Improve updating image deps workflow (#4222)

* Improve updating image deps workflow
replicatedhq · Dec 14, 2023 · 4bd2b94 · 4bd2b94
1 parent 819e8b4
commit 4bd2b94
Show file tree

Hide file tree

Showing 29 changed files with 370 additions and 232 deletions.
diff --git a/.github/actions/build-push-image-with-apko/action.yml b/.github/actions/build-push-image-with-apko/action.yml
@@ -19,6 +19,11 @@ inputs:
     default: ''
     required: false
 
+  overwrite:
+    description: 'Overwrite the existing image tag'
+    default: 'false'
+    required: false
+
 runs:
   using: "composite"
   steps:
@@ -35,7 +40,7 @@ runs:
         fi
 
     - uses: chainguard-images/actions/apko-publish@main
-      if: ${{ steps.check-image-exists.outputs.image-exists == 'false' }}
+      if: ${{ inputs.overwrite == 'true' || steps.check-image-exists.outputs.image-exists == 'false' }}
       with:
         config: ${{ inputs.apko-config }}
         archs: x86_64

diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml
@@ -32,42 +32,6 @@ jobs:
           registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
-  build-rqlite:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/rqlite/apko.yaml
-          image-name: index.docker.io/kotsadm/rqlite:alpha
-          registry-username: ${{ secrets.DOCKERHUB_USER }}
-          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-
-  build-minio:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/minio/apko.yaml
-          image-name: index.docker.io/kotsadm/minio:alpha
-          registry-username: ${{ secrets.DOCKERHUB_USER }}
-          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-
-  build-dex:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/dex/apko.yaml
-          image-name: index.docker.io/kotsadm/dex:alpha
-          registry-username: ${{ secrets.DOCKERHUB_USER }}
-          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -113,7 +77,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/kotsadm/rqlite:alpha"
+          image-ref: "docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'rqlite-scan-output.sarif'
@@ -140,7 +104,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/kotsadm/minio:alpha"
+          image-ref: "docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'minio-scan-output.sarif'
@@ -168,7 +132,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/kotsadm/dex:alpha"
+          image-ref: "docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'dex-scan-output.sarif'
@@ -218,7 +182,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/replicated/local-volume-provider:${{ steps.dotenv.outputs.lvp_tag }}"
+          image-ref: "docker.io/replicated/local-volume-provider:${{ steps.dotenv.outputs.LVP_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'scan-output.sarif'

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -423,10 +423,11 @@ jobs:
         with:
           path: .image.env
 
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/minio/apko.yaml
-          image-name: ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+      - name: push minio
+        run: |
+          docker pull kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+          docker tag kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+          docker push ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
 
 
   push-rqlite:
@@ -447,11 +448,11 @@ jobs:
         with:
           path: .image.env
 
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/rqlite/apko.yaml
-          image-name: ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-
+      - name: push rqlite
+        run: |
+          docker pull kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker tag kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker push ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
 
   push-dex:
     runs-on: ubuntu-20.04
@@ -471,11 +472,11 @@ jobs:
         with:
           path: .image.env
 
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/dex/apko.yaml
-          image-name: ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
-
+      - name: push dex
+        run: |
+          docker pull kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+          docker tag kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }} ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+          docker push ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
 
   # only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**"
   kurl-addon-changes-filter:

diff --git a/.github/workflows/image-deps-updater.yaml b/.github/workflows/image-deps-updater.yaml
@@ -0,0 +1,117 @@
+name: Update image deps
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+    inputs:
+      overwrite:
+        description: 'Overwrite the existing image tags'
+        required: false
+        default: 'false'
+jobs:
+  build-3rd-party-images:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Get tags
+      id: get-tags
+      run: |
+        minio_yaml=$(curl -s --fail --show-error https://raw.githubusercontent.com/wolfi-dev/os/main/minio.yaml)
+        minio_version=$(echo "$minio_yaml" | grep "version:" | awk '{print $2}' | tr -d '\n')
+        minio_epoch=$(echo "$minio_yaml" | grep "epoch:" | awk '{print $2}' | tr -d '\n')
+
+        rqlite_yaml=$(curl -s --fail --show-error https://raw.githubusercontent.com/wolfi-dev/os/main/rqlite.yaml)
+        rqlite_version=$(echo "$rqlite_yaml" | grep "version:" | awk '{print $2}' | tr -d '\n')
+        rqlite_epoch=$(echo "$rqlite_yaml" | grep "epoch:" | awk '{print $2}' | tr -d '\n')
+
+        dex_yaml=$(curl -s --fail --show-error https://raw.githubusercontent.com/wolfi-dev/os/main/dex.yaml)
+        dex_version=$(echo "$dex_yaml" | grep "version:" | awk '{print $2}' | tr -d '\n')
+        dex_epoch=$(echo "$dex_yaml" | grep "epoch:" | awk '{print $2}' | tr -d '\n')
+
+        {
+          echo "minio-tag=$minio_version-$minio_epoch"
+          echo "rqlite-tag=$rqlite_version-$rqlite_epoch"
+          echo "dex-tag=$dex_version-$dex_epoch"
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Build and push minio image
+      uses: ./.github/actions/build-push-image-with-apko
+      with:
+        apko-config: deploy/minio/apko.yaml
+        image-name: index.docker.io/kotsadm/minio:${{ steps.get-tags.outputs.minio-tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        overwrite: ${{ github.event.inputs.overwrite }}
+
+    - name: Build and push rqlite image
+      uses: ./.github/actions/build-push-image-with-apko
+      with:
+        apko-config: deploy/rqlite/apko.yaml
+        image-name: index.docker.io/kotsadm/rqlite:${{ steps.get-tags.outputs.rqlite-tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        overwrite: ${{ github.event.inputs.overwrite }}
+
+    - name: Build and push dex image
+      uses: ./.github/actions/build-push-image-with-apko
+      with:
+        apko-config: deploy/dex/apko.yaml
+        image-name: index.docker.io/kotsadm/dex:${{ steps.get-tags.outputs.dex-tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        overwrite: ${{ github.event.inputs.overwrite }}
+
+  update-image-deps:
+    needs: [build-3rd-party-images]
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '^1.20.0'
+
+      - name: Run Update Script
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          go run ./cmd/imagedeps
+
+      - name: Create Pull Request # creates a PR if there are differences
+        uses: peter-evans/create-pull-request@v5
+        id: cpr
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update KOTS image dependency tags
+          title: 'Automated KOTS Image Dependency Tag Update'
+          branch: automation/image-dependencies
+          delete-branch: true
+          labels: |
+            automated-pr
+            images
+            type::security
+          draft: false
+          base: "main"
+          body: "Automated changes by the [image-deps-updater](https://github.com/replicatedhq/kots/blob/main/.github/workflows/image-deps-updater.yaml) GitHub action"
+
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      - name: Slack Notification
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        uses: slackapi/[email protected]
+        with: 
+          payload: |
+            {
+              "pull_request_url": "${{steps.cpr.outputs.pull-request-url}}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.KOTS_IMAGE_DEPS_SLACK_WEBHOOK }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -26,42 +26,6 @@ jobs:
           git tag "$GIT_TAG"
           git push origin "$GIT_TAG"
 
-  image-deps-updater:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: '^1.20.0'
-      - name: Run Update Script
-        env:
-          GITHUB_AUTH_TOKEN: ${{ secrets.NIGHTLY_GH_PAT }}
-        run: |
-          go run ./cmd/imagedeps
-      - name: Create Pull Request # creates a PR if there are differences
-        uses: peter-evans/create-pull-request@v5
-        id: cpr
-        with:
-          token: ${{ secrets.NIGHTLY_GH_PAT }}
-          commit-message: update kots image dependency tags
-          title: 'Automated Kots Image Dependency Tag Update'
-          branch: automation/image-dependencies
-          delete-branch: true
-          labels: |
-            automated-pr
-            images
-            type::security
-          draft: false
-          base: "main"
-          body: "Automated changes by the [release](https://github.com/replicatedhq/kots/blob/main/.github/workflows/release.yaml) GitHub action"
-
-      - name: Check outputs
-        run: |
-          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
-          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
-
   build-kotsadm-migrations:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -146,63 +110,6 @@ jobs:
         name: kots
         path: ./bin/kots
 
-  build-minio:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Read image tags from env file
-      uses: falti/dotenv-action@v1
-      id: dotenv
-      with:
-        path: .image.env
-
-    - uses: ./.github/actions/build-push-image-with-apko
-      with:
-        apko-config: deploy/minio/apko.yaml
-        image-name: index.docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
-        registry-username: ${{ secrets.DOCKERHUB_USER }}
-        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-  build-rqlite:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Read image tags from env file
-      uses: falti/dotenv-action@v1
-      id: dotenv
-      with:
-        path: .image.env
-
-    - uses: ./.github/actions/build-push-image-with-apko
-      with:
-        apko-config: deploy/rqlite/apko.yaml
-        image-name: index.docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-        registry-username: ${{ secrets.DOCKERHUB_USER }}
-        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-  build-dex:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Read image tags from env file
-      uses: falti/dotenv-action@v1
-      id: dotenv
-      with:
-        path: .image.env
-
-    - uses: ./.github/actions/build-push-image-with-apko
-      with:
-        apko-config: deploy/dex/apko.yaml
-        image-name: index.docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}
-        registry-username: ${{ secrets.DOCKERHUB_USER }}
-        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -224,7 +131,7 @@ jobs:
 
   build-release:
     runs-on: ubuntu-20.04
-    needs: [generate-tag, build-kotsadm-migrations, build-kotsadm, build-minio, build-rqlite, build-dex]
+    needs: [generate-tag, build-kotsadm-migrations, build-kotsadm]
     steps:
     - name: Checkout
       uses: actions/checkout@v4

diff --git a/cmd/imagedeps/image-spec b/cmd/imagedeps/image-spec
@@ -1,5 +1,5 @@
-minio kotsadm/minio
-rqlite kotsadm/rqlite
-dex kotsadm/dex
+minio kotsadm/minio ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)-([0-9]|[1-9][0-9]*)$
+rqlite kotsadm/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)-([0-9]|[1-9][0-9]*)$
+dex kotsadm/dex ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)-([0-9]|[1-9][0-9]*)$
 schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 lvp replicated/local-volume-provider ^v([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$