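# update-docker-image.yml
#
# Looks up a checkmarx/ast-cli image tag and its manifest digest on Docker Hub
# and, when that tag differs from the one in the Dockerfile, opens a pull
# request that re-pins the FROM line to <tag>@<digest>.
name: Update Dockerfile Base Image

on:
  workflow_dispatch:
    inputs:
      cli_version:
        description: "Specify a version (e.g., 2.3.14). Leave empty for the latest official version."
        required: false
        default: ""
  repository_dispatch:
    types: [cli-version-update]

jobs:
  update-base-image:
    runs-on: ubuntu-latest
    # Write scopes are used by the commit and pull-request steps below.
    permissions:
      contents: write
      pull-requests: write
    steps:
      # NOTE(review): this action is referenced by a mutable tag, while
      # create-pull-request below is pinned to a full commit SHA. Pinning this
      # one to a commit SHA as well keeps the job's action references immutable.
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Get Version and SHA256 Manifest Digest
        id: checkmarx-ast-cli
        env:
          # Handed to the script through the environment instead of being
          # expanded into the script text, so the input is never parsed as
          # shell code.
          CLI_VERSION: ${{ github.event.inputs.cli_version }}
        run: |
          REPO="checkmarx/ast-cli"
          TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${REPO}:pull" | jq -r .token)

          # Fetch the latest version if not provided
          if [[ -n "$CLI_VERSION" ]]; then
            RELEASE_TAG="$CLI_VERSION"
          else
            RELEASE_TAG=$(curl -s -H "Authorization: Bearer $TOKEN" "https://registry.hub.docker.com/v2/${REPO}/tags/list" | \
              jq -r '.tags | map(select(test("^[0-9]+\\.[0-9]+\\.[0-9]+$"))) | sort_by(split(".") | map(tonumber)) | .[-1]')
          fi

          # The tag is later written to $GITHUB_ENV and used in a sed
          # expression, a commit message and a branch name, so only the
          # Docker tag character set is accepted (no newlines, '|', '&', ...).
          TAG_RE='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "$RELEASE_TAG" =~ $TAG_RE ]]; then
            echo "::error::The requested or discovered version is not a valid image tag"
            exit 1
          fi

          DIGEST=$(curl -s -I -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
            "https://registry.hub.docker.com/v2/${REPO}/manifests/${RELEASE_TAG}" | grep -i "Docker-Content-Digest" | awk '{print $2}' | tr -d '\r')

          # A failed lookup leaves DIGEST empty; stop here instead of writing
          # a FROM line with a missing or malformed pin.
          DIGEST_RE='^sha256:[a-f0-9]{64}$'
          if [[ ! "$DIGEST" =~ $DIGEST_RE ]]; then
            echo "::error::The registry did not return a sha256 manifest digest for the requested tag"
            exit 1
          fi

          # Get the current tag from the Dockerfile
          CURRENT_TAG=$(grep -oP '(?<=FROM checkmarx/ast-cli:)[^@]+' Dockerfile)

          echo "RELEASE_TAG=$RELEASE_TAG" >> "$GITHUB_ENV"
          echo "DIGEST=$DIGEST" >> "$GITHUB_ENV"
          echo "CURRENT_TAG=$CURRENT_TAG" >> "$GITHUB_ENV"

      # Only FROM lines that already carry an @sha256 pin are rewritten.
      - name: Update Dockerfile
        if: env.CURRENT_TAG != env.RELEASE_TAG
        run: |
          sed -i "s|FROM checkmarx/ast-cli:.*@sha256:[a-f0-9]*|FROM checkmarx/ast-cli:${RELEASE_TAG}@${DIGEST}|" Dockerfile

      - name: Commit Changes
        if: env.CURRENT_TAG != env.RELEASE_TAG
        run: |
          git config --global user.name "github-actions"
          git config --global user.email "github-actions@github.com"
          git add Dockerfile
          git commit -m "Update checkmarx-ast-cli to ${RELEASE_TAG}"

      - name: Create Pull Request
        id: create_pull_request
        if: env.CURRENT_TAG != env.RELEASE_TAG
        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c
        with:
          # NOTE(review): a separate secret is used here instead of the job's
          # GITHUB_TOKEN; confirm its scope is limited to what this PR needs.
          token: ${{ secrets.AUTOMATION_TOKEN }}
          commit-message: Update checkmarx-ast-cli to ${{ env.RELEASE_TAG }}
          title: Update checkmarx-ast-cli binaries with ${{ env.RELEASE_TAG }}
          body: |
            Updates [checkmarx-ast-cli][1] to ${{ env.RELEASE_TAG }}

            Auto-generated by [create-pull-request][2]

            [1]: https://github.com/Checkmarx/checkmarx-ast-cli
            [2]: https://github.com/peter-evans/create-pull-request
          labels: cxone
          branch: feature/update_cli_${{ env.RELEASE_TAG }}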