Introduce SHAs

gitpod-io · Aug 3, 2023 · 61fe6d4 · 61fe6d4
1 parent 2d2fe08
commit 61fe6d4
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 3 deletions.
diff --git a/.github/workflows/update-base.yml b/.github/workflows/update-base.yml
@@ -0,0 +1,76 @@
+name: Update base image base
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Every Monday at midnight
+    - cron: "0 0 * * 1"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set git identity
+        run: |
+          git config --global user.name $GITHUB_USER
+          git config --global user.email $GITHUB_EMAIL
+        env:
+          GITHUB_USER: roboquat
+          GITHUB_EMAIL: [email protected]
+
+      - uses: imjasonh/[email protected]
+
+      - name: Check if an update is available
+        shell: bash
+        run: |
+          file="$(pwd)/base/Dockerfile"
+          images=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f1 | rev | cut -d ' ' -f1 | cut -d '"' -f1 | rev | sed -e "s/^docker:\/\///" | tr '\n' ',' || true)
+          digests=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f2 | cut -d ' ' -f1 | cut -d '"' -f1 | tr '\n' ',' || true)
+          IFS=',' read -r -a images2 <<< "$images"
+          IFS=',' read -r -a digests2 <<< "$digests"
+
+          if [ -n "$images" ]; then
+              for i in "${!images2[@]}"; do
+                if [[ ${images2[i]} != *":"* ]]; then
+                  echo "Image ${images2[i]} in file $file does not have a tag, ignoring..."
+                  continue
+                fi
+                if [[ ${images2[i]} == *\.local:* ]]; then
+                  echo "Skipping local registry image ${images2[i]}"
+                  continue
+                fi
+                echo "Processing ${images2[i]} in file $file"
+                updated_digest=$(crane digest "${images2[i]}")
+                if [ "$updated_digest" != "${digests2[i]}" ] && [ -n "$updated_digest" ]; then
+                  echo "Digest ${digests2[i]} for image ${images2[i]} is different, new digest is $updated_digest, updating..."
+                  sed -i -e "s/${digests2[i]}/$updated_digest/g" "$file"
+                else
+                  echo "Digest for image ${images2[i]} is up-to-date."
+                fi
+              done
+          fi
+
+      - name: Check workspace
+        id: create_pr
+        shell: bash
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo "create_pr=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@923ad837f191474af6b1721408744feb989a4c27 # v4
+        if: ${{ steps.create_pr.outputs.create_pr == 'true' }}
+        with:
+          token: ${{ secrets.ROBOQUAT_AUTOMATIC_CHANGELOG }}
+          commit-message: update index
+          title: "Update base image digest"
+          body: "Updating the base image's base image"
+          branch: update-digests
+          delete-branch: true
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -1,6 +1,4 @@
-FROM buildpack-deps:jammy
-
-ENV TRIGGER_REBUILD=1
+FROM buildpack-deps:jammy@sha256:9b7ec77e64b6837e10968f9e2b0760af52fe7da4f66c1d008532f2bb80c0f1e2
 
 COPY install-packages upgrade-packages /usr/bin/