diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
index 86f08419..1d681e06 100644
--- a/.github/workflows/updater.yml
+++ b/.github/workflows/updater.yml
@@ -88,12 +88,21 @@ jobs:
 # remove this after at least one release tagged 'latest'
 continue-on-error: true
+ - name: Get dependabot-updater image tag version
+ id: docker-base-version
+ run: |
+ tag_name=$(grep -oP "(?<=gem \"dependabot-omnibus\", \"~>).*(?=\")" updater/Gemfile)
+ tag_sha=$(curl --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' --url "https://api.github.com/repos/dependabot/dependabot-core/tags" | jq -r "[.[]|select(.name==\"v$tag_name\")][0].commit.sha")
+ echo "Using dependabot-updater image tag '$tag_sha' (v$tag_name)"
+ echo "version=$tag_sha" >> $GITHUB_OUTPUT
+
 - name: Build image
 run: |
 docker build \
 -f updater/Dockerfile \
 --build-arg BUILDKIT_INLINE_CACHE=1 \
 --build-arg ECOSYSTEM=${{ matrix.suite.ecosystem }} \
+ --build-arg BASE_VERSION=${{ steps.docker-base-version.outputs.version }} \
 --label com.github.image.run.id=${{ github.run_id }} \
 --label com.github.image.run.number=${{ github.run_number }} \
 --label com.github.image.job.id=${{ github.job }} \
diff --git a/docs/updater.md b/docs/updater.md
index 92119591..ccba83ee 100644
--- a/docs/updater.md
+++ b/docs/updater.md
@@ -172,10 +172,14 @@ docker build \
 -f updater/Dockerfile \
 --build-arg BUILDKIT_INLINE_CACHE=1 \
 --build-arg ECOSYSTEM= \
+ --build-arg BASE_VERSION=latest \
 -t "ghcr.io/tinglesoftware/dependabot-updater-:latest" \
 .
 ```
+In some scenarios, you may want to set `BASE_VERSION` to a specific version instead of "latest".
+See [updater/Dockerfile](../updater/Dockerfile) for a more detailed explanation.
+
 ## Running your code changes
 To test run your code changes, you'll first need to build the updater Docker image (see above), then run the updater Docker image in a container with all the required environment variables (see above).
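Review bot: In the `Get dependabot-updater image tag version` step of `.github/workflows/updater.yml`, `tag_sha` is written to `$GITHUB_OUTPUT` with no check, so when no tag named `v$tag_name` is in the returned listing (the request asks for no specific page, and the tags endpoint is paginated) the `jq` expression prints the string `null` and the step still succeeds. That value is then expanded unquoted into the `docker build` command line as `BASE_VERSION`, so the base-image pin comes straight from an unvalidated API response. I would add `--fail` to the `curl` call and, before the two `echo` lines, `[[ "$tag_sha" =~ ^[0-9a-f]{40}$ ]] || { echo "could not resolve v$tag_name to a commit SHA" >&2; exit 1; }`. Passing the token through the step's `env:` instead of interpolating `${{ secrets.GITHUB_TOKEN }}` into the script text would also keep the secret out of the rendered script. The `Build image` step's `docker build` command continues past the end of the hunk.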
diff --git a/updater/Dockerfile b/updater/Dockerfile
index 60f41666..234895f5 100644
--- a/updater/Dockerfile
+++ b/updater/Dockerfile
@@ -1,7 +1,11 @@
-# The docker images in https://github.com/dependabot/dependabot-core are no longer versioned like the ruby Gems
-#TODO: find out how to lock the base image version without the ruby Gem version
 ARG ECOSYSTEM
-FROM ghcr.io/dependabot/dependabot-updater-$ECOSYSTEM
+ARG BASE_VERSION=latest
+
+# The Dependabot docker images in https://github.com/dependabot/dependabot-core are no longer versioned like the Ruby Gems; instead they are versioned by the commit SHA of the release tag.
+# In production, the build pipeline automatically calculates BASE_VERSION to match the dependabot-omnibus version set in updater/Gemfile (see .github/workflows/updater.yml).
+# In local/dev, the "latest" tag will be used by default. You can override this by setting BASE_VERSION to the commit SHA of a dependabot-core release tag.
+# e.g. for v0.264.0, use BASE_VERSION="e8d8a1268ea61304e939ba9ab963e249cac5b241"
+FROM ghcr.io/dependabot/dependabot-updater-$ECOSYSTEM:$BASE_VERSION
 LABEL org.opencontainers.image.source="https://github.com/tinglesoftware/dependabot-azure-devops"
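Review bot: `ARG BASE_VERSION=latest` in `updater/Dockerfile` makes the floating `latest` tag the fallback whenever the build argument is not supplied, so any build that does not go through `.github/workflows/updater.yml` takes whatever upstream image is current instead of the one matching the `dependabot-omnibus` version in `updater/Gemfile`. Even the commit-SHA value is a registry tag, not a content digest, so it identifies the upstream source revision but does not by itself guarantee the same image bytes on every pull. If reproducible base images matter for released builds, I would record that in the comment block, for example `# NOTE: BASE_VERSION is a tag and can be re-pointed upstream; pin FROM by @sha256 digest where the base image must be immutable.`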