Skip to content

Automatic Updates

Automatic Updates #632

Workflow file for this run

name: Automatic Updates
on:
schedule:
- cron: 0 0 * * *
workflow_dispatch:
defaults:
run:
shell: 'bash -Eeuo pipefail -x {0}'
jobs:
update:
runs-on: ubuntu-22.04
steps:
-
uses: actions/checkout@v4
with:
token: ${{ secrets.REPO_GHA_PAT }}
fetch-depth: 0
-
name: Get latest PgBouncer
run: |
echo PGBOUNCER_VERSION=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest | jq -r '.assets[].name' | grep -oP "pgbouncer-\K([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)(?=\.tar\.gz)") >> $GITHUB_ENV
-
name: Get latest Debian base image
run: |
echo DEBIAN_VERSION=$(curl -SsL "https://registry.hub.docker.com/v2/repositories/library/debian/tags/?name=buster-20&ordering=last_updated&" | jq -r ".results[].name | match(\"buster.*-slim\") | .string" | head -n1) >> $GITHUB_ENV
-
name: Update Dockerfile
run: |
INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json)
sed \
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \
-e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \
-e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \
Dockerfile.template > Dockerfile
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and export to Docker
uses: docker/build-push-action@v5
with:
context: .
load: true
push: false
tags: newimage
-
name: Dockle scan
uses: erzz/dockle-action@v1
with:
image: newimage
exit-code: '1'
failure-threshold: WARN
env:
DOCKLE_IGNORES: DKL-DI-0006
-
name: Extract package list from container
run: |
docker run -t --entrypoint bash newimage -c 'apt list --installed | sort' > packages.txt
-
# We verify if there has been any change in the image. It could be:
# * a pgbouncer update
# * a new Debian base image
# * any change in the installed packages
# * any change in the git repository except the pipeline
name: Check if the image has been updated since the latest tag
run: |
echo UPDATED=false >> $GITHUB_ENV
if git describe --tags; then
current_tag=$(git describe --tags --abbrev=0)
if [[ -n $(git diff --name-status ${current_tag} -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then
echo UPDATED=true >> $GITHUB_ENV
fi
fi
-
name: Define tag
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
run: |
release_number=1
if git describe --tags; then
current_tag=$(git describe --tags --abbrev=0)
current_pgbouncer_version=$(echo $current_tag | cut -d'-' -f 1)
current_pgbouncer_version=${current_pgbouncer_version##v}
current_release=$(echo $current_tag | cut -d'-' -f 2)
if [ $current_pgbouncer_version = ${{ env.PGBOUNCER_VERSION }} ]; then
release_number=$((current_release+1))
fi
fi
echo IMAGE_RELEASE_VERSION=${release_number} >> $GITHUB_ENV
echo TAG=${{ env.PGBOUNCER_VERSION }}-${release_number} >> $GITHUB_ENV
-
# In case we are releasing, we need to re-generate the Dockerfile from
# the template again since now we also know the proper release version.
name: Update Dockerfile and the JSON version file
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
run: |
sed \
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \
-e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \
-e 's/%%IMAGE_RELEASE_VERSION%%/${{ env.IMAGE_RELEASE_VERSION }}/' \
Dockerfile.template > Dockerfile
jq -S '.PGBOUNCER_VERSION = "${{ env.PGBOUNCER_VERSION }}" | .IMAGE_RELEASE_VERSION = "${{ env.IMAGE_RELEASE_VERSION }}" | .DEBIAN_VERSION = "${{ env.DEBIAN_VERSION }}"' < .versions.json >> .versions.json.new
mv .versions.json.new .versions.json
-
name: Temporarily disable "include administrators" branch protection
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
id: disable_include_admins
uses: benjefferies/[email protected]
with:
access_token: ${{ secrets.REPO_GHA_PAT }}
branch: main
enforce_admins: false
-
name: Commit changes
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
uses: EndBug/add-and-commit@v9
with:
author_name: CloudNativePG Automated Updates
author_email: [email protected]
message: 'Automatic update'
tag: v${{ env.TAG }}
-
name: Make sure a tag is created in case of update
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.REPO_GHA_PAT }}
custom_tag: ${{ env.TAG }}
tag_prefix: 'v'
-
name: Enable "include administrators" branch protection
uses: benjefferies/[email protected]
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
with:
access_token: ${{ secrets.REPO_GHA_PAT }}
branch: main
enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}