Skip to content

Update container images digest #732

Update container images digest

Update container images digest #732

name: Update container images digest
on:
workflow_dispatch:
schedule:
# At the start of every day
- cron: "0 0 * * *"
jobs:
build:
runs-on: ubuntu-20.04
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Set git identity
run: |
git config --global user.name $GITHUB_USER
git config --global user.email $GITHUB_EMAIL
env:
GITHUB_USER: roboquat
GITHUB_EMAIL: [email protected]
- uses: imjasonh/[email protected]
- name: Check if an update is available
shell: bash
run: |
while IFS= read -r -d '' file; do
if [[ "$file" == *testdata* ]]; then
echo "Skipping testdata ${file}"
continue
fi
images=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f1 | rev | cut -d ' ' -f1 | cut -d '"' -f1 | rev | sed -e "s/^docker:\/\///" | tr '\n' ',' || true)
digests=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f2 | cut -d ' ' -f1 | cut -d '"' -f1 | tr '\n' ',' || true)
IFS=',' read -r -a images2 <<< "$images"
IFS=',' read -r -a digests2 <<< "$digests"
if [ -n "$images" ]; then
for i in "${!images2[@]}"; do
if [[ ${images2[i]} != *":"* ]]; then
echo "Image ${images2[i]} in file $file does not have a tag, ignoring..."
continue
fi
if [[ ${images2[i]} == *\.local:* ]]; then
echo "Skipping local registry image ${images2[i]}"
continue
fi
echo "Processing ${images2[i]} in file $file"
updated_digest=$(crane digest "${images2[i]}" || true)
if [ -n "$updated_digest" ]; then
if [ "$updated_digest" != "${digests2[i]}" ]; then
echo "Digest ${digests2[i]} for image ${images2[i]} is different, new digest is $updated_digest, updating..."
sed -i -e "s/${digests2[i]}/$updated_digest/g" "$file"
fi
else
echo "Failed to get digest for image ${images2[i]}, skipping..."
fi
done
fi
done < <(find "$(pwd)" -type f \( -name "*.yaml" -o -name "*.yml" -o -name "Dockerfile*" -o -name "leeway.Dockerfile" \) -print0)
# update for chainguard redis
redisImageDigest=$(crane digest cgr.dev/chainguard/redis:latest)
# we switch to the quay.io image for the redis exporter, because cgr.dev/chainguard/prometheus-redis-exporter is not public anymore.
# see detail in https://linear.app/gitpod/issue/CLC-1039/#comment-c90cb270
redisExporterDigest=$(crane digest quay.io/oliver006/redis_exporter:latest)
sed -i -e "s/^\(\s*ImageDigest\s*=\s*\)\".*\"/\1\"$redisImageDigest\"/" install/installer/pkg/components/redis/constants.go
sed -i -e "s/^\(\s*ExporterImageDigest\s*=\s*\)\".*\"/\1\"$redisExporterDigest\"/" install/installer/pkg/components/redis/constants.go
go fmt install/installer/pkg/components/redis/constants.go
- name: Check workspace
id: create_pr
shell: bash
run: |
if [[ $(git diff --stat) != '' ]]; then
echo "create_pr=true" >> $GITHUB_OUTPUT
fi
- name: Create Pull Request
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
if: ${{ steps.create_pr.outputs.create_pr == 'true' }}
with:
token: ${{ secrets.ROBOQUAT_AUTOMATIC_CHANGELOG }}
commit-message: update index
title: "Update images digests"
body: |
Update images digests using the latest version available for image/s
## How to test
- [ ] Start a workspace in the preview environment and verify that it functions properly.
### Preview status
gitpod:summary
<details>
<summary>Preview Environment / Integration Tests</summary>
- [x] /werft with-preview
- [x] /werft with-gce-vm
If enabled this will create the environment on GCE infra
- [x] /werft preemptible
Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
- [x] with-integration-tests=ssh
Valid options are `all`, `workspace`, `webapp`, `ide`, `jetbrains`, `vscode`, `ssh`. If enabled, `with-preview` and `with-large-vm` will be enabled.
</details>
labels: automated pr, kind/cleanup, release-note-none
branch: update-digests
delete-branch: true
- name: Get previous job's status
id: lastrun
uses: filiptronicek/get-last-job-status@main
- name: Slack Notification
if: ${{ (success() && steps.lastrun.outputs.status == 'failed') || failure() }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_WEBHOOK: ${{ secrets.RELEASE_SLACK_WEBHOOK }}
SLACK_COLOR: ${{ job.status }}
SLACK_TITLE: "Update container images digest"
SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Workflow logs>"