From 1e8e72def572e08ae2839ffe9d91a5bbbefeac6c Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Wed, 11 Jun 2025 07:45:01 +0100
Subject: [PATCH 1/2] feat: check if the pr-XXX images are to be merged

This should stop us from accidentally merging code with reference to the ephermeral container images.
---
 .github/workflows/no-pr-images.yaml | 76 +++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 .github/workflows/no-pr-images.yaml

diff --git a/.github/workflows/no-pr-images.yaml b/.github/workflows/no-pr-images.yaml
new file mode 100644
index 000000000..4b92bbee1
--- /dev/null
+++ b/.github/workflows/no-pr-images.yaml
@@ -0,0 +1,76 @@
+name: Check for ephemeral PR images
+on:
+ # push:
+ pull_request:
+
+
+jobs:
+ check-files:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check files matching glob patterns for pr-\d+ pattern
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+ const prPattern = /ghcr\.io\/rackerlabs\/understack.*pr-\d+/
+
+ // Define glob patterns for files to check for reference to PR images
+ const globPatterns = [
+ '**/*.yml',
+ '**/*.yaml',
+ '**/Dockerfile*',
+ '**/.env*',
+ ];
+
+ // Exclude files from checks
+ const excludePatterns = [
+ '!**/.git/**',
+ '!**/docs/**',
+ '!**/ansible/**'
+ ];
+
+ // Combine include and exclude patterns
+ const allPatterns = [...globPatterns, ...excludePatterns];
+
+ core.info('Inspecting files matching following glob patterns:');
+ globPatterns.forEach(pattern => core.info(` Include: ${pattern}`));
+ excludePatterns.forEach(pattern => core.info(` Exclude: ${pattern}`));
+ core.info('');
+
+ const globber = await glob.create(allPatterns.join('\n'));
+ const filesToCheck = await globber.glob();
+
+ core.info(`Found ${filesToCheck.length} files matching glob patterns:`);
+ filesToCheck.forEach(file => core.debug(` - ${file}`));
+ core.debug('');
+
+ let hasPatternMatch = false;
+ const matchedFiles = [];
+
+ for (const filePath of filesToCheck) {
+ try {
+ const fileContent = fs.readFileSync(filePath, 'utf8');
+
+ if (prPattern.test(fileContent)) {
+ hasPatternMatch = true;
+ matchedFiles.push(filePath);
+ core.error(`❌ Ephemeral container image reference found in: ${filePath}`);
+ } else {
+ core.debug(`✅ No pattern found in: ${filePath}`);
+ }
+ } catch (error) {
+ core.info(`Error reading file ${filePath}: ${error.message}`);
+ }
+ }
+
+ if (hasPatternMatch) {
+ core.setFailed(`Pattern 'pr-\\d+' found in ${matchedFiles.length} files: ${matchedFiles.join(', ')}`);
+ core.info(`Please switch to a different tag before merging as this 
container image will not be available after PR is merged`)
+ core.info(`Alternatively, if this is intended, edit .github/workflows/no-pr-images.yaml -> excludePatterns.`)
+ } else {
+ core.info(`✅ All ${filesToCheck.length} files checked - no pr-\\d+ pattern found`);
+ }

From 040003564390df4ec0764b71823d0e28d055de01 Mon Sep 17 00:00:00 2001
From: Marek Skrobacki
Date: Wed, 11 Jun 2025 08:27:17 +0100
Subject: [PATCH 2/2] fix: container image used in sensor-k8s-neutron-deployment

---
 workflows/openstack/sensors/sensor-k8s-neutron-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/workflows/openstack/sensors/sensor-k8s-neutron-deployment.yaml b/workflows/openstack/sensors/sensor-k8s-neutron-deployment.yaml
index 6b02f8c5a..fadd0b788 100644
--- a/workflows/openstack/sensors/sensor-k8s-neutron-deployment.yaml
+++ b/workflows/openstack/sensors/sensor-k8s-neutron-deployment.yaml
@@ -29,7 +29,7 @@ spec:
 spec:
 containers:
 - name: create-provisioning-network
- image: ghcr.io/rackerlabs/understack/ansible:pr-857
+ image: ghcr.io/rackerlabs/understack/ansible:latest
 imagePullPolicy: Always
 command: ["ansible-runner", "run", "/runner", "--playbook", "openstack_network.yaml"]
 env:
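Review bot: The `catch` around `fs.readFileSync` only logs through `core.info`, so any path that cannot be read is counted as clean and this guard fails open. I would call `core.setFailed` with the path and `error.message` in that `catch`, and keep directory matches out of the list with `const globber = await glob.create(allPatterns.join('\n'), { matchDirectories: false });` so a directory that happens to match `**/.env*` does not trip the stricter handling. The workflow also declares no `permissions:` key, so the job token gets whatever the repository default grants; a top-level `permissions:` with `contents: read` should be all a read-only scan of the checkout needs.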
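Review bot: `ansible:latest` is a mutable tag, and with `imagePullPolicy: Always` two lines below, each run of this container pulls whatever was most recently pushed under that name. Pinning to a release tag or a digest, `image: ghcr.io/rackerlabs/understack/ansible@sha256:<digest-placeholder>`, would keep the executed image tied to something reviewed. The check added in patch 1 matches only `pr-\d+` references, so it would not flag this. The container spec continues outside the hunk, so whether other images in this file are pinned is not visible here.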