Make it possible to bump container base image with renovatebot #29
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Containers | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| branches: [main] | |
| paths: | |
| - '**Containerfile' | |
| - '.containerignore' | |
| - '.github/workflows/containers.yml' | |
| pull_request: | |
| paths: | |
| - '**Containerfile' | |
| - '.containerignore' | |
| - '.github/workflows/containers.yml' | |
| workflow_dispatch: | |
| jobs: | |
| # podman can handle lowercase. So normalize the outputs | |
| get-meta: | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 5 | |
| outputs: | |
| started_at: ${{ steps.timestamp.outputs.started_at }} | |
| ref_tag: ${{ steps.tags.outputs.ref }} | |
| special_tag: ${{ steps.tags.outputs.special }} | |
| timestamp_tag: ${{ steps.tags.outputs.timestamp }} | |
| steps: | |
| - name: Get started timestamp | |
| id: timestamp | |
| run: | | |
| # Do not use ":" delimiter as iso-8601/rfc-3339, it cannot be used in container tag | |
| echo started_at="$(date --utc '+%Y%m%d-%H%M%S-%Z')" | ruby -pe '$_.downcase!' | tee -a "$GITHUB_OUTPUT" | |
| - name: Generate tags for the image | |
| id: tags | |
| # https://github.com/orgs/community/discussions/26557#discussioncomment-3252327 | |
| run: | | |
| echo "timestamp=${{ steps.timestamp.outputs.started_at }}" | tee -a "$GITHUB_OUTPUT" | |
| special='' | |
| ref='' | |
| if [ '${{ github.event_name }}' = 'pull_request' ]; then | |
| special='pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}' | |
| ref='${{ github.event.pull_request.head.sha }}' | |
| elif [ '${{ github.event_name }}' = 'push' ] && [ '${{ github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then | |
| special='latest' | |
| ref='${{ github.sha }}' | |
| else | |
| exit 1 | |
| fi | |
| echo "special=${special}" | tee -a "$GITHUB_OUTPUT" | |
| echo "ref=${ref}" | tee -a "$GITHUB_OUTPUT" | |
| ubuntu-nix-sudoer: | |
| needs: [get-meta] | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 30 | |
| outputs: | |
| package-json: ${{ steps.inspect-package.outputs.json }} | |
| steps: | |
| - name: Logging dependency versions | |
| run: | | |
| podman version | |
| crun --version | |
| buildah version | |
| - uses: actions/checkout@v4 | |
| - name: Install gh-action-escape | |
| run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0 | |
| - name: Build Image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 #v2.13 | |
| with: | |
| image: ubuntu-24.04-nix-sudoer | |
| tags: ${{ needs.get-meta.outputs.special_tag }} ${{ needs.get-meta.outputs.ref_tag }} ${{ needs.get-meta.outputs.timestamp_tag }} | |
| containerfiles: | | |
| ./images/ubuntu-nix-sudoer/Containerfile | |
| build-args: | | |
| username=user | |
| oci: true | |
| # - name: Setup tmate session | |
| # uses: mxschmitt/action-tmate@v3 | |
| # with: | |
| # limit-access-to-actor: true | |
| - name: Inspect the created image | |
| run: | | |
| podman inspect localhost/${{ steps.build-image.outputs.image }}:${{ needs.get-meta.outputs.ref_tag }} | |
| - name: Push To ghcr.io | |
| id: push-to-ghcr | |
| if: ${{ github.actor == github.repository_owner }} | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c #v2.8 | |
| with: | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ github.token }} | |
| - name: Log outputs | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: echo "${{ toJSON(steps.push-to-ghcr.outputs) }}" | |
| - name: Inspect the package | |
| id: inspect-package | |
| if: ${{ github.actor == github.repository_owner }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -euxo pipefail | |
| echo "${{ toJSON(steps.push-to-ghcr.outputs) }}" | |
| gh api --paginate \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| /users/${{ github.repository_owner }}/packages/container/ubuntu-24.04-nix-sudoer/versions \ | |
| --jq '.[] | select(.name == "${{ steps.push-to-ghcr.outputs.digest }}")' | \ | |
| jq | gh-action-escape -name=json | tee -a "$GITHUB_OUTPUT" | |
| ubuntu-nix-systemd: | |
| needs: [get-meta] | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 30 | |
| outputs: | |
| package-json: ${{ steps.inspect-package.outputs.json }} | |
| steps: | |
| - name: Logging dependency versions | |
| run: | | |
| podman version | |
| crun --version | |
| buildah version | |
| - uses: actions/checkout@v4 | |
| - name: Install gh-action-escape | |
| run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0 | |
| - name: Build Image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 #v2.13 | |
| with: | |
| image: ubuntu-24.04-nix-systemd | |
| tags: ${{ needs.get-meta.outputs.special_tag }} ${{ needs.get-meta.outputs.ref_tag }} ${{ needs.get-meta.outputs.timestamp_tag }} | |
| containerfiles: | | |
| ./images/ubuntu-nix-systemd/Containerfile | |
| oci: true | |
| # - name: Setup tmate session | |
| # uses: mxschmitt/action-tmate@v3 | |
| # with: | |
| # limit-access-to-actor: true | |
| - name: Inspect the created image | |
| run: | | |
| podman inspect localhost/${{ steps.build-image.outputs.image }}:${{ needs.get-meta.outputs.ref_tag }} | |
| - name: Push To ghcr.io | |
| id: push-to-ghcr | |
| if: ${{ github.actor == github.repository_owner }} | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c #v2.8 | |
| with: | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ github.token }} | |
| - name: Log outputs | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: echo "${{ toJSON(steps.push-to-ghcr.outputs) }}" | |
| - name: Inspect the package | |
| id: inspect-package | |
| if: ${{ github.actor == github.repository_owner }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -euxo pipefail | |
| echo "${{ toJSON(steps.push-to-ghcr.outputs) }}" | |
| gh api --paginate \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| /users/${{ github.repository_owner }}/packages/container/ubuntu-24.04-nix-systemd/versions \ | |
| --jq '.[] | select(.name == "${{ steps.push-to-ghcr.outputs.digest }}")' | \ | |
| jq | gh-action-escape -name=json | tee -a "$GITHUB_OUTPUT" | |
| announce-staging: | |
| needs: [get-meta, ubuntu-nix-systemd, ubuntu-nix-sudoer] | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Prepare git to run gh commands | |
| uses: actions/checkout@v4 | |
| - name: Post comments | |
| if: ${{ (github.actor == github.repository_owner) && (github.event_name == 'pull_request') }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| ( | |
| cat <<'EOF' | |
| ⬢🦭 Staging container-image has been deployed 🚀\ | |
| You can check in package URL | |
| * systemd: https://github.com/${{ github.repository }}/pkgs/container/ubuntu-24.04-nix-systemd/${{ fromJson(needs.ubuntu-nix-systemd.outputs.package-json).id }}?tag=${{ needs.get-meta.outputs.special_tag }} | |
| * sudoer: https://github.com/${{ github.repository }}/pkgs/container/ubuntu-24.04-nix-sudoer/${{ fromJson(needs.ubuntu-nix-sudoer.outputs.package-json).id }}?tag=${{ needs.get-meta.outputs.special_tag }} | |
| This image will be automatically 🤖 removed from ghcr.io 🗑️ if you merged/closed this PR 😌 | |
| EOF | |
| ) | gh pr comment ${{ github.event.number }} --body-file - |