|
| 1 | +# Automated Docker Image Hash Updates Plan |
| 2 | + |
| 3 | +## Problem Statement |
| 4 | + |
| 5 | +The `build.yml` workflow uses hardcoded container SHA hashes for `ghcr.io/rust-cross/rust-musl-cross` images. These hashes become stale when the upstream images are updated, requiring manual updates to stay current with security patches and toolchain improvements. |
| 6 | + |
| 7 | +## Proposed Solution |
| 8 | + |
| 9 | +### 1. Extract Container Configuration |
| 10 | + |
| 11 | +Create `.github/rust-cross-containers.yml`: |
| 12 | + |
| 13 | +```yaml |
| 14 | +# Container configurations for rust-musl-cross builds |
| 15 | +containers: |
| 16 | + - target: i686-unknown-linux-musl |
| 17 | + arch: i686 |
| 18 | + image_tag: i686-unknown-linux-musl |
| 19 | + current_sha: 5539b836c671353becda5c18f7675138a8724c5a4d3ecf5c26ba74e40239f89a |
| 20 | + - target: x86_64-unknown-linux-musl |
| 21 | + arch: x86_64 |
| 22 | + image_tag: x86_64-unknown-linux-musl |
| 23 | + current_sha: 8da7503d1199ddea00be75ef56d971da79f023fa4b7a8366be3df24fd31c2279 |
| 24 | + - target: armv7-unknown-linux-musleabi |
| 25 | + arch: armv7 |
| 26 | + image_tag: armv7-unknown-linux-musleabi |
| 27 | + current_sha: 5c9b9ee4777ad74dcee6913171918b6d02bcaab25289d751912a27e151af0224 |
| 28 | + - target: aarch64-unknown-linux-musl |
| 29 | + arch: aarch64 |
| 30 | + image_tag: aarch64-unknown-linux-musl |
| 31 | + current_sha: 8098ec3ebd8268a8ae37ef3a5bc35def863dda30a7f6817b65ce70ecad4bb413 |
| 32 | +``` |
| 33 | +
|
| 34 | +### 2. Create Update Automation Workflow |
| 35 | +
|
| 36 | +Create `.github/workflows/update-rust-cross-hashes.yml`: |
| 37 | + |
| 38 | +**Trigger**: Scheduled (cron) - runs 1st and 15th of each month |
| 39 | +**Permissions**: Read contents, write PRs |
| 40 | +**Steps**: |
| 41 | + |
| 42 | +1. Checkout repository |
| 43 | +2. Install required tools (jq, curl) |
| 44 | +3. Run update script to check for new hashes |
| 45 | +4. If changes detected, create PR with detailed information |
| 46 | + |
| 47 | +### 3. Hash Update Script |
| 48 | + |
| 49 | +Create `scripts/update-rust-cross-hashes.js` (or `.sh`): |
| 50 | + |
| 51 | +**Responsibilities**: |
| 52 | + |
| 53 | +- Query GitHub Container Registry API for each image tag |
| 54 | +- Get current image digest (SHA256 hash) |
| 55 | +- Compare with stored hashes in configuration file |
| 56 | +- Update configuration file if changes detected |
| 57 | +- Generate commit message and PR body with details |
| 58 | + |
| 59 | +**API Endpoints**: |
| 60 | + |
| 61 | +- Use GitHub Container Registry API: `GET /v2/{name}/manifests/{reference}` |
| 62 | +- Extract `docker-content-digest` header for SHA256 hash |
| 63 | + |
| 64 | +### 4. Modify Build Workflow |
| 65 | + |
| 66 | +Update `build.yml` to read from configuration file: |
| 67 | + |
| 68 | +**Strategy**: |
| 69 | + |
| 70 | +- Use `fromJSON()` to parse the YAML configuration |
| 71 | +- Replace hardcoded matrix with dynamic matrix from config file |
| 72 | +- Maintain same job structure and steps |
| 73 | + |
| 74 | +### 5. PR Content Enhancement |
| 75 | + |
| 76 | +**PR Title**: `chore: Update rust-musl-cross container hashes` |
| 77 | + |
| 78 | +**PR Body Template**: |
| 79 | + |
| 80 | +```markdown |
| 81 | +## Container Hash Updates |
| 82 | +
|
| 83 | +This PR updates the container SHA hashes for rust-musl-cross images. |
| 84 | +
|
| 85 | +### Changes Detected |
| 86 | +
|
| 87 | +| Target | Previous Hash | New Hash | |
| 88 | +| -------- | ------------- | ------------ | |
| 89 | +| {target} | `{old_hash}` | `{new_hash}` | |
| 90 | + |
| 91 | +### Upstream Changes |
| 92 | + |
| 93 | +- [View commits since last update](link-to-ghcr-commits) |
| 94 | +- [rust-cross/rust-musl-cross repository](https://github.com/rust-cross/rust-musl-cross) |
| 95 | + |
| 96 | +### Verification |
| 97 | + |
