From f2040d9743a51873ebc79523e495f639f25365b8 Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Tue, 22 Feb 2022 15:28:19 +0000 Subject: [PATCH] Setup automatic updates for dependabot containers --- .github/dependabot.yml | 11 ++++++++--- docker/Dockerfile.proxy | 1 + docker/Dockerfile.updater | 1 + docker/README.md | 11 +++++++++++ docker/containers.json | 4 ++++ package.json | 3 ++- src/update-containers.ts | 36 ++++++++++++++++++++++++++++++++++++ 7 files changed, 63 insertions(+), 4 deletions(-) create mode 100644 docker/Dockerfile.proxy create mode 100644 docker/Dockerfile.updater create mode 100644 docker/README.md create mode 100644 docker/containers.json create mode 100644 src/update-containers.ts diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2bb6d96..c786eff 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,10 +1,15 @@ version: 2 updates: - # Enable version updates for npm - package-ecosystem: 'npm' - # Look for `package.json` and `lock` files in the `root` directory directory: '/' - # Check the npm registry for updates every day (weekdays) + schedule: + interval: 'weekly' + - package-ecosystem: 'docker' + directory: '/' schedule: interval: 'daily' + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/docker/Dockerfile.proxy b/docker/Dockerfile.proxy new file mode 100644 index 0000000..ae1499e --- /dev/null +++ b/docker/Dockerfile.proxy @@ -0,0 +1 @@ +FROM docker.pkg.github.com/github/dependabot-update-job-proxy:v1 diff --git a/docker/Dockerfile.updater b/docker/Dockerfile.updater new file mode 100644 index 0000000..c8baac3 --- /dev/null +++ b/docker/Dockerfile.updater @@ -0,0 +1 @@ +FROM docker.pkg.github.com/dependabot/dependabot-updater:v1 diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 0000000..3179732 --- /dev/null +++ b/docker/README.md 
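Review bot: The new `docker` entry in `.github/dependabot.yml` sets `directory: '/'`, but the two Dockerfiles this commit adds live under `docker/`. As far as I know Dependabot only looks for Dockerfiles in the configured directory, so these files would not be picked up; the entry would need `directory: '/docker'`. The images are hosted on `docker.pkg.github.com`, so a `registries` entry with credentials may also be required before Dependabot can resolve new versions, which is worth confirming on the first scheduled run.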
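Review bot: `docker/Dockerfile.proxy` pins its base image by tag (`FROM docker.pkg.github.com/github/dependabot-update-job-proxy:v1`), and `docker/Dockerfile.updater` does the same, although docker/README.md says these files exist to check in a specific SHA. A tag can be re-pointed by anyone able to push to the registry, so a release of the Action would not be tied to the image that was tested. A digest reference of the form `FROM <image>:v1@sha256:<digest-placeholder>` gives the determinism the README describes, and to my knowledge Dependabot can still bump it. The same string is what ends up in `docker/containers.json`, which the README says is used at runtime.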
@@ -0,0 +1,11 @@
+## Dependabot Containers
+
+This Action uses two Dependabot containers from the GitHub Container Registry to perform jobs.
+
+In order to ensure that any given release of the Action deterministically uses the same, tested containers we
+uses these Dockerfiles to check-in the specific SHA for each.
+
+This allows us to use Dependabot to keep these SHAs up to date as new versions of the container are published.
+
+These Dockerfiles are not actually built by the Action or any CI processes, they are purely used as compile-time
+configuration to generate `containers.json` which is used at runtime.
diff --git a/docker/containers.json b/docker/containers.json
new file mode 100644
index 0000000..7522784
--- /dev/null
+++ b/docker/containers.json
@@ -0,0 +1,4 @@
+{
+ "proxy": "docker.pkg.github.com/github/dependabot-update-job-proxy:v1",
+ "updater": "docker.pkg.github.com/dependabot/dependabot-updater:v1"
+}
\ No newline at end of file
diff --git a/package.json b/package.json
index 0180296..392bb6c 100644
--- a/package.json
+++ b/package.json
@@ -14,7 +14,8 @@
 "test-integration": "jest --detectOpenHandles 'integration'",
 "prepare": "husky install",
 "dependabot": "ts-node src/cli.ts",
- "fetch-images": "ts-node src/fetch-images.ts"
+ "fetch-images": "ts-node src/fetch-images.ts",
+ "update-container-manifest": "ts-node src/update-containers.ts"
 },
 "repository": {
 "type": "git",
diff --git a/src/update-containers.ts b/src/update-containers.ts
new file mode 100644
index 0000000..e9c56a0
--- /dev/null
+++ b/src/update-containers.ts
@@ -0,0 +1,36 @@
+import fs from 'fs'
+
+function getImageName(dockerfileName: string): String {
+ const dockerfile = fs.readFileSync(
+ require.resolve(`../docker/${dockerfileName}`),
+ 'utf8'
+ )
+
+ const imageName = dockerfile
+ .split(/\n/)
+ .find(a => a.startsWith('FROM'))
+ ?.replace('FROM', '')
+ .trim()
+
+ if (!imageName) {
+ throw new Error(`Could not find an image name in ${dockerfile}`)
+ }
+
+ return imageName
+}
+
+const manifest = {
+ proxy: getImageName('Dockerfile.proxy'),
+ updater: getImageName('Dockerfile.updater')
+}
+
+fs.writeFile(
+ require.resolve(`../docker/containers.json`),
+ JSON.stringify(manifest, null, 2),
+ function (err) {
+ if (err) {
+ // eslint-disable-next-line no-console
+ console.log(err)
+ }
+ }
+)
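Review bot: A failed write of `containers.json` is only logged inside the `fs.writeFile` callback, so the script still exits 0 and a stale manifest can go unnoticed. Using `fs.writeFileSync(require.resolve('../docker/containers.json'), JSON.stringify(manifest, null, 2))` would let the error fail the run. In `getImageName` the thrown message interpolates `dockerfile` (the file contents) where `dockerfileName` was presumably intended, and the return type should be the primitive `string` rather than `String`. Because docker/README.md says these Dockerfiles exist to pin a specific SHA, `getImageName` could also reject a reference that lacks `@sha256:` before it is written to the manifest used at runtime.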