Chainguard only publishes the `:latest` and `:latest-dev` tags for their images (announcement). Older versions must be referenced by digest (`@sha256:...`). Use this action to set up a nightly GitHub Actions job that bumps the Chainguard image references in a file to the newest digest.
Example nightly job:

```yaml
name: Bump redis image
on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
permissions:
  contents: write
jobs:
  bump-chainguard-images:
    runs-on: ubuntu-latest
    steps:
      - name: bump redis image
        # Pin the action to a full commit SHA rather than a mutable tag or branch.
        uses: digitalservicebund/bump-chainguard-digest@LATEST_HASH
        with:
          image_name: redis
          file_path: manifests/base/redis-deployment.yaml
          github_token: ${{ github.token }}
```
| input | info |
|---|---|
| `image_name` | name of the image to check for (e.g. `nginx`) |
| `file_path` | path to the file where the image is located (e.g. `frontend/Dockerfile`) |
| `github_token` | required for using the GitHub API to make commits (steps inside composite GitHub Actions cannot directly access the `secrets` context). |
Note

The commit this action pushes does not automatically trigger other GitHub workflows (e.g. a build pipeline) via the `push` trigger: pushes made with the workflow's own `GITHUB_TOKEN` never start new workflow runs. You'll need to trigger the downstream workflow manually (e.g. via `workflow_dispatch`).
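What the nightly job does under the hood, as an added example that is not the action's own code: resolve the digest currently behind an image's `:latest` tag and rewrite every digest-pinned reference to that image in a file, refusing to write anything that is not a complete `sha256:` digest. The function names, the `REGISTRY` default of `cgr.dev/chainguard` and the use of `crane` for the lookup are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the action's own code): resolve the digest behind a
# Chainguard image's :latest tag and rewrite digest-pinned references to
# that image in a manifest or Dockerfile. Function names and the REGISTRY
# default are assumptions made for this example.

REGISTRY="${REGISTRY:-cgr.dev/chainguard}"

# Succeeds only for a complete digest of the form sha256:<64 hex chars>.
is_sha256_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Ask the registry which digest :latest currently points to. Needs network
# access and `crane` (go-containerregistry) on PATH; not exercised offline.
resolve_latest_digest() {
  crane digest "$REGISTRY/$1:latest"
}

# bump_digest_in_file FILE IMAGE DIGEST
# Replaces the digest in every "<REGISTRY>/<IMAGE>[:tag]@sha256:<old>" reference
# in FILE with DIGEST, keeping any tag and leaving other images untouched.
# Prints "changed" or "unchanged"; returns 2 on a malformed digest.
bump_digest_in_file() {
  file="$1"; image="$2"; digest="$3"
  if ! is_sha256_digest "$digest"; then
    echo "refusing to write malformed digest: $digest" >&2
    return 2
  fi
  tmp="$file.bump.tmp"
  # \1 = registry/image, \2 = optional ":tag"; the old 64-hex digest is dropped.
  # The "." in REGISTRY is left unescaped; it matches the literal dot as well.
  sed -E "s#(${REGISTRY}/${image})(:[A-Za-z0-9_.-]+)?@sha256:[0-9a-f]{64}#\\1\\2@${digest}#g" \
    "$file" > "$tmp"
  if cmp -s "$file" "$tmp"; then
    rm -f "$tmp"
    echo unchanged
  else
    mv "$tmp" "$file"
    echo changed
  fi
}

# Typical nightly use (needs network):
#   new=$(resolve_latest_digest redis)
#   bump_digest_in_file manifests/base/redis-deployment.yaml redis "$new"
```

Because the image name is anchored by the registry prefix on the left and by `[:tag]@sha256:` on the right, bumping `redis` does not touch `redis-sentinel` or any non-Chainguard image in the same file, and the digest check stops a failed or empty lookup from ever producing a commit.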