| 98 | +- [ ] All builds pass with new hashes |
| 99 | +- [ ] No breaking changes detected |
| 100 | +- [ ] Security scan results reviewed |
| 101 | + |
| 102 | +_This PR was automatically generated on {date}_ |
| 103 | +``` |
| 104 | + |
| 105 | +## Implementation Steps |
| 106 | + |
| 107 | +### Step 1: Configuration Extraction |
| 108 | + |
| 109 | +1. Create `.github/rust-cross-containers.yml` with current mappings |
| 110 | +2. Add validation schema/comments for maintainability |
| 111 | + |
| 112 | +### Step 2: Build Workflow Migration |
| 113 | + |
| 114 | +1. Modify `build.yml` matrix to read from config file |
| 115 | +2. Test that builds work identically with new structure |
| 116 | +3. Ensure no behavioral changes in the build process |
| 117 | + |
| 118 | +### Step 3: Update Script Development |
| 119 | + |
| 120 | +1. Create `scripts/update-rust-cross-hashes.js` |
| 121 | +2. Implement registry API queries |
| 122 | +3. Add hash comparison and file update logic |
| 123 | +4. Include error handling and logging |
| 124 | + |
| 125 | +### Step 4: Automation Workflow |
| 126 | + |
| 127 | +1. Create `.github/workflows/update-rust-cross-hashes.yml` |
| 128 | +2. Implement scheduled trigger (1st and 15th monthly) |
| 129 | +3. Add PR creation with rich content |
| 130 | +4. Include failure notification mechanisms |
| 131 | + |
| 132 | +### Step 5: Integration & Testing |
| 133 | + |
| 134 | +1. Test the full automation flow in a fork/branch |
| 135 | +2. Verify PR creation works correctly |
| 136 | +3. Validate that generated PRs build successfully |
| 137 | +4. Document the new process for maintainers |
| 138 | + |
| 139 | +## Technical Considerations |
| 140 | + |
| 141 | +### Registry API Access |
| 142 | + |
| 143 | +- Use GitHub Container Registry API (no auth needed for public images) |
| 144 | +- Handle rate limiting gracefully |
| 145 | +- Include retry logic for network failures |
| 146 | + |
| 147 | +### Security |
| 148 | + |
| 149 | +- Pin all GitHub Actions by commit hash (following project convention) |
| 150 | +- Use minimal permissions for automation workflow |
| 151 | +- Validate SHA256 hashes properly |
| 152 | + |
| 153 | +### Error Handling |
| 154 | + |
| 155 | +- Graceful failure when registry is unavailable |
| 156 | +- Clear error messages for debugging |
| 157 | +- Skip updates if unable to verify new hashes |
| 158 | + |
| 159 | +### Maintenance |
| 160 | + |
| 161 | +- Configuration file should be well-documented |
| 162 | +- Include instructions for manual updates if needed |
| 163 | +- Consider adding dry-run mode for testing |
| 164 | + |
| 165 | +## Benefits |
| 166 | + |
| 167 | +1. **Automated Security**: Stay current with upstream security patches |
| 168 | +2. **Reduced Maintenance**: No more manual hash updates |
| 169 | +3. **Transparency**: PRs provide visibility into what's changing |
| 170 | +4. **Rollback Safety**: Easy to revert if issues discovered |
| 171 | +5. **Extensibility**: Easy to add new targets or modify schedule |
| 172 | + |
| 173 | +## Risks & Mitigations |
| 174 | + |
| 175 | +- **Registry API changes**: Monitor for API deprecations, include error handling |
| 176 | +- **Breaking image updates**: PR review process catches issues before merge |
| 177 | +- **Schedule conflicts**: Choose times that don't conflict with releases |
| 178 | +- **False positives**: Robust hash comparison prevents unnecessary PRs |
| 179 | + |
| 180 | +## Future Enhancements |
| 181 | + |
| 182 | +1. **Smart scheduling**: Check for updates more frequently if pattern of releases detected |
| 183 | +2. **Changelog integration**: Parse upstream commit messages for impact analysis |
| 184 | +3. **Dependency tracking**: Correlate with Rust toolchain updates |
| 185 | +4. **Health monitoring**: Track update success/failure rates over time |
0 commit comments