
Add a 'noop' input #53

@ribbybibby

Description

Add an option that stops digestabot from actually updating any files. The create_pr option would be implicitly disabled in this case. The json output would still describe the changes digestabot would have made.

This would allow users to run custom code that decides which files to update based on whatever criteria they have, without having to completely fork and maintain the action.

Here's an example of what I'm thinking of. Untested code here.

````yaml
# Run digestabot to discover images to update
- uses: chainguard-dev/digestabot@v1
  id: digestabot
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    noop: true

# Iterate over the json output. Run chainctl image diff and only perform updates
# that remove vulnerabilities.
- run: |
    while read -r item; do
      from_image=$(jq -r '.image + "@" + .digest' <<<"$item")
      to_image=$(jq -r '.image + "@" + .updated_digest' <<<"$item")
      file=$(jq -r '.file' <<<"$item")

      if [[ ! "${from_image}" =~ ^cgr\.dev/.+$ ]] || [[ ! "${to_image}" =~ ^cgr\.dev/.+$ ]]; then
        echo "Skipping ${to_image} because it is not a Chainguard image."
        continue
      fi

      vulnerabilities_removed=$(chainctl image diff -o json "${from_image}" "${to_image}" | jq -r '.vulnerabilities.removed // [] | .[]')
      if [[ -z "${vulnerabilities_removed}" ]]; then
        echo "Skipping ${to_image} because it doesn't remove any vulnerabilities."
        continue
      fi

      sed -i -e "s|$from_image|$to_image|g" "$file"
    done < <(jq -c '.updates // [] | .[]' <<<'${{ steps.digestabot.outputs.json }}')

# Check if any changes were made
- id: check_workspace
  run: |
    echo "create_pr_update=false" >> "${GITHUB_OUTPUT}"
    if [[ -n $(git diff --stat) ]]; then
      echo "create_pr_update=true" >> "${GITHUB_OUTPUT}"
      echo "diff<<EOF" >> "${GITHUB_OUTPUT}"
      git diff >> "${GITHUB_OUTPUT}"
      echo "EOF" >> "${GITHUB_OUTPUT}"
    fi

# Create the pull request
- uses: peter-evans/create-pull-request@v7
  if: ${{ steps.check_workspace.outputs.create_pr_update == 'true' }}
  id: pull_request
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: Update image digests
    title: Update image digests
    body: |
      Update images digests.

      ## Changes
      <details>

      ```diff
      ${{ steps.check_workspace.outputs.diff }}
      ```

      </details>
````

I suppose another solution would be for users to run a git reset or whatever after digestabot runs with create_pr: false. We should document that so users have a good example of how to extend digestabot like this.
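The selective-update step from the workflow above, written out as an added example that is not part of the issue or of digestabot: a Python version of the jq/sed loop that reads the noop JSON (shape assumed from the jq paths in the workflow), filters it through a caller-supplied keep() predicate standing in for the `chainctl image diff` check, rejects malformed digests before anything is written, and applies literal rather than regex replacements. SAMPLE, select_updates, apply_updates and demo are all constructed for this example.

```python
import re
from typing import Callable

# Syntax checks so that only well-formed, pinned Chainguard refs ever reach a file.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
CHAINGUARD_RE = re.compile(r"^cgr\.dev/[A-Za-z0-9._/-]+$")

# Constructed stand-in for the parsed json output of a noop run (shape follows the jq paths above).
SAMPLE = {"updates": [
    {"file": "Dockerfile", "image": "cgr.dev/chainguard/python",
     "digest": "sha256:" + "a" * 64, "updated_digest": "sha256:" + "b" * 64},
    {"file": "Dockerfile", "image": "cgr.dev/chainguard/busybox",
     "digest": "sha256:" + "c" * 64, "updated_digest": "sha256:" + "d" * 64},
    {"file": "Dockerfile", "image": "docker.io/library/alpine",
     "digest": "sha256:" + "e" * 64, "updated_digest": "sha256:" + "f" * 64},
]}

def image_ref(image: str, digest: str) -> str:
    if not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    return f"{image}@{digest}"

def select_updates(payload: dict, keep: Callable[[str, str], bool]) -> list:
    """(file, from_ref, to_ref) for Chainguard images that pass keep(); in the
    workflow keep() would wrap `chainctl image diff`, here it is any callable."""
    chosen = []
    for item in payload.get("updates") or []:
        if not CHAINGUARD_RE.match(item["image"]):
            continue  # same skip as the issue's "not a Chainguard image" branch
        from_ref = image_ref(item["image"], item["digest"])
        to_ref = image_ref(item["image"], item["updated_digest"])
        if from_ref != to_ref and keep(from_ref, to_ref):
            chosen.append((item["file"], from_ref, to_ref))
    return chosen

def apply_updates(selected: list, contents: dict) -> dict:
    """Literal replacement (unlike sed, '.' in a ref is not a wildcard); returns
    only the files whose text changed, which is what decides whether to open a PR."""
    changed = {}
    for file, from_ref, to_ref in selected:
        new_text = changed.get(file, contents[file]).replace(from_ref, to_ref)
        if new_text != changed.get(file, contents[file]):
            changed[file] = new_text
    return changed

def demo() -> tuple:
    # keep() here is a stand-in that only accepts the python image.
    dockerfile = "".join(f"FROM {image_ref(u['image'], u['digest'])}\n" for u in SAMPLE["updates"])
    selected = select_updates(SAMPLE, lambda from_ref, to_ref: "/python@" in from_ref)
    changed = apply_updates(selected, {"Dockerfile": dockerfile})
    return len(selected), sorted(changed), changed.get("Dockerfile", "")
```

In the workflow, the caller writes each entry of the returned dict back to disk and opens the PR only when the dict is non-empty.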

Labels: enhancement (New feature or request)