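# Daily refresh of the PgBouncer container image.
#
# retrieve-versions looks up the newest stable PgBouncer release tag and the
# newest ubi9-minimal base-image tag. update regenerates the Dockerfile from
# Dockerfile.template, builds and scans the image and, on main, when anything
# in the image changed since the last tag, commits the result and tags a new
# release.
name: Update

on:
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:

# Every step runs with -e/-u/pipefail and command tracing (-x).
# Values that come from external services (release tags, registry tags) and
# secrets are read by the run steps from shell environment variables instead
# of being spliced into the script text with ${{ }} expansions, so an
# unexpected value cannot change the commands that are executed.
defaults:
  run:
    shell: 'bash -Eeuo pipefail -x {0}'

# Least privilege for the default GITHUB_TOKEN: this workflow only uses it
# for a read-only releases lookup. Every write (push, tag, branch protection)
# goes through secrets.REPO_GHA_PAT.
permissions:
  contents: read

jobs:
  # NOTE(review): the third-party actions below are pinned to mutable tags
  # (v1/v2/v3/v6/v9). Pinning to a full commit SHA, with the tag kept in a
  # trailing comment, makes the action supply chain reproducible.
  retrieve-versions:
    runs-on: ubuntu-22.04
    outputs:
      # Both outputs stay empty when a lookup fails or a value is rejected;
      # the update job's `if:` skips the job on empty values.
      pgbouncer_version: ${{ env.PGBOUNCER_VERSION }}
      ubi_version: ${{ env.UBI_VERSION }}
    steps:
      - name: Get latest PgBouncer
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          LATEST_TAG=$(curl -s -H "Accept: application/vnd.github.v3+json" -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/repos/pgbouncer/pgbouncer/releases/latest | jq -r '.tag_name')
          if [ -z "$LATEST_TAG" ]
          then
            echo "PgBouncer latest tag could not be retrieved"
            exit 0
          fi
          # Only stable tags of the form pgbouncer_N_N_N are accepted. The
          # check also guarantees the value contains nothing but digits,
          # underscores and the fixed prefix before it is used in sed/jq.
          pattern="^pgbouncer_[0-9]_[0-9]+_[0-9]+$"
          if [[ ! $LATEST_TAG =~ $pattern ]]; then
            echo "This version is not a stable release. Exiting."
            exit 0
          fi
          VERSION=${LATEST_TAG//pgbouncer_/}
          echo "PGBOUNCER_VERSION=${VERSION//_/.}" >> "$GITHUB_ENV"

      - name: Get latest UBI
        run: |
          # Drop the floating "latest" tag, the source tags and the
          # signature/attestation tags (".sig"/".att", dot escaped so it is
          # matched literally), then take the highest remaining version.
          UBI_VERSION=$(skopeo list-tags docker://registry.access.redhat.com/ubi9-minimal | jq -r '.Tags[]' | grep -vE "(latest|source|\.att|\.sig)" | sort -Vr | head -n1)
          if [ -z "$UBI_VERSION" ]
          then
            echo "UBI9 minimal latest tag could not be retrieved"
            exit 0
          fi
          # The tag is later written into the Dockerfile and .versions.json.
          # Accept only the OCI tag character set so an unexpected registry
          # entry cannot carry sed, jq or shell syntax into those steps.
          if [[ ! $UBI_VERSION =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "Unexpected UBI tag format: ${UBI_VERSION}. Exiting."
            exit 0
          fi
          echo "UBI_VERSION=$UBI_VERSION" >> "$GITHUB_ENV"

      - name: Slack Notification
        uses: rtCamp/action-slack-notify@v2
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48
          SLACK_USERNAME: ghBot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_MESSAGE: Failure retrieving PgBouncer and UBI versions

  update:
    runs-on: ubuntu-22.04
    needs:
      - retrieve-versions
    # Only run with two validated, non-empty versions.
    if: |
      needs.retrieve-versions.result == 'success' &&
      needs.retrieve-versions.outputs.pgbouncer_version != '' &&
      needs.retrieve-versions.outputs.ubi_version != ''
    env:
      # Exposed to every run step below as plain shell variables.
      PGBOUNCER_VERSION: "${{ needs.retrieve-versions.outputs.pgbouncer_version }}"
      UBI_VERSION: "${{ needs.retrieve-versions.outputs.ubi_version }}"
    steps:
      - uses: actions/checkout@v4
        with:
          # The PAT is kept in the checkout so the commit/tag steps can push.
          token: ${{ secrets.REPO_GHA_PAT }}
          # Full history is needed for `git describe --tags` below.
          fetch-depth: 0

      - name: Update Dockerfile
        run: |
          # First render uses the release number already recorded in the
          # repository; it is recomputed further down if a release happens.
          INITIAL_RELEASE_VERSION=$(jq -r '.IMAGE_RELEASE_VERSION' .versions.json)
          sed \
            -e "s/%%PGBOUNCER_VERSION%%/${PGBOUNCER_VERSION}/" \
            -e "s/%%UBI_VERSION%%/${UBI_VERSION}/" \
            -e "s/%%IMAGE_RELEASE_VERSION%%/${INITIAL_RELEASE_VERSION}/" \
            Dockerfile.template > Dockerfile

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and export to Docker
        uses: docker/build-push-action@v6
        with:
          # Build-time secret only; the image is loaded locally, never pushed.
          secrets: |
            "cs_token=${{ secrets.CLOUDSMITH_READ_ALL }}"
          context: .
          load: true
          push: false
          tags: newimage

      - name: Dockle scan
        uses: erzz/dockle-action@v1
        with:
          image: newimage
          # Fail the job on any finding at WARN or above.
          exit-code: '1'
          failure-threshold: WARN
          accept-keywords: key
        env:
          DOCKLE_IGNORES: DKL-DI-0006,CIS-DI-0009

      - name: Extract package list from container
        run: |
          # NOTE(review): -t allocates a pseudo-TTY; output line endings may
          # differ from a plain run. Confirm before dropping it, since
          # packages.txt feeds the change detection below.
          docker run -t --entrypoint bash newimage -c 'rpm -qa | sort' > packages.txt

      # We verify if there has been any change in the image. It could be:
      # * a pgbouncer update
      # * a new UBI base image
      # * any change in the installed packages
      # * any change in the git repository except the pipeline
      - name: Check if the image has been updated since the latest tag
        run: |
          echo UPDATED=false >> "$GITHUB_ENV"
          if git describe --tags; then
            current_tag=$(git describe --tags --abbrev=0)
            if [[ -n $(git diff --name-status "${current_tag}" -- . ':(exclude)README.md' ':(exclude).github' ':(exclude).gitignore') ]]; then
              echo UPDATED=true >> "$GITHUB_ENV"
            fi
          fi

      - name: Define tag
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        run: |
          # Tags look like v<pgbouncer version>-<release number>. The release
          # number restarts at 1 for a new PgBouncer version and is bumped
          # otherwise.
          release_number=1
          if git describe --tags; then
            current_tag=$(git describe --tags --abbrev=0)
            current_pgbouncer_version=$(echo "$current_tag" | cut -d'-' -f 1)
            current_pgbouncer_version=${current_pgbouncer_version##v}
            current_release=$(echo "$current_tag" | cut -d'-' -f 2)
            if [ "$current_pgbouncer_version" = "$PGBOUNCER_VERSION" ]; then
              release_number=$((current_release+1))
            fi
          fi
          echo "IMAGE_RELEASE_VERSION=${release_number}" >> "$GITHUB_ENV"
          echo "TAG=${PGBOUNCER_VERSION}-${release_number}" >> "$GITHUB_ENV"

      # In case we are releasing, we need to re-generate the Dockerfile from
      # the template again since now we also know the proper release version.
      - name: Update Dockerfile and the JSON version file
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        run: |
          sed \
            -e "s/%%PGBOUNCER_VERSION%%/${PGBOUNCER_VERSION}/" \
            -e "s/%%UBI_VERSION%%/${UBI_VERSION}/" \
            -e "s/%%IMAGE_RELEASE_VERSION%%/${IMAGE_RELEASE_VERSION}/" \
            Dockerfile.template > Dockerfile
          # Values are bound with --arg so they are JSON-encoded by jq instead
          # of being pasted into the filter text. Write with > (not >>): the
          # file must be a single fresh JSON document.
          jq -S \
            --arg pg "$PGBOUNCER_VERSION" \
            --arg rel "$IMAGE_RELEASE_VERSION" \
            --arg ubi "$UBI_VERSION" \
            '.PGBOUNCER_VERSION = $pg | .IMAGE_RELEASE_VERSION = $rel | .UBI_VERSION = $ubi' \
            < .versions.json > .versions.json.new
          mv .versions.json.new .versions.json

      # The disable/enable pair brackets the commit and tag steps; `always()`
      # on both makes sure protection is restored even if a step in between
      # fails.
      # NOTE(review): the action ref below was garbled by the page render
      # ("[email protected]"); restore the pinned version (ideally a commit SHA).
      - name: Temporarily disable "include administrators" branch protection
        if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        id: disable_include_admins
        uses: benjefferies/[email protected]
        with:
          access_token: ${{ secrets.REPO_GHA_PAT }}
          branch: main
          enforce_admins: false

      - name: Commit changes
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        uses: EndBug/add-and-commit@v9
        id: commit
        with:
          author_name: EnterpriseDB Automated Updates
          author_email: [email protected]
          message: 'Automatic update'
          tag: v${{ env.TAG }}

      # NOTE(review): the action ref below was garbled by the page render
      # ("[email protected]"); restore the pinned version (ideally a commit SHA).
      - name: Make sure a tag is created in case of update
        if: ${{ github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.REPO_GHA_PAT }}
          custom_tag: ${{ env.TAG }}
          tag_prefix: 'v'

      # NOTE(review): the action ref below was garbled by the page render
      # ("[email protected]"); restore the pinned version (ideally a commit SHA).
      - name: Enable "include administrators" branch protection
        uses: benjefferies/[email protected]
        if: ${{ always() && github.ref == 'refs/heads/main' && env.UPDATED == 'true' }}
        with:
          access_token: ${{ secrets.REPO_GHA_PAT }}
          branch: main
          # Restore whatever the setting was before the disable step ran.
          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}

      - name: Slack Notification
        uses: rtCamp/action-slack-notify@v2
        if: ${{ failure() && github.ref == 'refs/heads/main' }}
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_ICON: https://avatars.githubusercontent.com/u/44036562?size=48
          SLACK_USERNAME: ghBot
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_MESSAGE: Failure updating PgBouncer image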