Autogenerate pull requests for base image hash updates (#57557)

willdollman · burmudar · web-flow · commit 9632aa9bc1d0 · 2023-10-12T15:09:41.000Z
* Add pipeline step to run sg wolfi update-hashes

* Remove unused variable

* Testing sg version

* Update sg command

* Test gh cli client

* Ad-hoc install gh-cli

This will later be added to the base agents, so this is just a temporary step

* Commit changes to oci_deps and try using gh to fetch PRs

* Remove sg debug commands

* Fox typoo

* Delete branch if it already exists

This might cause problems with stateful runners - need to confirm

* Add debugging

* Tweak github PR search

* Catch potential error in git br -D

* Enable push and PR creation

* Tweak PR metadata

* Add test plan to PR

* Use a multi-line string

* Remove debug comments

* Comment out unused variable

* Replace `cat` with `git diff` to show changes

* Quiet grep

Co-authored-by: William Bezuidenhout &lt;william.bezuidenhout@sourcegraph.com&gt;

* Add git emoji in output

Co-authored-by: William Bezuidenhout &lt;william.bezuidenhout@sourcegraph.com&gt;

* Add github icon to output

Co-authored-by: William Bezuidenhout &lt;william.bezuidenhout@sourcegraph.com&gt;

---------

Co-authored-by: William Bezuidenhout &lt;william.bezuidenhout@sourcegraph.com&gt;
diff --git a/dev/ci/internal/ci/pipeline.go b/dev/ci/internal/ci/pipeline.go
@@ -196,10 +196,12 @@ func GeneratePipeline(c Config) (*bk.Pipeline, error) {
 		)
 
 	case runtype.WolfiBaseRebuild:
-		// If this is a Wolfi base image rebuild, rebuild all Wolfi base images and push to registry
+		// If this is a Wolfi base image rebuild, rebuild all Wolfi base images
+		// and push to registry, then open a PR
 		baseImageOps := wolfiRebuildAllBaseImages(c)
 		if baseImageOps != nil {
 			ops.Merge(baseImageOps)
+			ops.Merge(wolfiGenerateBaseImagePR())
 		}
 
 	case runtype.CandidatesNoTest:
diff --git a/dev/ci/internal/ci/wolfi_operations.go b/dev/ci/internal/ci/wolfi_operations.go
@@ -325,3 +325,21 @@ func wolfiRebuildAllBaseImages(c Config) *operations.Set {
 
 	return baseImageOps
 }
+
+// wolfiGenerateBaseImagePR updates base image hashes and creates a PR in GitHub
+func wolfiGenerateBaseImagePR() *operations.Set {
+	ops := operations.NewNamedSet("Base Image Update PR")
+
+	ops.Append(
+		func(pipeline *bk.Pipeline) {
+			pipeline.AddStep(":whale::hash: Update Base Image Hashes",
+				bk.Cmd("./dev/ci/scripts/wolfi/update-base-image-hashes.sh"),
+				bk.Agent("queue", "bazel"),
+				bk.DependsOn("buildAllBaseImages"),
+				bk.Key("updateBaseImageHashes"),
+			)
+		},
+	)
+
+	return ops
+}
diff --git a/dev/ci/scripts/wolfi/update-base-image-hashes.sh b/dev/ci/scripts/wolfi/update-base-image-hashes.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+cd "$(dirname "${BASH_SOURCE[0]}")/../../../.."
+
+# Update hashes for all base images
+go run ./dev/sg wolfi update-hashes
+# Print diff
+git diff dev/oci_deps.bzl
+
+# Temporary: Install GitHub CLI
+ghtmpdir=$(mktemp -d -t github-cli.XXXXXXXX)
+curl -L https://github.com/cli/cli/releases/download/v2.36.0/gh_2.36.0_linux_amd64.tar.gz -o "${ghtmpdir}/gh.tar.gz"
+# From https://github.com/cli/cli/releases/download/v2.36.0/gh_2.36.0_checksums.txt
+expected_hash="29ed6c04931e6ac8a5f5f383411d7828902fed22f08b0daf9c8ddb97a89d97ce"
+actual_hash=$(sha256sum "${ghtmpdir}/gh.tar.gz" | cut -d ' ' -f 1)
+if [ "$expected_hash" = "$actual_hash" ]; then
+  echo "Hashes match"
+else
+  echo "Error - hashes do not match!"
+  exit 1
+fi
+tar -xzf "${ghtmpdir}/gh.tar.gz" -C "${ghtmpdir}/"
+cp "${ghtmpdir}/gh_2.36.0_linux_amd64/bin/gh" "/usr/local/bin/"
+# Test gh
+gh --version
+
+BRANCH_NAME="wolfi-autoupdate/main"
+TIMESTAMP=$(TZ=UTC date "+%Y-%m-%d %H:%M:%S %z")
+PR_TITLE="Update Wolfi base images to latest"
+# PR_REVIEWER="sourcegraph/security"
+PR_LABELS="SSDLC,wolfi-auto-update"
+PR_BODY="Automatically generated PR to update Wolfi base images to the latest hashes.
+## Test Plan
+- CI build verifies image functionality"
+
+# Commit changes to dev/oci-deps.bzl
+# Delete branch if it exists; catch status code if not
+git branch -D "${BRANCH_NAME}" || :
+git checkout -b "${BRANCH_NAME}"
+git add dev/oci_deps.bzl
+git commit -m "Automatically update Wolfi base image hashes at ${TIMESTAMP}"
+# git remote set-url token-origin https://sg-test:${GH_TOKEN}@github.com/sourcegraph/sourcegraph.git
+git push --force -u origin "${BRANCH_NAME}"
+echo ":git: Successfully commited changes and pushed to branch ${BRANCH_NAME}"
+
+# Check if an update PR already exists
+if gh pr list --head "${BRANCH_NAME}" --state open | grep -q "${PR_TITLE}"; then
+  echo ":github: A pull request already exists - no action required"
+else
+  # If not, create a new PR from the branch foobar-day
+  # TODO: Once validated add '--reviewer "${PR_REVIEWER}"'
+  gh pr create --title "${PR_TITLE}" --head "${BRANCH_NAME}" --base main --body "${PR_BODY}" --label "${PR_LABELS}"
+  echo ":github: Created a new pull request from branch '${BRANCH_NAME}' with title '${PR_TITLE}'"
+fi

Original file line number	Diff line number	Diff line change
`@@ -196,10 +196,12 @@ func GeneratePipeline(c Config) (*bk.Pipeline, error) {`
`196`	`196`	`)`
`197`	`197`
`198`	`198`	`case runtype.WolfiBaseRebuild:`
`199`		`- // If this is a Wolfi base image rebuild, rebuild all Wolfi base images and push to registry`
	`199`	`+ // If this is a Wolfi base image rebuild, rebuild all Wolfi base images`
	`200`	`+ // and push to registry, then open a PR`
`200`	`201`	`baseImageOps := wolfiRebuildAllBaseImages(c)`
`201`	`202`	`if baseImageOps != nil {`
`202`	`203`	`ops.Merge(baseImageOps)`
	`204`	`+ ops.Merge(wolfiGenerateBaseImagePR())`
`203`	`205`	`}`
`204`	`206`
`205`	`207`	`case runtype.CandidatesNoTest:`