build: roll github actions automatically

Author: jkleinsc

src/actions-runner-cron.ts

@@ -0,0 +1,9 @@
+import { rollActionsRunner } from './actions-runner-handler';
+
+if (require.main === module) {
+  rollActionsRunner().catch((err: Error) => {
+    console.log('Actions Runner Cron Failed');
+    console.error(err);
+    process.exit(1);
+  });
+}

src/actions-runner-handler.ts

@@ -0,0 +1,62 @@
+import * as debug from 'debug';
+
+import { WINDOWS_DOCKER_FILE, ARC_RUNNER_ENVIRONMENTS } from './constants';
+import { getOctokit } from './utils/octokit';
+
+import { getLatestRunnerImages } from './utils/get-latest-runner-images';
+import {
+  getCurrentWindowsRunnerVersion,
+  getFileContent,
+  currentLinuxImages,
+} from './utils/arc-image';
+import { rollInfra } from './utils/roll-infra';
+
+export async function rollActionsRunner() {
+  const d = debug(`roller/infra:rollActionsRunner()`);
+
+  const octokit = await getOctokit();
+  const { archDigests, latestVersion } = (await getLatestRunnerImages(octokit)) ?? {
+    archDigests: {},
+    latestVersion: '',
+  };
+  if (latestVersion === '') {
+    d('No latest version found for github actions runner, exiting...');
+    return;
+  }
+
+  const windowsDockerFile = await getFileContent(octokit, WINDOWS_DOCKER_FILE);
+  const currentWindowsRunnerVersion = await getCurrentWindowsRunnerVersion(windowsDockerFile.raw);
+  if (currentWindowsRunnerVersion !== latestVersion) {
+    d(`Runner version ${currentWindowsRunnerVersion} is outdated, updating to ${latestVersion}.`);
+    const newDockerFile = windowsDockerFile.raw.replace(currentWindowsRunnerVersion, latestVersion);
+    await rollInfra(
+      `prod/actions-runner`,
+      'github actions runner images',
+      latestVersion,
+      WINDOWS_DOCKER_FILE,
+      newDockerFile,
+    );
+  }
+
+  for (const arcEnv of Object.keys(ARC_RUNNER_ENVIRONMENTS)) {
+    d(`Fetching current version of "${arcEnv}" arc image in: ${ARC_RUNNER_ENVIRONMENTS[arcEnv]}`);
+
+    const runnerFile = await getFileContent(octokit, ARC_RUNNER_ENVIRONMENTS['prod']);
+
+    const currentImages = currentLinuxImages(runnerFile.raw);
+    if (currentImages.amd64 !== archDigests.amd64 || currentImages.arm64 !== archDigests.arm64) {
+      d(`Current linux images in "${arcEnv}" are outdated, updating to ${latestVersion}.`);
+      let newContent = runnerFile.raw.replace(currentImages.amd64, archDigests.amd64);
+      newContent = newContent.replace(currentImages.arm64, archDigests.arm64);
+      await rollInfra(
+        `${arcEnv}/actions-runner`,
+        'github actions runner images',
+        latestVersion,
+        ARC_RUNNER_ENVIRONMENTS[arcEnv],
+        newContent,
+      );
+    } else {
+      d(`Current linux images in "${arcEnv}" are up-to-date, skipping...`);
+    }
+  }
+}

src/constants.ts

@@ -48,6 +48,7 @@ export const NO_BACKPORT = 'no-backport';
 export const ARC_RUNNER_ENVIRONMENTS = {
   prod: 'argo/arc-cluster/runner-sets/runners.yaml',
 };
+export const WINDOWS_DOCKER_FILE = 'docker/windows-actions-runner/Dockerfile';
 export const WINDOWS_DOCKER_IMAGE_NAME = 'windows-actions-runner';
 
 export interface Commit {

src/utils/arc-image.ts

@@ -1,12 +1,12 @@
 import { Octokit } from '@octokit/rest';
-import { MAIN_BRANCH, REPOS } from '../constants';
+import { MAIN_BRANCH, REPOS, WINDOWS_DOCKER_FILE } from '../constants';
 import { getOctokit } from './octokit';
 
+const WINDOWS_RUNNER_REGEX = /ARG RUNNER_VERSION=([\d.]+)/;
 const WINDOWS_IMAGE_REGEX =
   /electronarc\.azurecr\.io\/win-actions-runner:main-[a-f0-9]{7}@sha256:[a-f0-9]{64}/;
-// TODO: Also roll the linux ARC container
-// const LINUX_IMAGE_REGEX =
-//   /ghcr\.io\/actions\/actions-runner:[0-9]+\.[0-9]+\.[0-9]+@sha256:[a-f0-9]{64}/;
+const LINUX_IMAGE_REGEX =
+  /if eq .cpuArch "amd64".*\n.*image: (ghcr.io\/actions\/actions-runner:[0-9]+\.[0-9]+\.[0-9]+@sha256:[a-f0-9]{64}).*\n.*{{- else }}.*\n.*image: (ghcr.io\/actions\/actions-runner:[0-9]+\.[0-9]+\.[0-9]+@sha256:[a-f0-9]{64})/;
 
 export async function getFileContent(octokit: Octokit, filePath: string, ref = MAIN_BRANCH) {
   const { data } = await octokit.repos.getContent({
@@ -24,6 +24,25 @@ export const currentWindowsImage = (content: string) => {
   return content.match(WINDOWS_IMAGE_REGEX)?.[0];
 };
 
