Update Docker #24550
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # updatebot | |
| # | |
| # This runs every hour to check if upstream repos have had a new release | |
| # | |
| name: Update Docker | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - scripts/updateDockerImages.sh | |
| - .github/workflows/ansible.yml | |
| - .github/workflows/catprinter.yml | |
| - .github/workflows/dkimpy.yml | |
| - .github/workflows/docker-autocompose.yml | |
| - .github/workflows/ruff.yml | |
| - .github/workflows/sslyze.yml | |
| - .github/workflows/visidata.yml | |
| - .github/workflows/update-docker.yml | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 * * * *" | |
| env: | |
| DOCKER_CLI_EXPERIMENTAL: enabled | |
| REPOSITORY: ${{ github.actor }}/${{ github.workflow }} | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: true | |
| permissions: read-all | |
| jobs: | |
| update-docker: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| # checkout with a PAT configured with workflow access to allow the workflow to check changes back in | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v1 | |
| with: | |
| egress-policy: block | |
| disable-telemetry: true | |
| allowed-endpoints: | |
| aerodent.canonical.com:443 | |
| api.github.com:443 | |
| azure.archive.ubuntu.com:80 | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| pypi.org:443 | |
| security.ubuntu.com:443 | |
| - name: Source checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2 | |
| with: | |
| token: ${{ secrets.UPDATE_SECRET }} | |
| fetch-depth: 1 | |
| - name: Setup SSH keys | |
| env: | |
| BOT_SSH_PRIVATE_KEY: ${{ secrets.JBOT_SSH_PRIVATE_KEY }} | |
| BOT_SSH_PUBLIC_KEY: ${{ secrets.JBOT_SSH_PUBLIC_KEY }} | |
| run: | | |
| mkdir -m 700 -p ~/.ssh | |
| echo "$BOT_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 | |
| echo "$BOT_SSH_PUBLIC_KEY" > ~/.ssh/id_ed25519.pub | |
| chmod 600 ~/.ssh/id_ed25519 | |
| chmod 644 ~/.ssh/id_ed25519.pub | |
| - name: Update dependencies | |
| run: | | |
| git config --global user.name "Jauder Ho Bot" | |
| git config --global user.email "jauderho-bot@users.noreply.github.com" | |
| git config --global pull.rebase false | |
| git config --global user.signingkey ~/.ssh/id_ed25519.pub | |
| git config --global gpg.format ssh | |
| git config --global commit.gpgsign true | |
| PAT="${{ github.actor }}/${{ secrets.UPDATE_SECRET }}" scripts/updateDockerImages.sh | |
| rm -rf ~/.ssh |