Improve updating image deps workflow

replicatedhq · Dec 14, 2023 · 6c9c4bc · 6c9c4bc
1 parent 819e8b4
commit 6c9c4bc
Show file tree

Hide file tree

Showing 25 changed files with 354 additions and 189 deletions.
diff --git a/.github/workflows/alpha.yaml b/.github/workflows/alpha.yaml
@@ -32,42 +32,6 @@ jobs:
           registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
 
-  build-rqlite:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/rqlite/apko.yaml
-          image-name: index.docker.io/kotsadm/rqlite:alpha
-          registry-username: ${{ secrets.DOCKERHUB_USER }}
-          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-
-  build-minio:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/minio/apko.yaml
-          image-name: index.docker.io/kotsadm/minio:alpha
-          registry-username: ${{ secrets.DOCKERHUB_USER }}
-          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-
-  build-dex:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/dex/apko.yaml
-          image-name: index.docker.io/kotsadm/dex:alpha
-          registry-username: ${{ secrets.DOCKERHUB_USER }}
-          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -113,7 +77,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/kotsadm/rqlite:alpha"
+          image-ref: "docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'rqlite-scan-output.sarif'
@@ -140,7 +104,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/kotsadm/minio:alpha"
+          image-ref: "docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'minio-scan-output.sarif'
@@ -168,7 +132,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/kotsadm/dex:alpha"
+          image-ref: "docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'dex-scan-output.sarif'
@@ -218,7 +182,7 @@ jobs:
         id: scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/replicated/local-volume-provider:${{ steps.dotenv.outputs.lvp_tag }}"
+          image-ref: "docker.io/replicated/local-volume-provider:${{ steps.dotenv.outputs.LVP_TAG }}"
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'scan-output.sarif'

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -423,10 +423,11 @@ jobs:
         with:
           path: .image.env
 
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/minio/apko.yaml
-          image-name: ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+      - name: push minio
+        run: |
+          docker pull kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+          docker tag kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }} ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
+          docker push ttl.sh/automated-${{ github.run_id }}/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
 
 
   push-rqlite:
@@ -447,11 +448,11 @@ jobs:
         with:
           path: .image.env
 
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/rqlite/apko.yaml
-          image-name: ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-
+      - name: push rqlite
+        run: |
+          docker pull kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker tag kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }} ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
+          docker push ttl.sh/automated-${{ github.run_id }}/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
 
   push-dex:
     runs-on: ubuntu-20.04
@@ -471,11 +472,11 @@ jobs:
         with:
           path: .image.env
 
-      - uses: ./.github/actions/build-push-image-with-apko
-        with:
-          apko-config: deploy/dex/apko.yaml
-          image-name: ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
-
+      - name: push dex
+        run: |
+          docker pull kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+          docker tag kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }} ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
+          docker push ttl.sh/automated-${{ github.run_id }}/dex:${{ steps.dotenv.outputs.DEX_TAG }}
 
   # only run validate-kurl-addon if changes to "deploy/kurl/kotsadm/template/**"
   kurl-addon-changes-filter:

diff --git a/.github/workflows/image-deps-updater.yaml b/.github/workflows/image-deps-updater.yaml
@@ -0,0 +1,113 @@
+name: Update image deps
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+    inputs:
+      overwrite:
+        description: "Overwrite the existing image tags."
+        required: false
+        default: "false"
+jobs:
+  build-3rd-party-images:
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Get tags
+      id: get-tags
+      run: |
+        export minio_yaml=$(curl -s --fail --show-error https://raw.githubusercontent.com/wolfi-dev/os/main/minio.yaml)
+        export minio_version=$(echo "$minio_yaml" | grep "version:" | awk '{print $2}' | tr -d '\n')
+        export minio_epoch=$(echo "$minio_yaml" | grep "epoch:" | awk '{print $2}' | tr -d '\n')
+
+        export rqlite_yaml=$(curl -s --fail --show-error https://raw.githubusercontent.com/wolfi-dev/os/main/rqlite.yaml)
+        export rqlite_version=$(echo "$rqlite_yaml" | grep "version:" | awk '{print $2}' | tr -d '\n')
+        export rqlite_epoch=$(echo "$rqlite_yaml" | grep "epoch:" | awk '{print $2}' | tr -d '\n')
+
+        export dex_yaml=$(curl -s --fail --show-error https://raw.githubusercontent.com/wolfi-dev/os/main/dex.yaml)
+        export dex_version=$(echo "$dex_yaml" | grep "version:" | awk '{print $2}' | tr -d '\n')
+        export dex_epoch=$(echo "$dex_yaml" | grep "epoch:" | awk '{print $2}' | tr -d '\n')
+
+        echo "minio-tag=$minio_version-$minio_epoch" >> "$GITHUB_OUTPUT"
+        echo "rqlite-tag=$rqlite_version-$rqlite_epoch" >> "$GITHUB_OUTPUT"
+        echo "dex-tag=$dex_version-$dex_epoch" >> "$GITHUB_OUTPUT"
+
+    - name: Build and push minio image
+      uses: ./.github/actions/build-push-image-with-apko
+      with:
+        apko-config: deploy/minio/apko.yaml
+        image-name: index.docker.io/kotsadm/minio:${{ steps.get-tags.outputs.minio-tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+    - name: Build and push rqlite image
+      uses: ./.github/actions/build-push-image-with-apko
+      with:
+        apko-config: deploy/rqlite/apko.yaml
+        image-name: index.docker.io/kotsadm/rqlite:${{ steps.get-tags.outputs.rqlite-tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+    - name: Build and push dex image
+      uses: ./.github/actions/build-push-image-with-apko
+      with:
+        apko-config: deploy/dex/apko.yaml
+        image-name: index.docker.io/kotsadm/dex:${{ steps.get-tags.outputs.dex-tag }}
+        registry-username: ${{ secrets.DOCKERHUB_USER }}
+        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+  update-image-deps:
+    needs: [build-3rd-party-images]
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '^1.20.0'
+
+      - name: Run Update Script
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          go run ./cmd/imagedeps
+
+      - name: Create Pull Request # creates a PR if there are differences
+        uses: peter-evans/create-pull-request@v5
+        id: cpr
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update KOTS image dependency tags
+          title: 'Automated KOTS Image Dependency Tag Update'
+          branch: automation/image-dependencies
+          delete-branch: true
+          labels: |
+            automated-pr
+            images
+            type::security
+          draft: false
+          base: "main"
+          body: "Automated changes by the [image-deps-updater](https://github.com/replicatedhq/kots/blob/main/.github/workflows/image-deps-updater.yaml) GitHub action"
+
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      - name: Slack Notification
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        uses: slackapi/[email protected]
+        with: 
+          payload: |
+            {
+              "version": "${{ github.event.client_payload.version }}",
+              "pull_request_url": "${{steps.cpr.outputs.pull-request-url}}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.KOTS_IMAGE_DEPS_SLACK_WEBHOOK }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -146,63 +146,6 @@ jobs:
         name: kots
         path: ./bin/kots
 
-  build-minio:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Read image tags from env file
-      uses: falti/dotenv-action@v1
-      id: dotenv
-      with:
-        path: .image.env
-
-    - uses: ./.github/actions/build-push-image-with-apko
-      with:
-        apko-config: deploy/minio/apko.yaml
-        image-name: index.docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}
-        registry-username: ${{ secrets.DOCKERHUB_USER }}
-        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-  build-rqlite:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Read image tags from env file
-      uses: falti/dotenv-action@v1
-      id: dotenv
-      with:
-        path: .image.env
-
-    - uses: ./.github/actions/build-push-image-with-apko
-      with:
-        apko-config: deploy/rqlite/apko.yaml
-        image-name: index.docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}
-        registry-username: ${{ secrets.DOCKERHUB_USER }}
-        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-  build-dex:
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Read image tags from env file
-      uses: falti/dotenv-action@v1
-      id: dotenv
-      with:
-        path: .image.env
-
-    - uses: ./.github/actions/build-push-image-with-apko
-      with:
-        apko-config: deploy/dex/apko.yaml
-        image-name: index.docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}
-        registry-username: ${{ secrets.DOCKERHUB_USER }}
-        registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
   build-kotsadm:
     runs-on: ubuntu-20.04
     needs: [generate-tag]
@@ -224,7 +167,7 @@ jobs:
 
   build-release:
     runs-on: ubuntu-20.04
-    needs: [generate-tag, build-kotsadm-migrations, build-kotsadm, build-minio, build-rqlite, build-dex]
+    needs: [generate-tag, build-kotsadm-migrations, build-kotsadm]
     steps:
     - name: Checkout
       uses: actions/checkout@v4

diff --git a/cmd/imagedeps/image-spec b/cmd/imagedeps/image-spec
@@ -1,5 +1,5 @@
-minio kotsadm/minio
-rqlite kotsadm/rqlite
-dex kotsadm/dex
+minio kotsadm/minio ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)-([0-9]|[1-9][0-9]*)$
+rqlite kotsadm/rqlite ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)-([0-9]|[1-9][0-9]*)$
+dex kotsadm/dex ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)-([0-9]|[1-9][0-9]*)$
 schemahero schemahero/schemahero ^([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
 lvp replicated/local-volume-provider ^v([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)\.([0-9]|[1-9][0-9]*)$
diff --git a/cmd/imagedeps/main.go b/cmd/imagedeps/main.go
@@ -55,9 +55,9 @@ var (
 	replacers = []*replacer{
 		getMakefileReplacer("Makefile"),
 		getMakefileReplacer("migrations/Makefile"),
-		getApkoFileReplacer("deploy/minio/apko.yaml", "minio"),
-		getApkoFileReplacer("deploy/rqlite/apko.yaml", "rqlite"),
-		getApkoFileReplacer("deploy/dex/apko.yaml", "dex"),
+		getApkoFileReplacer("deploy/minio/apko.yaml"),
+		getApkoFileReplacer("deploy/rqlite/apko.yaml"),
+		getApkoFileReplacer("deploy/dex/apko.yaml"),
 	}
 )
 
@@ -230,11 +230,11 @@ func getDockerfileReplacer(path string) *replacer {
 	}
 }
 
-func getApkoFileReplacer(path string, pkg string) *replacer {
+func getApkoFileReplacer(path string) *replacer {
 	return &replacer{
 		path: path,
 		regexFn: func(ir *ImageRef) string {
-			return fmt.Sprintf(`- %s~\d+\.\d+\.\d+`, ir.name)
+			return fmt.Sprintf(`- %s~\d+\.\d+\.\d+(?:-\d+)?`, ir.name)
 		},
 		valueFn: func(ir *ImageRef) string {
 			return ir.GetApkoFileLine(ir.name)