20 changes: 9 additions & 11 deletions .github/PULL_REQUEST_TEMPLATE.md
@@ -1,18 +1,16 @@
## What

## Why

## Notes
<!-- Add any notes here -->

## Labels

Assign the following labels to the PR:

`security` - to trigger image scanning in CI build
<!--
Describe the changes briefly yet comprehensively.
Link relevant Linear issues, e.g.:
Closes CF-1234
-->

## PR Comments

Add the following comments to the PR:

`/e2e` - to trigger E2E build
* `/e2e` - to trigger E2E build
* `/bump patch` - to bump the patch version
* `/bump minor` - to bump the minor version
* `/bump major` - to bump the major version
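--- a/.github/actions/bump-version/action.yml
+++ b/.github/actions/bump-version/action.yml
@@ -0,0 +1,87 @@
+name: Bump version
+description: Compute and apply a semver bump to service.yaml, commit, push, and report on the PR.
+
+inputs:
+bump:
+description: Version component to bump (major, minor, or patch)
+required: true
+base:
+description: Base branch name
+required: true
+head:
+description: Head branch name
+required: true
+pr:
+description: Pull request number
+required: true
+github-token:
+description: GitHub token
+required: true
+
+runs:
+using: composite
+steps:
+- name: Check out PR branch
+uses: actions/checkout@v4
+with:
+ref: ${{ inputs.head }}
+fetch-depth: 0
+token: ${{ inputs.github-token }}
+
+- name: Compute and apply version bump
+id: bump
+shell: bash
+env:
+BUMP: ${{ inputs.bump }}
+BASE: ${{ inputs.base }}
+run: |
+git fetch origin "$BASE" --depth=1
+base_version=$(git show "origin/$BASE:service.yaml" | grep '^version:' | awk '{print $2}')
+echo "Base ($BASE) version: $base_version"
+
+IFS='.' read -r major minor patch <<< "$base_version"
+case "$BUMP" in
+major) major=$((major + 1)); minor=0; patch=0 ;;
+minor) minor=$((minor + 1)); patch=0 ;;
+patch) patch=$((patch + 1)) ;;
+esac
+new_version="${major}.${minor}.${patch}"
+echo "New version: $new_version"
+echo "new_version=$new_version" >> "$GITHUB_OUTPUT"
+echo "base_version=$base_version" >> "$GITHUB_OUTPUT"
+
+# Reset to base version first, then apply bump — result depends only on
+# base branch, never on a previous bump.
+sed -i "s/^version:.*/version: $new_version/" service.yaml
+
+if git diff --quiet -- service.yaml; then
+echo "changed=false" >> "$GITHUB_OUTPUT"
+else
+echo "changed=true" >> "$GITHUB_OUTPUT"
+fi
+
+- name: Commit and push
+if: steps.bump.outputs.changed == 'true'
+shell: bash
+env:
+NEW_VERSION: ${{ steps.bump.outputs.new_version }}
+HEAD: ${{ inputs.head }}
+run: |
+git config user.name 'github-actions[bot]'
+git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+git add service.yaml
+git commit -m "ci: bump version to ${NEW_VERSION}"
+git push origin "HEAD:${HEAD}"
+
+- name: Report result
+shell: bash
+env:
+GH_TOKEN: ${{ inputs.github-token }}
+PR: ${{ inputs.pr }}
+run: |
+if [ '${{ steps.bump.outputs.changed }}' = 'true' ]; then
+body="✅ Bumped version to \`${{ steps.bump.outputs.new_version }}\` (\`${{ inputs.bump }}\` from \`${{ steps.bump.outputs.base_version }}\` on \`${{ inputs.base }}\`)."
+else
+body="ℹ️ Version is already \`${{ steps.bump.outputs.new_version }}\` (\`${{ inputs.bump }}\` from \`${{ steps.bump.outputs.base_version }}\` on \`${{ inputs.base }}\`). Nothing to do."
+fi
+gh pr comment "$PR" --repo "${{ github.repository }}" --body "$body"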
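Review bot: `base_version`, taken from `git show "origin/$BASE:service.yaml" | grep '^version:' | awk '{print $2}'` in the Compute and apply version bump step, is never validated, so an empty or non-numeric value (no `version:` key, a quoted value, a pre-release suffix) flows into `read` and the `$((major + 1))` arithmetic, where bash treats a missing field as 0 and would happily commit `1.0.0`, and then into the sed replacement unescaped. Add a MAJOR.MINOR.PATCH check right after the extraction and a rejecting default arm in the `case`, as below. Separately, the Report result step splices `steps.bump.outputs.*`, `inputs.bump` and `inputs.base` directly into the script text, unlike every other step in this action which passes values through `env:`; routing them as `CHANGED`, `NEW_VERSION`, `BASE_VERSION`, `BUMP` and `BASE` env entries keeps branch names and file-derived strings out of the shell source.
```yaml
          base_version=$(git show "origin/$BASE:service.yaml" | grep '^version:' | awk '{print $2}')
          # Refuse anything that is not a plain MAJOR.MINOR.PATCH: the arithmetic
          # below treats an empty field as 0 and sed would take the value verbatim.
          if ! [[ "$base_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Could not read a MAJOR.MINOR.PATCH version from service.yaml on $BASE"
            exit 1
          fi
          # … unchanged: echo, IFS read …
          case "$BUMP" in
            # … unchanged: major/minor/patch arms …
            *) echo "::error::Unsupported bump component: '$BUMP'"; exit 1 ;;
          esac
          # … unchanged: output writing, sed, changed= detection …
```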
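--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,57 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+
+registries:
+docker-registry:
+type: docker-registry
+url: https://registry.hub.docker.com
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+multi-ecosystem-groups:
+docker-weekly:
+schedule:
+interval: "weekly"
+
+updates:
+- package-ecosystem: "gomod"
+directory: "/cleaner/dind-cleaner"
+schedule:
+interval: "weekly"
+labels:
+- "dependabot"
+- "review-required"
+- "gomod"
+cooldown:
+default-days: 7
+groups:
+minor-and-patch-security:
+applies-to: security-updates
+update-types:
+- "minor"
+- "patch"
+
+- package-ecosystem: "docker"
+directory: "/"
+registries: "*"
+schedule:
+interval: "weekly"
+labels:
+- "dependabot"
+- "review-required"
+- "docker"
+multi-ecosystem-group: "docker-weekly"
+patterns:
+- "*"
+ignore:
+- dependency-name: "octopusdeploy/dhi-golang"
+update-types:
+- version-update:semver-major
+- dependency-name: "octopusdeploy/dhi-node-exporter"
+update-types:
+- version-update:semver-major
+- dependency-name: "docker"
+update-types:
+- version-update:semver-major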
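Review bot: The `docker` update entry has no `cooldown`, while the `gomod` entry sets `default-days: 7`; if the week-long delay is meant to apply to image updates as well, add `cooldown:` / `default-days: 7` under the docker entry, otherwise a comment saying why images are exempt would help. The `ignore` rule for `dependency-name: "docker"` presumably targets the `docker:${DOCKER_VERSION}-dind` stage, whose tag is supplied by a build ARG rather than written literally; whether Dependabot resolves ARG-driven tags for this entry is worth confirming, since if it does not the rule is inert. The `"dependabot"` label also drives the auto-bump workflow in this PR, which deserves a comment next to each `labels` list, e.g. `# "dependabot" triggers .github/workflows/dependabot-version-bump.yml`, so the two files are not changed independently.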
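--- a/.github/workflows/dependabot-version-bump.yml
+++ b/.github/workflows/dependabot-version-bump.yml
@@ -0,0 +1,38 @@
+name: Auto bump patch version for dependabot PRs
+
+# Bumps the "version" field in service.yaml (patch increment) whenever a PR
+# with the "dependabot" label is opened or has the label added.
+#
+# The new version is always computed relative to the PR's target (base) branch,
+# so re-labelling never stacks bumps — the result is always base + 1 patch.
+
+on:
+pull_request:
+types: [opened, labeled]
+
+permissions:
+contents: write
+pull-requests: write
+
+jobs:
+bump-version:
+if: contains(github.event.pull_request.labels.*.name, 'dependabot')
+runs-on: ubuntu-latest
+steps:
+- name: Resolve PR branches
+id: pr
+run: |
+echo "head=${{ github.event.pull_request.head.ref }}" >> "$GITHUB_OUTPUT"
+echo "base=${{ github.event.pull_request.base.ref }}" >> "$GITHUB_OUTPUT"
+
+- name: Check out repository
+uses: actions/checkout@v4
+
+- name: Bump patch version
+uses: ./.github/actions/bump-version
+with:
+bump: patch
+base: ${{ steps.pr.outputs.base }}
+head: ${{ steps.pr.outputs.head }}
+pr: ${{ github.event.pull_request.number }}
+github-token: ${{ secrets.GITHUB_TOKEN }}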
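Review bot: The Resolve PR branches step writes `${{ github.event.pull_request.head.ref }}` and `${{ github.event.pull_request.base.ref }}` straight into the `run:` script, which is the expression-injection pattern GitHub's security-hardening guide singles out: the head branch name is chosen by the PR author, so whatever it contains becomes runner shell text. The `dependabot` label gate narrows the exposure but does not remove it, since applying a label needs only triage access rather than write. Route both values through `env:` and reference them as shell variables, as the sibling workflow in this PR already does for the comment body, so the branch names are data rather than code.
```yaml
      - name: Resolve PR branches
        id: pr
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          echo "head=$HEAD_REF" >> "$GITHUB_OUTPUT"
          echo "base=$BASE_REF" >> "$GITHUB_OUTPUT"
```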
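--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -0,0 +1,81 @@
+name: Bump version on comment
+
+# Bumps the "version" field in service.yaml when a maintainer comments
+# "/bump major", "/bump minor" or "/bump patch" on a pull request.
+#
+# The new version is always computed relative to the PR's target (base) branch,
+# so commenting several times only ever produces a single bump from the base —
+# it never stacks on top of a previous comment.
+
+on:
+issue_comment:
+types: [created]
+
+permissions:
+contents: write
+pull-requests: write
+
+jobs:
+bump-version:
+# Only run on PR comments, only for users that can write to the repo, and
+# only when the comment is one of the supported /bump commands.
+if: >
+github.event.issue.pull_request &&
+contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association) &&
+(startsWith(github.event.comment.body, '/bump major') ||
+startsWith(github.event.comment.body, '/bump minor') ||
+startsWith(github.event.comment.body, '/bump patch'))
+runs-on: ubuntu-latest
+steps:
+- name: Acknowledge command
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+gh api \
+--method POST \
+"/repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions" \
+-f content='eyes'
+
+- name: Parse command
+id: parse
+env:
+COMMENT_BODY: ${{ github.event.comment.body }}
+run: |
+# Pass the comment via env (never interpolated into the script) to
+# avoid shell injection from untrusted comment content.
+# Only parse the first line: integrations (e.g. Linear) may append
+# extra lines such as "<!-- linear:isThreadRoot -->".
+bump=$(printf '%s' "$COMMENT_BODY" | awk 'NR==1{print $2}')
+case "$bump" in
+major|minor|patch)
+echo "bump=$bump" >> "$GITHUB_OUTPUT"
+;;
+*)
+echo "::error::Unsupported version command: '$bump'"
+exit 1
+;;
+esac
+
+- name: Resolve PR branches
+id: pr
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+gh pr view "${{ github.event.issue.number }}" \
+--repo "${{ github.repository }}" \
+--json headRefName,baseRefName \
+> pr.json
+echo "head=$(jq -r .headRefName pr.json)" >> "$GITHUB_OUTPUT"
+echo "base=$(jq -r .baseRefName pr.json)" >> "$GITHUB_OUTPUT"
+
+- name: Check out repository
+uses: actions/checkout@v4
+
+- name: Bump version
+uses: ./.github/actions/bump-version
+with:
+bump: ${{ steps.parse.outputs.bump }}
+base: ${{ steps.pr.outputs.base }}
+head: ${{ steps.pr.outputs.head }}
+pr: ${{ github.event.issue.number }}
+github-token: ${{ secrets.GITHUB_TOKEN }}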
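Review bot: The comment above the job `if:` promises the job runs "only for users that can write to the repo", but `author_association` values `MEMBER` and `COLLABORATOR` do not imply write access — `MEMBER` is any member of the organisation and `COLLABORATOR` any invited collaborator, read-only ones included — so the gate is looser than documented while the job holds `contents: write` and pushes to the PR branch. Either reword the comment to `# only for org members and invited collaborators (author_association does not check repo permission)`, or add a step before Acknowledge command that resolves the commenter's actual repository permission and fails otherwise, as below; `github.event.comment.user.login` is present in the `issue_comment` payload.
```yaml
      - name: Require write permission
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.event.comment.user.login }}
        run: |
          perm=$(gh api "/repos/${GITHUB_REPOSITORY}/collaborators/${ACTOR}/permission" --jq .permission)
          case "$perm" in
            admin|write) ;;
            *) echo "::error::Commenter does not have write access (permission: $perm)"; exit 1 ;;
          esac
      # … unchanged: Acknowledge command, Parse command, Resolve PR branches, checkout, Bump version …
```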
18 changes: 9 additions & 9 deletions Dockerfile
@@ -1,8 +1,8 @@
# CI relies on this ARG. Don't remove or rename it
ARG DOCKER_VERSION=29.5.3

# dind-cleaner
FROM golang:1.26-alpine3.23 AS cleaner
# DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang
FROM octopusdeploy/dhi-golang:1.26-alpine3.24-dev@sha256:e48a91483983467f426cae8656aa16be252c6f2e290125e10db01259352a54ca AS cleaner
COPY cleaner/dind-cleaner/* /go/src/github.com/codefresh-io/dind-cleaner/
WORKDIR /go/src/github.com/codefresh-io/dind-cleaner/
RUN go mod tidy
Expand All @@ -12,12 +12,15 @@ RUN CGO_ENABLED=0 go build -o /usr/local/bin/dind-cleaner ./cmd \
&& rm -rf /go/*


# bbolt
FROM golang:1.26-alpine3.23 AS bbolt
# DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang
FROM octopusdeploy/dhi-golang:1.26-alpine3.24-dev@sha256:e48a91483983467f426cae8656aa16be252c6f2e290125e10db01259352a54ca AS bbolt
RUN go install go.etcd.io/bbolt/cmd/bbolt@latest


# Main
# DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-node-exporter
FROM octopusdeploy/dhi-node-exporter:1.11.1-alpine3.23@sha256:8cd8b3f56f6c319a03c7a2224e99d07e34241ae9ced308df5a6fee41d61ea905 AS node-exporter


FROM docker:${DOCKER_VERSION}-dind AS prod
RUN echo 'http://dl-cdn.alpinelinux.org/alpine/v3.23/main' >> /etc/apk/repositories \
&& apk upgrade && apk add --no-cache \
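Review bot: The bbolt stage still runs `go install go.etcd.io/bbolt/cmd/bbolt@latest`, so the binary copied into the final image is whatever happened to be tagged latest at build time, while the very same hunk pins every base image to a digest; the FROM lines are now reproducible but the build as a whole is not, and a compromised or broken bbolt release would land in the image unreviewed. Pin the module to an explicit version, `go install go.etcd.io/bbolt/cmd/bbolt@<PINNED_VERSION>` (placeholder — take it from a release you have verified), so that moving bbolt is a reviewed change rather than a build-time resolution.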
Expand All @@ -30,12 +33,9 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/v3.23/main' >> /etc/apk/repositor
# Backward compatibility with kernels that do not support `iptables-nft`. Check #CR-23033 for details.
RUN update-alternatives --install $(which iptables) iptables $(which iptables-legacy) 10 \
&& update-alternatives --install $(which ip6tables) ip6tables $(which ip6tables-legacy) 10
# DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-node-exporter
COPY --from=docker.io/octopusdeploy/dhi-node-exporter:1.11.1-alpine3.23@sha256:8cd8b3f56f6c319a03c7a2224e99d07e34241ae9ced308df5a6fee41d61ea905 /usr/bin/node_exporter /bin/
COPY --from=node-exporter /usr/bin/node_exporter /bin/
COPY --from=bbolt /go/bin/bbolt /bin/
COPY --from=cleaner /usr/local/bin/dind-cleaner /bin/

WORKDIR /dind
ADD . /dind

ENTRYPOINT ["./run.sh"]
15 changes: 7 additions & 8 deletions cleaner/dind-cleaner/cmd/main.go
Expand Up @@ -18,14 +18,13 @@ package main

import (
"bufio"
"context"
"flag"
"github.com/docker/docker/api/types/image"
"os"
"time"

"github.com/docker/docker/client"
"github.com/golang/glog"
"golang.org/x/net/context"
"github.com/moby/moby/client"
)

func readFileLines(path string) ([]string, error) {
Expand Down Expand Up @@ -75,7 +74,7 @@ func cleanImages(retainedImagesList []string, retainPeriod int64) {
os.Setenv("DOCKER_API_VERSION", "1.35")
}

cli, err := client.NewClientWithOpts(
cli, err := client.New(
client.FromEnv,
)
if err != nil {
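Review bot: `DOCKER_API_VERSION` is still forced to `1.35` just above the new `client.New(client.FromEnv)` call, a value that was chosen for the previous `github.com/docker/docker/client` library; whether `client.FromEnv` in `github.com/moby/moby/client` still honours that variable, and whether the image list and remove calls used later in this function behave the same at API 1.35, is not visible in the hunk and is worth confirming as part of the migration. A one-line comment on the `os.Setenv` such as `// Pin API version for older daemons; re-check after client library upgrades` would record why the pin exists. cleanImages starts and ends outside this hunk.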
Expand Down Expand Up @@ -106,17 +105,17 @@ func cleanImages(retainedImagesList []string, retainPeriod int64) {

// 1. Get All Images
ctx := context.Background()
imagesFullList, err := cli.ImageList(ctx, image.ListOptions{All: true})
imagesFullList, err := cli.ImageList(ctx, client.ImageListOptions{All: true})
if err != nil {
panic(err)
}

glog.Infof("Found %d images in docker", len(imagesFullList))
glog.Infof("Found %d images in docker", len(imagesFullList.Items))

currentTs := time.Now().Unix()
// 2. fill map of imageToCleanStruct
images := make(map[string]*imageToCleanStruct)
for _, img := range imagesFullList {
for _, img := range imagesFullList.Items {
images[img.ID] = &imageToCleanStruct{
ID: img.ID,
Created: img.Created,
Expand Down Expand Up @@ -176,7 +175,7 @@ func cleanImages(retainedImagesList []string, retainPeriod int64) {
// add image delete here
var err error
if !*dryRun {
_, err = cli.ImageRemove(ctx, imageID, image.RemoveOptions{Force: true, PruneChildren: false})
_, err = cli.ImageRemove(ctx, imageID, client.ImageRemoveOptions{Force: true, PruneChildren: false})
} else {
glog.Infof("DRY RUN - do not actually delete")
}