Setup automatic updates for dependabot containers

github · Feb 23, 2022 · f2040d9 · f2040d9
1 parent c44504b
commit f2040d9
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 4 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,10 +1,15 @@
 version: 2
 updates:
-  # Enable version updates for npm
   - package-ecosystem: 'npm'
-    # Look for `package.json` and `lock` files in the `root` directory
     directory: '/'
-    # Check the npm registry for updates every day (weekdays)
+    schedule:
+      interval: 'weekly'
+  - package-ecosystem: 'docker'
+    directory: '/'
     schedule:
       interval: 'daily'
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
 
diff --git a/docker/Dockerfile.proxy b/docker/Dockerfile.proxy
@@ -0,0 +1 @@
+FROM docker.pkg.github.com/github/dependabot-update-job-proxy:v1
diff --git a/docker/Dockerfile.updater b/docker/Dockerfile.updater
@@ -0,0 +1 @@
+FROM docker.pkg.github.com/dependabot/dependabot-updater:v1
diff --git a/docker/README.md b/docker/README.md
@@ -0,0 +1,11 @@
+## Dependabot Containers
+
+This Action uses two Dependabot containers from the GitHub Container Registry to perform jobs.
+
+In order to ensure that any given release of the Action deterministically uses the same, tested containers we
+uses these Dockerfiles to check-in the specific SHA for each.
+
+This allows us to use Dependabot to keep these SHAs up to date as new versions of the container are published.
+
+These Dockerfiles are not actually built by the Action or any CI processes, they are purely used as compile-time
+configuration to generate `containers.json` which is used at runtime.
diff --git a/docker/containers.json b/docker/containers.json
@@ -0,0 +1,4 @@
+{
+  "proxy": "docker.pkg.github.com/github/dependabot-update-job-proxy:v1",
+  "updater": "docker.pkg.github.com/dependabot/dependabot-updater:v1"
+}
diff --git a/package.json b/package.json
@@ -14,7 +14,8 @@
     "test-integration": "jest --detectOpenHandles 'integration'",
     "prepare": "husky install",
     "dependabot": "ts-node src/cli.ts",
-    "fetch-images": "ts-node src/fetch-images.ts"
+    "fetch-images": "ts-node src/fetch-images.ts",
+    "update-container-manifest": "ts-node src/update-containers.ts"
   },
   "repository": {
     "type": "git",

diff --git a/src/update-containers.ts b/src/update-containers.ts
@@ -0,0 +1,36 @@
+import fs from 'fs'
+
+function getImageName(dockerfileName: string): String {
+  const dockerfile = fs.readFileSync(
+    require.resolve(`../docker/${dockerfileName}`),
+    'utf8'
+  )
+
+  const imageName = dockerfile
+    .split(/\n/)
+    .find(a => a.startsWith('FROM'))
+    ?.replace('FROM', '')
+    .trim()
+
+  if (!imageName) {
+    throw new Error(`Could not find an image name in ${dockerfile}`)
+  }
+
+  return imageName
+}
+
+const manifest = {
+  proxy: getImageName('Dockerfile.proxy'),
+  updater: getImageName('Dockerfile.updater')
+}
+
+fs.writeFile(
+  require.resolve(`../docker/containers.json`),
+  JSON.stringify(manifest, null, 2),
+  function (err) {
+    if (err) {
+      // eslint-disable-next-line no-console
+      console.log(err)
+    }
+  }
+)