Merge pull request #84 from dependabot/feelepxyz/extract-docker-tags-…

…dockerfile Use automatically updated Dockerfiles to set the tag of the updater/proxy used.
github · Feb 23, 2022 · aac5a0e · aac5a0e
2 parents 360cc5e + 2899215
commit aac5a0e
Show file tree

Hide file tree

Showing 12 changed files with 103 additions and 13 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,10 +1,15 @@
 version: 2
 updates:
-  # Enable version updates for npm
   - package-ecosystem: 'npm'
-    # Look for `package.json` and `lock` files in the `root` directory
     directory: '/'
-    # Check the npm registry for updates every day (weekdays)
+    schedule:
+      interval: 'weekly'
+  - package-ecosystem: 'docker'
+    directory: '/docker'
     schedule:
       interval: 'daily'
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
 
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/dist/main/index.js.map b/dist/main/index.js.map
diff --git a/docker/Dockerfile.proxy b/docker/Dockerfile.proxy
@@ -0,0 +1 @@
+FROM docker.pkg.github.com/github/dependabot-update-job-proxy:v1
diff --git a/docker/Dockerfile.updater b/docker/Dockerfile.updater
@@ -0,0 +1 @@
+FROM docker.pkg.github.com/dependabot/dependabot-updater:v1
diff --git a/docker/README.md b/docker/README.md
@@ -0,0 +1,11 @@
+## Dependabot Containers
+
+This Action uses two Dependabot containers from the GitHub Container Registry to perform jobs.
+
+In order to ensure that any given release of the Action deterministically uses the same, tested containers we
+uses these Dockerfiles to check-in the specific SHA for each.
+
+This allows us to use Dependabot to keep these SHAs up to date as new versions of the container are published.
+
+These Dockerfiles are not actually built by the Action or any CI processes, they are purely used as compile-time
+configuration to generate `containers.json` which is used at runtime.
diff --git a/docker/containers.json b/docker/containers.json
@@ -0,0 +1,4 @@
+{
+  "proxy": "docker.pkg.github.com/github/dependabot-update-job-proxy:v1",
+  "updater": "docker.pkg.github.com/dependabot/dependabot-updater:v1"
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -14,7 +14,8 @@
     "test-integration": "jest --detectOpenHandles 'integration'",
     "prepare": "husky install",
     "dependabot": "ts-node src/cli.ts",
-    "fetch-images": "ts-node src/fetch-images.ts"
+    "fetch-images": "ts-node src/fetch-images.ts",
+    "update-container-manifest": "ts-node src/update-containers.ts"
   },
   "repository": {
     "type": "git",
@@ -32,6 +33,7 @@
     "@actions/github": "^5.0.0",
     "@octokit/webhooks-types": "^5.4.0",
     "axios": "^0.23.0",
+    "ci": "^2.1.1",
     "commander": "^8.2.0",
     "dockerode": "^3.3.1",
     "npm": "^8.4.0",

diff --git a/src/docker-tags.ts b/src/docker-tags.ts
@@ -1,4 +1,4 @@
-export const UPDATER_IMAGE_NAME =
-  'docker.pkg.github.com/dependabot/dependabot-updater:v1'
-export const PROXY_IMAGE_NAME =
-  'docker.pkg.github.com/github/dependabot-update-job-proxy:v1'
+import dockerContainerConfig from '../docker/containers.json'
+
+export const UPDATER_IMAGE_NAME = dockerContainerConfig.updater
+export const PROXY_IMAGE_NAME = dockerContainerConfig.proxy
diff --git a/src/update-containers.ts b/src/update-containers.ts
@@ -0,0 +1,36 @@
+import fs from 'fs'
+
+function getImageName(dockerfileName: string): String {
+  const dockerfile = fs.readFileSync(
+    require.resolve(`../docker/${dockerfileName}`),
+    'utf8'
+  )
+
+  const imageName = dockerfile
+    .split(/\n/)
+    .find(a => a.startsWith('FROM'))
+    ?.replace('FROM', '')
+    .trim()
+
+  if (!imageName) {
+    throw new Error(`Could not find an image name in ${dockerfile}`)
+  }
+
+  return imageName
+}
+
+const manifest = {
+  proxy: getImageName('Dockerfile.proxy'),
+  updater: getImageName('Dockerfile.updater')
+}
+
+fs.writeFile(
+  require.resolve(`../docker/containers.json`),
+  JSON.stringify(manifest, null, 2),
+  function (err) {
+    if (err) {
+      // eslint-disable-next-line no-console
+      console.log(err)
+    }
+  }
+)
diff --git a/tsconfig.json b/tsconfig.json
@@ -7,7 +7,8 @@
     "esModuleInterop": true,                  /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
     "moduleResolution": "node",
     "noEmit": true,                           /* Do not emit compiler output files as we use ncc to package the action */
-    "forceConsistentCasingInFileNames": true  /* Error if requiring a file by a casing different from the casing on disk */
+    "forceConsistentCasingInFileNames": true, /* Error if requiring a file by a casing different from the casing on disk */
+    "resolveJsonModule": true
   },
   "include": ["src/**/*.ts"],
   "exclude": ["**/node_modules/**"]