Add update-images workflow

JosBritton · Oct 26, 2024 · f2cf0db · f2cf0db
1 parent 14b5ccc
commit f2cf0db
Show file tree

Hide file tree

Showing 3 changed files with 157 additions and 0 deletions.
diff --git a/.github/workflows/update-images.yml b/.github/workflows/update-images.yml
@@ -0,0 +1,67 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+# yamllint disable rule:comments
+name: Check for image repository updates
+
+on: # yamllint disable-line rule:truthy
+  schedule:
+  - cron: 0 * * * *  # every hour
+  workflow_dispatch: {}
+
+jobs:
+  update-file:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        id: app-token
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Python
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: '3.x'
+          cache: 'pip'
+
+      - name: Install requirements
+        run: |
+          python3 -m pip install -U -r requirements.txt
+
+      - name: Get updates
+        id: update_file
+        run: |
+          python scripts/update_images.py
+
+      - name: Check if there are changes
+        id: check_changes
+        run: |
+          git diff --exit-code || echo "changed=true" >> "$GITHUB_OUTPUT"
+
+      - name: Commit and push changes
+        if: steps.check-changes.outputs.changed == 'true'
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "Update Images"
+          git add images.auto.pkrvars.hcl
+          git commit -m "Image repository updated"
+          git push origin --force HEAD:updateimages/image-repository-updated
+
+      - name: Create pull request
+        if: steps.check-changes.outputs.changed == 'true'
+        run: |
+          curl -X POST "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/pulls" \
+          -H "Authorization: Bearer ${BEARER_TOKEN}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          -d '{
+            "title": "Update Images",
+            "head": "updateimages/image-repository-updated",
+            "body": "Upstream images have updated.",
+            "base": "main"
+          }'
+        env:
+          BEARER_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/requirements.txt b/requirements.txt
@@ -1,2 +1,3 @@
 ansible==10.5.0
 pre-commit==4.0.1
+requests==2.32.3
diff --git a/scripts/update_images.py b/scripts/update_images.py
@@ -0,0 +1,89 @@
+import json
+import requests
+import base64
+
+def get_remote(url: str) -> tuple[dict, bool]:
+    try:
+        resp = requests.get(url)
+        resp.raise_for_status()  # HTTPError
+
+        data = resp.json()
+
+        if not data:
+            return {}, False
+
+        return data, True
+    except requests.exceptions.RequestException as err:
+        print(f'Error fetching the JSON file: {err}')
+        return {}, False
+
+def get_local(path: str) -> tuple[dict, bool]:
+    with open(path) as f:
+        return json.load(f), True
+
+def parse_debian_cloud_meta(meta: dict) -> dict:
+    d = {}
+    for item in meta["items"]:
+        if item["kind"] == "Upload":
+            if item["metadata"]["labels"]["upload.cloud.debian.org/image-format"] == "qcow2":
+                enc_digest = item["metadata"]["annotations"]["cloud.debian.org/digest"]
+                url = f"https://cloud.debian.org/images/cloud/{ item["data"]["ref"] }"
+
+                # split at prefix `sha512:...`
+                enc_digest_data = enc_digest.split(":", 1)[1]
+                # add correct b64 padding
+                while len(enc_digest_data) % 4 != 0:
+                    enc_digest_data += "="
+
+                # checksum
+                digest = f"sha512:{ base64.b64decode(enc_digest_data).hex() }"
+
+                d["url"] = url
+                d["digest"] = digest
+    return d
+
+def main():
+    meta = {}
+    for provider in {"genericcloud", "generic", "nocloud"}:
+        for arch in {"amd64", "arm64"}:
+            uri = f"https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-{provider}-{arch}.json"
+            data, ok = get_remote(uri)
+            if not ok:
+                raise Exception("No data for: ", uri)
+            meta[f"debian-12-{provider}-{arch}"] = parse_debian_cloud_meta(data)
+
+    s = f"""\
+image_repository = {{
+  debian-12-genericcloud-amd64 = {{
+    url    = "{ meta["debian-12-genericcloud-amd64"]["url"] }"
+    digest = "{ meta["debian-12-genericcloud-amd64"]["digest"] }"
+  }},
+  debian-12-genericcloud-arm64 = {{
+    url    = "{ meta["debian-12-genericcloud-arm64"]["url"] }"
+    digest = "{ meta["debian-12-genericcloud-arm64"]["digest"] }"
+  }}
+  debian-12-generic-amd64 = {{
+    url    = "{ meta["debian-12-generic-amd64"]["url"] }"
+    digest = "{ meta["debian-12-generic-amd64"]["digest"] }"
+  }}
+  debian-12-generic-arm64 = {{
+    url    = "{ meta["debian-12-generic-arm64"]["url"] }"
+    digest = "{ meta["debian-12-generic-arm64"]["digest"] }"
+  }}
+  debian-12-nocloud-amd64 = {{
+    url    = "{ meta["debian-12-nocloud-amd64"]["url"] }"
+    digest = "{ meta["debian-12-nocloud-amd64"]["digest"] }"
+  }}
+  debian-12-nocloud-arm64 = {{
+    url    = "{ meta["debian-12-nocloud-arm64"]["url"] }"
+    digest = "{ meta["debian-12-nocloud-arm64"]["digest"] }"
+  }}
+}}
+"""
+    print("Got info:\n", meta, "\nWriting to file...")
+    with open("images.auto.pkrvars.hcl", "w", encoding="utf-8") as f:
+        f.write(s)
+
+
+if __name__ == "__main__":
+    main()