Add script to update pinned container versions

2026-06-10 17:00:18 +00:00 · 2026-04-22 22:08:10 +02:00 · 2026-04-22 22:08:10 +02:00 · aa446619f2
commit aa446619f2
parent 6405655127
3 changed files with 51 additions and 2 deletions
--- a/reproducible-builds/client.Containerfile
+++ b/reproducible-builds/client.Containerfile
@ -1,4 +1,6 @@
-FROM docker.io/rust:1.94.1-slim-trixie@sha256:c6a474d7164ea2455e09b60a759b1edca38db7373c5689c1dae31780de4e71ac
+ARG RUST_TAG="1.94.1-slim-trixie@sha256:c6a474d7164ea2455e09b60a759b1edca38db7373c5689c1dae31780de4e71ac"
+
+FROM docker.io/rust:$RUST_TAG
 ENV SOURCE_DATE_EPOCH=1767225600
 ENV LANG=C.UTF-8
 ENV LC_CTYPE=en_US.UTF-8
--- a/reproducible-builds/native.Containerfile
+++ b/reproducible-builds/native.Containerfile
@ -1,4 +1,6 @@
-FROM container-registry.oracle.com/graalvm/native-image:25.0.2@sha256:4c0d5919f6840d89721274eb8cf81962faa2f870b816967e6732e2a151b150d8
+ARG GRAALVM_TAG="25.0.2@sha256:4c0d5919f6840d89721274eb8cf81962faa2f870b816967e6732e2a151b150d8"
+
+FROM container-registry.oracle.com/graalvm/native-image:$GRAALVM_TAG
 ENV SOURCE_DATE_EPOCH=1767225600
 ENV LANG=C.UTF-8
 ENV LC_CTYPE=en_US.UTF-8
--- a/reproducible-builds/update-pinned-container-versions.sh
+++ b/reproducible-builds/update-pinned-container-versions.sh
@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/../"
+cd "$ROOT_DIR"
+
+if command -v podman >/dev/null; then
+	ENGINE=podman
+elif command -v docker >/dev/null; then
+	ENGINE=docker
+else
+	echo "error: neither podman nor docker is available" >&2
+	exit 1
+fi
+
+resolve_digest() {
+	local image_ref="$1"
+	"$ENGINE" pull "$image_ref" >/dev/null
+	"$ENGINE" image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$image_ref" \
+		| grep -m1 -E '@sha256:[0-9a-f]{64}$' \
+		| sed -E 's|.*(@sha256:[0-9a-f]{64})$|\1|'
+}
+
+update_arg_tag() {
+	local file="$1"
+	local arg_name="$2"
+	local image_prefix="$3"
+	local current
+	current="$(sed -n "s/^ARG ${arg_name}=\"\([^\"]*\)\"$/\\1/p" "$file")"
+	if [[ -z "$current" ]]; then
+		echo "error: could not find ARG ${arg_name} in $file" >&2
+		exit 1
+	fi
+	local tag
+	tag="${current%@*}"
+	local digest
+	digest="$(resolve_digest "${image_prefix}${tag}")"
+	sed -i -E "s|^ARG ${arg_name}=\"[^\"]+\"$|ARG ${arg_name}=\"${tag}${digest}\"|" "$file"
+	echo "updated $file -> ${tag}${digest}"
+}
+
+update_arg_tag reproducible-builds/build.Containerfile ZULU_TAG docker.io/azul/zulu-openjdk:
+update_arg_tag reproducible-builds/native.Containerfile GRAALVM_TAG container-registry.oracle.com/graalvm/native-image:
+update_arg_tag reproducible-builds/client.Containerfile RUST_TAG docker.io/rust: