Switch to the latest images #96

Closed

@evverx evverx commented Apr 22, 2022

CFLite can't be pinned properly so to unpin it it should be
possible to always use the latest images.

This reverts #2

Closes #95

evverx added a commit to evverx/systemd that referenced this pull request Apr 22, 2022
The idea was to catch CFLite regressions but since the action itself
pulls the latest docker images it can't be pinned properly and issues
like google/clusterfuzzlite#91 are going to
pop up anyway. Let's unpin it by analogy with CIFuzz and hope it doesn't
break very often.

Waiting for google/clusterfuzzlite#96
@oliverchang
Collaborator

Thanks for the PR!

The "v1" tag always points to the latest anyway, so this isn't actually changing anything. It's intended for major/breaking changes in the base images.

@evverx
Contributor Author

evverx commented Apr 26, 2022

> The "v1" tag always points to the latest anyway

It does but it's kind of counterintuitive. The idea is to point the action to the main branch and to the latest images explicitly without any tags (by analogy with CIFuzz).

@oliverchang
Collaborator

The "v1" is intended to prevent widespread breakages if we e.g. update to a new Ubuntu distro (as we did previously with 16.04 -> 20.04). If we do this in the future, we'll update this to "v2" and update this reference here also in "main", so if you just point to the main branch, you'll still get the latest images.

@evverx
Contributor Author

evverx commented Apr 26, 2022

> If we do this in the future, we'll update this to "v2" and update this reference here also in "main", so if you just point to the main branch, you'll still get the latest images.

It seems it can help to keep the action and the images used by the action in sync but I'm planning to point .clusterfuzz/Dockerfile to gcr.io/oss-fuzz-base/base-builder:latest as well and the action can't control how that image gets updated. I can imagine a scenario where the latest base-builder image can diverge from whatever the action points to.

@oliverchang
Collaborator

> > If we do this in the future, we'll update this to "v2" and update this reference here also in "main", so if you just point to the main branch, you'll still get the latest images.
>
> It seems it can help to keep the action and the images used by the action in sync but I'm planning to point .clusterfuzz/Dockerfile to gcr.io/oss-fuzz-base/base-builder:latest as well and the action can't control how that image gets updated. I can imagine a scenario where the latest base-builder image can diverge from whatever the action points to.

Right, so our guidance is to just pin to "v1" for everything (both actions and images). This will ensure everything is continuously updated for the foreseeable future (most likely until 2024 when a new Ubuntu LTS is out). If/when a "v2" does come out, we'll announce and users can just s/v1/v2/ and rinse/repeat. Would that work?
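
A consistency check for the guidance above (one tag for both the actions and the images), as an added example that is not part of the original thread or of ClusterFuzzLite itself. The workflow and Dockerfile contents are constructed samples, and `collect_refs` and `check_pins` are hypothetical helper names.

```python
import re

# Constructed sample inputs for illustration; not taken from a real repository.
SAMPLE_WORKFLOW = """\
jobs:
  fuzz:
    runs-on: ubuntu-latest
    steps:
      - uses: google/clusterfuzzlite/actions/build_fuzzers@v1
      - uses: google/clusterfuzzlite/actions/run_fuzzers@main
"""
SAMPLE_DOCKERFILE = """\
FROM gcr.io/oss-fuzz-base/base-builder:latest
COPY . $SRC/project
"""

# "uses: google/clusterfuzzlite/actions/<name>@<ref>" in a workflow file.
ACTION_RE = re.compile(r"uses:\s*(google/clusterfuzzlite/actions/[\w-]+)@(\S+)")
# "FROM gcr.io/oss-fuzz-base/<image>[:tag|@digest]" in a Dockerfile.
IMAGE_RE = re.compile(
    r"^\s*FROM\s+(gcr\.io/oss-fuzz-base/[\w-]+)(?:[:@](\S+))?", re.M | re.I)

def collect_refs(workflow, dockerfile):
    """Return (name, ref) for every CFLite action and OSS-Fuzz base image."""
    refs = list(ACTION_RE.findall(workflow))
    # An image with no tag resolves to "latest" in Docker.
    refs += [(name, tag or "latest") for name, tag in IMAGE_RE.findall(dockerfile)]
    return refs

def check_pins(workflow, dockerfile, expected="v1"):
    """Return the references that do not use the expected tag."""
    return [(n, r) for n, r in collect_refs(workflow, dockerfile) if r != expected]

if __name__ == "__main__":
    for name, ref in check_pins(SAMPLE_WORKFLOW, SAMPLE_DOCKERFILE):
        print(f"{name}: found '{ref}', expected 'v1'")
```

Run in CI against the real workflow file and `.clusterfuzz/Dockerfile`, a non-empty result flags the action/image divergence discussed in this thread before a fuzzing job hits it.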

@evverx
Contributor Author

evverx commented Apr 26, 2022

> If/when a "v2" does come out, we'll announce and users can just s/v1/v2/ and rinse/repeat. Would that work?

It would as long as google/oss-fuzz#7212 is never implemented. With auto-releaser tagging releases every week or so I'd receive bogus dependabot updates and that's what I'm trying to avoid.

@oliverchang
Collaborator

> > If/when a "v2" does come out, we'll announce and users can just s/v1/v2/ and rinse/repeat. Would that work?
>
> It would as long as google/oss-fuzz#7212 is never implemented. With auto-releaser tagging releases every week or so I'd receive bogus dependabot updates and that's what I'm trying to avoid.

Right, we'll definitely make sure this doesn't cause unnecessary spam if/when we do this. We may just end up dropping this completely as well.

@evverx
Contributor Author

evverx commented Apr 26, 2022

Got it. Thanks! I'll point everything to v1 then.

@evverx evverx closed this Apr 26, 2022
@evverx
Contributor Author

evverx commented Apr 26, 2022

@oliverchang on second thought the images get updated automatically but the action itself doesn't so I can't for example use the "report-unreproducible-crashes" setting if I point to the "v1" tag.

@evverx
Contributor Author

evverx commented Apr 26, 2022

#87 doesn't seem to be included in "v1" either

@oliverchang
Collaborator

> @oliverchang on second thought the images get updated automatically but the action itself doesn't so I can't for example use the "report-unreproducible-crashes" setting if I point to the "v1" tag.

Sorry about that! I just updated the v1 tag to the latest main commit. We definitely are missing this automation today, and will add it.


Successfully merging this pull request may close these issues.

There doesn't seem to be a way to use the latest docker images (without the "v1" tag)