Update #744
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update | |
on: | |
schedule: | |
- cron: 0 0 * * * | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: 'bash -Eeuo pipefail -x {0}' | |
jobs: | |
update: | |
runs-on: ubuntu-22.04 | |
steps: | |
- | |
uses: actions/checkout@v3 | |
with: | |
token: ${{ secrets.REPO_GHA_PAT }} | |
fetch-depth: 0 | |
- | |
name: Get latest PgBouncer | |
run: | | |
echo PGBOUNCER_VERSION=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest | jq -r '.assets[].name' | grep -oP "pgbouncer-\K([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)(?=\.tar\.gz)") >> $GITHUB_ENV | |
- | |
name: Get latest UBI | |
run: | | |
echo UBI_VERSION=$(curl -sL https://registry.access.redhat.com/v2/ubi8-minimal/tags/list | jq -r '.tags[]' | grep -vE "(latest|source)" |sort -Vr | head -n 1) >> $GITHUB_ENV | |
- | |
name: Update Dockerfile | |
run: | | |
INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json) | |
sed \ | |
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \ | |
-e 's/%%UBI_VERSION%%/${{ env.UBI_VERSION }}/' \ | |
-e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \ | |
Dockerfile.template > Dockerfile | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- | |
name: Build and export to Docker | |
uses: docker/build-push-action@v4 | |
with: | |
secrets: | | |
"cs_script=${{ secrets.CS_SCRIPT }}" | |
context: . | |
load: true | |
push: false | |
tags: newimage | |
- | |
name: Dockle scan | |
uses: erzz/dockle-action@v1 | |
with: | |
image: newimage | |
exit-code: '1' | |
failure-threshold: WARN | |
accept-keywords: key | |
env: | |
DOCKLE_IGNORES: DKL-DI-0006,CIS-DI-0009 | |
- | |
name: Extract package list from container | |
run: | | |
docker run -t --entrypoint bash newimage -c 'rpm -qa | sort' > packages.txt | |
- | |
# We verify if there has been any change in the image. It could be: | |
# * a pgbouncer update | |
# * a new UBI base image | |
# * any change in the installed packages | |
# * any change in the git repository except the pipeline | |
name: Check if the image has been updated since the latest tag | |
run: | | |
echo UPDATED=false >> $GITHUB_ENV | |
if git describe --tags; then | |
current_tag=$(git describe --tags --abbrev=0) | |
if [[ -n $(git diff --name-status ${current_tag} -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then | |
echo UPDATED=true >> $GITHUB_ENV | |
fi | |
fi | |
- | |
name: Define tag | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
run: | | |
release_number=1 | |
if git describe --tags; then | |
current_tag=$(git describe --tags --abbrev=0) | |
current_pgbouncer_version=$(echo $current_tag | cut -d'-' -f 1) | |
current_pgbouncer_version=${current_pgbouncer_version##v} | |
current_release=$(echo $current_tag | cut -d'-' -f 2) | |
if [ $current_pgbouncer_version = ${{ env.PGBOUNCER_VERSION }} ]; then | |
release_number=$((current_release+1)) | |
fi | |
fi | |
echo IMAGE_RELEASE_VERSION=${release_number} >> $GITHUB_ENV | |
echo TAG=${{ env.PGBOUNCER_VERSION }}-${release_number} >> $GITHUB_ENV | |
- | |
# In case we are releasing, we need to re-generate the Dockerfile from | |
# the template again since now we also know the proper release version. | |
name: Update Dockerfile and the JSON version file | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
run: | | |
sed \ | |
-e 's/%%PGBOUNCER_VERSION%%/${{ env.PGBOUNCER_VERSION }}/' \ | |
-e 's/%%UBI_VERSION%%/${{ env.UBI_VERSION }}/' \ | |
-e 's/%%IMAGE_RELEASE_VERSION%%/${{ env.IMAGE_RELEASE_VERSION }}/' \ | |
Dockerfile.template > Dockerfile | |
jq -S '.PGBOUNCER_VERSION = "${{ env.PGBOUNCER_VERSION }}" | .IMAGE_RELEASE_VERSION = "${{ env.IMAGE_RELEASE_VERSION }}" | .UBI_VERSION = "${{ env.UBI_VERSION }}"' < .versions.json >> .versions.json.new | |
mv .versions.json.new .versions.json | |
- | |
name: Temporarily disable "include administrators" branch protection | |
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
id: disable_include_admins | |
uses: benjefferies/[email protected] | |
with: | |
access_token: ${{ secrets.REPO_GHA_PAT }} | |
branch: main | |
enforce_admins: false | |
- | |
name: Commit changes | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
uses: EndBug/add-and-commit@v9 | |
id: commit | |
with: | |
author_name: EnterpriseDB Automated Updates | |
author_email: [email protected] | |
message: 'Automatic update' | |
tag: v${{ env.TAG }} | |
- | |
name: Make sure a tag is created in case of update | |
if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
uses: mathieudutour/[email protected] | |
with: | |
github_token: ${{ secrets.REPO_GHA_PAT }} | |
custom_tag: ${{ env.TAG }} | |
tag_prefix: 'v' | |
- | |
name: Enable "include administrators" branch protection | |
uses: benjefferies/[email protected] | |
if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }} | |
with: | |
access_token: ${{ secrets.REPO_GHA_PAT }} | |
branch: main | |
enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }} | |
- | |
name: Slack Notification | |
uses: rtCamp/action-slack-notify@v2 | |
if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
env: | |
SLACK_COLOR: ${{ job.status }} | |
SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48 | |
SLACK_USERNAME: ghBot | |
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
SLACK_MESSAGE: Failure updating PgBouncer image |