Merge pull request #1965 from GoogleContainerTools/lifecycle-tag

Add cloud build config for lifecycle tagging

Author: loosebazooka

.cloudbuild/lifecycle_tag.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -o errexit -o nounset -o xtrace -o pipefail
+
+BAZELISK_VERSION="1.27.0"
+BAZELISK_SHA256="e1508323f347ad1465a887bc5d2bfb91cffc232d11e8e997b623227c6b32fb76"
+
+GGCR_VERSION="0.20.7"
+GGCR_SHA256="8ef3564d264e6b5ca93f7b7f5652704c4dd29d33935aff6947dd5adefd05953e"
+
+# install gcrane
+curl -fsSL "https://github.com/google/go-containerregistry/releases/download/v${GGCR_VERSION}/go-containerregistry_Linux_x86_64.tar.gz" -o ggcr.tar.gz
+echo "${GGCR_SHA256} ggcr.tar.gz" | sha256sum --check
+tar -xzf ggcr.tar.gz gcrane
+chmod a+x gcrane
+mv gcrane /usr/bin/gcrane # needs to be on path
+
+# we need jq too
+apt-get update
+apt-get -y install jq
+
+# install bazelisk (TODO: there's probably a better way to do this)
+curl -fsSL "https://github.com/bazelbuild/bazelisk/releases/download/v${BAZELISK_VERSION}/bazelisk-linux-amd64" -o bazelisk
+echo "${BAZELISK_SHA256} bazelisk" | sha256sum --check
+chmod a+x bazelisk
+
+echo "common --google_default_credentials" >> ~/.bazelrc
+echo "common --announce_rc" >> ~/.bazelrc
+
+./bazelisk run :attach_lifecycle_tags --config=release

.cloudbuild/lifecycle_tag.yaml

@@ -0,0 +1,13 @@
+timeout: 1800s # 30 minutes
+
+options:
+  machineType: E2_MEDIUM
+  logging: CLOUD_LOGGING_ONLY
+
+steps:
+  - name: gcr.io/cloud-builders/bazel@sha256:70e96d9faec4bab40a9d8d55d6b86ce2657927d8bca6bdc2dcb21a82b66dbdf7 # 5.4.0
+    env:
+      - PROJECT_ID=${PROJECT_ID}
+      - REGISTRY=gcr.io
+    entrypoint: bash
+    args: [".cloudbuild/lifecycle_tag.sh"]

private/tools/lifecycle/tag.sh

@@ -43,6 +43,8 @@ function tag_update() {
       (($now | tonumber) - (.value.timeUploadedMs | tonumber) > 172800000)
     ) | .key
   ');
+  background_pid=$!
+  wait "$background_pid"
 
   echo "tagging ${#targets[@]} images of $image"
 
@@ -58,14 +60,17 @@ function tag_deprecate() {
   images_json=$(gcrane ls "$image" --json)
 
   # get all hashes for all images don't have the deprecated tag
+  # this is only for wholesale deprecation of an image
   readarray -t targets < <(echo "$images_json" | jq -er '
     .manifest | to_entries | sort_by(.value.timeUploadedMs|tonumber) | .[] | select(
       .value.tag // [] | all(test("deprecated-public-image-[a-f0-9]{64}$") | not)
     ) | .key
   ');
+  background_pid=$!
+  wait "$background_pid"
 
   echo "tagging ${#targets[@]} images of $image"
-  echo "disabled for now, edit out comment"
+  echo "disabled for now, edit out comment, be careful about builds happening, this doesn't account for them"
   # exec_tag "$image" "$tag_prefix" targets
 }