From ad11b268763a200c1763a7c69f8c1b877fcacef6 Mon Sep 17 00:00:00 2001 From: Priya Ananthasankar Date: Tue, 30 Dec 2025 11:20:45 -0800 Subject: [PATCH 1/6] GitHub Action to update Pinned libraries --- .github/workflows/update-pinned-libs.yml | 92 ++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 .github/workflows/update-pinned-libs.yml diff --git a/.github/workflows/update-pinned-libs.yml b/.github/workflows/update-pinned-libs.yml new file mode 100644 index 00000000..6f78df06 --- /dev/null +++ b/.github/workflows/update-pinned-libs.yml 
@@ -0,0 +1,92 @@ +name: Update Pinned Library Versions + +on: + schedule: + # Check for updates every day at 6:00 AM UTC + - cron: '0 6 * * *' + workflow_dispatch: # Allow manual trigger + +jobs: + check-library-versions: + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get current Istio version + id: current-istio + run: | + CURRENT_VERSION=$(grep 'ENV ISTIO_VERSION=' linux/base.Dockerfile | cut -d'=' -f2) + echo "version=${CURRENT_VERSION}" >> $GITHUB_OUTPUT + echo "Current Istio version: ${CURRENT_VERSION}" + + - name: Get latest Istio version + id: latest-istio + run: | + LATEST_VERSION=$(curl -s https://api.github.com/repos/istio/istio/releases/latest | jq -r '.tag_name') + echo "version=${LATEST_VERSION}" >> $GITHUB_OUTPUT + echo "Latest Istio version: ${LATEST_VERSION}" + + - name: Compare Istio versions + id: compare-istio + run: | + CURRENT="${{ steps.current-istio.outputs.version }}" + LATEST="${{ steps.latest-istio.outputs.version }}" + + if [ "${CURRENT}" != "${LATEST}" ]; then + echo "needs_update=true" >> $GITHUB_OUTPUT + echo "Istio update needed: ${CURRENT} -> ${LATEST}" + else + echo "needs_update=false" >> $GITHUB_OUTPUT + echo "Istio already on latest version: ${CURRENT}" + fi + + - name: Update Istio in Dockerfile + if: steps.compare-istio.outputs.needs_update == 'true' + run: | + LATEST="${{ steps.latest-istio.outputs.version }}" + sed -i "s/ENV ISTIO_VERSION=.*/ENV ISTIO_VERSION=${LATEST}/" linux/base.Dockerfile + echo "Updated ISTIO_VERSION to ${LATEST}" + + - name: Determine if any updates needed + id: check-updates + run: | + if [ "${{ steps.compare-istio.outputs.needs_update }}" == "true" ]; then + echo "has_updates=true" >> $GITHUB_OUTPUT + else + echo "has_updates=false" >> $GITHUB_OUTPUT + fi + + - name: Create Pull Request + if: steps.check-updates.outputs.has_updates == 'true' + uses: 
peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "chore: update pinned library versions" + title: "chore: update pinned library versions" + body: | + ## Automated Library Version Updates + + This PR updates the following pinned library versions: + + ${{ steps.compare-istio.outputs.needs_update == 'true' && format('- **Istio**: `{0}` → `{1}`', steps.current-istio.outputs.version, steps.latest-istio.outputs.version) || '' }} + + ### Changes + - Updated version variables in [linux/base.Dockerfile](linux/base.Dockerfile) + + ### Release Notes + ${{ steps.compare-istio.outputs.needs_update == 'true' && format('- [Istio {0}](https://github.com/istio/istio/releases/tag/{0})', steps.latest-istio.outputs.version) || '' }} + + --- + *This PR was automatically created by the Update Pinned Library Versions workflow.* + branch: update-pinned-libs-${{ github.run_number }} + delete-branch: true + labels: | + dependencies + automated From 6b57c67efde94b9c9891068f2c4d4819e5ee5f7f Mon Sep 17 00:00:00 2001 From: Priya Ananthasankar Date: Tue, 30 Dec 2025 11:38:59 -0800 Subject: [PATCH 2/6] Update .github/workflows/update-pinned-libs.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/update-pinned-libs.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/update-pinned-libs.yml b/.github/workflows/update-pinned-libs.yml index 6f78df06..eebac91a 100644 --- a/.github/workflows/update-pinned-libs.yml +++ b/.github/workflows/update-pinned-libs.yml @@ -23,6 +23,10 @@ jobs: id: current-istio run: | CURRENT_VERSION=$(grep 'ENV ISTIO_VERSION=' linux/base.Dockerfile | cut -d'=' -f2) + if [ -z "${CURRENT_VERSION}" ]; then + echo "Error: Unable to determine current Istio version from linux/base.Dockerfile" >&2 + exit 1 + fi echo "version=${CURRENT_VERSION}" >> $GITHUB_OUTPUT echo "Current Istio version: ${CURRENT_VERSION}" 
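Review bot: The "Compare Istio versions" and "Update Istio in Dockerfile" steps paste `${{ steps.latest-istio.outputs.version }}` straight into the `run:` script, so a release tag fetched from the GitHub API is expanded into shell source before bash parses it, in a job that holds `contents: write` and `pull-requests: write`. Pass the step outputs through `env:` and read them as `"$CURRENT"` / `"$LATEST"`, so the value is only ever data; the same `LATEST="${{ ... }}"` assignment is kept in the later `@@ -65,7 +65,20 @@` hunk of this series. Separately, `actions/checkout@v4` and `peter-evans/create-pull-request@v6` are referenced by mutable tags; pinning both to a full commit SHA, with the tag in a trailing comment, keeps a retagged action from running with this job's write token.

```yaml
      - name: Compare Istio versions
        id: compare-istio
        env:
          CURRENT: ${{ steps.current-istio.outputs.version }}
          LATEST: ${{ steps.latest-istio.outputs.version }}
        run: |
          # … unchanged: comparison and needs_update output, minus the two CURRENT=/LATEST= assignments …

      - name: Update Istio in Dockerfile
        if: steps.compare-istio.outputs.needs_update == 'true'
        env:
          LATEST: ${{ steps.latest-istio.outputs.version }}
        run: |
          # … unchanged: sed update of linux/base.Dockerfile, minus the LATEST= assignment …
```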
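Review bot: The added emptiness check does not cover a multi-line match: `grep 'ENV ISTIO_VERSION='` is unanchored, so a commented-out or second `ENV ISTIO_VERSION=` line would make `CURRENT_VERSION` span several lines and be written as-is to `$GITHUB_OUTPUT`. Anchoring and limiting the match, `CURRENT_VERSION=$(grep -m1 '^ENV ISTIO_VERSION=' linux/base.Dockerfile | cut -d'=' -f2-)`, also keeps this step consistent with the `^ENV ISTIO_VERSION=` pattern the update step uses later in the series. Quoting the redirect target as `>> "$GITHUB_OUTPUT"` is the safer habit as well. The step's `- name:` line is outside this hunk.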
From bf112ee4a3a4001f04a5cee48f268f3f8a987d58 Mon Sep 17 00:00:00 2001 From: Priya Ananthasankar Date: Tue, 30 Dec 2025 11:39:38 -0800 Subject: [PATCH 3/6] Update .github/workflows/update-pinned-libs.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/update-pinned-libs.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-pinned-libs.yml b/.github/workflows/update-pinned-libs.yml index eebac91a..bb1618a6 100644 --- a/.github/workflows/update-pinned-libs.yml +++ b/.github/workflows/update-pinned-libs.yml @@ -33,7 +33,17 @@ jobs: - name: Get latest Istio version id: latest-istio run: | - LATEST_VERSION=$(curl -s https://api.github.com/repos/istio/istio/releases/latest | jq -r '.tag_name') + set -e + LATEST_VERSION=$(curl -fsSL https://api.github.com/repos/istio/istio/releases/latest | jq -er '.tag_name') || { + echo "Error: Failed to fetch latest Istio release information from GitHub API." >&2 + exit 1 + } + + if [ -z "${LATEST_VERSION}" ] || [ "${LATEST_VERSION}" = "null" ]; then + echo "Error: Received empty or invalid latest Istio version from GitHub API." >&2 + exit 1 + fi + echo "version=${LATEST_VERSION}" >> $GITHUB_OUTPUT echo "Latest Istio version: ${LATEST_VERSION}" From 7dcad71b1efbb24b4f6a8b4205a6c58426a3ac55 Mon Sep 17 00:00:00 2001 From: Priya Ananthasankar Date: Tue, 30 Dec 2025 11:39:56 -0800 Subject: [PATCH 4/6] Update .github/workflows/update-pinned-libs.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/update-pinned-libs.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-pinned-libs.yml b/.github/workflows/update-pinned-libs.yml index bb1618a6..206ec3bb 100644 --- a/.github/workflows/update-pinned-libs.yml +++ b/.github/workflows/update-pinned-libs.yml 
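Review bot: The new guard only rejects an empty or `null` tag, so any other string returned in `.tag_name` is still written to `$GITHUB_OUTPUT` and later reaches the `sed` expression and `linux/base.Dockerfile`. A format check right after the fetch would close that, for example `[[ "${LATEST_VERSION}" =~ ^[0-9]+(\.[0-9]+){2}$ ]] || { echo "Error: unexpected Istio tag format" >&2; exit 1; }`, with the pattern adjusted to whatever tag shape the Dockerfile expects. The request is also unauthenticated, which on shared runner addresses can run into the API rate limit; sending the job token in an `Authorization` header would likely avoid spurious failures.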
@@ -65,7 +65,20 @@ jobs: if: steps.compare-istio.outputs.needs_update == 'true' run: | LATEST="${{ steps.latest-istio.outputs.version }}" - sed -i "s/ENV ISTIO_VERSION=.*/ENV ISTIO_VERSION=${LATEST}/" linux/base.Dockerfile + + # Ensure the expected ENV ISTIO_VERSION line exists before attempting to update + if ! grep -q '^ENV ISTIO_VERSION=' linux/base.Dockerfile; then + echo "Error: Could not find 'ENV ISTIO_VERSION=' line in linux/base.Dockerfile" + exit 1 + fi + + sed -i "s/^ENV ISTIO_VERSION=.*/ENV ISTIO_VERSION=${LATEST}/" linux/base.Dockerfile + + # Verify that the update was applied successfully + if ! grep -q "^ENV ISTIO_VERSION=${LATEST}$" linux/base.Dockerfile; then + echo "Error: Failed to update ISTIO_VERSION to ${LATEST} in linux/base.Dockerfile" + exit 1 + fi echo "Updated ISTIO_VERSION to ${LATEST}" - name: Determine if any updates needed From 44d4fd49298b012986c32603415489e49a5b74b3 Mon Sep 17 00:00:00 2001 From: Priya Ananthasankar Date: Tue, 30 Dec 2025 11:40:16 -0800 Subject: [PATCH 5/6] Update .github/workflows/update-pinned-libs.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/update-pinned-libs.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.github/workflows/update-pinned-libs.yml b/.github/workflows/update-pinned-libs.yml index 206ec3bb..e0887b09 100644 --- a/.github/workflows/update-pinned-libs.yml +++ b/.github/workflows/update-pinned-libs.yml 
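Review bot: The verification `grep -q "^ENV ISTIO_VERSION=${LATEST}$"` treats the version as a regular expression, so each `.` matches any character and the check can pass on a line that is not the exact expected value; `grep -qxF "ENV ISTIO_VERSION=${LATEST}" linux/base.Dockerfile` compares the whole line literally. The `sed` replacement has the related problem that a `/`, `&` or `\` in `${LATEST}` changes the expression, which is another reason to validate the tag format before it reaches this step. The two new error messages go to stdout while the other steps in this file use `>&2`; adding `>&2` here keeps them consistent. The step's `- name:` line lies above the hunk.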
@@ -81,17 +81,8 @@ jobs: fi echo "Updated ISTIO_VERSION to ${LATEST}" - - name: Determine if any updates needed - id: check-updates - run: | - if [ "${{ steps.compare-istio.outputs.needs_update }}" == "true" ]; then - echo "has_updates=true" >> $GITHUB_OUTPUT - else - echo "has_updates=false" >> $GITHUB_OUTPUT - fi - - name: Create Pull Request - if: steps.check-updates.outputs.has_updates == 'true' + if: steps.compare-istio.outputs.needs_update == 'true' uses: peter-evans/create-pull-request@v6 with: token: ${{ secrets.GITHUB_TOKEN }} From 586ad7f50419de661698f9d0c9170845567deb8d Mon Sep 17 00:00:00 2001 From: Priya Ananthasankar Date: Tue, 30 Dec 2025 11:41:02 -0800 Subject: [PATCH 6/6] Run once every 2 weeks --- .github/workflows/update-pinned-libs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-pinned-libs.yml b/.github/workflows/update-pinned-libs.yml index e0887b09..58c8461e 100644 --- a/.github/workflows/update-pinned-libs.yml +++ b/.github/workflows/update-pinned-libs.yml @@ -2,8 +2,8 @@ name: Update Pinned Library Versions on: schedule: - # Check for updates every day at 6:00 AM UTC - - cron: '0 6 * * *' + # Check for updates every 2 weeks (1st and 15th of each month) at 6:00 AM UTC + - cron: '0 6 1,15 * *' workflow_dispatch: # Allow manual trigger jobs:
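Review bot: Moving from a daily to a twice-monthly schedule in the `@@ -2,8 +2,8 @@` hunk means an Istio security release can wait roughly two weeks before the bump PR is opened, and the new comment does not say so. I would extend it, e.g. `# Runs on the 1st and 15th at 06:00 UTC; trigger workflow_dispatch manually when an Istio security release is published`.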