diff --git a/.github/workflows/docker-githubaction.yml b/.github/workflows/docker-githubaction.yml
index 1f0a3140..c2556cf7 100644
--- a/.github/workflows/docker-githubaction.yml
+++ b/.github/workflows/docker-githubaction.yml
@@ -2,10 +2,6 @@ name: Release Docker GitHub Action
on:
workflow_dispatch:
- inputs:
- image_version:
- description: 'yq version to tag the github-action image with (e.g. 4.53.3)'
- required: true
permissions: {}
@@ -14,7 +10,6 @@ jobs:
environment: dockerhub
env:
IMAGE_NAME: mikefarah/yq
- IMAGE_VERSION: ${{ inputs.image_version }}
runs-on: ubuntu-latest
permissions:
contents: read
@@ -33,6 +28,36 @@ jobs:
with:
version: latest
+ - name: Verify Dockerfile base image digest matches yq:4
+ run: |
+ PINNED_DIGEST=$(grep -oE 'sha256:[a-f0-9]{64}' github-action/Dockerfile | head -1)
+ if [ -z "${PINNED_DIGEST}" ]; then
+ echo "::error::Could not find a sha256 digest in github-action/Dockerfile"
+ exit 1
+ fi
+
+ LATEST_DIGEST=$(docker buildx imagetools inspect "${IMAGE_NAME}:4" --format '{{.Digest}}')
+
+ echo "Dockerfile pins: ${PINNED_DIGEST}"
+ echo "mikefarah/yq:4 is: ${LATEST_DIGEST}"
+
+ if [ "${PINNED_DIGEST}" != "${LATEST_DIGEST}" ]; then
+ echo "::error::github-action/Dockerfile digest does not match the current mikefarah/yq:4 image"
+ echo "Update the FROM line in github-action/Dockerfile to:"
+ echo " FROM mikefarah/yq:4@${LATEST_DIGEST}"
+ exit 1
+ fi
+
+ - name: Resolve version from yq:4
+ run: |
+ IMAGE_VERSION=$(docker run --rm "${IMAGE_NAME}:4" --version | awk '{print $NF}' | sed 's/^v//')
+ if [ -z "${IMAGE_VERSION}" ]; then
+ echo "::error::Could not determine yq version from ${IMAGE_NAME}:4"
+ exit 1
+ fi
+ echo "Resolved yq version: ${IMAGE_VERSION}"
+ echo "IMAGE_VERSION=${IMAGE_VERSION}" >> "${GITHUB_ENV}"
+
- name: Login to Docker Hub
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
diff --git a/release_instructions.txt b/release_instructions.txt
index 06b4e9dd..873ae4aa 100644
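Review bot: The "Resolve version from yq:4" step rejects only an empty result before appending it to GITHUB_ENV, so any other output of `--version` (several lines, an unexpected format) is written into the job environment unchecked and presumably becomes the tag of the published image (its use is outside this hunk). Add a shape check before the append, e.g. `[[ "${IMAGE_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "::error::Unexpected yq version string: ${IMAGE_VERSION}"; exit 1; }`. The version is also read from the mutable `${IMAGE_NAME}:4` tag rather than from the digest the previous step verified, so if the tag moves between the two steps the published tag and the pinned base image can still disagree; running `docker run --rm "${IMAGE_NAME}@${PINNED_DIGEST}" --version` (with PINNED_DIGEST exported via GITHUB_ENV from the verify step) ties the version to the exact pinned image. In the verify step, `grep -oE 'sha256:[a-f0-9]{64}' ... | head -1` takes the first digest anywhere in the Dockerfile; filtering to the FROM line first (`grep -E '^FROM ' github-action/Dockerfile | grep -oE 'sha256:[a-f0-9]{64}' | head -1`) avoids matching a digest in a comment or another stage.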
--- a/release_instructions.txt
+++ b/release_instructions.txt
@@ -8,12 +8,12 @@
- git push --tags - use github actions to publish docker and make github release - check github updated yq action in marketplace -- update github-action/Dockerfile to pin the newly published docker image digest: - skopeo inspect docker://docker.io/mikefarah/yq:4 --override-arch amd64 --override-os linux | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['Digest'])" +- update github-action/Dockerfile to pin the newly published docker image digest (must match the mikefarah/yq:4 manifest digest): docker buildx imagetools inspect docker.io/mikefarah/yq:4 --format '{{.Digest}}' then update the FROM line in github-action/Dockerfile with the new digest: - FROM mikefarah/yq:4@sha256: + FROM mikefarah/yq:4@ - commit the Dockerfile change, then manually run the "Release Docker GitHub Action" workflow - (Actions -> Release Docker GitHub Action -> Run workflow) with the new version number + (Actions -> Release Docker GitHub Action -> Run workflow) // release artifacts are signed with cosign keyless signing (Sigstore) // users can verify with: