rework reporting of dependencies and requirements to better handle tr… #1813
# Workflow that builds and publishes the per-ecosystem updater images.
name: Latest images

env:
  # Registry path prefix; the job steps append the ecosystem name to it to
  # form the full image reference.
  UPDATER_IMAGE: 'ghcr.io/dependabot/dependabot-updater-'

on:  # yamllint disable-line rule:truthy
  push:
    # Only pushes to main trigger a publish.
    branches:
      - main
    # A push that touches nothing but this file does not trigger a run
    # (presumably the version file, bumped on release - confirm).
    paths-ignore:
      - 'common/lib/dependabot.rb'
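jobs:
  # Computes one timestamp-based version string and exposes it as a job
  # output, so every matrix leg of the publish job tags with the same value.
  date-version:
    runs-on: ubuntu-latest
    outputs:
      date: ${{ steps.date.outputs.DATE_BASED_VERSION }}
    steps:
      - id: date
        name: Set date based version
        # The v2 tag is the Updater image tag, not related to the core version.
        # This env var has to be set here so all versions are the same.
        run: |
          export DATE_BASED_VERSION=v2.0.$(date +%Y%m%d%H%M%S)
          echo "DATE_BASED_VERSION=$DATE_BASED_VERSION" >> "$GITHUB_OUTPUT"

  # Builds, tags, pushes and signs one updater image per matrix entry.
  push-updater-image:
    name: Deploy
    runs-on: ubuntu-latest
    needs: date-version
    # Job token scopes are restricted to what the steps below use.
    permissions:
      # Read access for the checkout step.
      contents: read
      # OIDC token; `cosign sign` is called without a key argument below,
      # so presumably keyless signing - confirm.
      id-token: write
      # Push access to ghcr.io.
      packages: write
    strategy:
      # One failing ecosystem must not cancel the other legs.
      fail-fast: false
      matrix:
        # name: argument passed to script/build
        # ecosystem: suffix of the published image name
        suite:
          - { name: bundler, ecosystem: bundler }
          - { name: cargo, ecosystem: cargo }
          - { name: composer, ecosystem: composer }
          - { name: docker, ecosystem: docker }
          - { name: elm, ecosystem: elm }
          - { name: git_submodules, ecosystem: gitsubmodule }
          - { name: github_actions, ecosystem: github-actions }
          - { name: go_modules, ecosystem: gomod }
          - { name: gradle, ecosystem: gradle }
          - { name: hex, ecosystem: mix }
          - { name: maven, ecosystem: maven }
          - { name: npm_and_yarn, ecosystem: npm }
          - { name: nuget, ecosystem: nuget }
          - { name: pub, ecosystem: pub }
          - { name: python, ecosystem: pip }
          - { name: swift, ecosystem: swift }
          - { name: devcontainers, ecosystem: devcontainers }
          - { name: terraform, ecosystem: terraform }
    # Expression values are handed to the shell as environment variables
    # rather than being pasted into the script text.
    env:
      COMMIT_SHA: ${{ github.sha }}
      NAME: ${{ matrix.suite.name }}
      ECOSYSTEM: ${{ matrix.suite.ecosystem }}
    steps:
      - name: Checkout code
        # NOTE(review): actions/checkout keeps the job token in the local git
        # config by default. If script/build needs no git auth, consider
        # `persist-credentials: false` so the token cannot end up in the
        # Docker build context - confirm before changing.
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          submodules: recursive

      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Build the dependabot-updater-<ecosystem> image
        # despite the script input being $NAME, the resulting image is dependabot-updater-${ECOSYSTEM}
        run: script/build "${NAME}"

      - name: 'Tag the images with the SHA, `latest`, and the date version'
        env:
          # Passed through env so the job output is never spliced into the
          # script source before the shell parses it.
          DATE_VERSION: ${{ needs.date-version.outputs.date }}
        run: |
          docker tag "${UPDATER_IMAGE}${ECOSYSTEM}" "${UPDATER_IMAGE}${ECOSYSTEM}:$COMMIT_SHA"
          docker tag "${UPDATER_IMAGE}${ECOSYSTEM}" "${UPDATER_IMAGE}${ECOSYSTEM}:latest"
          docker tag "${UPDATER_IMAGE}${ECOSYSTEM}" "${UPDATER_IMAGE}${ECOSYSTEM}:${DATE_VERSION}"

      - name: Log in to GHCR
        env:
          # The token and the actor name reach the shell as variables, not as
          # text substituted into the command line, and the password is still
          # read from stdin so it never appears in the process arguments.
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GHCR_USER: ${{ github.actor }}
        run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin

      - name: Push the images to GHCR
        run: |
          docker push --all-tags "${UPDATER_IMAGE}${ECOSYSTEM}"
          # All tags should resolve to the same digest so we only need to look up one of them
          # NOTE(review): the digest is resolved from the registry's `latest`
          # tag after the push, and no `concurrency:` group is visible in this
          # workflow. If two runs overlap, `latest` may already point at the
          # other run's image; resolving the SHA tag, which is unique to this
          # run, would remove that ambiguity - confirm.
          cosign sign --yes "$(cosign triangulate --type=digest "${UPDATER_IMAGE}${ECOSYSTEM}:latest")"

      - name: Set summary
        run: |
          echo "updater uploaded with tag \`$COMMIT_SHA\`" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          echo "${UPDATER_IMAGE}${ECOSYSTEM}:$COMMIT_SHA" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"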