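# Copyright 2023 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
#
# Composite action: scans the working directory for `image@sha256:...` references,
# resolves the current digest of each tagged image with `crane digest`, rewrites any
# reference whose digest has moved, and (optionally) opens a pull request with the result.
name: 'Update the image digest'
description: 'Update the image digest when have a mutating tag'
inputs:
  working-dir:
    description: Working directory to run the digestabot, to run in a specific path, if not set will run from the root
    required: false
    default: '.'
  token:
    description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
    required: true
    default: ${{ github.token }}
  signoff:
    description: 'Add `Signed-off-by` line by the committer at the end of the commit log message.'
    # Action inputs are always strings; quoted so the value reaches the PR step as the literal 'false'.
    default: 'false'
  author:
    description: >
      The author name and email address in the format `Display Name <[email protected]>`.
      Defaults to the user who triggered the workflow run.
    default: '${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>'
  committer:
    description: >
      The committer name and email address in the format `Display Name <[email protected]>`.
      Defaults to the GitHub Actions bot user.
    default: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
  labels-for-pr:
    description: 'A comma or newline separated list of labels to be used in the pull request.'
    default: 'automated pr, kind/cleanup, release-note-none'
  branch-for-pr:
    description: 'The pull request branch name.'
    default: 'update-digests'
  title-for-pr:
    description: 'The title of the pull request.'
    default: 'Update images digests'
  description-for-pr:
    description: 'The description of the pull request.'
    default: |
      Update images digests
      ```release-note
      NONE
      ```
  commit-message:
    description: 'The message to use when committing changes.'
    default: 'Update images digests'
  create-pr:
    description: 'Create a PR or just keep the changes locally.'
    # Compared as the string 'true' in the "Check workspace" step below.
    default: 'true'
outputs:
  pull_request_number:
    description: "Pull Request Number"
    value: ${{ steps.pull_request.outputs.pull-request-number }}
runs:
  using: "composite"
  steps:
    - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
    - name: Update digests
      # The input is passed through the environment rather than interpolated into the
      # script: a `${{ }}` expression inside `run:` is substituted before bash parses it,
      # so a crafted working-dir value could otherwise inject shell commands.
      env:
        WORKING_DIR: ${{ inputs.working-dir }}
      shell: bash
      run: |
        # GitHub enables errexit for bash steps by default; disable it so one failed
        # registry lookup does not abort the whole scan.
        set +o errexit
        while IFS= read -r -d '' file; do
          if [[ "$file" == *testdata* ]]; then
            echo "Skipping testdata ${file}"
            continue
          fi
          # Match `repo/path/image:tag@sha256:<hex>` references. For the image list, keep only
          # the text after the last `=`, space or `"` preceding `@` (via rev/cut/rev) and drop a
          # `docker://` scheme; for the digest list, keep the `sha256:...` part up to the next
          # space or `"`. Both lists are comma-joined so that index i refers to the same match.
          images=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f1 | rev | cut -d = -f1 | cut -d ' ' -f1 | cut -d '"' -f1 | rev | sed -e "s/^docker:\/\///" | tr '\n' ',' || true)
          digests=$(grep -i -E '[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*@sha256:[a-z0-9]+' "$file" | cut -d @ -f2 | cut -d ' ' -f1 | cut -d '"' -f1 | tr '\n' ',' || true)
          IFS=',' read -r -a images2 <<< "$images"
          IFS=',' read -r -a digests2 <<< "$digests"
          if [ -n "$images" ]; then
            for i in "${!images2[@]}"; do
              # Only tag+digest references can drift; a bare digest reference has nothing to resolve.
              if [[ ${images2[i]} != *":"* ]]; then
                echo "Image ${images2[i]} in file $file does not have a tag, ignoring..."
                continue
              fi
              if [[ ${images2[i]} == *\.local:* ]]; then
                echo "Skipping local registry image ${images2[i]}"
                continue
              fi
              # Strip a leading single quote that the cut chain above does not remove.
              images2[i]=${images2[i]#\'}
              echo "Processing ${images2[i]} in file $file"
              updated_digest=
              crane digest "${images2[i]}" > digest.log 2> logerror.txt
              if [ $? -eq 0 ]; then
                updated_digest=$(cat digest.log)
              else
                # Lookup failures are reported in the job summary but do not fail the step.
                ERRMSG="Failed to retrieve digest info for ${images2[i]}"
                echo "${ERRMSG}"
                echo "${ERRMSG}" >> "$GITHUB_STEP_SUMMARY"
                cat logerror.txt >> "$GITHUB_STEP_SUMMARY"
              fi
              rm -f logerror.txt
              rm -f digest.log
              digests2[i]=${digests2[i]#\'}
              if [ "$updated_digest" != "${digests2[i]}" ] && [ -n "$updated_digest" ]; then
                echo "Digest ${digests2[i]} for image ${images2[i]} is different, new digest is $updated_digest, updating..."
                # Both values are `sha256:` followed by hex (the grep pattern above, and what
                # crane is expected to print), so they carry no sed metacharacters.
                sed -i -e "s/${digests2[i]}/$updated_digest/g" "$file"
              fi
            done
          fi
        done < <(find "${WORKING_DIR}" -type f \( -name "*.yaml" -o -name "*.yml" -o -name "Dockerfile*" -o -name "Makefile*" -o -name "*.sh" -o -name "*.tf" -o -name "*.tfvars" \) -print0)
    - name: Check workspace
      id: create_pr_update
      env:
        CREATE_PR: ${{ inputs.create-pr }}
      shell: bash
      run: |
        git diff --stat
        # Default to not creating a PR; flip only when there are changes and the caller asked for one.
        echo "create_pr_update=false" >> "$GITHUB_OUTPUT"
        if [[ $(git diff --stat) != '' ]] && [[ "${CREATE_PR}" == 'true' ]]; then
          echo "create_pr_update=true" >> "$GITHUB_OUTPUT"
        fi
    # Configure signed commits
    - uses: chainguard-dev/actions/setup-gitsign@57cb0b7560d9b9b081c15ac5ef689f73f4dda03e # main branch as of 2024-08-02
      if: ${{ steps.create_pr_update.outputs.create_pr_update == 'true' }}
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
      if: ${{ steps.create_pr_update.outputs.create_pr_update == 'true' }}
      id: pull_request
      with:
        token: ${{ inputs.token }}
        commit-message: ${{ inputs.commit-message }}
        title: ${{ inputs.title-for-pr }}
        body: ${{ inputs.description-for-pr }}
        labels: ${{ inputs.labels-for-pr }}
        branch: ${{ inputs.branch-for-pr }}
        signoff: ${{ inputs.signoff }}
        committer: ${{ inputs.committer }}
        author: ${{ inputs.author }}
        delete-branch: true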