Merge pull request #1752 from jupyterhub/dependabot/github_actions/ac… #394
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is a GitHub workflow defining a set of jobs with a set of steps. | |
| # ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
| # | |
| # - Watch multiple images tags referenced in values.yaml to match the latest | |
| # stable image tag (ignoring pre-releases). | |
| # - Refreeze helm-chart/images/binderhub/requirements.txt based on | |
| # helm-chart/images/binderhub/requirements.in | |
| # | |
| name: Watch dependencies | |
| on: | |
| pull_request: | |
| paths: | |
| - ".github/workflows/watch-dependencies.yaml" | |
| push: | |
| paths: | |
| - "helm-chart/images/*/requirements.in" | |
| - ".github/workflows/watch-dependencies.yaml" | |
| branches: ["main"] | |
| schedule: | |
| # Run at 05:00 on day-of-month 1, ref: https://crontab.guru/#0_5_1_*_* | |
| - cron: "0 5 1 * *" | |
| workflow_dispatch: | |
| jobs: | |
| update-image-dependencies: | |
| # Don't run this job on forks | |
| if: github.repository == 'jupyterhub/binderhub' | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: docker | |
| registry: docker.io | |
| repository: library/docker | |
| values_path: dind.daemonset.image.tag | |
| tag_prefix: "" | |
| tag_suffix: -dind | |
| - name: podman | |
| registry: quay.io | |
| repository: podman/stable | |
| values_path: pink.daemonset.image.tag | |
| tag_prefix: v | |
| tag_suffix: "" | |
| # FIXME: After docker-image-cleaner 1.0.0 is released, we can enable | |
| # this. So far, there isn't any available stable release, and | |
| # due to that our regexp fails to match anything at all. | |
| # | |
| # - name: docker-image-cleaner | |
| # registry: quay.io | |
| # repository: jupyterhub/docker-image-cleaner | |
| # values_path: imageCleaner.image.tag | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get values.yaml pinned tag of ${{ matrix.registry }}/${{ matrix.repository }} | |
| id: local | |
| run: | | |
| local_tag=$(cat helm-chart/binderhub/values.yaml | yq e '.${{ matrix.values_path }}' -) | |
| echo "tag=$local_tag" >> $GITHUB_OUTPUT | |
| - name: Get latest tag of ${{ matrix.registry }}/${{ matrix.repository }} | |
| id: latest | |
| # The skopeo image helps us list tags consistently from different docker | |
| # registries. We identify the latest docker image tag based on the | |
| # version numbers of format x.y.z included in a pattern with an optional | |
| # prefix and suffix, like the tags "v4.5.0" (v prefix) and "23.0.4-dind" | |
| # (-dind suffix). | |
| run: | | |
| latest_tag=$( | |
| docker run --rm quay.io/skopeo/stable list-tags docker://${{ matrix.registry }}/${{ matrix.repository }} \ | |
| | jq -r '[.Tags[] | select(. | match("^${{ matrix.tag_prefix }}\\d+\\.\\d+\\.\\d+${{ matrix.tag_suffix }}$") | .string)] | sort_by(split(".") | map(ltrimstr("${{ matrix.tag_prefix }}") | rtrimstr("${{ matrix.tag_suffix }}") | tonumber)) | last' | |
| ) | |
| echo "tag=$latest_tag" >> $GITHUB_OUTPUT | |
| - name: Update values.yaml pinned tag | |
| run: | | |
| sed --in-place 's/tag: "${{ steps.local.outputs.tag }}"/tag: "${{ steps.latest.outputs.tag }}"/g' helm-chart/binderhub/values.yaml | |
| - name: git diff | |
| run: git --no-pager diff --color=always | |
| # ref: https://github.com/peter-evans/create-pull-request | |
| - name: Create a PR | |
| if: github.event_name != 'pull_request' | |
| uses: peter-evans/create-pull-request@v5 | |
| with: | |
| token: "${{ secrets.jupyterhub_bot_pat }}" | |
| author: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com> | |
| committer: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com> | |
| branch: update-image-${{ matrix.name }} | |
| labels: maintenance,dependencies | |
| commit-message: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }} | |
| title: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }} | |
| body: >- | |
| A new ${{ matrix.repository }} image version has been detected, version | |
| `${{ steps.latest.outputs.tag }}`. | |
| refreeze-dockerfile-requirements-txt: | |
| # Don't run this job on forks, but also not on the daily schedule to reduce | |
| # noise. If we could run this weekly that would be reasonable, but updating | |
| # these dependencies every day is too much noise. | |
| # | |
| if: github.repository == 'jupyterhub/binderhub' && github.event_name != 'schedule' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Refreeze helm-chart/images/binderhub/requirements.txt based on requirements.in | |
| run: ci/refreeze | |
| - name: git diff | |
| run: git --no-pager diff --color=always | |
| # ref: https://github.com/peter-evans/create-pull-request | |
| - name: Create a PR | |
| if: github.event_name != 'pull_request' | |
| uses: peter-evans/create-pull-request@v5 | |
| with: | |
| token: "${{ secrets.jupyterhub_bot_pat }}" | |
| author: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com> | |
| committer: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com> | |
| branch: update-image-requirements | |
| labels: dependencies | |
| commit-message: "binderhub image: refreeze requirements.txt" | |
| title: "binderhub image: refreeze requirements.txt" | |
| body: >- | |
| The binderhub image's requirements.txt has been refrozen based on | |
| requirements.in. |