From aa446619f23152f39cb07b796f0853fbb1e3c8ea Mon Sep 17 00:00:00 2001
From: AsamK
Date: Wed, 22 Apr 2026 22:08:10 +0200
Subject: [PATCH] Add script to update pinned container versions
---
 reproducible-builds/client.Containerfile | 4 +-
 reproducible-builds/native.Containerfile | 4 +-
 .../update-pinned-container-versions.sh | 45 +++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100755 reproducible-builds/update-pinned-container-versions.sh
diff --git a/reproducible-builds/client.Containerfile b/reproducible-builds/client.Containerfile
index 8a8dfa34..c65f1678 100644
--- a/reproducible-builds/client.Containerfile
+++ b/reproducible-builds/client.Containerfile
@@ -1,4 +1,6 @@
-FROM docker.io/rust:1.94.1-slim-trixie@sha256:c6a474d7164ea2455e09b60a759b1edca38db7373c5689c1dae31780de4e71ac
+ARG RUST_TAG="1.94.1-slim-trixie@sha256:c6a474d7164ea2455e09b60a759b1edca38db7373c5689c1dae31780de4e71ac"
+
+FROM docker.io/rust:$RUST_TAG
 ENV SOURCE_DATE_EPOCH=1767225600
 ENV LANG=C.UTF-8
 ENV LC_CTYPE=en_US.UTF-8
diff --git a/reproducible-builds/native.Containerfile b/reproducible-builds/native.Containerfile
index 47cd5ce3..326bb52b 100644
--- a/reproducible-builds/native.Containerfile
+++ b/reproducible-builds/native.Containerfile
@@ -1,4 +1,6 @@
-FROM container-registry.oracle.com/graalvm/native-image:25.0.2@sha256:4c0d5919f6840d89721274eb8cf81962faa2f870b816967e6732e2a151b150d8
+ARG GRAALVM_TAG="25.0.2@sha256:4c0d5919f6840d89721274eb8cf81962faa2f870b816967e6732e2a151b150d8"
+
+FROM container-registry.oracle.com/graalvm/native-image:$GRAALVM_TAG
 ENV SOURCE_DATE_EPOCH=1767225600
 ENV LANG=C.UTF-8
 ENV LC_CTYPE=en_US.UTF-8
diff --git a/reproducible-builds/update-pinned-container-versions.sh b/reproducible-builds/update-pinned-container-versions.sh
new file mode 100755
index 00000000..46b903a7
--- /dev/null
+++ b/reproducible-builds/update-pinned-container-versions.sh
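Review bot: The base image on the new `FROM docker.io/rust:$RUST_TAG` line is no longer fixed by the file alone: any `--build-arg RUST_TAG=…` supplied by a build wrapper replaces the pinned digest without leaving a trace in the Containerfile, which matters for a reproducible-build recipe. The `ARG` line is also machine-edited by update-pinned-container-versions.sh, whose patterns only match the exact form `ARG RUST_TAG="…"` up to end of line, so a trailing comment or dropped quotes would make the script stop with "could not find ARG". A comment above the `ARG` would record both, for example `# Digest pin, rewritten by update-pinned-container-versions.sh; keep the exact ARG NAME="tag@sha256:..." form and do not override it for release builds.` The same applies to `GRAALVM_TAG` in native.Containerfile.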
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/../"
+cd "$ROOT_DIR"
+
+if command -v podman >/dev/null; then
+ ENGINE=podman
+elif command -v docker >/dev/null; then
+ ENGINE=docker
+else
+ echo "error: neither podman nor docker is available" >&2
+ exit 1
+fi
+
+resolve_digest() {
+ local image_ref="$1"
+ "$ENGINE" pull "$image_ref" >/dev/null
+ "$ENGINE" image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$image_ref" \
+ | grep -m1 -E '@sha256:[0-9a-f]{64}$' \
+ | sed -E 's|.*(@sha256:[0-9a-f]{64})$|\1|'
+}
+
+update_arg_tag() {
+ local file="$1"
+ local arg_name="$2"
+ local image_prefix="$3"
+ local current
+ current="$(sed -n "s/^ARG ${arg_name}=\"\([^\"]*\)\"$/\\1/p" "$file")"
+ if [[ -z "$current" ]]; then
+ echo "error: could not find ARG ${arg_name} in $file" >&2
+ exit 1
+ fi
+ local tag
+ tag="${current%@*}"
+ local digest
+ digest="$(resolve_digest "${image_prefix}${tag}")"
+ sed -i -E "s|^ARG ${arg_name}=\"[^\"]+\"$|ARG ${arg_name}=\"${tag}${digest}\"|" "$file"
+ echo "updated $file -> ${tag}${digest}"
+}
+
+update_arg_tag reproducible-builds/build.Containerfile ZULU_TAG docker.io/azul/zulu-openjdk:
+update_arg_tag reproducible-builds/native.Containerfile GRAALVM_TAG container-registry.oracle.com/graalvm/native-image:
+update_arg_tag reproducible-builds/client.Containerfile RUST_TAG docker.io/rust:
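Review bot: In `resolve_digest`, a failed `pull` does not stop the script, because bash clears `errexit` inside the command substitution `digest="$(resolve_digest …)"` that invokes it. If an older copy of the tag is already in local storage, `image inspect` then succeeds and that stale local digest is written into the Containerfile as the new pin. Make the failure explicit with `"$ENGINE" pull "$image_ref" >/dev/null || return 1`, or add `shopt -s inherit_errexit` after the `set` line (bash 4.4+). Separately, the first `update_arg_tag` call targets build.Containerfile, which this patch does not touch; unless that file already declares `ARG ZULU_TAG="…"`, the script exits there before the other two files are updated. Because the digest written is simply what the registry served at run time, the resulting diff should be compared against the upstream-published digest before it is committed.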