Add workflow and script to automatically update distribution snapshots by daandemeyer · Pull Request #4208 · systemd/mkosi

daandemeyer · 2026-03-07T09:10:54Z

Add a GitHub Actions workflow that runs every three days to pin each distribution to its latest snapshot. The workflow runs tools/update-snapshot.py for each distribution (arch, centos, debian, fedora, opensuse, ubuntu) which fetches the latest snapshot via "mkosi latest-snapshot", updates the corresponding mkosi config file with the new Snapshot= setting, and commits the result.

The workflow then creates a pull request for the update using github-script. Each distribution gets its own dedicated branch (update-snapshot/) so that only a single pull request is open per distribution at a time. If an existing pull request is already open, it is updated in place by force-pushing to the branch.

Auto-merge is enabled on each pull request via the GraphQL enablePullRequestAutoMerge mutation so that the snapshot update lands automatically once CI is green.

keszybz · 2026-03-09T09:14:49Z

Looks reasonable…


            yield f"{DISTRIBUTION_GPG_KEYS_UPSTREAM}/RPM-GPG-KEY-fedora-{version + 1}-primary"
-        except subprocess.CalledProcessError:
+        except urllib.error.URLError:


github-actions · 2026-03-19T13:11:17Z

Claude review of PR #4208 (`acdac0c`)

Suggestions

Proxy SSL context applied to all connections — mkosi/curl.py:42 — The proxy-specific certificate settings (proxy_client_certificate, proxy_client_key) are loaded into the HTTPS handler’s SSL context, which applies to all HTTPS connections, not just the proxy. The old curl CLI used --proxy-cert/--proxy-key which only affected the proxy tunnel. (Note: improved in this revision — the custom context is now only created when proxy is configured and custom certs exist, but the fundamental urllib limitation remains.)
No timeout on HTTP requests — mkosi/curl.py:52 — opener.open(url) has no timeout parameter; the default socket timeout is None (block indefinitely). The old curl CLI had built-in timeouts.
${{ inputs.config }} interpolated directly in shell — .github/actions/mkosi-update-snapshot/action.yml:53 — Unlike distribution and release (passed via env:), config is interpolated directly into the run: block. Pass it through an env var for consistency and to avoid injection if the path ever contains special characters.
Script injection risk in github-script — .github/actions/mkosi-update-snapshot/action.yml:137 — ${{ steps.update.outputs.title }} is interpolated directly into a JS string literal. If the value contained a single quote it would break syntax or allow injection. Use process.env via an env: block instead.
Unpinned action version — .github/workflows/update-snapshot.yml:36 — actions/create-github-app-token@v2 uses a mutable tag. All other external action references in the repo are pinned to commit SHAs.
update_snapshot edge case with empty [Distribution] section — mkosi/snapshot.py:46 — If [Distribution] is immediately followed by another section header (no keys between them), Snapshot= is inserted under the wrong section. Also, if [Distribution] is the last line with no keys, the fallback creates a duplicate section. Current workflow configs are unaffected, but adding a guard for line.startswith("[") in the in_distribution block would make this robust.
False-positive update detection when snapshot is unchanged — .github/actions/mkosi-update-snapshot/action.yml:56 — When mkosi ... --commit does not create a new commit (snapshot already up to date), HEAD remains at main’s tip. git diff --quiet HEAD~1 HEAD then compares main’s last two commits, which almost certainly differ, incorrectly setting updated=true and causing unnecessary image builds and PR creation/updates. Recording the SHA before and comparing after would be more reliable.
Intermediate commit breaks bisectability — mkosi/distribution/centos.py:510 — Commit e9ad77e removes from mkosi.curl import curl from centos.py and fedora.py and uses fetch() without importing it (the import is only added in the following commit). The same commit also introduces duplicate from mkosi.distribution import ... lines in arch.py, debian.py, opensuse.py, and ubuntu.py. Consider squashing or reordering so each commit builds cleanly.
Shell expansion in build-log heredoc — .github/actions/mkosi-update-snapshot/action.yml:93 — $(cat /tmp/mkosi-build.log) inside an unquoted heredoc (<<BODY) means shell metacharacters in build output (e.g. $(...), backticks) will be interpreted by bash. Use a quoted heredoc or build the file by concatenation to avoid unintended expansion.

Nits

Missing trailing newline — tools/mkosi-manifest-diff.py:72 — File is missing a final newline, inconsistent with the rest of the repo.

Workflow run

Rename to fetch while we're at it.

Add a GitHub Actions workflow that runs every three days to pin each distribution to its latest snapshot. To make this work, we extend the latest-snapshot verb with the option to write the snapshot to a config file provided by the user. We do this to avoid having to start tracking which config file provided a setting. Even if we had that, we still would need the explicit config file to bootstrap the initial write so we might as well insist on the user providing it. The workflow runs mkosi latest-snapshot for each distribution (arch, centos, debian, fedora, opensuse, ubuntu) which fetches the latest snapshot, updates the corresponding mkosi config file with the new Snapshot= setting, and commits the result. The workflow then creates a pull request for the update using github-script. Each distribution gets its own dedicated branch (update-snapshot/<distro>) so that only a single pull request is open per distribution at a time. If an existing pull request is already open, it is updated in place by force-pushing to the branch. Auto-merge is enabled on each pull request via the GraphQL enablePullRequestAutoMerge mutation so that the snapshot update lands automatically once CI is green.

daandemeyer force-pushed the snapshot branch from 3735f83 to baf812c Compare March 7, 2026 11:29

behrmann reviewed Mar 7, 2026

View reviewed changes

Comment thread .github/workflows/update-snapshot.yml Outdated

Comment thread tools/update-snapshot.py Outdated

daandemeyer marked this pull request as draft March 7, 2026 12:55

daandemeyer force-pushed the snapshot branch from baf812c to 9e57b33 Compare March 9, 2026 21:58

github-advanced-security AI found potential problems Mar 9, 2026

View reviewed changes

daandemeyer force-pushed the snapshot branch from 9e57b33 to 410a3e6 Compare March 19, 2026 12:57

daandemeyer added the claude-review label Mar 19, 2026

daandemeyer marked this pull request as ready for review March 19, 2026 13:05