+export const currentLinuxImages = (content: string) => {
+  const matches = content.match(LINUX_IMAGE_REGEX);
+  if (!matches || matches.length < 3) {
+    return {
+      amd64: '',
+      arm64: '',
+    };
+  } else {
+    return {
+      amd64: matches[1],
+      arm64: matches[2],
+    };
+  }
+};
+
+export async function getCurrentWindowsRunnerVersion(content: string) {
+  return content.match(WINDOWS_RUNNER_REGEX)?.[1];
+}
+
 export const didFileChangeBetweenShas = async (file: string, sha1: string, sha2: string) => {
   const octokit = await getOctokit();
   const [start, end] = await Promise.all([

src/utils/get-latest-runner-images.ts

@@ -0,0 +1,120 @@
+// get-latest-runner-images.ts
+// Fetches the latest linux/amd64 and linux/arm64 images for actions/runner from GitHub Container Registry
+// Usage: ts-node get-latest-runner-images.ts
+
+import https from 'https';
+import { Octokit } from '@octokit/rest';
+import { getOctokit } from './octokit';
+
+const OWNER = 'actions';
+const PACKAGE = 'actions-runner';
+
+type PackageVersion = {
+  metadata?: {
+    container?: {
+      tags?: string[];
+    };
+  };
+};
+
+type ManifestPlatform = {
+  os?: string;
+  architecture?: string;
+};
+
+type Manifest = {
+  platform?: ManifestPlatform;
+  digest: string;
+};
+
+type ManifestList = {
+  manifests?: Manifest[];
+};
+
+// Helper to fetch JSON from a URL
+function fetchJson(url: string, headers: Record<string, string> = {}): Promise<any> {
+  return new Promise((resolve, reject) => {
+    https
+      .get(url, { headers }, (res) => {
+        let data = '';
+        res.on('data', (chunk) => (data += chunk));
+        res.on('end', () => {
+          if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) {
+            try {
+              resolve(JSON.parse(data));
+            } catch (e) {
+              reject(e);
+            }
+          } else {
+            reject(new Error(`HTTP ${res.statusCode}: ${data}`));
+          }
+        });
+      })
+      .on('error', reject);
+  });
+}
+
+export async function getLatestRunnerImages(
+  octokit: Octokit,
+): Promise<{ archDigests: Record<string, string>; latestVersion: string } | null> {
+  let versions: PackageVersion[];
+  try {
+    const response = await octokit.rest.packages.getAllPackageVersionsForPackageOwnedByOrg({
+      package_type: 'container',
+      package_name: PACKAGE,
+      org: OWNER,
+      per_page: 10,
+    });
+    versions = response.data as PackageVersion[];
+  } catch (e) {
+    console.error('Failed to fetch package versions:', e);
+    return null;
+  }
+
+  // Find the version with the 'latest' tag
+  const latestVersion = versions.find((v) => v.metadata?.container?.tags?.includes('latest'));
+  const tags = latestVersion?.metadata?.container?.tags || [];
+  // Find the first tag that matches a semver version (e.g., 2.315.0)
+  const tagVersion = tags.find((t) => /^\d+\.\d+\.\d+$/.test(t));
+
+  if (!latestVersion || !tagVersion) {
+    console.error("No version with the 'latest' tag found; tags were:", tags);
+    return null;
+  }
+
+  // Fetch the manifest list for the latest tag
+  const manifestUrl = `https://ghcr.io/v2/${OWNER}/${PACKAGE}/manifests/${tagVersion}`;
+  const manifestHeaders = {
+    'User-Agent': 'node.js',
+    Accept: 'application/vnd.oci.image.index.v1+json',
+    Authorization: 'Bearer QQ==',
+  };
+  let manifestList: ManifestList;
+  try {
+    manifestList = await fetchJson(manifestUrl, manifestHeaders);
+  } catch (e) {
+    console.error('Failed to fetch manifest list:', e);
+    return null;
+  }
+
+  // Find digests for linux/amd64 and linux/arm64
+  const archDigests: Record<string, string> = {};
+  for (const manifest of manifestList.manifests || []) {
+    const platform = manifest.platform;
+    if (
+      platform?.os === 'linux' &&
+      (platform.architecture === 'amd64' || platform.architecture === 'arm64')
+    ) {
+      archDigests[platform.architecture] = manifest.digest;
+    }
+  }
+
+  if (!archDigests.amd64 && !archDigests.arm64) {
+    console.error('No linux/amd64 or linux/arm64 digests found in manifest list.');
+    return null;
+  }
+  return {
+    archDigests,
+    latestVersion: tagVersion,
+  };
+}