Automatic Updates #609
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Automatic Updates | |
on: | |
schedule: | |
- cron: 0 0 * * * | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: 'bash -Eeuo pipefail -x {0}' | |
jobs: | |
update: | |
runs-on: ubuntu-22.04 | |
steps: | |
- | |
uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.REPO_GHA_PAT }} | |
fetch-depth: 0 | |
- | |
name: Get latest PgBouncer | |
run: | | |
echo PGBOUNCER_VERSION=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest | jq -r '.assets[].name' | grep -oP "pgbouncer-\K([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)(?=\.tar\.gz)") >> $GITHUB_ENV | |
- | |
name: Get latest Debian base image | |
run: | | |
echo DEBIAN_VERSION=$(curl -SsL "https://registry.hub.docker.com/v2/repositories/library/debian/tags/?name=buster-20&ordering=last_updated&" | jq -r ".results[].name | match(\"buster.*-slim\") | .string" | head -n1) >> $GITHUB_ENV | |
- | |
name: Update Dockerfile | |
run: | | |
INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json) | |
sed \ | |
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \ | |
-e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \ | |
-e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \ | |
Dockerfile.template > Dockerfile | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build and export to Docker | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
load: true | |
push: false | |
tags: newimage | |
- | |
name: Dockle scan | |
uses: erzz/dockle-action@v1 | |
with: | |
image: newimage | |
exit-code: '1' | |
failure-threshold: WARN | |
env: | |
DOCKLE_IGNORES: DKL-DI-0006 | |
- | |
name: Extract package list from container | |
run: | | |
docker run -t --entrypoint bash newimage -c 'apt list --installed | sort' > packages.txt | |
- | |
# We verify if there has been any change in the image. It could be: | |
# * a pgbouncer update | |
# * a new Debian base image | |
# * any change in the installed packages | |
# * any change in the git repository except the pipeline | |
name: Check if the image has been updated since the latest tag | |
run: | | |
echo UPDATED=false >> $GITHUB_ENV | |
if git describe --tags; then | |
current_tag=$(git describe --tags --abbrev=0) | |
if [[ -n $(git diff --name-status ${current_tag} -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then | |
echo UPDATED=true >> $GITHUB_ENV | |
fi | |
fi | |
- | |
name: Define tag | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
run: | | |
release_number=1 | |
if git describe --tags; then | |
current_tag=$(git describe --tags --abbrev=0) | |
current_pgbouncer_version=$(echo $current_tag | cut -d'-' -f 1) | |
current_pgbouncer_version=${current_pgbouncer_version##v} | |
current_release=$(echo $current_tag | cut -d'-' -f 2) | |
if [ $current_pgbouncer_version = ${{ env.PGBOUNCER_VERSION }} ]; then | |
release_number=$((current_release+1)) | |
fi | |
fi | |
echo IMAGE_RELEASE_VERSION=${release_number} >> $GITHUB_ENV | |
echo TAG=${{ env.PGBOUNCER_VERSION }}-${release_number} >> $GITHUB_ENV | |
- | |
# In case we are releasing, we need to re-generate the Dockerfile from | |
# the template again since now we also know the proper release version. | |
name: Update Dockerfile and the JSON version file | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
run: | | |
sed \ | |
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \ | |
-e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \ | |
-e 's/%%IMAGE_RELEASE_VERSION%%/${{ env.IMAGE_RELEASE_VERSION }}/' \ | |
Dockerfile.template > Dockerfile | |
jq -S '.PGBOUNCER_VERSION = "${{ env.PGBOUNCER_VERSION }}" | .IMAGE_RELEASE_VERSION = "${{ env.IMAGE_RELEASE_VERSION }}" | .DEBIAN_VERSION = "${{ env.DEBIAN_VERSION }}"' < .versions.json >> .versions.json.new | |
mv .versions.json.new .versions.json | |
- | |
name: Temporarily disable "include administrators" branch protection | |
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
id: disable_include_admins | |
uses: benjefferies/[email protected] | |
with: | |
access_token: ${{ secrets.REPO_GHA_PAT }} | |
branch: main | |
enforce_admins: false | |
- | |
name: Commit changes | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
uses: EndBug/add-and-commit@v9 | |
with: | |
author_name: CloudNativePG Automated Updates | |
author_email: [email protected] | |
message: 'Automatic update' | |
tag: v${{ env.TAG }} | |
- | |
name: Make sure a tag is created in case of update | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
uses: mathieudutour/[email protected] | |
with: | |
github_token: ${{ secrets.REPO_GHA_PAT }} | |
custom_tag: ${{ env.TAG }} | |
tag_prefix: 'v' | |
- | |
name: Enable "include administrators" branch protection | |
uses: benjefferies/[email protected] | |
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
with: | |
access_token: ${{ secrets.REPO_GHA_PAT }} | |
branch: main | |
enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }} |