watch-dependencies.yaml

# This is a GitHub workflow defining a set of jobs with a set of steps.
# ref: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
#
# - Watch multiple images tags referenced in values.yaml to match the latest
#   image tag.
#
# - Watch the jupyterhub pinning in images/*/unfrozen/requirements.txt to match the
#   latest jupyterhub version available on PyPI, and if doing this, also
#   refreeze images/*/requirements.txt.
#
# About environment: watch-dependencies
#
# To reduce the exposure of the secrets.jupyterhub_bot_pat token that was setup
# for the environment watch-dependencies, we have setup a dedicated environment
# according to steps in
# https://github.com/jupyterhub/team-compass/issues/516#issuecomment-1129961954.
#
name: Watch dependencies

on:
  push:
    paths:
      - "images/*/unfrozen/requirements.txt"
      - ".github/workflows/watch-dependencies.yaml"
    branches: ["main"]
  schedule:
    # Run at 05:00 every day, ref: https://crontab.guru/#0_5_*_*_*
    - cron: "0 5 * * *"
  workflow_dispatch:

jobs:
  update-image-dependencies:
    # Don't run this job on forks
    if: github.repository == 'jupyterhub/zero-to-jupyterhub-k8s'
    runs-on: ubuntu-22.04
    environment: watch-dependencies

    strategy:
      fail-fast: false
      matrix:
        include:
          - name: chp
            registry: registry.hub.docker.com
            repository: jupyterhub/configurable-http-proxy
            values_path: proxy.chp.image.tag
            version_startswith: ""
            version_patch_regexp_group_suffix: ""

          # traefik made us need to introduce version_patch_regexp_group_suffix
          # to control if we accept omitting the patch version. The traefik
          # image provides tags like 2.7 even though 2.7.0 hasn't been released,
          # which makes bumping to it something we don't want to do. We still
          # need to accept major.minor formatted tags though as the pause image
          # has them.
          #
          - name: traefik
            registry: registry.hub.docker.com
            repository: library/traefik
            values_path: proxy.traefik.image.tag
            version_startswith: ""
            version_patch_regexp_group_suffix: ""

          # kube-scheduler should be pinned to its minor version as bumping it
          # will require manual interventions sometimes, see the notes in
          # values.yaml about bumping its version.
          #
          - name: kube-scheduler
            registry: registry.k8s.io
            repository: kube-scheduler
            values_path: scheduling.userScheduler.image.tag
            version_startswith: "v1.30"
            version_patch_regexp_group_suffix: ""

          - name: pause
            registry: registry.k8s.io
            repository: pause
            values_path: scheduling.userPlaceholder.image.tag
            version_startswith: ""
            version_patch_regexp_group_suffix: "?"

    steps:
      - uses: actions/checkout@v4

      - name: Get values.yaml pinned tag of ${{ matrix.registry }}/${{ matrix.repository }}
        id: local
        run: |
          local_tag=$(cat jupyterhub/values.yaml | yq e '.${{ matrix.values_path }}' -)
          echo "tag=$local_tag" >> $GITHUB_OUTPUT

      - name: Get latest tag of ${{ matrix.registry }}/${{ matrix.repository }}
        id: latest
        # The skopeo image helps us list tags consistently from different docker
        # registries. We use jq to filter out tags of the x.y or x.y.z format
        # with the optional v prefix or version_startswith filter, and then sort
        # based on the numerical x, y, and z values. Finally, we pick the last
        # value in the list.
        #
        run: |
          latest_tag=$(
              docker run --rm quay.io/skopeo/stable list-tags docker://${{ matrix.registry }}/${{ matrix.repository }} \
            | jq -r '[.Tags[] | select(. | match("^v?\\d+\\.\\d+(\\.\\d+)${{ matrix.version_patch_regexp_group_suffix }}$") | .string | startswith("${{ matrix.version_startswith }}"))] | sort_by(split(".") | map(tonumber? // (.[1:] | tonumber))) | last'
          )
          echo "tag=$latest_tag" >> $GITHUB_OUTPUT

      - name: Update values.yaml pinned tag
        if: steps.local.outputs.tag != steps.latest.outputs.tag
        run: |
          sed --in-place 's/tag: "${{ steps.local.outputs.tag }}"/tag: "${{ steps.latest.outputs.tag }}"/g' jupyterhub/values.yaml

