Skip to content

Commit

Permalink
Forced SHA update workflow (nginx#5560)
Browse files Browse the repository at this point in the history
  • Loading branch information
oseoin authored and ssrahul96 committed Jun 20, 2024
1 parent 4cf0950 commit 279e74f
Show file tree
Hide file tree
Showing 2 changed files with 144 additions and 0 deletions.
75 changes: 75 additions & 0 deletions .github/scripts/docker-updater.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
#!/usr/bin/env bash

set -o pipefail

SCRIPT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd -P)"
DOCKER_FILE=${SCRIPT_ROOT}/build/Dockerfile
exclude_strings=""

# Parse command line arguments
while [[ $# -gt 0 ]]; do
key="$1"
case $key in
--exclude)
exclude_strings="$2"
shift
shift
;;
*)
DOCKER_FILE="$1"
shift
;;
esac
done

# Check if the file exists
if [ ! -f "$DOCKER_FILE" ]; then
echo "File $DOCKER_FILE does not exist."
exit 1
fi

function contains_excluded() {
local line="$1"
local exclude="$2"
local IFS=','
local excluded=($exclude)
for word in "${excluded[@]}"; do
if [[ "$line" == *"$word"* ]]; then
return 0
fi
done
return 1
}

function check_sha() {
image_sha="$1"
image=$(echo "$image_sha" | cut -d '@' -f1)
tag_sha=$(echo "$image_sha" | cut -d '@' -f2)

docker pull -q "$image" > /dev/null
latest_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "$image")
latest_sha=$(echo "$latest_digest" | cut -d '@' -f2)

if [ "$tag_sha" = "$latest_sha" ]; then
echo "The provided SHA256 hash is the latest for $image"
else
echo "> A newer version of $image is available:"
echo "> - $image@$tag_sha"
echo "> + $image@$latest_sha"
echo "> updating $DOCKER_FILE"
sed -i -e "s/$tag_sha/$latest_sha/g" "$DOCKER_FILE"
fi
}
if [ -n "$exclude_strings" ]; then
echo "excluding images containing one of: '$exclude_strings'"
fi
while IFS= read -r line; do
if [[ $line =~ ^FROM\ (.+@.+) ]]; then
image=$(echo "${BASH_REMATCH[1]}" | awk '{print $1}')
if [ -n "$exclude_strings" ] && contains_excluded "$line" "$exclude_strings"; then
echo "Skipping $image"
continue
fi
check_sha "$image"
fi
done < "$DOCKER_FILE"
69 changes: 69 additions & 0 deletions .github/workflows/update-docker-sha.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: "Update pinned container SHAs"

on:
workflow_dispatch:
inputs:
source_branch:
required: true
type: string
default: 'main'
excludes:
description: Comma separated list of strings to exclude images from the update
required: false
type: string
default: ''
dry_run:
type: boolean
default: false

defaults:
run:
shell: bash

permissions:
contents: read

jobs:
update-docker-sha:
permissions:
contents: write
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
ref: ${{ inputs.source_branch }}

- name: Update images
id: update_images
run: |
docker_md5=$(find . -type f \( -wholename "build/Dockerfile" -o -wholename "tests/Dockerfile" \) -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }')
echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT
ARGS=""
if [ -n ${{ github.event.inputs.excludes }} ]; then
ARGS="--exclude ${{ github.event.inputs.excludes }}"
fi
.github/scripts/docker-updater.sh ./build/Dockerfile $ARGS
.github/scripts/docker-updater.sh ./tests/Dockerfile $ARGS
files=$(git diff --name-only)
if [[ $files == *"Dockerfile"* ]]; then
echo "change_detected=true" >> $GITHUB_OUTPUT
else
echo "change_detected=false" >> $GITHUB_OUTPUT
fi
echo $GITHUB_OUTPUT
- name: Create Pull Request
uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
with:
token: ${{ secrets.NGINX_PAT }}
commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }}
title: Docker image update ${{ steps.update_images.outputs.docker_md5 }}
branch: chore/image-update-${{ inputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }}
author: nginx-bot <integrations@nginx.com>
labels: |
chore
dependency
body: |
This automated PR updates pinned container image SHAs to latest.
if: ${{ !inputs.dry_run && steps.update_images.outputs.change_detected == 'true' }}

0 comments on commit 279e74f

Please sign in to comment.