Check Dockerfile Base Image Updates and Validate with Image Digest #40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check Dockerfile Base Image Updates and Validate with Image Digest | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' # Run daily | |
| workflow_dispatch: # Allows manual triggering of the workflow | |
| jobs: | |
| check-updates: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@v1 | |
| - name: Check for base image updates | |
| id: check | |
| run: | | |
| # Read the current base image from the Dockerfile, stopping at the first FROM instruction | |
| BASE_IMAGE=$(grep -oPm1 'FROM \K.*' Dockerfile | cut -d' ' -f1) | |
| echo "Base image from Dockerfile: $BASE_IMAGE" | |
| # Extract the image name and tag, ignoring any Dockerfile-specific annotations | |
| IMAGE_NAME=$(echo $BASE_IMAGE | cut -d':' -f1) | |
| echo "Image name extracted: $IMAGE_NAME" | |
| echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV | |
| CURRENT_TAG=$(echo $BASE_IMAGE | cut -d':' -f2) | |
| echo "Current tag extracted: $CURRENT_TAG" | |
| echo "CURRENT_TAG=$CURRENT_TAG" >> $GITHUB_ENV | |
| - name: Build Docker Image and Get Digest | |
| run: | | |
| echo ${{ env.IMAGE_NAME }} | |
| echo ${{ env.CURRENT_TAG }} | |
| docker build -t "${{ env.IMAGE_NAME }}:${{ env.CURRENT_TAG }}" . | |
| DIGEST=$(docker inspect --format='{{.Id}}' "${{ env.IMAGE_NAME }}:${{ env.CURRENT_TAG }}" | sed 's/sha256://') | |
| echo "Docker Image Local Digest: $DIGEST" | |
| echo "digest=$DIGEST" >> $GITHUB_ENV | |
| - name: Fetch Latest Image Digest from Docker Hub | |
| run: | | |
| LATEST_DIGEST=$(wget -qO- "https://hub.docker.com/v2/namespaces/library/repositories/${{ env.IMAGE_NAME }}/tags/${{ env.CURRENT_TAG }}" | jq -r ' .digest') | |
| echo "Latest Image Digest: $LATEST_DIGEST" | |
| echo "latest_digest=$LATEST_DIGEST" >> $GITHUB_ENV | |
| - name: Compare Digests | |
| run: | | |
| if [ "$digest" != "$latest_digest" ]; then | |
| echo "The local image digest does not match the latest image digest. An update is required." | |
| # Potentially trigger another job or step to handle the update | |
| else | |
| echo "The local image digest matches the latest image digest. No update is required." | |
| # Set an environment variable or output to indicate no further action is needed | |
| echo "digest_match=true" >> $GITHUB_ENV | |
| fi | |
| - name: Push changes and create a pull request | |
| uses: peter-evans/create-pull-request@v6 | |
| with: | |
| commit-message: Update Dockerfile to ${{ env.new_tag }} with digest ${{ env.digest }} | |
| title: Update base image to ${{ env.new_tag }} with digest ${{ env.digest }} | |
| body: | | |
| This is an automated PR to update the Dockerfile base image to ${{ env.new_tag }} with digest ${{ env.digest }}. | |
| branch: update-base-image-${{ env.new_tag }}-${{ env.digest }} |