Skip to content
update-bundle-images

update-bundle-images #315

Sign in to view logs

update-bundle-images

update-bundle-images #315

Workflow file for this run

.github/workflows/rebuild-trivy-bundle.yaml at 5b5a807
name: update-bundle-images
on:
workflow_dispatch:
schedule:
# at 6 a.m. every Wednesday
- cron: "0 6 * * 3"
env:
# WEEK_PARITY variable determines if the workflow will run on even or odd weeks.
# This is to complement the schedule.cron instruction, which does not support defining "every other week" type of schedules.
# Set as "even" to run only on weeks of the year whos parity is even, and "odd" for weeks of the year whos parity is odd.
WEEK_PARITY: "odd"
TAGS_TO_FETCH: 3
TRIVY_IMAGE_NAME: mesosphere/trivy-bundles
jobs:
determine-if-workflow-should-run:
runs-on: ubuntu-latest
outputs:
WORKFLOW_SHOULD_RUN: ${{ steps.determine-if-workflow-should-run.outputs.WORKFLOW_SHOULD_RUN }}
steps:
- name: Check if Workflow Should Run Based on value of WEEK_PARITY
id: determine-if-workflow-should-run
run: |
WORKFLOW_SHOULD_RUN=true
week_number=$(date +%U)
if [ "$(($week_number % 2))" -eq 0 ] && [ $WEEK_PARITY = "odd" ]; then
WORKFLOW_SHOULD_RUN=false
elif [ "$(($week_number % 2))" -ne 0 ] && [ $WEEK_PARITY = "even" ]; then
WORKFLOW_SHOULD_RUN=false
fi
echo "WORKFLOW_SHOULD_RUN=$WORKFLOW_SHOULD_RUN" >> $GITHUB_OUTPUT
obtain-trivy-image-tags:
needs: [determine-if-workflow-should-run]
if: needs.determine-if-workflow-should-run.outputs.WORKFLOW_SHOULD_RUN
runs-on: ubuntu-latest
env:
# leave blank if you don't want to rebuild trivy-bundles image for the main branch
dkp_insights_main_branch_name: "origin/main"
steps:
- name: Clone dkp-insights Repository
uses: actions/checkout@v3
with:
repository: mesosphere/dkp-insights
ref: main
submodules: 'false'
token: ${{ secrets.MERGEBOT_TOKEN }}
- name: Create Artifact for trivy-bundles Image Tags
run: mkdir -p artifacts && touch ./artifacts/tags-to-rebuild.txt
- name: Fetch All Branches from dkp-insights Repository
run: git fetch
- name: Obtain trivy-bundles Image Tags for each dkp-insights Release Branch
run: |
dkp_insights_release_branches=($(git branch -r | grep 'origin/release' | tail -n $TAGS_TO_FETCH))
if [[ ! -z "dkp_insights_main_branch_name" ]]; then
dkp_insights_release_branches+=($dkp_insights_main_branch_name)
fi
echo "dkp_insights_release_branches: ${dkp_insights_release_branches[@]}"
for branch in "${dkp_insights_release_branches[@]}"
do
git checkout $branch
trivy_image_tag=$(cat ./charts/dkp-insights/values.yaml | grep -o 'mesosphere/trivy-bundles:.*' | cut -f2- -d: || :)
echo $trivy_image_tag
if [[ ! -z "$trivy_image_tag" ]]; then
echo "${branch}=${trivy_image_tag}" >> ./artifacts/tags-to-rebuild.txt
fi
done
- name: Upload Artifact with trivy-bundles Image Tags
uses: actions/upload-artifact@v3
with:
name: trivy-tags-to-rebuild
path: ./artifacts/tags-to-rebuild.txt
rebuild-trivy-bundles-images:
needs: [obtain-trivy-image-tags, determine-if-workflow-should-run]
if: needs.determine-if-workflow-should-run.outputs.WORKFLOW_SHOULD_RUN
runs-on: ubuntu-latest
outputs:
UPDATED_TIMESTAMP: ${{ steps.rebuild-and-push-images.outputs.UPDATED_TIMESTAMP }}
steps:
- name: Clone trivy-bundles Repository
uses: actions/checkout@v3
with:
repository: mesosphere/trivy-bundles
ref: main
- name: Download Artifact with dkp-insights Release Branches and their trivy-bundles Image Tags
uses: actions/download-artifact@v3
with:
name: trivy-tags-to-rebuild
- name: Create an Artifact for Saving Updated trivy-bundles Image Tags
run: mkdir -p artifacts && touch ./artifacts/updated-trivy-bundles-image-tags.txt
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_READ_WRITE_USERNAME }}
password: ${{ secrets.DOCKER_READ_WRITE_PASSWORD }}
- name: Rebuild and Push Updated trivy-bundles Images
id: rebuild-and-push-images
run: |
updated_timestamp=$(date -u +%Y%m%dT%H%M%SZ)
while read branch_and_tag; do
dkp_insights_branch=${branch_and_tag%=*}
trivy_bundles_image_tag=${branch_and_tag##*=}
trivy_image_version=${trivy_bundles_image_tag%-*}
echo "dkp_insights_branch: $dkp_insights_branch"
echo "trivy_bundles_image_tag: $trivy_bundles_image_tag"
echo "trivy_image_version: $trivy_image_version"
echo "time_stamp: $updated_timestamp"
TRIVY_VERSION=$trivy_image_version \
TIMESTAMP=$updated_timestamp \
make publish-trivy-bundled-image
echo "${dkp_insights_branch}=${trivy_image_version}-${updated_timestamp}" >> ./artifacts/updated-trivy-bundles-image-tags.txt
done <tags-to-rebuild.txt
echo "UPDATED_TIMESTAMP=$updated_timestamp" >> $GITHUB_OUTPUT
- name: Upload Artifact with dkp-insights Release Branch Names and their Corresponding Updated trivy-bundles Image Tags
uses: actions/upload-artifact@v3
with:
name: updated-trivy-bundles-image-tags
path: ./artifacts/updated-trivy-bundles-image-tags.txt
update-dkp-insights-release-branches:
needs: [rebuild-trivy-bundles-images, determine-if-workflow-should-run]
if: needs.determine-if-workflow-should-run.outputs.WORKFLOW_SHOULD_RUN
runs-on: ubuntu-latest
steps:
- name: Clone dkp-insights Repository
uses: actions/checkout@v3
with:
repository: mesosphere/dkp-insights
ref: main
submodules: 'false'
path: dkp-insights
token: ${{ secrets.MERGEBOT_TOKEN }}
- name: Fetch All Branches from dkp-insights Repository
working-directory: dkp-insights
run: git fetch
- name: Set Git Global Username and Email
run: |
git config --global user.email "[email protected]"
git config --global user.name "d2iq-mergebot"
- name: Download Artifact with dkp-insights Release Branches and their Updated trivy-bundles Image Tags
uses: actions/download-artifact@v3
with:
name: updated-trivy-bundles-image-tags
- name: Move artifact to dkp-insights folder
run: mv updated-trivy-bundles-image-tags.txt dkp-insights
- name: Install Hub (wrapper for git for opening PRs)
run: sudo apt install hub
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v4
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
git_config_global: true
- name: Update trivy-bundles Image Tags in Each dkp-insights Release Branch and Open a Pull Request
working-directory: dkp-insights
env:
GITHUB_TOKEN: ${{ secrets.MERGEBOT_TOKEN }}
run: |
updated_timestamp=${{ needs.rebuild-trivy-bundles-images.outputs.UPDATED_TIMESTAMP }}
while read branch_and_tag; do
dkp_insights_branch=${branch_and_tag%=*}
trivy_bundles_image_tag=${branch_and_tag##*=}
trivy_image_version=${trivy_bundles_image_tag%-*}
echo "dkp_insights_branch: $dkp_insights_branch"
echo "trivy_bundles_image_tag: $trivy_bundles_image_tag"
echo "trivy_image_version: $trivy_image_version"
echo "time_stamp: $updated_timestamp"
echo "checkout branch"
dkp_insights_branch_name=$( echo $dkp_insights_branch | cut -f2- -d/ )
git checkout -b gha-trivy-bundles-update/$dkp_insights_branch_name/$trivy_bundles_image_tag $dkp_insights_branch
echo "replace image tag name"
replace_string=$TRIVY_IMAGE_NAME:$trivy_image_version-$updated_timestamp
sed -i "s|$TRIVY_IMAGE_NAME:$trivy_image_version-[0-9]\{8\}T[0-9]\{6\}Z|$replace_string|" ./charts/dkp-insights/values.yaml
echo "commit and push changes"
git add ./charts/dkp-insights/values.yaml
git commit -m "Updating trivy-bundles image on $(date -u +%Y-%m-%d)"
git push origin gha-trivy-bundles-update/$dkp_insights_branch_name/$trivy_bundles_image_tag
echo "open a pull request"
hub pull-request -m "trivy-bundles image automatic update $(date -u +%Y-%m-%d)" \
--no-edit \
--base $dkp_insights_branch_name \
--labels "ok-to-test","ready for review"
done <updated-trivy-bundles-image-tags.txt