Adds GitHub flow to automate busybox container SHAs (#4965)

* Adds github flow to automate busybox container SHAs

Signed-off-by: Rij, W. van (Wiard) <wiard@outlook.com>
Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* fixes formatting

Signed-off-by: Rij, W. van (Wiard) <wiard@outlook.com>
Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* Trigger e2e again

Signed-off-by: Rij, W. van (Wiard) <wiard@outlook.com>
Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* make sure the bot does a signoff...

Signed-off-by: Rij, W. van (Wiard) <wiard@outlook.com>
Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* Trigger e2e again

Signed-off-by: Rij, W. van (Wiard) <wiard@outlook.com>
Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* Adds better comments and create branch per PR

Signed-off-by: Rij, W. van (Wiard) <wiard@outlook.com>
Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* Update Makefile

Adds newline

Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* Update container-version.yaml

Adds newline

Signed-off-by: Wiard van Rij <wiard@pop-os.localdomain>
Signed-off-by: Wiard van Rij <wiard@outlook.com>

* karma - rerun test

Signed-off-by: Wiard van Rij <wiard@outlook.com>

.busybox-versions

@@ -0,0 +1,6 @@
+# Auto generated by busybox-updater.sh. DO NOT EDIT
+amd64=768a51a5f71827471e6e58f0d6200c2fa24f2cb5cde1ecbd67fe28f93d4ef464
+arm64=042d6195e1793b226d1632117cccb4c4906c8ab393b8b68328ad43cf59c64f9d
+arm=239809417d1e79388ae1bdb59c167d86f18ebaad37dafb5a93d241fe3c79b0df
+ppc64le=f30732299f06265688d63a454723a0d718c7509f51b0dacb9bf7f58388bb32b2
+s390x=97babce614354ac9a263fa7c8e48a5b062318a9ae77f6c31179bf6fb2200106f

.github/workflows/container-version.yaml

@@ -0,0 +1,27 @@
+on:
+  schedule:
+    - cron: '37 13 * * *'
+name: busybox-update workflow
+jobs:
+  checkVersionAndCreatePR:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run busybox updater
+        run: |
+          chmod +x ./scripts/busybox-updater.sh
+          ./scripts/busybox-updater.sh
+        shell: bash
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+          signoff: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'Updates busybox SHA'
+          branch: update-sha-action
+          delete-branch: true
+          title: '*: Updates Prometheus BusyBox image SHAs'
+          body: >
+            This PR is auto-generated by 
+            [create-pull-request](https://github.com/peter-evans/create-pull-request).
+          labels: busybox, automated pr

Makefile

@@ -1,4 +1,6 @@
 include .bingo/Variables.mk
+include .busybox-versions
+
 FILES_TO_FMT      ?= $(shell find . -path ./vendor -prune -o -name '*.go' -print)
 MD_FILES_TO_FORMAT = $(shell find docs -name "*.md") $(shell find examples -name "*.md") $(filter-out mixin/runbook.md, $(shell find mixin -name "*.md")) $(shell ls *.md)
 
@@ -11,20 +13,14 @@ GH_INDEX ?= 0
 
 BASE_DOCKER_SHA=''
 arch = $(shell uname -m)
-# Run `DOCKER_CLI_EXPERIMENTAL=enabled docker manifest inspect quay.io/prometheus/busybox:latest` to get SHA or
-# just visit https://quay.io/repository/prometheus/busybox?tag=latest&tab=tags.
-# TODO(bwplotka): https://github.com/thanos-io/thanos/issues/4949
-# Pinning is important but somehow quay kills the old images, so make sure to update regularly.
-# Update at 2021.12.15
-AMD64_SHA="768a51a5f71827471e6e58f0d6200c2fa24f2cb5cde1ecbd67fe28f93d4ef464"
-ARM64_SHA="042d6195e1793b226d1632117cccb4c4906c8ab393b8b68328ad43cf59c64f9d"
 
+# The include .busybox-versions includes the SHA's of all the platforms, which can be used as var.
 ifeq ($(arch), x86_64)
     # amd64
-    BASE_DOCKER_SHA=$(AMD64_SHA)
+    BASE_DOCKER_SHA=${amd64}
 else ifeq ($(arch), armv8)
     # arm64
-    BASE_DOCKER_SHA=$(ARM64_SHA)
+    BASE_DOCKER_SHA=${arm64}
 else
     echo >&2 "only support amd64 or arm64 arch" && exit 1
 endif

scripts/busybox-updater.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# This script is called via .github/workflows/container-version.yaml
+# No need to manually run this (unless you want to force an update NOW)
+
+# Get the tags from the registry, so we can get the base manifest_digest ID
+echo "Doing CURL request 1 of 2: getting tags."
+CURL_TAGS=$(curl --fail --silent --show-error -H "Content-type: application/json" -H "Accept: application/json" https://quay.io/api/v1/repository/prometheus/busybox/tag/ 2>&1)
+if [ $? -ne 0 ]; then
+  echo "Error: ""$CURL_TAGS"
+  exit 1
+fi
+
+MANIFEST_DIGEST=$(echo "${CURL_TAGS}" | jq -r '.tags[]' | jq -r -n 'first(inputs | select (.name=="latest")) | .manifest_digest ')
+
+# With this manifest_digest, we can now fetch the actual manifest, which contains the digest per platform
+echo "Doing CURL request 2/2: getting manifest."
+RESULT_CURL=$(curl --fail --silent --show-error -H "Content-type: application/json" -H "Accept: application/json" https://quay.io/api/v1/repository/prometheus/busybox/manifest/${MANIFEST_DIGEST} 2>&1)
+if [ $? -ne 0 ]; then
+  echo "Error: ""$RESULT_CURL"
+  exit 1
+fi
+
+# Output this as file
+echo "Creating result and writing to .busybox-versions."
+RESULT=$(echo "${RESULT_CURL}" | jq -r '.manifest_data | fromjson | .manifests[] | .platform.architecture +"="+ .digest' | sed 's/sha256://g')
+echo "# Auto generated by busybox-updater.sh. DO NOT EDIT" >./.busybox-versions
+echo "${RESULT}" >>./.busybox-versions