@@ -28,26 +28,43 @@ jobs:
2828 - name : Get latest ubuntu 24.04 digest
2929 id : ubuntu
3030 run : |
31- digest=$(docker buildx imagetools inspect docker.io/library/ubuntu:24.04 | awk '/Digest: sha256:/ {print $2; exit}')
31+ set -euo pipefail
32+ digest=$(docker buildx imagetools inspect ubuntu:24.04 --format '{{.Digest}}' || true)
33+ if [ -z "$digest" ] || [ "$digest" = "<no value>" ]; then
34+ digest=$(docker buildx imagetools inspect ubuntu:24.04 | awk '/^Digest: sha256:/ {print $2; exit}')
35+ fi
36+ if [ -z "$digest" ]; then
37+ echo "Failed to resolve ubuntu:24.04 digest" 1>&2
38+ exit 1
39+ fi
3240 echo "digest=$digest" >> "$GITHUB_OUTPUT"
3341
3442 - name : Update UBUNTU_BASE_IMAGE if needed
3543 id : update_ubuntu
3644 working-directory : python
3745 run : |
38- current=$(grep '^UBUNTU_BASE_IMAGE=' generate_dockerfile.sh | sed -E 's/.*@([^\"]+)\"?/\1/')
39- if [ "$current" != "${{ steps.ubuntu.outputs.digest }}" ]; then
40- sed -i -E "s|^UBUNTU_BASE_IMAGE=.*$|UBUNTU_BASE_IMAGE=\"ubuntu:24.04@${{ steps.ubuntu.outputs.digest }}\"|g" generate_dockerfile.sh
41- echo "updated=true" >> "$GITHUB_OUTPUT"
42- else
46+ set -euo pipefail
47+ new_line="UBUNTU_BASE_IMAGE=\"ubuntu:24.04@${{ steps.ubuntu.outputs.digest }}\""
48+ if grep -q "^${new_line}$" generate_dockerfile.sh; then
4349 echo "updated=false" >> "$GITHUB_OUTPUT"
50+ else
51+ sed -i -E "0,/^UBUNTU_BASE_IMAGE=/{s|^UBUNTU_BASE_IMAGE=.*$|${new_line}|}" generate_dockerfile.sh
52+ echo "updated=true" >> "$GITHUB_OUTPUT"
4453 fi
4554
4655 - name : Try to update dockerfile
4756 working-directory : python
4857 run : |
4958 bash generate_dockerfile.sh
5059
60+ - name : Verify Ubuntu digest is pinned in Dockerfiles
61+ run : |
62+ set -euo pipefail
63+ for f in python/Dockerfile_*; do
64+ echo "Checking $f"
65+ grep -q '^FROM ubuntu:24\.04@sha256:' "$f"
66+ done
67+
5168 - name : Create Pull Request
5269 uses : peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
5370 with :
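Review bot: The digest from the `ubuntu` step is checked only for being non-empty, and the update step then expands `${{ steps.ubuntu.outputs.digest }}` straight into the script text, where it ends up inside a `grep` pattern and a `sed` replacement. Since that value is registry/tool output, I would reject anything that is not a well-formed digest before writing it to `$GITHUB_OUTPUT`, e.g. `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "Unexpected digest: $digest" >&2; exit 1; }`, and hand it to the later step through `env:` (`DIGEST: ${{ steps.ubuntu.outputs.digest }}`) instead of inline expansion. The comparison would also be safer as a fixed-string whole-line match, `grep -qxF -- "$new_line" generate_dockerfile.sh`, because the `.` in `24.04` is currently a regex wildcard. The new verify step only proves that some `sha256:` pin is present in each `python/Dockerfile_*`, not that it is the digest just resolved; comparing against the step output would close that gap. The steps list begins above this hunk and the Create Pull Request step continues below it.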