dockerfile-updates.yml
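# Weekly job: runs scripts/check-dockerfile-updates.sh against
# packages/core/src/docker/Dockerfile, test-builds the result without pushing
# an image, and opens a pull request carrying the diff when the file changed.
#
# NOTE(review): every `uses:` below references a mutable tag (v3/v6/v8). The
# job token has write scopes, so pinning each action to a full commit SHA
# (tag kept in a trailing comment) stops a moved tag from changing what runs.
name: Check Dockerfile Updates

on:
  schedule:
    # Every Monday at 9am UTC
    - cron: '0 9 * * 1'
  workflow_dispatch:  # Allow manual trigger

# Scopes granted to GITHUB_TOKEN for the whole workflow:
#   contents, pull-requests: consumed by the "Create Pull Request" step
#   packages: consumed by the registry build cache (login + cache-to)
permissions:
  contents: write
  pull-requests: write
  packages: write

env:
  IMAGE_NAME_GHCR: ghcr.io/prizz/opencode-cloud-sandbox

jobs:
  check-updates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Check for updates
        id: check
        env:
          # Visible to everything this step runs, including the update script.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # A `run` step with no explicit shell uses `bash -e` without
          # pipefail, so the pipe into tee below would report tee's exit
          # status and hide a failed version check behind a green run.
          # NOTE(review): if the script signals "updates found" through a
          # non-zero exit code, handle that code explicitly here.
          set -o pipefail

          # Run the update script and capture output
          updates_dir="${RUNNER_TEMP}"
          updates_output_path="${updates_dir}/updates-output.txt"
          updates_output_plain_path="${updates_dir}/updates-output-plain.txt"
          updates_body_path="${updates_dir}/updates.md"
          ./scripts/check-dockerfile-updates.sh --apply 2>&1 | tee "${updates_output_path}"
          # Strip ANSI escape sequences so the PR body holds plain text
          sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' "${updates_output_path}" > "${updates_output_plain_path}"

          # Generate PR body markdown
          cat > "${updates_body_path}" << 'HEADER'
          ## Dockerfile Tool Version Updates
          This PR was automatically generated by the weekly version check workflow.
          ### Changes
          HEADER

          # Check if there are actual changes
          if git diff --quiet packages/core/src/docker/Dockerfile; then
            echo "updates_available=false" >> "$GITHUB_OUTPUT"
            echo "No updates available." >> "${updates_body_path}"
          else
            echo "updates_available=true" >> "$GITHUB_OUTPUT"
            # Add diff summary
            echo '```diff' >> "${updates_body_path}"
            git diff packages/core/src/docker/Dockerfile >> "${updates_body_path}"
            echo '```' >> "${updates_body_path}"
            # Add the script output
            # The output is copied verbatim: a line of three backticks in it
            # would close the fence early and render as markdown in the PR.
            echo "" >> "${updates_body_path}"
            echo "### Version Check Output" >> "${updates_body_path}"
            echo '```' >> "${updates_body_path}"
            cat "${updates_output_plain_path}" >> "${updates_body_path}"
            echo '```' >> "${updates_body_path}"
          fi

          # Add footer
          # The heredoc delimiter is quoted, so the shell expands nothing in
          # it; the repository expression in the link is substituted by the
          # Actions runner before the script starts.
          cat >> "${updates_body_path}" << 'FOOTER'
          ### Testing
          - [ ] Review version changes
          - [ ] Verify no breaking changes in release notes
          - [ ] CI Docker build succeeded
          ---
          *Generated by [dockerfile-updates workflow](https://github.com/${{ github.repository }}/actions/workflows/dockerfile-updates.yml)*
          FOOTER
          echo "updates_body_path=${updates_body_path}" >> "$GITHUB_OUTPUT"

      # Runs on every execution; it has no updates_available condition.
      - name: Verify OCI description label
        run: python3 scripts/extract-oci-description.py packages/core/src/docker/Dockerfile

      - name: Set up Docker Buildx
        if: steps.check.outputs.updates_available == 'true'
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR (cache)
        if: steps.check.outputs.updates_available == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build updated Dockerfile
        if: steps.check.outputs.updates_available == 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: packages/core/src/docker/Dockerfile
          # Build only; no image is pushed from this workflow.
          push: false
          # Dual cache approach:
          # - Registry cache: shared across workflows and runners (best for reuse with publish builds).
          # - GHA cache: fast per-workflow cache that doesn't require registry access.
          # NOTE(review): cache-to exports layers built from the Dockerfile
          # before the update PR is reviewed, into the registry cache that
          # publish builds reuse. Keeping the registry entry in cache-from
          # only would make that cache read-only for this workflow.
          cache-from: |
            type=registry,ref=${{ env.IMAGE_NAME_GHCR }}:buildcache
            type=gha,scope=opencode-cloud-dockerfile-updates,version=2
          cache-to: |
            type=registry,ref=${{ env.IMAGE_NAME_GHCR }}:buildcache,mode=max
            type=gha,scope=opencode-cloud-dockerfile-updates,mode=min,version=2

      - name: Create Pull Request
        if: steps.check.outputs.updates_available == 'true'
        uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          title: "chore(docker): update pinned tool versions"
          body-path: ${{ steps.check.outputs.updates_body_path }}
          branch: dockerfile-version-updates
          commit-message: "chore(docker): update pinned tool versions"
          labels: dependencies,docker
          delete-branch: true
          # Only the Dockerfile is committed; other changes the update script
          # may leave in the working tree stay out of the PR.
          add-paths: packages/core/src/docker/Dockerfile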