      - name: git diff
        if: steps.local.outputs.tag != steps.latest.outputs.tag
        run: git --no-pager diff --color=always

      # ref: https://github.com/peter-evans/create-pull-request
      - name: Create a PR
        if: steps.local.outputs.tag != steps.latest.outputs.tag
        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ secrets.jupyterhub_bot_pat }}"
          author: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
          committer: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
          branch: update-image-${{ matrix.name }}
          labels: dependencies
          commit-message: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
          title: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
          body: >-
            A new ${{ matrix.repository }} image version has been detected, version
            `${{ steps.latest.outputs.tag }}`.

  update-jupyterhub-dependencies:
    # Don't run this job on forks
    if: github.repository == 'jupyterhub/zero-to-jupyterhub-k8s'
    runs-on: ubuntu-20.04
    environment: watch-dependencies

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install Python dependencies
        run: pip install packaging requests

      - name: Get images/hub/unfrozen/requirements.txt pinned version of jupyterhub
        id: local
        run: |
          local_version=$(cat images/hub/unfrozen/requirements.txt | grep 'jupyterhub==' | sed 's/jupyterhub==//')
          echo "version=$local_version" >> $GITHUB_OUTPUT

      - name: Get latest version of jupyterhub
        id: latest
        shell: python
        run: |
          import os
          import packaging.version
          import requests

          request = requests.get("https://pypi.org/pypi/jupyterhub/json")
          data = request.json()
          releases = data["releases"]
          latest_version = sorted(releases.keys(), key=packaging.version.Version)[-1]

          with open(os.environ["GITHUB_OUTPUT"], "a") as f:
              f.write(f"version={latest_version}\n")

      - name: Update pinned version of jupyterhub
        if: steps.local.outputs.version != steps.latest.outputs.version
        run: |
          for img in hub singleuser-sample; do
            sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/$img/unfrozen/requirements.txt
          done
          sed --in-place 's/appVersion: "${{ steps.local.outputs.version }}"/appVersion: "${{ steps.latest.outputs.version }}"/g' jupyterhub/Chart.yaml

      - name: Refreeze images/*/requirements.txt based on images/*/unfrozen/requirements.txt
        if: steps.local.outputs.version != steps.latest.outputs.version
        run: ci/refreeze

      - name: git diff
        if: steps.local.outputs.version != steps.latest.outputs.version
        run: git --no-pager diff --color=always

      # ref: https://github.com/peter-evans/create-pull-request
      - name: Create a PR
        if: steps.local.outputs.version != steps.latest.outputs.version
        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ secrets.jupyterhub_bot_pat }}"
          author: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
          committer: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
          branch: update-jupyterhub
          labels: dependencies
          commit-message: Update jupyterhub from ${{ steps.local.outputs.version }} to ${{ steps.latest.outputs.version }}
          title: Update jupyterhub from ${{ steps.local.outputs.version }} to ${{ steps.latest.outputs.version }}
          body: >-
            A new jupyterhub version has been detected, version
            `${{ steps.latest.outputs.version }}`.

  refreeze-dockerfile-requirements-txt:
    # Don't run this job on forks, but also not on the daily schedule to reduce
    # noise. If we could run this weekly that would be reasonable, but updating
    # these dependencies every day is too much noise.
    #
    if: github.repository == 'jupyterhub/zero-to-jupyterhub-k8s' && github.event_name != 'schedule'
    runs-on: ubuntu-22.04
    environment: watch-dependencies

    steps:
      - uses: actions/checkout@v4

      - name: Refreeze images/*/requirements.txt based on images/*/unfrozen/requirements.txt
        run: ci/refreeze

      - name: git diff
        run: git --no-pager diff --color=always

      # ref: https://github.com/peter-evans/create-pull-request
      - name: Create a PR
        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ secrets.jupyterhub_bot_pat }}"
          author: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
          committer: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
          branch: update-image-requirements
          labels: dependencies
          commit-message: "hub image: refreeze requirements.txt"
          title: "hub image: refreeze requirements.txt"
          body: >-
            The hub image's requirements.txt has been refrozen based on
            unfrozen/requirements.txt.