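# Nightly automation: look up the latest stable PgBouncer release and the latest
# Debian bookworm slim base tag, regenerate the Dockerfile from the template,
# build and scan the image, and - on main, and only when something actually
# changed since the last tag - commit the regenerated files and cut a new tag.
#
# NOTE(review): the third-party actions below are pinned by mutable tag
# (@v1, @v1.1.2, @v6.2, ...). Pinning each one to a full commit SHA, with the
# tag kept as a trailing comment, removes the risk of a tag being retargeted.
name: Automatic Updates

on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: its only use in this workflow
# is an authenticated read of the GitHub releases API. Every write (checkout
# with push credentials, commit, tag, branch-protection toggling) goes through
# the REPO_GHA_PAT secret instead.
permissions:
  contents: read

defaults:
  run:
    # -x echoes every expanded command line into the job log, so secrets must
    # reach scripts only through env: (where log masking applies), never by
    # ${{ }} interpolation into the script text.
    shell: 'bash -Eeuo pipefail -x {0}'

jobs:
  retrieve-versions:
    runs-on: ubuntu-22.04
    outputs:
      # Both values are written to $GITHUB_ENV by the steps below. An empty
      # value means "nothing usable was found" and makes the update job skip.
      pgbouncer_version: ${{ env.PGBOUNCER_VERSION }}
      debian_version: ${{ env.DEBIAN_VERSION }}
    steps:
      - name: Get latest PgBouncer
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # '// empty' turns a missing tag_name (e.g. an API error document)
          # into an empty string so it hits the "could not be retrieved" branch
          # instead of the literal string "null".
          LATEST_TAG=$(curl -sS \
            -H "Accept: application/vnd.github.v3+json" \
            -H "Authorization: token ${GITHUB_TOKEN}" \
            https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest \
            | jq -r '.tag_name // empty')
          if [ -z "$LATEST_TAG" ]; then
            echo "PgBouncer latest tag could not be retrieved"
            exit 0
          fi
          # Only stable releases (tags of the form pgbouncer_<major>_<minor>_<patch>).
          # The anchored pattern also guarantees the value only contains digits
          # and underscores, so it is safe to splice into sed/jq commands later.
          pattern='^pgbouncer_[0-9]_[0-9]+_[0-9]+$'
          if [[ ! $LATEST_TAG =~ $pattern ]]; then
            echo "This version is not a stable release. Exiting."
            exit 0
          fi
          VERSION=${LATEST_TAG#pgbouncer_}
          echo "PGBOUNCER_VERSION=${VERSION//_/.}" >> "$GITHUB_ENV"

      - name: Get latest Debian base image
        run: |
          # Keep the first tag, in the API's last_updated ordering, that is a
          # plain dated slim tag (bookworm-<digits>-slim). The anchored regex
          # rejects anything else, which is what makes the value safe to splice
          # into the sed/jq commands of the update job. first() replaces
          # 'head -n1' so the pipeline cannot be cut short by a closed pipe.
          DEBIAN_VERSION=$(curl -SsL "https://registry.hub.docker.com/v2/repositories/library/debian/tags/?name=bookworm-20&ordering=last_updated" \
            | jq -r 'first((.results // [])[].name | strings | select(test("^bookworm-[0-9]+-slim$")))')
          if [ -z "$DEBIAN_VERSION" ]; then
            echo "Debian slim latest tag could not be retrieved"
            exit 0
          fi
          echo "DEBIAN_VERSION=$DEBIAN_VERSION" >> "$GITHUB_ENV"

  update:
    runs-on: ubuntu-22.04
    needs:
      - retrieve-versions
    if: |
      needs.retrieve-versions.result == 'success' &&
      needs.retrieve-versions.outputs.pgbouncer_version != '' &&
      needs.retrieve-versions.outputs.debian_version != ''
    env:
      # Job-wide: the run: scripts below read these as ordinary shell
      # variables rather than re-interpolating them with ${{ }} into the
      # script text (the values come from external APIs).
      PGBOUNCER_VERSION: "${{ needs.retrieve-versions.outputs.pgbouncer_version }}"
      DEBIAN_VERSION: "${{ needs.retrieve-versions.outputs.debian_version }}"
    steps:
      - uses: actions/checkout@v4
        with:
          # Same PAT the commit/tag/branch-protection steps use below.
          token: ${{ secrets.REPO_GHA_PAT }}
          # Full history: the 'git describe --tags' calls below need the tags.
          fetch-depth: 0

      - name: Update Dockerfile
        run: |
          # First render, using the release number currently recorded in
          # .versions.json; it is re-rendered below once a new number is known.
          INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json)
          sed \
            -e "s/%%PGBOUNCER_VERSION%%/${PGBOUNCER_VERSION}/" \
            -e "s/%%DEBIAN_VERSION%%/${DEBIAN_VERSION}/" \
            -e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \
            Dockerfile.template > Dockerfile

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and export to Docker
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          push: false
          tags: newimage

      - name: Dockle scan
        uses: erzz/dockle-action@v1
        with:
          image: newimage
          exit-code: '1'
          failure-threshold: WARN
        env:
          DOCKLE_IGNORES: DKL-DI-0006

      - name: Extract package list from container
        run: |
          docker run -t --entrypoint bash newimage -c 'apt list --installed | sort' > packages.txt

      # The image counts as updated when anything differs from the latest tag
      # outside README.md, .github and .gitignore. That covers:
      # * a PgBouncer update or a new Debian base image (regenerated Dockerfile)
      # * any change in the installed packages (packages.txt)
      # * any other change in the git repository except the pipeline itself
      - name: Check if the image has been updated since the latest tag
        run: |
          echo "UPDATED=false" >> "$GITHUB_ENV"
          if git describe --tags; then
            current_tag=$(git describe --tags --abbrev=0)
            if [[ -n $(git diff --name-status "${current_tag}" -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then
              echo "UPDATED=true" >> "$GITHUB_ENV"
            fi
          fi

      - name: Define tag
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        run: |
          # Tags have the form v<pgbouncer version>-<release number>. The
          # release number restarts at 1 for a new PgBouncer version and is
          # incremented when the PgBouncer version is unchanged. A latest tag
          # that does not follow that form no longer aborts the job with an
          # arithmetic error; it simply starts a fresh count at 1.
          release_number=1
          if git describe --tags; then
            current_tag=$(git describe --tags --abbrev=0)
            if [[ $current_tag =~ ^v?([0-9.]+)-([0-9]+)$ ]]; then
              current_pgbouncer_version=${BASH_REMATCH[1]}
              current_release=${BASH_REMATCH[2]}
              if [ "$current_pgbouncer_version" = "$PGBOUNCER_VERSION" ]; then
                release_number=$((current_release + 1))
              fi
            else
              echo "Latest tag ${current_tag} is not of the form v<version>-<release>; starting at release 1"
            fi
          fi
          echo "IMAGE_RELEASE_VERSION=${release_number}" >> "$GITHUB_ENV"
          echo "TAG=${PGBOUNCER_VERSION}-${release_number}" >> "$GITHUB_ENV"

      # When releasing, render the Dockerfile from the template once more:
      # only now is the proper release number known.
      - name: Update Dockerfile and the JSON version file
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        run: |
          sed \
            -e "s/%%PGBOUNCER_VERSION%%/${PGBOUNCER_VERSION}/" \
            -e "s/%%DEBIAN_VERSION%%/${DEBIAN_VERSION}/" \
            -e "s/%%IMAGE_RELEASE_VERSION%%/${IMAGE_RELEASE_VERSION}/" \
            Dockerfile.template > Dockerfile
          # --arg keeps the values out of the jq program text, and '>' (not
          # '>>') guarantees the new file never has stale content appended to.
          jq -S \
            --arg pgbouncer "$PGBOUNCER_VERSION" \
            --arg release "$IMAGE_RELEASE_VERSION" \
            --arg debian "$DEBIAN_VERSION" \
            '.PGBOUNCER_VERSION = $pgbouncer | .IMAGE_RELEASE_VERSION = $release | .DEBIAN_VERSION = $debian' \
            < .versions.json > .versions.json.new
          mv .versions.json.new .versions.json

      # Paired with the final "Enable" step: both use always() so the
      # protection toggled off here is restored even if a step in between
      # fails, and so initial_status is available to the re-enable step.
      - name: Temporarily disable "include administrators" branch protection
        if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        id: disable_include_admins
        uses: benjefferies/branch-protection-bot@v1.1.2
        with:
          access_token: ${{ secrets.REPO_GHA_PAT }}
          branch: main
          enforce_admins: false

      - name: Commit changes
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        uses: EndBug/add-and-commit@v9
        with:
          author_name: CloudNativePG Automated Updates
          author_email: noreply@cnpg.com
          message: 'Automatic update'
          tag: v${{ env.TAG }}

      - name: Make sure a tag is created in case of update
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        uses: mathieudutour/github-tag-action@v6.2
        with:
          github_token: ${{ secrets.REPO_GHA_PAT }}
          custom_tag: ${{ env.TAG }}
          tag_prefix: 'v'

      - name: Enable "include administrators" branch protection
        uses: benjefferies/branch-protection-bot@v1.1.2
        if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        with:
          access_token: ${{ secrets.REPO_GHA_PAT }}
          branch: main
          # Restore whatever the setting was before the disable step ran.
          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}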