Update container images digest #732
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update container images digest | |
on: | |
workflow_dispatch: | |
schedule: | |
# At the start of every day | |
- cron: "0 0 * * *" | |
jobs: | |
build: | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: write | |
pull-requests: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set git identity | |
run: | | |
git config --global user.name $GITHUB_USER | |
git config --global user.email $GITHUB_EMAIL | |
env: | |
GITHUB_USER: roboquat | |
GITHUB_EMAIL: [email protected] | |
- uses: imjasonh/[email protected] | |
- name: Check if an update is available | |
shell: bash | |
run: | | |
while IFS= read -r -d '' file; do | |
if [[ "$file" == *testdata* ]]; then | |
echo "Skipping testdata ${file}" | |
continue | |
fi | |
images=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f1 | rev | cut -d ' ' -f1 | cut -d '"' -f1 | rev | sed -e "s/^docker:\/\///" | tr '\n' ',' || true) | |
digests=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f2 | cut -d ' ' -f1 | cut -d '"' -f1 | tr '\n' ',' || true) | |
IFS=',' read -r -a images2 <<< "$images" | |
IFS=',' read -r -a digests2 <<< "$digests" | |
if [ -n "$images" ]; then | |
for i in "${!images2[@]}"; do | |
if [[ ${images2[i]} != *":"* ]]; then | |
echo "Image ${images2[i]} in file $file does not have a tag, ignoring..." | |
continue | |
fi | |
if [[ ${images2[i]} == *\.local:* ]]; then | |
echo "Skipping local registry image ${images2[i]}" | |
continue | |
fi | |
echo "Processing ${images2[i]} in file $file" | |
updated_digest=$(crane digest "${images2[i]}" || true) | |
if [ -n "$updated_digest" ]; then | |
if [ "$updated_digest" != "${digests2[i]}" ]; then | |
echo "Digest ${digests2[i]} for image ${images2[i]} is different, new digest is $updated_digest, updating..." | |
sed -i -e "s/${digests2[i]}/$updated_digest/g" "$file" | |
fi | |
else | |
echo "Failed to get digest for image ${images2[i]}, skipping..." | |
fi | |
done | |
fi | |
done < <(find "$(pwd)" -type f \( -name "*.yaml" -o -name "*.yml" -o -name "Dockerfile*" -o -name "leeway.Dockerfile" \) -print0) | |
# update for chainguard redis | |
redisImageDigest=$(crane digest cgr.dev/chainguard/redis:latest) | |
# we switch to the quay.io image for the redis exporter, because cgr.dev/chainguard/prometheus-redis-exporter is not public anymore. | |
# see detail in https://linear.app/gitpod/issue/CLC-1039/#comment-c90cb270 | |
redisExporterDigest=$(crane digest quay.io/oliver006/redis_exporter:latest) | |
sed -i -e "s/^\(\s*ImageDigest\s*=\s*\)\".*\"/\1\"$redisImageDigest\"/" install/installer/pkg/components/redis/constants.go | |
sed -i -e "s/^\(\s*ExporterImageDigest\s*=\s*\)\".*\"/\1\"$redisExporterDigest\"/" install/installer/pkg/components/redis/constants.go | |
go fmt install/installer/pkg/components/redis/constants.go | |
- name: Check workspace | |
id: create_pr | |
shell: bash | |
run: | | |
if [[ $(git diff --stat) != '' ]]; then | |
echo "create_pr=true" >> $GITHUB_OUTPUT | |
fi | |
- name: Create Pull Request | |
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6 | |
if: ${{ steps.create_pr.outputs.create_pr == 'true' }} | |
with: | |
token: ${{ secrets.ROBOQUAT_AUTOMATIC_CHANGELOG }} | |
commit-message: update index | |
title: "Update images digests" | |
body: | | |
Update images digests using the latest version available for image/s | |
## How to test | |
- [ ] Start a workspace in the preview environment and verify that it functions properly. | |
### Preview status | |
gitpod:summary | |
<details> | |
<summary>Preview Environment / Integration Tests</summary> | |
- [x] /werft with-preview | |
- [x] /werft with-gce-vm | |
If enabled this will create the environment on GCE infra | |
- [x] /werft preemptible | |
Saves cost. Untick this only if you're really sure you need a non-preemtible machine. | |
- [x] with-integration-tests=ssh | |
Valid options are `all`, `workspace`, `webapp`, `ide`, `jetbrains`, `vscode`, `ssh`. If enabled, `with-preview` and `with-large-vm` will be enabled. | |
</details> | |
labels: automated pr, kind/cleanup, release-note-none | |
branch: update-digests | |
delete-branch: true | |
- name: Get previous job's status | |
id: lastrun | |
uses: filiptronicek/get-last-job-status@main | |
- name: Slack Notification | |
if: ${{ (success() && steps.lastrun.outputs.status == 'failed') || failure() }} | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_WEBHOOK: ${{ secrets.RELEASE_SLACK_WEBHOOK }} | |
SLACK_COLOR: ${{ job.status }} | |
SLACK_TITLE: "Update container images digest" | |
SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Workflow logs>" |