Use correct version of dependabot-updater base image when running the…

… 'updater' workflow (#1192)
tinglesoftware · Jul 8, 2024 · 052bc00 · 052bc00
1 parent 22864b0
commit 052bc00
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
@@ -88,12 +88,21 @@ jobs:
       # remove this after at least one release tagged 'latest'
       continue-on-error: true
 
+    - name: Get dependabot-updater image tag version
+      id: docker-base-version
+      run: |
+        tag_name=$(grep -oP "(?<=gem \"dependabot-omnibus\", \"~>).*(?=\")" updater/Gemfile)
+        tag_sha=$(curl --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' --url "https://api.github.com/repos/dependabot/dependabot-core/tags" | jq -r "[.[]|select(.name==\"v$tag_name\")][0].commit.sha")
+        echo "Using dependabot-updater image tag '$tag_sha' (v$tag_name)"
+        echo "version=$tag_sha" >> $GITHUB_OUTPUT
+
     - name: Build image
       run: |
         docker build \
         -f updater/Dockerfile \
         --build-arg BUILDKIT_INLINE_CACHE=1 \
         --build-arg ECOSYSTEM=${{ matrix.suite.ecosystem }} \
+        --build-arg BASE_VERSION=${{ steps.docker-base-version.outputs.version }} \
         --label com.github.image.run.id=${{ github.run_id }} \
         --label com.github.image.run.number=${{ github.run_number }} \
         --label com.github.image.job.id=${{ github.job }} \

diff --git a/docs/updater.md b/docs/updater.md
@@ -172,10 +172,14 @@ docker build \
     -f updater/Dockerfile \
     --build-arg BUILDKIT_INLINE_CACHE=1 \
     --build-arg ECOSYSTEM=<your-ecosystem> \
+    --build-arg BASE_VERSION=latest \
     -t "ghcr.io/tinglesoftware/dependabot-updater-<your_ecosystem>:latest" \
     .
 ```
 
+In some scenarios, you may want to set `BASE_VERSION` to a specific version instead of "latest".
+See [updater/Dockerfile](../updater/Dockerfile) for a more detailed explanation.
+
 ## Running your code changes
 To test run your code changes, you'll first need to build the updater Docker image (see above), then run the updater Docker image in a container with all the required environment variables (see above).
 

diff --git a/updater/Dockerfile b/updater/Dockerfile
@@ -1,7 +1,11 @@
-# The docker images in https://github.com/dependabot/dependabot-core are no longer versioned like the ruby Gems
-#TODO: find out how to lock the base image version without the ruby Gem version
 ARG ECOSYSTEM
-FROM ghcr.io/dependabot/dependabot-updater-$ECOSYSTEM
+ARG BASE_VERSION=latest
+
+# The Dependabot docker images in https://github.com/dependabot/dependabot-core are no longer versioned like the Ruby Gems; instead they are versioned by the commit SHA of the release tag.
+# In production, the build pipeline automatically calculates BASE_VERSION to match the dependabot-omnibus version set in updater/Gemfile (see .github/workflows/updater.yml).
+# In local/dev,  the "latest" tag will be used by default. You can override this by setting BASE_VERSION to the commit SHA of a dependabot-core release tag.
+#                e.g. for v0.264.0, use BASE_VERSION="e8d8a1268ea61304e939ba9ab963e249cac5b241"
+FROM ghcr.io/dependabot/dependabot-updater-$ECOSYSTEM:$BASE_VERSION
 
 LABEL org.opencontainers.image.source="https://github.com/tinglesoftware/dependabot-azure-devops"