONVERSION_PARALLELISM: "5"
       EARTHLY_TOKEN: "${{ secrets.EARTHLY_TOKEN }}"
       EARTHLY_INSTALL_ID: "earthly-lib-githubactions"
     steps:
-      - uses: actions/checkout@v2
-      - name: Docker mirror login (non fork only)
-        run: docker login registry-1.docker.io.mirror.corp.earthly.dev --username "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" --password "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}"
-        if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
-      - name: Configure Earthly to use mirror (non fork only)
-        run: |-
-          earthly config global.buildkit_additional_config "'[registry.\"docker.io\"]
-          mirrors = [\"registry-1.docker.io.mirror.corp.earthly.dev\"]'"
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  #v5.0.0
+      - uses: docker/login-action@v3
+        # if fork no secret access, so skip and take chances on rate limiting.
         if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: earthly/actions-setup@bda7cee4972033c6d6b77d77165e787f389f8752
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run tests
-        run: |-
-          earthly config git "{github.com: {auth: ssh, user: git}}" && \
-          eval $(ssh-agent) && \
-          earthly secrets --org earthly-technologies --project core get littleredcorvette-id_rsa | ssh-add - && \
-          earthly --ci -P ./utils/dind+test
+        run: |
+          earthly config git "{github.com: {auth: ssh, user: git}}"
+          eval $(ssh-agent)
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          printf '%s\n' "${{ secrets.EARTHBUILDCI_GITHUB_USER_SSH_PRIVATE_KEY }}" | tr -d '\r' > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-add ~/.ssh/id_ed25519
+          ssh-keyscan -t rsa,ecdsa,ed25519 -H github.com >> ~/.ssh/known_hosts
+          ssh-keyscan -p 443 -t rsa,ecdsa,ed25519 -H ssh.github.com >> ~/.ssh/known_hosts
+          chmod 644 ~/.ssh/known_hosts
+          earthly --ci -P --secret-file earthbuildci_id_ed25519=~/.ssh/id_ed25519 +test

CONTRIBUTING.md

@@ -3,13 +3,3 @@
 ## Code of Conduct
 
 Please refer to the [CNCF Community Code of Conduct v1.0](https://github.com/cncf/foundation/blob/main/code-of-conduct.md)
-
-## CLA
-
-### Individual
-
-All contributions must indicate agreement to the [Earthly Contributor License Agreement](https://gist.github.com/vladaionescu/ed990fa149a38a53ac74b64155bc6766) by logging into GitHub via the CLA assistant and signing the provided CLA. The CLA assistant will automatically notify the PRs that require CLA signing.
-
-### Entity
-
-If you are an entity, please use the [Earthly Contributor License Agreement form](https://earthly.dev/cla-form) in addition to requiring your individual contributors to sign all contributions.

utils/dind/tests/Earthfile

@@ -1,9 +1,12 @@
-VERSION 0.7
+VERSION 0.8
 
 all:
+    # renovate: datasource=docker packageName=alpine
+    LET alpine_version=3.22.2
+
     BUILD +test-install-dind-for-image \
         --base_image=docker:dind \
-        --base_image=alpine:latest \
+        --base_image=alpine:${alpine_version} \
         --base_image=debian:stable \
         --base_image=debian:stable-slim \
         --base_image=debian:oldstable \

utils/git/Earthfile

@@ -22,7 +22,7 @@ DEEP_CLONE:
     IF [ -z $SECRET_PATH ]
         RUN --ssh git fetch --unshallow
     ELSE
-        RUN --mount=type=secret,id=$SECRET_PATH,mode=0400,target=/root/.ssh/id_rsa \
+        RUN --mount=type=secret,id=$SECRET_PATH,mode=0400,target=/root/.ssh/id_ed25519 \
             git fetch --unshallow
     END
 

utils/git/tests/Earthfile

@@ -1,21 +1,19 @@
 VERSION --arg-scope-and-set --pass-args 0.7
 
-PROJECT earthly-technologies/core
-
 all:
-    BUILD --platform=linux/amd64 --platform=linux/arm64 +test-deep-clone-image \
+    BUILD +test-deep-clone-image \
         --base_image=alpine/git:latest \
         --base_image=alpine:latest \
         --base_image=debian:stable \
         --base_image=debian:stable-slim \
         --base_image=ubuntu:latest \
         --base_image=amazonlinux:1 \
         --base_image=amazonlinux:2 \
-        --GIT_URL=https://github.com/earthly/hello-world.git \
-        --GIT_URL=git@github.com:earthly/hello-world.git \
-        --GIT_URL=git@github.com:earthly/hello-world \
+        --GIT_URL=https://github.com/EarthBuild/hello-world.git \
+        --GIT_URL=git@github.com:EarthBuild/hello-world.git \
+        --GIT_URL=git@github.com:EarthBuild/hello-world \
         --SECRET_PATH="" \
-        --SECRET_PATH="littleredcorvette-id_rsa" \
+        --SECRET_PATH="earthbuildci_id_ed25519" \
         --DEST_DIR="" \
         --DEST_DIR="some-other-dir"
 

utils/ssh/Earthfile

@@ -6,8 +6,9 @@ ADD_KNOWN_HOSTS:
     ARG target_file=~/.ssh/known_hosts
     LET expanded_target_file="$(eval echo $target_file)"
     COPY +known-hosts/known_hosts /tmp/.
-    RUN mkdir -p $(dirname $expanded_target_file) && cat /tmp/known_hosts >> $expanded_target_file
-    RUN rm /tmp/known_hosts
+    RUN mkdir -p $(dirname $expanded_target_file) \
+      && cat /tmp/known_hosts >> $expanded_target_file \
+      && rm /tmp/known_hosts
 
 # known-hosts is used to copy the known_hosts file into the build context (internal use)
 known-hosts:

utils/ssh/tests/Earthfile

@@ -1,7 +1,7 @@
 VERSION --pass-args --arg-scope-and-set 0.7
 
 all:
-    BUILD --platform=linux/amd64 --platform=linux/arm64 +test-add-known-hosts-image \
+    BUILD +test-add-known-hosts-image \
         --base_image=alpine:latest \
         --base_image=debian:stable \
         --base_image=debian:stable-slim \