-
Notifications
You must be signed in to change notification settings - Fork 2
139 lines (136 loc) · 5.74 KB
/
update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: Automatic Updates
on:
schedule:
- cron: 0 0 * * *
workflow_dispatch:
defaults:
run:
shell: 'bash -Eeuo pipefail -x {0}'
jobs:
update:
runs-on: ubuntu-22.04
steps:
-
uses: actions/checkout@v3
with:
token: ${{ secrets.REPO_GHA_PAT }}
fetch-depth: 0
-
name: Get latest PgBouncer
run: |
echo PGBOUNCER_VERSION=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest | jq -r '.assets[].name' | grep -oP "pgbouncer-\K([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)(?=\.tar\.gz)") >> $GITHUB_ENV
-
name: Get latest Debian base image
run: |
echo DEBIAN_VERSION=$(curl -SsL "https://registry.hub.docker.com/v2/repositories/library/debian/tags/?name=buster-20&ordering=last_updated&" | jq -r ".results[].name | match(\"buster.*-slim\") | .string" | head -n1) >> $GITHUB_ENV
-
name: Update Dockerfile
run: |
INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json)
sed \
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \
-e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \
-e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \
Dockerfile.template > Dockerfile
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
-
name: Build and export to Docker
uses: docker/build-push-action@v4
with:
context: .
load: true
push: false
tags: newimage
-
name: Dockle scan
uses: erzz/dockle-action@v1
with:
image: newimage
exit-code: '1'
failure-threshold: WARN
env:
DOCKLE_IGNORES: DKL-DI-0006
-
name: Extract package list from container
run: |
docker run -t --entrypoint bash newimage -c 'apt list --installed | sort' > packages.txt
-
# We verify if there has been any change in the image. It could be:
# * a pgbouncer update
# * a new Debian base image
# * any change in the installed packages
# * any change in the git repository except the pipeline
name: Check if the image has been updated since the latest tag
run: |
echo UPDATED=false >> $GITHUB_ENV
if git describe --tags; then
current_tag=$(git describe --tags --abbrev=0)
if [[ -n $(git diff --name-status ${current_tag} -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then
echo UPDATED=true >> $GITHUB_ENV
fi
fi
-
name: Define tag
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
run: |
release_number=1
if git describe --tags; then
current_tag=$(git describe --tags --abbrev=0)
current_pgbouncer_version=$(echo $current_tag | cut -d'-' -f 1)
current_pgbouncer_version=${current_pgbouncer_version##v}
current_release=$(echo $current_tag | cut -d'-' -f 2)
if [ $current_pgbouncer_version = ${{ env.PGBOUNCER_VERSION }} ]; then
release_number=$((current_release+1))
fi
fi
echo IMAGE_RELEASE_VERSION=${release_number} >> $GITHUB_ENV
echo TAG=${{ env.PGBOUNCER_VERSION }}-${release_number} >> $GITHUB_ENV
-
# In case we are releasing, we need to re-generate the Dockerfile from
# the template again since now we also know the proper release version.
name: Update Dockerfile and the JSON version file
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
run: |
sed \
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \
-e 's/%%DEBIAN_VERSION%%/${{ env.DEBIAN_VERSION }}/' \
-e 's/%%IMAGE_RELEASE_VERSION%%/${{ env.IMAGE_RELEASE_VERSION }}/' \
Dockerfile.template > Dockerfile
jq -S '.PGBOUNCER_VERSION = "${{ env.PGBOUNCER_VERSION }}" | .IMAGE_RELEASE_VERSION = "${{ env.IMAGE_RELEASE_VERSION }}" | .DEBIAN_VERSION = "${{ env.DEBIAN_VERSION }}"' < .versions.json >> .versions.json.new
mv .versions.json.new .versions.json
-
name: Temporarily disable "include administrators" branch protection
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
id: disable_include_admins
uses: benjefferies/[email protected]
with:
access_token: ${{ secrets.REPO_GHA_PAT }}
branch: main
enforce_admins: false
-
name: Commit changes
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
uses: EndBug/add-and-commit@v9
with:
author_name: CloudNativePG Automated Updates
author_email: [email protected]
message: 'Automatic update'
tag: v${{ env.TAG }}
-
name: Make sure a tag is created in case of update
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.REPO_GHA_PAT }}
custom_tag: ${{ env.TAG }}
tag_prefix: 'v'
-
name: Enable "include administrators" branch protection
uses: benjefferies/[email protected]
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
with:
access_token: ${{ secrets.REPO_GHA_PAT }}
branch: main
enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}