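# Refreshes the ci-* image digests that DataDog/images mirrors from this repo.
# Runs after "Tag new images version" succeeds (or on manual dispatch), waits
# until the registry exposes a ci-base digest that differs from the one in the
# current mirror lock, regenerates mirror.lock.yaml inside a checkout of
# DataDog/images, and opens a pull request there with the result.
name: Update mirror digests for ci-* images
on:
  workflow_run:
    workflows: ["Tag new images version"]
    types: [completed]
  workflow_dispatch:
jobs:
  update-mirror-digests:
    # workflow_run handlers always execute from the default branch with this
    # repository's credentials, whatever ref the triggering run used. The guard
    # below only checks the triggering run's conclusion, not its head_branch.
    # TODO(review): confirm "Tag new images version" can only run on trusted
    # refs, or add `github.event.workflow_run.head_branch == 'master'` here.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC token federation
      contents: read  # this repo is only read; the cross-repo write uses the octo-sts token below
    steps:
      # Exchange this job's OIDC identity for a short-lived token scoped to
      # DataDog/images through the named octo-sts policy. GITHUB_TOKEN itself
      # never gets write access to the target repository.
      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
        id: octo-sts
        with:
          scope: DataDog/images
          policy: dd-trace-java-docker-build.update-mirror
      - name: Checkout DataDog/dd-trace-java-docker-build
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: dd-trace-java-docker-build
          # Nothing in this job pushes to this repo, so do not leave GITHUB_TOKEN
          # in .git/config where later steps (including the update script) could read it.
          persist-credentials: false
      - name: Checkout DataDog/images
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: DataDog/images
          token: ${{ steps.octo-sts.outputs.token }}
          path: images
          # NOTE(review): credentials are persisted here (the checkout default),
          # so the octo-sts token is readable from images/.git/config by every
          # later step. Set persist-credentials: false once commit-headless is
          # confirmed to push through the API using only its explicit `token`.
      # Recorded before any local commit so the push step can assert the remote
      # has not moved since this checkout.
      - name: Capture images HEAD SHA
        id: images-head
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
        working-directory: images
      - name: Install crane
        # The release archive is fetched over TLS but never checked against a
        # known digest, so the installed binary is only as trusted as the GitHub
        # release asset at download time.
        # TODO(review): pin the archive's SHA-256 for CRANE_VERSION and verify it
        # with `sha256sum -c` before extracting.
        run: |
          CRANE_VERSION="0.20.2"
          curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" -o crane.tar.gz
          tar -xzf crane.tar.gz crane
          sudo mv crane /usr/local/bin/crane
          rm crane.tar.gz
      # Reads the digest currently recorded for the ci-base source in the mirror
      # lock: the first `digest:` line after the matching `source:` line. An
      # empty value (file or entry missing) is tolerated and reported as such.
      - name: Get baseline digest for ci-base image # base variant used to check freshness
        id: baseline
        run: |
          BASELINE=$(awk '/source:.*dd-trace-java-docker-build:ci-base/{found=1; next} found && /digest:/{print $2; exit}' images/mirror.lock.yaml || true)
          echo "digest=${BASELINE}" >> "$GITHUB_OUTPUT"
          echo "Baseline ci-base digest: ${BASELINE:-<none found>}"
      # Polls the registry once a minute for up to 30 minutes until the ci-base
      # digest differs from the baseline. With an empty baseline any resolvable
      # digest is accepted on the first successful lookup.
      - name: Wait for new ci-base image to be published
        env:
          # Passed through the environment rather than interpolated into the
          # script body, so a crafted value in mirror.lock.yaml cannot be
          # executed as shell.
          BASELINE: ${{ steps.baseline.outputs.digest }}
        run: |
          DEADLINE=$((SECONDS + 1800))
          echo "Waiting for ci-base digest to differ from: ${BASELINE:-<none>}"
          while [[ $SECONDS -lt $DEADLINE ]]; do
            CURRENT=$(crane digest ghcr.io/datadog/dd-trace-java-docker-build:ci-base 2>/dev/null || true)
            if [[ -n "$CURRENT" && "$CURRENT" != "$BASELINE" ]]; then
              echo "New ci-base digest detected: $CURRENT"
              exit 0
            fi
            echo "No change yet (current: ${CURRENT:-unavailable}), retrying in 60s..."
            sleep 60
          done
          echo "::error::Timeout after 30 minutes: ci-base digest did not change from existing mirror"
          exit 1
      # Runs this repo's update script from inside the images checkout; it is
      # expected to rewrite mirror.lock.yaml, the only file staged below.
      - name: Resolve digests and update mirror.lock.yaml files
        run: bash "${GITHUB_WORKSPACE}/dd-trace-java-docker-build/scripts/update-ci-image-digests.sh"
        working-directory: images
      # Date-based name: a second run on the same day reuses the same branch.
      - name: Define branch name
        id: define-branch
        run: echo "branch=ci/update-dd-trace-java-docker-build-ci-digests-$(date +'%Y%m%d')" >> "$GITHUB_OUTPUT"
      # Commits only if mirror.lock.yaml changed; has_changes gates the push and
      # PR steps so an unchanged lock produces no branch or pull request.
      - name: Commit changes
        id: create-commit
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add mirror.lock.yaml
          if git diff --cached --quiet; then
            echo "No changes detected in mirror files; skipping commit."
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          git commit -m "chore: Update dd-trace-java-docker-build ci-* image digests"
          echo "has_changes=true" >> "$GITHUB_OUTPUT"
          echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
        working-directory: images
      # Pushes the local commit to a new branch in DataDog/images using the
      # federated token; head-sha is the SHA captured right after checkout.
      - name: Push changes
        if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
        uses: DataDog/commit-headless@05d7b7ee023e2c7d01c47832d420c2503cd416f3 # action/v2.0.3
        with:
          target: DataDog/images
          token: "${{ steps.octo-sts.outputs.token }}"
          branch: "${{ steps.define-branch.outputs.branch }}"
          head-sha: "${{ steps.images-head.outputs.sha }}"
          create-branch: true
          command: push
          commits: "${{ steps.create-commit.outputs.commit }}"
        working-directory: images
      - name: Create pull request
        if: ${{ steps.create-commit.outputs.has_changes == 'true' }}
        env:
          GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
          # Step outputs reach the shell via the environment, never by
          # template interpolation into the command line.
          HEAD_BRANCH: ${{ steps.define-branch.outputs.branch }}
        run: |
          gh pr create \
            --repo DataDog/images \
            --title "Update dd-trace-java-docker-build ci-* image digests" \
            --base master \
            --head "$HEAD_BRANCH" \
            --body "Automated digest update for \`dd-trace-java-docker-build\` \`ci-*\` images after tagging."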