Refresh base image SHAs in platforms.json via weekly workflow #2189
Merged
larsewi merged 3 commits into cfengine:master from Apr 23, 2026
Queries Docker Hub for the current manifest digest of each platform's base_image and rewrites base_image_sha accordingly. Intended to be wired into the dependency update workflow so upstream base image pins are refreshed alongside other dependencies.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

The same Path(__file__).resolve().parent / "platforms.json" expression was computed in three places. Defining it once removes the duplication without changing behavior.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

Runs build-in-container.py --update-sha on a weekly schedule and opens a PR with any refreshed digests. Modeled on update-base-images.yml, which performs the analogous job for image_version.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
fdacc77 to
2815895
craigcomstock approved these changes Apr 22, 2026
| # The v2 API requires a bearer token even for anonymous public pulls. | ||
| token_url = ( | ||
| "https://auth.docker.io/token" |
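Review bot: the token endpoint on the token_url line is hard-coded to https://auth.docker.io/token, so this lookup only works for base images hosted on Docker Hub. Worth stating that in the comment above it, or reading the realm and service from the registry's WWW-Authenticate challenge instead, so that a base_image naming another registry is handled deliberately.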
Contributor
I thought we were using ghcr.io/cfengine?
https://github.com/cfengine/buildscripts/blob/master/build-in-container.md#container-registry
Contributor
Author
Yeah, so we grab an image from docker, install our build dependencies, then we push that to ghcr.io/cfengine. Think of this as the base image of our base image.
Adds a new mechanism for keeping base_image_sha in platforms.json in sync with upstream Docker Hub digests.

- build-in-container.py gains an --update-sha mode that queries Docker Hub for the current OCI index digest of each platform's base_image and rewrites base_image_sha accordingly.
- .github/workflows/update-base-image-shas.yml, modeled on update-base-images.yml, which runs weekly and opens a PR with any refreshed digests. Reviewers: larsewi, craigcomstock.
- Path(__file__).resolve().parent / "platforms.json" into a CONFIG_PATH constant.

Rationale for keeping this separate from update-deps.yml (which also refreshes inputs):

- platforms.json only exists on master, not on the release branches update-deps.yml targets, so bolting it on there would require a branch guard.
- base_image_sha bumps benefit from their own reviewable PR rather than mixing with package-version bumps.

🤖 Generated with Claude Code
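
The digest refresh this PR describes, sketched as an added example that is not the project's code or part of the PR: it resolves each base_image tag to its current Docker Hub digest and refuses to overwrite a pin with anything that is not a well-formed sha256 digest. The function names, the platforms.json layout (platform name mapped to an object holding base_image and base_image_sha) and the "sha256:<hex>" pin format are assumptions.

```python
import json
import re
import urllib.request

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")  # assumed pin format
ACCEPT = ", ".join("application/vnd." + t for t in (
    "oci.image.index.v1+json", "docker.distribution.manifest.list.v2+json",
    "oci.image.manifest.v1+json", "docker.distribution.manifest.v2+json"))

def split_image(ref):
    """'ubuntu:22.04' -> ('library/ubuntu', '22.04'); Docker Hub names only."""
    name, _, tag = ref.partition(":")
    if "/" not in name:
        name = "library/" + name  # official images live under library/
    return name, tag or "latest"

def hub_digest(ref, timeout=30):
    """Return the digest the tag currently points at (needs network access)."""
    repo, tag = split_image(ref)
    token_url = ("https://auth.docker.io/token?service=registry.docker.io"
                 f"&scope=repository:{repo}:pull")
    with urllib.request.urlopen(token_url, timeout=timeout) as resp:
        token = json.load(resp)["token"]  # anonymous, pull-only token
    req = urllib.request.Request(
        f"https://registry-1.docker.io/v2/{repo}/manifests/{tag}",
        method="HEAD",
        headers={"Authorization": f"Bearer {token}", "Accept": ACCEPT})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers["Docker-Content-Digest"]

def refresh_shas(platforms, resolve=hub_digest):
    """Update base_image_sha in place; return {platform: (old, new)}."""
    changes = {}
    for name, cfg in platforms.items():  # assumed layout: {platform: {...}}
        new = resolve(cfg["base_image"])
        # A missing or malformed digest must never overwrite a good pin.
        if not isinstance(new, str) or not DIGEST_RE.fullmatch(new):
            raise ValueError(f"{name}: unexpected digest {new!r}")
        old = cfg.get("base_image_sha")
        if new != old:
            changes[name] = (old, new)
            cfg["base_image_sha"] = new
    return changes

if __name__ == "__main__":
    # Constructed sample entry and stub resolver, so the demo runs offline.
    demo = {"ubuntu-22": {"base_image": "ubuntu:22.04", "base_image_sha": None}}
    print(refresh_shas(demo, resolve=lambda ref: "sha256:" + "0" * 64))
```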